We are happy to announce the third alpha release of dnsdist 1.6.0. This release contains a few fixes for issues reported in the second release candidate:
- DNS over HTTPS queries with a non-zero ID were not properly handled. Very few DoH clients actually send an ID with a value different than 0 but it does happen and is allowed by RFC 8484. Many thanks to Frank Denis for reporting the issue !
- The connect timeout was not used for outgoing TCP connections, and the write timeout was used instead.
In addition to these fixes, several improvements were made:
- Reduced memory usage for idle DNS over HTTPS and DNS over TLS connections, saving roughly 35 kB per connection.
- Smarter caching of outgoing TCP connections, ability to configure the number of concurrent incoming TCP connections per frontend, with more metrics.
- Sharding has been enabled in the ring buffers and the packet cache by default, leading to better performance in the default configuration.
- TLS renegotiation is now disabled by default, to prevent issues like CVE-2021-3449 in the future.
With the future 1.6.0 final release, the 1.3.x releases will be EOL and the 1.4.x releases will go into critical security fixes only mode.
We would also like to take this opportunity to announce that we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386 before kernel version 5.1.