We are happy to announce the first beta release of dnsdist 1.7.0!
We introduced a fair number of improvements and new features since the second alpha, and we will now iron out the documentation and fix any bugs before hopefully releasing the first release candidate very soon.
The main new feature is the ability to use the same outgoing TCP or DNS over TLS connection for queries coming from different clients, leading to a huge decrease of the number of outgoing connections needed when the backend supports out-of-order processing.
We also added the exact transport type to dnstap and protocol buffer messages, making it possible to differentiate between plaintext queries and DNS over HTTPS or DNS over TLS ones.
Recently Pierre Grié from Nameshield contributed an XDP program to reply to blocked UDP queries with a truncated response directly from the kernel, in a similar way to what we were already doing using eBPF socket filters. This beta finally adds support for eBPF pinned maps, allowing dnsdist to populate the maps using our dynamic blocking mechanism, and letting the external XDP program do the actual blocking or response.
Stéphane Bortzmeyer helped us pinpoint a few issues in the encryption between dnsdist and its backends, notably in the way the outgoing connections are cached while waiting to be reused. That could have led to a waste of memory piling up over time.
We also fixed an issue where the threads handling incoming DoH queries could have stopped processing responses when they were completely overloaded by TLS handshakes, leading to a degradation of performance.
The last issue was that a backend was not properly marked as non-available when a certain exception was raised during a health-check attempt.
Finally Rosen Penev contributed a lot of clean up changes to make sure that we make the best of what C++17 can offer.
With the future 1.7.0 final release, the 1.4.x releases will be EOL and the 1.5.x and 1.6.x releases will go into critical security fixes only mode.