Category: dnsdist

First alpha release of dnsdist 1.5.0

We are very happy to announce the 1.5.0 alpha 1 release of dnsdist. This version contains several new exciting features detailed below, but also a few breaking changes so please take the time to read the next section.

Your feedback will be much appreciated so we can deliver a stable 1.5.0 final release!

Important changes

We took the opportunity of this new release to clean up a few things that might require updating your existing configuration.

First, in systemd environments, dnsdist used to be started as root before dropping privileges and switching to an unprivileged user, which could lead to weird issues where files where readable during startup but not after, or the other way around. This is no longer the case, and dnsdist is now directly started as an unprivileged user. This might require updating the permissions on the files accessed during startup. It is therefore recommended to recursively chown directories used by dnsdist:

chown -R root:dnsdist /etc/dnsdist

Packages provided on the PowerDNS Repository will chown directories created by them accordingly in the post-installation steps.

We also updated the default behavior of our DNS over HTTPS implementation. DoH endpoints specified in the fourth parameter of addDOHLocal are now specified as exact paths instead of path prefixes.

For example,

addDOHLocal('2001:db8:1:f00::1', '/etc/ssl/certs/example.com.pem', '/etc/ssl/private/example.com.key', { "/dns-query" })

will now only accept queries for /dns-query and no longer for /dns-query/foo/bar.

The default endpoint also switched from / to /dns-query. That can be overridden through the fourth parameter of addDOHLocal().

Finally the default SSL/TLS library used for DNS over TLS was changed from GnuTLS to OpenSSL / LibreSSL, based on the feedback we received from our users.

Please see the upgrade guide for more information.

New features and improvements

The most exciting new feature is the implementation of the Proxy Protocol between dnsdist and its backends. Aimed to replace the use of EDNS Client Subnet and our own XPF, the Proxy Protocol is an existing standard where a small header is prepended to the query, passing not only the source and destination addresses and ports along to the backend, but also custom values. Support for parsing the Proxy Protocol is already available in the development tree of the PowerDNS Recursor.

We implemented a new spoofRawAction(), which makes it possible to spoof any kind of response from dnsdist, instead of the existing limitation to A, AAAA and CNAME records. This new action requires submitting the response in DNS wire-format.

While it has always been possible to write custom selectors and actions in Lua, there was a huge performance gap between built-in rules written in C++ and the Lua ones. This release adds the ability to use the Lua FFI interface available in LuaJIT to write high-performance selectors and rules, as well as load-balancing policies. With carefully written Lua, this delivers performances almost on par with the built-in C++ rules and actions, with greater flexibility.

Several very large-scale users reported that the load-balancing policies based on a hash of the qname could lack a bit of fairness when the traffic was heavily skewed toward a few names, leading to some backends receiving much more traffic than others. In order to address this shortcoming, we added the ability to set load bounds to the chashed and whashed policies so that queries will be dispatched to a different backend if the one selected based on the qname is already handling more queries than it should.

Our DNS over HTTPS implementation received several improvements, including the ability to send cache-control headers, and to parse X-Forwarded-For headers sent by a frontend.

Users with a large number of backends will be happy to know that we refactored the handling of health checks so that they can now be performed in parallel instead of sequentially, leading to a huge performance improvement.

Finally our remote logging features using DNSTAP or our own protobuf saw several performance enhancements, a better handling of re-connection events, and the addition of the source and destination ports of the query whenever possible.

We want to once again thank everyone that contributed to the testing of the previous release candidates!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available in our repository. Please be aware that we have enabled a few additional features in our packages, like DNS over HTTPS, DNS over TLS and DNSTAP support, on distributions where the required dependencies were available.

Third release candidate for dnsdist 1.4.0

We are very happy to announce the third, and hopefully last, release candidate of the 1.4.0 version of dnsdist.

This version adds the ability to accept DNS over HTTPS queries over HTTP, in order to be able to use dnsdist behind a TLS-offloading device, and improves the management of TLS session ticket keys for DNS over HTTPS.

It also fixes several minor issues, and improves the DoH-related metrics in our prometheus export.

We want to thank everyone that contributed to the testing of the beta release, and invite you to contribute to the testing of this release candidate!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.

First release candidate for dnsdist 1.4.0

We are proud to announce the first release candidate of the 1.4.0 version of dnsdist. 1.4.0 brings a much more scalable way of handling DNS over TCP and DNS over TLS connections since the first alpha release. A major new feature since alpha2, and marquee feature of 1.4.0 compared to 1.3.x, is the new DNS-over-HTTPS functionality.

Following a round of testing from several large scale users, this version fixes several issues, most of them related to DNS over HTTPS (7894, 7917, 7927, 8112), DNS over TCP (7974, 7979, 8003, 8030, 8067, 8078, 8079, 8113), or both (7915).

In addition to minor improvements, it also introduces several new features:

  • a new ContinueAction allowing to keep processing rules even after calling a normally terminal action, like PoolAction (8117) ;
  • OCSP stapling for DNS over TLS and DNS over HTTPS (8141) ;
  • custom HTTP headers for DNS over HTTPS responses (contributed by Melissa Voegeli, 8148) ;
  • actions, rules and Lua binding to interact with DNS over HTTPS queries and generate responses from dnsdist (8153).

We want to thank everyone that contributed to the testing of the beta release, and invite you to contribute to the testing of this release candidate!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.

dnsdist 1.4.0-beta1

We are very happy to announce the first beta release of the 1.4.0 version of dnsdist. This version fixes a crash in the DNS over HTTPS (DoH) implementation and adds a new rule to route queries based on the incoming TLS Server Name Indication (SNI) value. It also adds latency histograms to the Prometheus export, courtesy of Marlin Cremers.

As with the alpha releases, your feedback will be much appreciated so we can deliver a stable 1.4.0 final release!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.

dnsdist 1.4.0-alpha2 with DNS over HTTPS support

We are very happy to announce the second alpha release of the 1.4.0 version of dnsdist. This version keeps up the DNS privacy improvements with the addition of a new major feature, DNS over HTTPS (DoH), and contains very few changes apart from that.

As with the first alpha, your feedback will be much appreciated so we can deliver a stable 1.4.0 final release!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.

First alpha release of dnsdist 1.4.0

We are very happy to announce the 1.4.0 alpha 1 release of dnsdist. This version contains a few new features, but is mostly focused on DNS privacy improvements. We are introducing a new, much more scalable way of handling DNS over TCP and DNS over TLS connections. It will be followed quite quickly by a new alpha including experimental DNS over HTTPS support.

In older versions of dnsdist, a TCP worker could only handle one incoming connection at a time, which was not very efficient when dealing with a larger number of mostly inactive connections, as we are beginning to see with DNS over TLS. Starting with this release, TCP workers are now event-based and each one of them can handle a very large number of incoming connections simultaneously.

Your feedback will be much appreciated so we can deliver a stable 1.4.0 final release!

Important changes

We took the opportunity of this new release to clean up a few things that might require updating your existing configuration. First, the number of parameters to the newPacketCache command was getting out of hand, so we switched it to a table-based syntax as we already did with newServer a while ago.

addLuaAction and addLuaResponseAction have been removed. Instead, use addAction with a LuaAction, or addResponseAction with a LuaResponseAction.

Lua constants for DNS response codes and QTypes have been moved from the ‘dnsdist’ prefix to, respectively, the DNSQType and DNSRCode prefixes.

To improve security, all ambient capabilities are now dropped after the startup phase, which might prevent launching the webserver on a privileged port at run-time, or impact some custom Lua code. In addition, systemd’s sandboxing features are now determined at compile-time, resulting in more restrictions on recent distributions. See pull requests 7138 and 6634 for more information.

And finally, if you are compiling dnsdist, note that several ./configure options have been renamed to provide a more consistent experience. Features that depend on an external component have been prefixed with –with while internal features use –enable. This has lead to the following changes:

  • –enable-fstrm to –enable-dnstap
  • –enable-gnutls to –with-gnutls
  • –enable-libsodium to –with-libsodium
  • –enable-libssl to –with-libssl
  • –enable-re2 to –with-re2

New features and improvements

Dynamic blocks and Lua rules can now use the NoRecurse action, thanks to phonedph1.

Richard Gibson added the possibility to inspect and alter trailing data.

Dmitry Alenichev implemented new rules and actions to deal with unexpected EDNS versions, and to optionally accept completely empty (qdcount=0) responses from a backend.

Andrey Domas added the new QNameSetRule rule, along with the DNSNameSet object, to match exact qnames instead of doing suffix matching.

The health check mechanism has been improved with the new checkInterval, checkTimeout and rise parameters, thanks notably to “1848”.

We added a few convenience functions to pseudonymize IP addresses, as several users reported that they needed it to be GDPR-compliant.

We noticed that, on some specific versions of the Linux kernel, the code we used to measure our memory usage could be quite expensive so we switched to an alternative, cheaper method. You might notice that the memory usage reported by this new version does not exactly match the one reported by older versions, but it should be close enough.

Finally the cost of exporting queries and responses using our remote logging solution based on protobuf has been reduced by a huge margin. System calls that used to be cheap before the Spectre and Meltdown mitigations were introduced are now having a very visible impact, and we designed a new way of sending messages to work around that.

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository. Please be aware that we have enabled a few additional features in our packages, like DNS over TLS and DNSTap support, on distributions where the required dependencies were available.

dnsdist 1.3.3 released

We are very happy to announce the 1.3.3 release of dnsdist. This release contains a few new features, but is mostly fixing a security issue reported since the release of dnsdist 1.3.2.

Security fix

While working on a new feature, Richard Gibson noticed that it was possible for a remote attacker to craft a DNS query with trailing data such that the addition of a record by dnsdist, for example an OPT record when adding EDNS Client Subnet, might result in the trailing data being smuggled to the backend as a valid record while not seen by dnsdist. This is an issue when dnsdist is deployed as a DNS Firewall and used to filter some records that should not be received by the backend. This issue occurs only when either the ‘useClientSubnet’ or the experimental ‘addXPF’ parameters are used when declaring a new backend.

While dnsdist has not had any important security issue until now, we decided this was a good time to implement the same security polling mechanism that the authoritative server and the recursor have had for years. Starting with this release, dnsdist will regularly perform a security check using a DNS query to determine whether the current version is up-to-date security-wise, and let the administrator know otherwise.

Important changes

It is sometimes very useful to be able to generate answers directly from dnsdist, to quickly return a “No such domain” answer, spoof an “A” or “AAAA” answer, or even just reply with the TC bit set so that legitimate clients retry over TCP. Until now, answers generated that way were mirroring the flags and EDNS options, if any, of the initial query. This was not great because it could mislead the client into thinking that dnsdist, or the server behind it, was supporting features or a UDP payload size it did not.

Starting with this release, dnsdist is now generating a proper EDNS payload if the query had one, and responding without EDNS otherwise. This behavior can be turned off using the new setAddEDNSToSelfGeneratedResponses() directive if needed.

We must, however, provide a responder’s maximum payload size in this record, and we can’t easily know the maximum payload size of the actual backend so we picked a safe default value of 1500, which can be overridden using the new  setPayloadSizeOnSelfGeneratedAnswers() directive.

New features and improvements

A new load-balancing policy named “chashed” has been introduced, based on consistent hashing. This new policy load-balances the incoming queries based on a hash of the requested name, like the existing “whashed” one, but has the interesting property that adding or removing a server will only cause a very small portion of the incoming queries to be mapped to a different server than they were before, keeping the caches warm.

While we have been supporting the export of metrics using the well-known carbon protocol from day one, we have seen an increasing demand for supporting the emerging Prometheus protocol. Thanks to the work of Pavel Odintsov and Kai S, dnsdist now supports it natively.

Very large installations of the DNS over TLS feature introduced in 1.3.0 reported several issues that we addressed in this release:

  • dnsdist did not set TCP_NODELAY on its TLS sockets, causing needless latency ;
  • it was not possible to configure the number of stored TLS sessions ;
  • our OpenSSL implementation had a memory leak when some clients aborted prematurely because of a negotiation error during the TLS handshake.

We seized the opportunity to refactor the part of the code handling TLS connections with the use of smart pointers while fixing that last issue, making sure that this kind of memory leak will not happen again.

In 1.3.2, the optimized DynblockRulesGroup introduced in 1.3.0 gained the ability to whitelist and blacklist ranges from dynamic rules, for example to prevent some clients from ever being blocked by a rate-limiting rule. This feature has now been made available when our in-kernel eBPF filtering feature is used as well. At the same time, we introduced the ability to set up warning rates to the dynamic rules, making it possible to get an alert without blocking clients when they reach a configured rate, and to block them should they reach a higher rate.

Finally, we introduced several new rules to our existing set:

  • EDNSOptionRule, to be able to filter based on the presence of a given EDNS option ;
  • DSTPortRule, offering the ability to route queries by looking at their destination port ;
  • PoolAvailableRule, to be able to route queries based on whether a pool has at least one usable backend.

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository. Please be aware that we have enabled a few additional features in our packages, like DNS over TLS and DNSTap support, on distributions where the required dependencies were available.