We are very happy to release the third candidate of what will become dnsdist 1.8.0!

This release contains fixes for several issues that were found in the second release candidate.

• #12641: Use the correct source address when harvesting failed
• #12639: Fix a race when a cross-protocol query triggers an IO error
• #12638: Report the TCP latency for TCP-only Do53, DoT and DoH backends
• #12648: Report per-incoming transport latencies in the web interface

The first one is actually a follow-up to the “dnsdist is responding from the wrong source IP address in some setups” which was incompletely corrected in rc2. The second one is a race condition that might have been occurring in very specific cases of network errors during asynchronous processing of cross-protocol queries. The last issue is a bit more complicated: in 1.8.0 we decided to break down the latency metrics to provide a more accurate view of what was actually going on:

• global latency metrics are now per incoming protocol (Do53 UDP, Do53 TCP, DoT, DoH)
• backend latency metrics are split between UDP (Do53) and TCP (Do53 TCP, DoT, DoH)

This change brought some adjustment in the interfaces consuming these metrics, and it was reported that this was not quite right. The web interface, for example, was only reporting the UDP-based metrics and not the other ones.

Please see the dnsdist website for the more complete changelog and the current documentation. The upgrade guide is also available there.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

We are immensely grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.

Hello!

We are very happy to release the first candidate of what will become dnsdist 1.8.0!

This release contains a significant amount of changes since the last major release, 1.7.0, which was released a bit over a year ago. We try to stick to a major release every six months, but this one took a bit longer than expected as we tackled a few challenges:

Low-end devices friendly

We know, based on the feedback we get from the users that interact with us, that dnsdist is used in a lot of different environments, from very large installations dealing with millions of queries per second to very small computers running in a closet somewhere! While we have until now been more focused on the first case, we have been getting a lot of interest coming from the very-low end of the spectrum: low-end devices, like customer premises equipment (CPEs), with very few resources. We realized that while other open-source components do a good job of providing traditional DNS services in that world, there is a need for software providing DNS over TLS and DNS over HTTPS support, to protect the confidentiality and integrity in the first mile of the internet access.

We knew that dnsdist was already successfully used on small devices, like raspberry pis, and that our memory and CPU usage was quite low, so we were surprised to learn that people were struggling to meet the very stringent requirements of some devices, and decided to have a look. This was a very interesting journey into flash-based filesystems of a few dozen megabytes, proportional set size memory usage, and low-powered CPUs.

Long story short, we managed to drastically reduce our memory usage and our CPU consumption, especially with very low QPS rates. We developed a new way of doing health-checking for these environments, only doing an actual active health-check after detecting failures from normal traffic. We also introduced a few options to reduce our binary size where it matters, like on OpenWrt builds.

OpenWrt integration

We wrote the necessary code to make dnsdist play nicely with OpenWrt’s native configuration format, Unified Configuration Interface (UCI), so that it is easy to set up dnsdist via the usual interfaces, including the Web UI.

We also provide DHCP integration, so that dnsdist can learn about devices on the local network and provide native DNS resolution for these devices.

This integration is not yet merged into the OpenWrt tree as it requires some feature that will only be available once 1.8.0 final has been released. Stay tuned, or reach out if you want a quick peek!

Hostile networks

We also realized that we could no longer rely on the network path between dnsdist and its backend to be trusted: while this is true when dnsdist is deployed on the same box, rack or datacenter as the backend, this no longer is when it is deployed on a CPE and instructed to forward its queries to a remote recursive resolver like Quad9.

Of course we strongly advise using DNS over TLS and/or DNS over HTTPS to secure that path, but this is unfortunately not always possible. We learned the hard way that in some countries ISPs are not only providing DNS over plain UDP only, without even supporting plain TCP, they are also still blocking attempts to connect to an external resolver via a more secure channel.

To work around that issue, we implemented new features to make dnsdist suitable as a proxy with an untrusted network path to the resolver, using well-known methods: random ports and random IDs. These are not enabled by default because they come at a cost, which we don’t want to impose when it is not necessary.

Discovery of Designated Resolvers

It’s one thing to support DNS over TLS and DNS over HTTPS both inbound and outbound, but it really does not help if the client does not know that you do, or if the configuration does not tell dnsdist that the backend does.

The IETF has been working for quite some time now on a new mechanism that leverages the SVCB record type to actually advertise that a secure, encrypted endpoint is available for use: Discovery of Designated Resolvers (DDR).

Since 1.7.0 dnsdist has been able to advertise DoT and DoH support to the client via SVCB records, but that requires writing a few lines of Lua to configure it. In 1.8.0, we have integrated that process into the OpenWrt configuration, requiring a single click to enable DDR advertisement to all the local clients, allowing Android and iOS devices to automatically upgrade to a secure channel.

We also taught dnsdist how to use DDR to detect whether a given backend can be upgraded from plain Do53 to DoT and DoH, so that we switch to a secure channel as soon as it becomes available, and fallback to Do53 if needed.

Faster TLS

To be able to keep pushing for broader adoption of DoT and DoH, it is crucial to reduce the overhead of the encryption compared to plain old Do53. To do so, we have added support for:

• hardware-accelerated TLS via OpenSSL engines, like Intel Quick-Assist Technology (QAT)
• Linux’s kernel TLS acceleration, eliminating the need to copy data into user space and back for TLS operations

The technologies are still evolving quickly, and for now are marked as experimental in dnsdist but yields very promising results.

Second-chance lookups

The ability to act on a Server Failure, Refused, or any specific type of responses to trigger a second DNS lookup is a feature that regularly came up. It was not easy to implement given the existing design of dnsdist, but we refactored a fair amount of code in this release to be able to process queries and responses in an asynchronous way, paving the way for external lookups without blocking dnsdist and degrading performance.

This refactoring allowed us to finally implement that second-chance lookup, so that a query can be re-sent to a different pool of servers if the obtained response is not good enough.

User-defined metrics

It is now possible to define custom counters and gauges, that can be manipulated via the Lua API and are exported via the API and prometheus like built-in metrics.

New compilations options, Link-Time optimizations

We introduced several new compile-time options:

• Link-Time Optimizations (LTO): GCC, clang and the associated linkers now support a new mode of building a binary, where information about all the individuals components, called compilation units, is made available to the linker so that it can make better optimization decisions. We have now enabled these optimizations in our own packages, via the –enable-lto option.
• For a long time, we have been automatically detecting if the compiler has support for the FORTIFY_SOURCE=2 hardening option, enabling it whenever possible. Recently a stronger version of that option has been supported by GCC and clang, FORTIFY_SOURCE=3. This stronger version can be enabled by passing either –enable-fortify-source=3 or –enable-fortify-source=auto to our configure, with the latter always selecting the best supported version. We have enabled the stronger version in our test suites, but not yet in our production builds, as we are not yet sure of the actual impact
• C++, as opposed to other languages, does not initialize its variables by default. This had led to a fair amount of security issues in the past, ranging from information disclosure to the ability to execute arbitrary code. We now have a new option, –enable-auto-var-init=zero, that can be used to zero-initialize all variables that are allocated on the stack. We have not yet enabled this option in our production builds, but we have enabled instead, in our test suites, a variant that increases the likelihood of detecting bugs by initializing the variables with specific patterns: –enable-auto-var-init=pattern

Users that can trade a bit of performance for stronger security guarantees are invited to enable both –enable-fortify-source=auto and –enable-auto-var-init=zero.

And many other improvements

• A lot of new functionalities are now accessible via Lua: helpers to interface with the system network configuration, to get the MAC address of a client, to inspect and edit queries and responses
• The scalability of MaxQPSIPRule has been improved on multi-core setups
• The handling of multiple Carbon servers was lacking, allowing a misbehaving Carbon server to impact other servers: this has now been fixed
• We introduced a new chain of rules, triggered after cache insertion
• Our eBPF and XDP code has been greatly improved by Pierre Grié, Y7n05h and Yogesh Singh

Security audit

In the second part of 2022 we have mandated a security audit from the Nixu team, to have a strong look at the new features we introduced in 1.8.0 in particular (DDR, DNS over HTTPS, OpenWrt integration). This is the second audit of the dnsdist code-base realized by Nixu, and they were able to quickly focus on the new features. They went above and beyond what we expected, as they did last time, and found a potential issue in the way our ACL interacted with the OpenWrt system, in our not yet released UCI integration. In short, we were relying a bit too much on the OpenWrt firewall, and it might have opened access to the Do53, DoT and DoH ports from unintended network interfaces in some deployment scenarios where the firewall was not effective. We fixed that by being more restrictive in our default ACL.

Please see the dnsdist website for the more complete changelog and the current documentation. The upgrade guide is also available there.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

We are immensely grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.

Hello!

We are very happy to release dnsdist 1.7.3 today, a maintenance release with no functional changes.

This release strictly serves to bring dnsdist packages to our EL9 and Ubuntu Jammy repositories, and upgrades the dnsdist Docker image from Debian buster to Debian bullseye, as buster is officially EOL.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.

Hello!

We are very happy to release dnsdist 1.7.2 today, a maintenance release fixing a few bugs reported since 1.7.1:

• An unhandled exception could happen when an invalid protocol was used in an incoming DNS over HTTPS forwarded-for header and passed to the backend via the proxy protocol, leading to a use-after-free and a crash. Forwarded-for headers are not used by default and should only be used if the client can be trusted (#11667)
• An invalid proxy-protocol was sent to the backend, over TCP, if a query received via DNS over HTTPS resulted in a truncated UDP response from the backend (#11665)
• Some metrics lacked a proper description in our Prometheus endpoint (#11664)
• A side-effect of fixing the health-check timeout in 1.7.1 was leading to a CPU usage increase on devices that are mostly idle. We improved that situation, reducing the CPU usage even below what it was in 1.7.0 (#11579, #11580)

We also added a couple Lua bindings to make it easier to look into the DNS payload from custom Lua rules and actions (#11666).

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.

Hello!

We are proud to announce the release of dnsdist 1.7.0. This release contains several new exciting features since 1.6.1, as well as improvements and bug fixes. It contains one single change from the first release candidate, a fix for DynBlockRatioRule::warningRatioExceeded provided by Doug Freed.

In our view, the most exciting new feature of 1.7.0 is the support of outgoing DNS over TLS and DNS over HTTPS, as well as the ability to do “cross-protocol” queries, meaning a query received over a given protocol (UDP, TCP, DoT, DoH, …) can be forwarded over a different one. Now that dnsdist is capable of contacting its backend over an encrypted channel, full end-to-end encryption is possible, offering improved confidentiality and integrity.

Among the new features is the ability to add a custom EDNS option to a query before forwarding it to a backend, via SetEDNSOptionAction. phonedph1 also contributed a new rule making it possible to route a query based on the number of outstanding queries in a pool, PoolOutstandingRule.

Pierre Grié from Nameshield contributed an XDP program to reply to blocked UDP queries with a truncated response directly from the kernel, in a similar way to what we were already doing using eBPF socket filters. This version adds support for eBPF pinned maps, allowing dnsdist to populate the maps using our dynamic blocking mechanism, and letting the external XDP program do the actual blocking or response.

The packet cache has been improved so that one can now configure which EDNS options should be ignored, raising the cache hit ratio behind customer-premises equipment. The incoming and outgoing protocols have been added to the output of the grepq command for a better understanding of the recently processed traffic.

Dimitrios Mavrommatis improved the handling of AXFR and IXFR queries, making it possible to reuse a TCP connection used for a zone transfer much more efficiently.

We added support for generating the still experimental SVCB and HTTPS records directly from dnsdist, offering potential benefits to both performance and privacy.

Our LMDB code has gained the ability to do range-based lookups, and is now more performant even for simple lookups.

Extending the per-thread custom load-balancing policies introduced in 1.6.0, it is now possible to write blazing-fast, lock-less per-thread custom actions using the Lua foreign function interface.

Holger Hoffstätte also improved the reporting of an unavailable backend, making sure the existing metrics are no longer reported to prevent any confusion.

This release also reduces the memory footprint of dnsdist in several places, which makes it easier to use in resource-constrained environments.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.

With this release, the 1.4.x releases become be EOL and the 1.5.x and 1.6.x releases go into critical security fixes only mode.

Finally, we would like to thank the PowerDNS community and all external contributors for their great work in this release!