Hello!
We are proud to announce the final release of dnsdist 1.6.0, with no changes since the second release candidate. Compared to 1.5.x, this release contains several new exciting features, as well as improvements and bug fixes.
In our view, the most exciting new feature is the support of out-of-order processing for TCP and DNS over TLS connections. Out-of-order processing makes it possible to have several concurrent queries on the same TCP connection, and to receive the answers to these queries as soon as they are ready. Along with connection reuse, this reduces the overhead of TCP by a huge factor. Starting with 1.6.0, dnsdist will accept up to 65536 concurrent queries on the same incoming TCP connection, and will pass all of these to the backend over a single connection as well, provided that the backend supports it. This feature is not enabled by default, and can be enabled via the maxInFlight parameter of the addLocal/addTLSLocal (client-side) and the newServer (backend-side) commands.
This new version also brings support for accepting a Proxy Protocol header on incoming connections, making it possible for a frontend to provide dnsdist with the initial source and destination ports and addresses, as well as custom values. dnsdist can then process, add and remove values before passing the information to the backend. Chaining two dnsdist instances has never been this easy!
Other new features include the ability to define custom web endpoints in Lua, to extend the existing API, as well as the ability to create blazing-fast, lock-less per-thread custom load-balancing policies using the Lua foreign function interface (FFI).
Among the many improvements, dnsdist’s packet cache no longer hashes EDNS Cookies by default, which means that two queries that are identical except for the content of their cookies will now be served the same answer. Note that it might be necessary to restore the existing behaviour when dnsdist is in front of a backend actually using EDNS Cookies, which can be done via the cookieHashing parameter to newPacketCache.
Users of our own protocol buffer logging mechanism, or of dnstap, will be happy to learn that we replaced our implementation based on Google’s protocol buffer library by a tremendously faster one, based on the protozero library. This change results in much lower CPU utilization and increased scalability in a transparent way.
The memory usage of idle DNS over HTTPS and DNS over TLS connections has also been significantly reduced when the OpenSSL provider is used.
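To show how the features described above (out-of-order processing via maxInFlight, Proxy Protocol on incoming connections, Lua web endpoints, FFI load-balancing policies and the cookieHashing cache option) fit together, here is an added example configuration. It is not part of the announcement or of the dnsdist project; all addresses, certificate paths, credentials and limits are made up, and the FFI function name and the 0-based index returned by the policy follow the dnsdist FFI interface as recalled here and should be checked against the dnsdist-lua-ffi.h header shipped with your version.

```lua
-- Added example dnsdist 1.6.0 configuration (not from the announcement).
-- Every address, path, credential and limit below is a placeholder.

-- Client-facing listeners. maxInFlight turns on out-of-order processing:
-- up to that many queries may be outstanding on one TCP or DoT connection.
addLocal("0.0.0.0:53", {maxInFlight = 1024})
addTLSLocal("0.0.0.0:853", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem",
            {maxInFlight = 1024, provider = "openssl"})

-- Accept a Proxy Protocol header, but only from a trusted frontend
-- (e.g. another dnsdist instance); anything else is treated as spoofing.
setProxyProtocolACL({"192.0.2.10/32"})
-- Evaluate the regular client ACL against the proxied (original) source
-- address rather than the frontend's address.
setProxyProtocolApplyACLToProxiedClients(true)

-- Backend: all in-flight queries share a single TCP connection, and the
-- Proxy Protocol header is forwarded (the backend must understand it).
newServer({address = "192.0.2.53:53", maxInFlight = 1024, useProxyProtocol = true})

-- Add a custom Proxy Protocol value (type 0xE4 is in the custom range)
-- so the backend can tell which edge the query passed through.
addAction(AllRule(), SetAdditionalProxyProtocolValueAction(0xE4, "edge-1"))

-- Packet cache: cookieHashing defaults to false in 1.6.0, so queries that
-- differ only in their EDNS Cookie share one cached answer. Set it to true
-- if the backend actually uses EDNS Cookies, otherwise a cookie minted for
-- one client would be replayed to another.
local pc = newPacketCache(100000, {maxTTL = 86400, cookieHashing = false})
getPool(""):setCache(pc)

-- Webserver with credentials via setWebserverConfig, plus a custom endpoint.
webserver("127.0.0.1:8083")
setWebserverConfig({password = "CHANGE-ME", apiKey = "CHANGE-ME-TOO", acl = "127.0.0.1/32"})
registerWebHandler("/health", function(req, resp)
  -- Minimal liveness endpoint: report how many backends are currently up.
  local up = 0
  for _, s in ipairs(getServers()) do
    if s:isUp() then up = up + 1 end
  end
  resp.status = 200
  resp.headers = {["Content-Type"] = "text/plain"}
  resp.body = "backends up: " .. up .. "\n"
end)

-- Lock-less per-thread load-balancing policy using the Lua FFI. Each worker
-- thread gets its own counter, so no shared state and no lock is needed.
setServerPolicyLuaFFIPerThread("ffi-round-robin", [[
  local ffi = require("ffi")
  local C = ffi.C
  local counter = 0
  return function(servers_list, dq)
    local n = tonumber(C.dnsdist_ffi_servers_list_get_count(servers_list))
    counter = counter + 1
    return counter % n   -- 0-based index into servers_list
  end
]])
```

The two Proxy Protocol calls are the security-relevant part: without setProxyProtocolACL, any client able to reach the listener could prepend a header claiming an arbitrary source address, and without setProxyProtocolApplyACLToProxiedClients your ACLs would be checked against the frontend's address instead of the real client's.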
If you are upgrading from a previous version, please be aware that a few actions and commands have been renamed to clear some ambiguities. Almost all actions that allow further processing of rules now start with ‘Set’, to prevent mistakes:
DisableECSAction to SetDisableECSAction
DisableValidationAction to SetDisableValidationAction
ECSOverrideAction to SetECSOverrideAction
ECSPrefixLengthAction to SetECSPrefixLengthAction
MacAddrAction to SetMacAddrAction
NoRecurseAction to SetNoRecurseAction
SkipCacheAction to SetSkipCacheAction
TagAction to SetTagAction
TagResponseAction to SetTagResponseAction
TempFailureCacheTTLAction to SetAdditionalProxyProtocolValueAction
SetNegativeAndSOAAction to NegativeAndSOAAction
Some commands changing the order of the rules could have easily been confused with the ones providing insight into the current traffic, and have therefore also been renamed:
topCacheHitResponseRule to mvCacheHitResponseRuleToTop
topResponseRule to mvResponseRuleToTop
topRule to mvRuleToTop
topSelfAnsweredResponseRule to mvSelfAnsweredResponseRuleToTop
Please also note that the use of additional parameters on the webserver command has been deprecated in favor of using setWebserverConfig.
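As an added illustration of the renames above (not taken from the announcement or from the dnsdist project), the following snippet shows a few rules as they were written for 1.5.x, commented out, next to their 1.6.0 form. The network, zone names and credentials are made up.

```lua
-- Added migration example (not from the announcement): 1.5.x forms are
-- commented out above their 1.6.0 equivalents. All values are placeholders.

-- Actions that let rule processing continue now start with 'Set'.
-- 1.5:  addAction("192.0.2.0/24", DisableECSAction())
addAction("192.0.2.0/24", SetDisableECSAction())
-- 1.5:  addAction(QNameRule("internal.example."), SkipCacheAction())
addAction(QNameRule("internal.example."), SetSkipCacheAction())
-- 1.5:  addAction(RegexRule("\\.tracker\\.example\\.$"), TagAction("policy", "block"))
addAction(RegexRule("\\.tracker\\.example\\.$"), SetTagAction("policy", "block"))

-- The opposite rename: this action terminates processing by answering
-- NXDOMAIN with a synthesized SOA, so it lost its misleading 'Set' prefix.
-- 1.5:  addAction(TagRule("policy", "block"), SetNegativeAndSOAAction(true, "example.", 3600,
--                 "ns.example.", "hostmaster.example.", 1, 3600, 600, 86400, 60))
addAction(TagRule("policy", "block"), NegativeAndSOAAction(true, "example.", 3600,
          "ns.example.", "hostmaster.example.", 1, 3600, 600, 86400, 60))

-- Moving the most recently added rule to the top of the list no longer
-- reads like a traffic-inspection command (topRule vs. topQueries).
-- 1.5:  topRule()
mvRuleToTop()

-- Webserver credentials and ACL move from webserver() to setWebserverConfig.
-- 1.5:  webserver("127.0.0.1:8083", "CHANGE-ME", "CHANGE-ME-TOO")
webserver("127.0.0.1:8083")
setWebserverConfig({password = "CHANGE-ME", apiKey = "CHANGE-ME-TOO", acl = "127.0.0.1/32"})
```

A 1.5.x configuration that still uses the old names fails to load on 1.6.0 with an undefined-global error, so these renames are worth grepping for before upgrading rather than discovering at restart time.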
Regular users should not be impacted by this change, but packagers should be aware that since 1.6.0 dnsdist now uses the C++17 standard instead of the C++11 one it was previously using.
Please see the dnsdist website for the complete changelog and the current documentation.
Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.
The release tarball (signature) is available on the downloads website, and packages for CentOS 7 and 8, Debian Buster and Ubuntu Bionic and Focal are available from our repository.
With this release, the 1.3.x releases are EOL and the 1.4.x releases go into critical security fixes only mode.
We would also like to take this opportunity to announce that we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386 before kernel version 5.1.
Finally, we would like to thank the PowerDNS community and all external contributors for their great work in this release, and in particular Stephane Bakhos, Stéphane Bortzmeyer, Georgeto, Matti Hiljanen, Andreas Jakum, Nuitari, Oli Schacher, Sukhbir Singh, Thibmac and Mischan Toosarani-Hausberger!