Category: powerdns

Technical Preview Releases of Authoritative Server, Recursor and dnsdist

Hi everybody!

As recently announced, we have finished the great PowerDNS 4.x Spring Cleaning. And it was indeed kind of grand. We consciously set out to fix many things that had been waiting for years to be addressed. We took the liberty to change many things that we could not change (break) within 3.x.  However, it was breaking for the better.

As noted in our previous post, we are very grateful to our community, users, developers and customers that we were able to devote significant time to cleaning up past mistakes. This is very rare in the world of software. Additionally, as usual a specific shout-out to Aki Tuomi (these days working for our sister-company Dovecot), our certified consultants Kees Monshouwer, Christian Hofstaedtler and Jan-Piet Mens, our independent code-contributors Ruben Kerkhof, Ruben d’Arco, Mark Zealey, Pavel Boldin, Mark Schouten and all the others who contributed ideas, code and GitHub issues.

With this message, we bring good news and bad news just in time for our holidays. We promised 4.0 releases of PowerDNS Recursor, PowerDNS Authoritative and even a 1.0 release of dnsdist, in “December 2015”. The bad news is that we did not make it. The good news however is that we do have a set of Technology Preview releases that contain everything that 4.0 will.

In other words: the features are done, but we can’t yet sign off on the quality. However! Since most people won’t be deploying x.0 releases in December anyhow, we felt it was worthwhile to launch the 4.x series now with a strong technology preview. This preview will allow you to test our features, both to see if they work and to see if they actually fit in with your needs. And please do test, since that will speed up the advent of the actual 4.x release date!

In terms of roadmap, we consulted PowerDNS customers, community and developers, and out came a plan for 4.x. A few months into the development, various users and customers suddenly chimed in on absolutely mandatory features we had somehow missed. Because of that, 4.x both under- and overdelivers.

In addition to the huge internal cleanup, here are visible changes that did make it:

dnsdist

  • Fully-featured load balancer with a number of DNS-relevant load balancing policies. The default policy favours servers with the least amount of queries in flight and the fastest response times. This turns out to deliver tangible user experience improvements
  • Comes with a host of rules to block, change, or redirect traffic based on your needs. For example, use dnsdist to implement ‘views’, or what has been called ‘Advanced DNS Protection’ by some closed source resellers of open source.
  • dnscrypt, EDNS Client Subnet adding (for CG-NAT traversal, for example)
  • Realtime insights via HTTP/JSON/RESTful API & built-in live graphing website
  • For more about this new product, please see http://dnsdist.org/

Authoritative

  • GeoIP backend has gained many features, and can now run based on explicit netmasks not present in the GeoIP databases
  • Caches are now fully canonically ordered, which means entries can be wiped on suffix in all places
  • Old geobackend has been deprecated and is no longer part of PowerDNS
  • Newly revived ODBC backend for talking to Microsoft SQL Server & Azure, and with some tweaking, any other ODBC-database we do not support natively.
  • pdnssec tool does far more than DNSSEC, and has thus been renamed into ‘pdnsutil’.
  • ECDSA signing is now supported without external dependencies, and a single combined ECDSA signing key is the new default for securing zones.
  • Experimental ed25519 signing support based on draft-sury-dnskey-ed25519-03.

Recursor

  • DNSSEC processing: if you ask for DNSSEC records, you will get them
  • DNSSEC validation: if so configured, PowerDNS will attempt to perform DNSSEC validation of your answers
  • Completely revamped Lua scripting API that is “DNSName” native and therefore far less error prone, and likely faster for most commonly used scenarios. Loads and indexes a 1 million domain custom policy list in a few seconds
  • New asynchronous per-domain, per-ip address, query engine. This allows PowerDNS to consult an external service in realtime to determine client or domain status. This could for example mean looking up actual customer identity from a DHCP server based on IP address (option 82 for example).
  • RPZ (from file, over AXFR or IXFR) support. This loads the largest Spamhaus zone in 5 seconds on our hardware, containing around 2 million instructions.
  • All caches can now be wiped on suffixes, because of canonical ordering
  • Many many more relevant performance metrics, including upstream authoritative performance measurements (‘is it me or the network that is slow’)
  • EDNS Client Subnet support, including cache awareness of subnet-varying answers

More technical details are available in the changelog.

Finally – the big question is of course: when will the actual 4.0.0 releases (and 1.0 for dnsdist) happen. The answer is that all this depends on what you find out during testing. We may be closer or further from the goal. As of now we can’t tell. We will report back to you in January to let you know when we expect to be able to do a release that meets our standards. But the more you test, the sooner this will be!

You can download tarballs:

Packages for several distributions are available from our repositories.

Once again, thank you everyone for working with us on this release. Happy holidays and a splendid new year!

The PowerDNS development & automation team:  Peter, PieterRemi (and Bert, who spent this release week on a sunny island, and not helping much!).

PowerDNS Recursor 3.7.1 Released

Released February 12th, 2015.

Download page.

This version contains a mix of speedups and improvements, the combined effect of which is vastly improved resilience against traffic spikes and malicious query overloads.

Of further note is the massive community contribution, mostly over Christmas. Especially Ruben Kerkhof, Pieter Lexis, Kees Monshouwer and Aki Tuomi delivered a lot of love. Thanks!

Minor changes:

  • Removal of dead code here and there 04dc6d618
  • Per-qtype response counters are now 64 bit 297bb6acf on 64 bit systems
  • Add IPv6 addresses for b and c.root-servers.net hints efc259542
  • Add IP address to logging about terminated queries 37aa9904d
  • Improve qtype name logging fab3ed345 (Aki Tuomi)
  • Redefine ‘BAD_NETS’ for dont-query based on newer IANA guidance 12cd44ee0 (lochiiconnectivity)
  • Add documentation links to systemd unit eb154adfd (Ruben Kerkhof)

Improvements:

  • Upgrade embedded PolarSSL to 1.3.9: d330a2ea1
  • yahttp upgrade c29097577 c65a57e88 (Aki Tuomi)
  • Replace . in hostnames by – for Carbon so as not to confuse Metronome 46541751e
  • Manpages got a lot of love and are now built from Markdown (Pieter Lexis)
  • Move to PolarSSL base64 488360551 (Kees Monshouwer)
  • The quiet=no query logging is now more informative 461df9d20
  • We can finally bind to 0.0.0.0 and :: and guarantee answers from the correct source b71b60ee7
  • We use per-packet timestamps to drop ancient traffic in case of overload b71b60ee7, non-Linux portability ind63f0d836
  • Builtin webserver can be queried with the API key in the URL again c89f8cd02
  • Ringbuffers are now available via API c89f8cd02
  • Lua 5.3 compatibility 59c6fc3e3 (Kees Monshouwer)
  • No longer leave a stale UNIX domain socket around from rec_control if the recursor was down 524e4f4d8, ticket #2061
  • Running with ‘quiet=no’ would strangely actually prevent debug messages from being logged f48d7b657
  • Webserver now implements CORS for the API ea89a97e8, fixing ticket #1984
  • Houskeeping thread would sometimes run multiple times simultaneously, which worked, but was odd cc59bce67

New features:

  • New root-nx-trust flag makes PowerDNS generalize NXDOMAIN responses from the root-servers 01402d568
  • getregisteredname() for Lua, which turns ‘www.bbc.co.uk’ into ‘bbc.co.uk’ 8cd4851be
  • Lua preoutquery filter 3457a2a0e
  • Lua IP-based filter (ipfilter) before parsing packets 4ea949413
  • iputils class for Lua, to quickly process IP addresses and netmasks in their native format
  • getregisteredname function for Lua, to find the registered domain for a given name
  • Various new ringbuffers: top-servfail-remotes, top-largeanswer-remotes, top-servfail-queries

Speedups:

  • Remove unneeded malloc traffic 93d4a8909 8682c32bc a903b39cf
  • Our nameserver-loop detection carried around a lot of baggage for complex domain names, plus did not differentiate IPv4 and IPv6 well enough 891fbf888
  • Prioritize new queries over nameserver responses, improving latency under query bursts bf3b0cec3
  • Remove escaping in case there was nothing to escape 83b746fd1
  • Our logging infrastructure had a lot of locking d1449e4d0
  • Reduce logging level of certain common messages, which locked up synchronously logging systems 854d44e31
  • Add limit on total wall-clock time spent on a query 9de3e0340
  • Packet cache is now case-insensitive, which increases hitrate 90974597a

Security relevant:

  • Check for PIE, RELRO and stack protector during configure 8d0354b18 (Aki Tuomi)
  • Testing for support of PIE etc was improved in b2053c28c and beyond, fixes #2125 (Ruben Kerkhof)
  • Max query-per-query limit (max-qperq) is now configurable 173d790ea

Bugs fixed:

  • IPv6 outgoing queries had a disproportionate effect on our query load. Fixed in 76f190f2a and beyond.
  • rec_control gave incorrect output on a timeout 12997e9d8
  • When using the webserver AND having an error in the Lua script, recursor could crash during startup 62f0ae629
  • Hugely long version strings would trip up security polling 18b733382 (Kees Monshouwer)
  • The ‘remotes’ ringbuffer was sized incorrectly f8f243b01
  • Cache sizes had an off-by-one scaling problem, with the wrong number of entries allocated per thread f8f243b01
  • Our automatic file descriptor limit raising was attempted after setuid, which made it a lot less effective. Found and fixed by Aki Tuomi a6414fdce
  • Timestamps used for dropping packets were occasionaly wrong 183eb8774 and 4c4765c10 (RC2) with thanks to Winfried for debugging.
  • In RC1, our new DoS protection measures would crash the Recursor if too many root servers were unreachable.6a6fb05ad. Debugging and testing by Fusl.

Various other documentation changes by Christian Hofstaedtler and Ruben Kerkhof. Lots of improvements all over the place by Kees Monshouwer.

Diverting recursor-to-auth attacks

We get frequent reports from users/customers about various DNS-related attacks they are facing on either their authoritatives or recursors. This post focuses on one kind of attack that involves both. (Cloudmark wrote about this some time ago as well).

The attack works like this: given a target domain of example.com, the attacker takes his botnet, and has it fire off high amounts of $RANDOM.example.com queries. These queries go from the infected hosts to their recursors (i.e. normal ISP recursors). The recursors then need to go out to the auths, after all they don’t have any random string in cache.

When this attack starts, there is no packet count amplification – bot sends query to recursor, recursor sends to auth, answer flows back, done. However, if enough of this happens, one or more of the auths for example.com may get overloaded, and start responding more slowly, or not respond at all. The recursors will then either retry or move on to other auths, spreading the attack in the most effective and destructive way over the auths.

These attacks are painful, especially for authoritatives backed by (SQL) databases, like many PowerDNS users are running. Legitimate traffic for existing names gets cached very well inside pdns_server, but even if you put a wildcard in your database, these random queries will cause an SQL query, and those are costly.

Because SQL and random names are a bad fit, we get requests for being able to combine the bindbackend and an SQL backend in one pdns_server process. This works, but does not have the desired effect of offloading the SQL – we query both before sending out a response. So, something else needs to happen. While pondering that question this week, a few ideas came up:

  1. use IPTables u32 to match queries for the victim domain, and redirect them (I understand this can be done without generating a lot of state)
  2. teach dnsdist to pick backends based on domain name
  3. somehow get the recursors to redirect their traffic

I did not try ideas 1 and 2; I trust they will work in practice, and will effectively remove load from the SQL backends, but they still involve handling the whole malicious query load on the same server pipe. Luckily, it turns out idea 3 is feasible.

The idea behind 3 is to convince a recursor it is talking to the wrong machines, by virtue of sending it a new NSset in the AUTHORITY section of a response. Some authoritative servers will include the NSset from the zone in every response, but PowerDNS does not do this – so we need another trick.

Some time ago we added an experimental, internal-use-only feature to the Authoritative Server called lua-prequery, to be used specifically for our Recursor regression tests. While never designed for production usage, we can abuse it to make idea 3 work.

require 'posix'

function endswith(s, send)
 return #s >= #send and s:find(send, #s-#send+1, true) and true or false
end

function prequery ( dnspacket )
 qname, qtype = dnspacket:getQuestion()
 print(os.time(), qname,qtype)
 if endswith(qname, '.example.com') and posix.stat('/etc/powerdns/dropit')
 then
   dnspacket:setRcode(pdns.NXDOMAIN)
   ret = {}
   ret[1] = {qname='example.com', qtype=pdns.NS, content="ns-nosql.example.com", place=2, ttl=30}
   ret[2] = {qname='example.com', qtype=pdns.NS, content="ns-nosql2.example.com", place=2, ttl=30}
   dnspacket:addRecords(ret)
   return true
 end
 return false
end

(A careful reader noted that the stat() call, while cached, may not be the most efficient way to enable/disable this thing. Caveat emptor.)

This piece of code, combined with a reference to it in pdns.conf (‘lua-prequery-script=/etc/powerdns/prequery.lua‘), will cause pdns_server to send authoritative NXDOMAINs for any query ending in example.com, and include a new NSset, suggesting the recursor go look ‘over there’.

In our testing, BIND simply ignored the new NSset (we did not investigate why). PowerDNS Recursor believes what you tell it, and will stick to it until the TTL (30 seconds in this example) runs out. Unbound will also believe you, but if none of the machines you redirect it to actually work, it will come back. So, in general we recommend you point the traffic to a set of machines that can give valid replies.

In a lab setting, we found that with both Unbound and PowerDNS Recursor, this approach can move -all- traffic from your normal nameservers to the offload hosts, except for a few packets every TTL seconds. Depending on attack rate and TTL, this easily means offloading >99.9% of traffic, assuming no BIND is involved. In the real world, where some ISPs do use BIND for recursion, you won’t hit 99% or 90% but this approach may still help a lot.

We have not tried this on a real world attack, yet.

What’s next?

If you are under such an attack, and would like to give this a shot, please contact us, we’d love to try this on a real attack!

If you feel like toying around with this (I really want to find out how to make BIND cooperate, but I ran out of time), please get in touch (IRC preferred), I want to talk to you 🙂

PowerDNS Security Advisory 2014-02

PowerDNS Security Advisory 2014-02: PowerDNS Recursor 3.6.1 and earlier can be made to provide bad service

Hi everybody,

Please be aware of PowerDNS Security Advisory 2014-02, which you can also find below. The good news is that the currently released version of the PowerDNS Recursor is safe. The bad news is that users of older versions will have to upgrade.

PowerDNS Recursor 3.6.2, released late October, is in wide production use and has been working well for our users. If however you have reasons not to upgrade, the advisory below contains a link to a patch which applies to older versions.

Finally, if you have problems upgrading, please either contact us on our mailing lists, or privately via powerdns.support@powerdns.com (should you wish to make use of our SLA-backed support program).

We want to thank Florian Maury of French government information security agency ANSSI for bringing this issue to our attention and coordinating the security release with us and other nameserver vendors.

  • CVE: CVE-2014-8601
  • Date: 8th of December 2014
  • Credit: Florian Maury (ANSSI)
  • Affects: PowerDNS Recursor versions 3.6.1 and earlier
  • Not affected: PowerDNS Recursor 3.6.2; no versions of PowerDNS Authoritative Server
  • Severity: High
  • Impact: Degraded service
  • Exploit: This problem can be triggered by sending queries for specifically configured domains
  • Risk of system compromise: No
  • Solution: Upgrade to PowerDNS Recursor 3.6.2
  • Workaround: None known. Exposure can be limited by configuring the allow-from setting so only trusted users can query your nameserver.

Recently we released PowerDNS Recursor 3.6.2 with a new feature that strictly limits the amount of work we’ll perform to resolve a single query. This feature was inspired by performance degradations noted when resolving  domains hosted by ‘ezdns.it’, which can require thousands of queries to  resolve.

During the 3.6.2 release process, we were contacted by a government security agency with news that they had found that all major caching nameservers, including PowerDNS, could be negatively impacted by specially configured, hard to resolve domain names. With their permission, we continued the 3.6.2 release process with the fix for the issue already in there.

We recommend that all users upgrade to 3.6.2 if at all possible. Alternatively, if you want to apply a minimal fix to your own tree, it can be found here, including patches for older versions.

As for workarounds, only clients in allow-from are able to trigger the degraded service, so this should be limited to your userbase.

Note that in addition to providing bad service, this issue can be abused to send unwanted traffic to an unwilling third party. Please see ANSSI’s report for more information.

Authoritative Server 3.4.0 Release Candidate 1

[Warning] Warning
Version 3.4.0 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to Section 6, “From PowerDNS Authoritative Server 3.3.1 to 3.4.0” and any relevant sections before it, before deploying this version.

This is a performance, feature, bugfix and conformity update to 3.3.1 and any earlier version. It contains a huge amount of work by various contributors, to whom we are very grateful.

A list of changes since 3.3.1 follows.

DNSSEC changes:

  • commit bba8413: add option (max-signature-cache-entries) to limit the maximum number of cached signatures.
  • commit 28b66a9: limit the number of NSEC3 iterations (see RFC5155 10.3), with the max-nsec3-iterations option.
  • commit b50efd6: drop the ‘superfluous NSEC3’ option that old BIND validators need.
  • The bindbackend ‘hybrid’ mode was reintroduced by Kees Monshouwer. Enable it with bind-hybrid.
  • Aki Tuomi contributed experimental PKCS#11 support for DNSSEC key management with a (Soft)HSM.
  • Direct RRSIG queries now return NOTIMP.
  • commit fa37777: add secure-all-zones command to pdnssec
  • Unrectified zones can now get rectified ‘on the fly’ during outgoing AXFR. This makes it possible to run a hidden signing master without rectification.
  • commit 82fb538: AXFR in: don’t accept zones with a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs
  • Various minor bugfixes, mostly from the unstoppable Kees Monshouwer.
  • commit 0c4c552: set non-zero exit status in pdnssec if an exception was thrown, for easier automatic usage.
  • commit b8bd119: pdnssec -v show-zone: Print all keys instead of just entry point keys.
  • commit 52e0d78: answer direct NSEC queries without DO bit
  • commit ca2eb01: output ZSK DNSKEY records if experimental-direct-dnskey support is enabled
  • commit 83609e2: SOA-EDIT: fix INCEPTION-INCREMENT handling
  • commit ac4a2f1: AXFR-out can handle secure and insecure NSEC3 optout delegations
  • commit ff47302: AXFR-in can handle secure and insecure NSEC3 optout delegations

New features:

  • DNAME support. Enable with experimental-dname-processing.
  • PowerDNS can now send stats directly to Carbon servers. Enable with carbon-server, tweak with carbon-ourname and carbon-interval.
  • commit 767da1a: Add list-zone capability to pdns_control
  • commit 51f6bca: Add delete-zone to pdnssec.
  • The gsql backends now support record comments, and disabling records.
  • The new reuseport config option allows setting SO_REUSEPORT, which allows for some performance improvements.
  • local-address-nonexist-fail and local-ipv6-nonexist-fail allow pdns to start up even if some addresses fail to bind.
  • ‘AXFR-SOURCE’ in domainmetadata sets the source address for an AXFR retrieval.
  • commit 451ba51: Implement pdnssec get-meta/set-meta
  • Experimental RFC2136/DNS UPDATE support from Ruben d’Arco, with extensive testing by Kees Monshouwer.
  • pdns_control bind-add-zone
  • New option bind-ignore-broken-records ignores out-of-zone records while loading zone files.
  • pdnssec now has commands for TSIG key management.
  • We now support other algorithms than MD5 for TSIG.
  • commit ba7244a: implement pdns_control qtypes
  • Support for += syntax for options

Bugfixes:

  • We verify the algorithm used for TSIG queries, and use the right algorithm in signing if there is possible confusion. Plus a few minor TSIG-related fixes.
  • commit ff99a74: making *-threads settings empty now yields a default of one instead of zero.
  • commit 9215e60: we had a deadly embrace in getUpdatedMasters in bindbackend reimplementation, thanks to Winfried for detailed debugging!
  • commit 9245fd9: don’t addSuckRequest after supermaster zone creation to avoid one cause of simultaneous AXFR for the same zone
  • commit 719f902: fix dual-stack superslave when multiple namservers share a ip
  • commit 33966bf: avoid address truncation in doNotifications
  • commit eac85b1: prevent duplicate slave notications caused by different ipv6 address formatting
  • commit 3c8a711: make notification queue ipv6 compatible
  • commit 0c13e45: make isMaster ip check more tolerant for different ipv6 notations
  • Various fixes for possible issues reported by Coverity Scan (commit f17c93b, )
  • commit 9083987: don’t rely on included polarssl header files when using system polarssl. Spotted by Oden Eriksson of Mandriva, thanks!
  • Various users reported pdns_control hangs, especially when using the guardian. We are confident that all causes of these hangs are now gone.
  • Decreasing the webserver ringbuffer size could cause crashes.
  • commit 4c89cce: nproxy: Add missing chdir(“/”) after chroot()
  • commit 016a0ab: actually notice timeout during AXFR retrieve, thanks hkraal

REST API changes:

  • The REST API was much improved and is nearing stability, thanks to Christian Hofstaedtler and others.
  • Mark Schouten at Tuxis contributed a zone importer.

Other changes:

  • Our tarballs and packages now include *.sql schema files for the SQL backends.
  • The webserver (including API) now has an ACL (webserver-allow-from).
  • Webserver (including API) is now powered by YaHTTP.
  • Various autotools usage improvements from Ruben Kerkhof.
  • The dist tarball is now bzip2-compressed instead of gzip.
  • Various remotebackend updates, including replacing curl with (included) yahttp.
  • Dynamic module loading is now allowed on Mac OS X.
  • The AXFR ACL (allow-axfr-ips) now defaults to 127.0.0.0/8,::1 instead of the whole world.
  • commit ba91c2f: remove unused gpgsql-socket option and document postgres socket usage
  • Improved support for Lua 5.2.
  • The edns-subnet option code is now fixed at 8, and the edns-subnet-option-numbers option has been removed.
  • geobackend now has very limited edns-subnet support – it will use the ‘real’ remote if available.
  • pipebackend ABI v4 adds the zone name to the AXFR command.
  • We now avoid getaddrinfo() as much as possible.
  • The packet cache now handles (forwarded) recursive answers better, including TTL aging and respecting allow-recursion.
  • commit ff5ba4f: pdns_server –help no longer exits with 1.
  • Mark Zealey contributed an experimental LMDB backend. Kees Monshouwer added experimental DNSSEC support to it. Thanks, both!
  • commit 81859ba: No longer attempt to answer questions coming in from port 0, reply would not reach them anyhow. Thanks to Niels Bakker and sid3windr for insight & debugging. Closes ticket 844.
  • RCodes are now reported in text in various places, thanks Aki.
  • Kees Monshouwer set up automatic testing for the oracle and goracle backends, and fixed various issues in them.
  • Leftovers of previous support for Windows have been removed, thanks to Kees Monshouwer, Aki Tuomi.
  • Bundled PolarSSL has been upgraded to 1.3.2
  • PolarSSL replaced previously bundled implementations of AES (commit e22d9b4) and SHA (commit 9101035)
  • bindbackend is now a module
  • commit 14a2e52: Use the inet data type for supermasters.ip on postgrsql.
  • We now send an empty SERVFAIL when a CNAME chain is too long, instead of including the partial chain.
  • commit 3613a51: Show built-in features in –version output
  • commit 4bd7d35: make domainmetadata queries case insensitive
  • commit 088c334: output warning message when no to be notified NS’s are found
  • commit 5631b44: gpsqlbackend: use empty defaults for dbname and user; libpq will use the current user name for both by default
  • commit d87ded3: implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size – no matter what EDNS0 said. Plus document it.
  • Implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size – no matter what EDNS0 said.
  • On shutdown, PowerDNS now attempts to stop all processes in its process group, especially useful for pipe/remotebackend users. Feature donated by Spotify.
  • Removed settings related to fancy records, as we haven’t supported those since version 3.0
  • Based on earlier work by Mark Zealey, Kees Monshouwer increased our packet cache performance between 200% and 500% depending on the situation, by simplifying some code in commit 801812e and commit 8403ade.

Recursor 3.6.0 released

This is a performance, feature and bugfix update to 3.5/3.5.3. It contains important fixes for slightly broken domain names, which your users expect to work anyhow. It also brings robust resilience against certain classes of attacks.

Changes between RC1 and release:

 

New features:

  • commit aadceba: Implement minimum-ttl-override config setting, plus runtime configurability via ‘rec_control set-minimum-ttl’.
  • Lots of work on the JSON API, which is exposed via Aki Tuomi’s ‘yahttp’. Massive thanks to Christian Hofstaedtler for delivering this exciting new functionality. Documentation & demo forthcoming, but code to use it is available on GitHub.
  • Lua modules can now use ‘pdnslog(INFO..’), as described in ticket 1074, implemented in commit 674a305
  • Adopt any-to-tcp feature to the recursor. Based on a patch by Winfried Angele. Closes ticket 836commit 56b4d21 and commit e661a20.
  • commit 2c78bd5: implement built-in statistics dumper using the ‘carbon’ protocol, which is also understood by metronome (our mini-graphite). Use ‘carbon-server’, ‘carbon-ourname’ and ‘carbon-interval’ settings.
  • New setting ‘udp-truncation-threshold’ to configure from how many bytes we should truncate. commit a09a8ce.
  • Proper support for CHaos class for CHAOS TXT queries. commit c86e1f2, addition for lua in commit f94c53d, some warnings in commit 438db54 however.
  • Added support for Lua scripts to drop queries w/o further processing. commit 0478c54.
  • Kevin Holly added qtype statistics to recursor and rec_control (get-qtypelist) (commit 79332bf)
  • Add support for include-files in configuration, also reload ACLs and zones defined in them (commit 829849dcommit 242b90ecommit 302df81).
  • Paulo Anes contributed server-down-max-fails which helps combat Recursive DNS based amplification attacks. Described in this post. Also comes with new metric ‘failed-host-entries’ in commit 406f46f.
  • commit 21e7976: Implement “followCNAMERecords” feature in the Lua hooks.

Improvements:

  • commit 06ea901: make pdns-distributes-queries use a hash so related queries get sent to the same thread. Original idea by Winfried Angele. Astoundingly effective, approximately halves CPU usage!
  • commit b13e737: –help now writes to stdout instead of stderr. Thanks Winfried Angele.
  • To aid in limiting DoS attacks, when truncating a response, we actually truncate all the way so only the question remains. Suggested inticket 1092, code in commit add935a.
  • No longer experimental, the switch ‘pdns-distributes-queries’ can improve multi-threaded performance on Linux (various cleanup commits).
  • Update to embedded PolarSSL, plus remove previous AES implementation and shift to PolarSSL (commit e22d9b4commit 990ad9a)
  • commit 92c0733 moves various Lua magic constants into an enum namespace.
  • set group and supplementary groups before chroot (commit 6ee50ceticket 1198).
  • commit 4e9a20e: raise our socket buffer setting so it no longer generates a warning about lowering it.
  • commit 4e9a20e: warn about Linux suboptimal IPv6 settings if we detect them.
  • SIGUSR2 turns on a ‘trace’ of all DNS traffic, a second SIGUSR2 now turns it off again. commit 4f217ce.
  • Various fixes for Lua 5.2.
  • commit 81859ba: No longer attempt to answer questions coming in from port 0, reply would not reach them anyhow. Thanks to Niels Bakker and ‘sid3windr’ for insight & debugging. Closes ticket 844.
  • commit b1a2d6c: now, I’m not one to get OCD over things, but that log message about stats based on 1801 seconds got to me. 1800 now.

Fixes:

  • 0c9de4fc: stay away from getaddrinfo unless we really can’t help it for ascii ipv6 conversions to binary
  • commit 08f3f63: fix average latency calculation, closing ticket 424.
  • commit 75ba907: Some of our counters were still 32 bits, now 64.
  • commit 2f22827: Fix statistics and stability when running with pdns-distributes-queries.
  • commit 6196f90: avoid merging old and new additional data, fixes an issue caused by weird (but probably legal) Akamai behaviour
  • commit 3a8a4d6: make sure we don’t exceed the number of available filedescriptors for mthreads. Raises performance in case of DoS. See this post for further details.
  • commit 7313fe6: implement indexed packet cache wiping for recursor, orders of magnitude faster. Important when reloading all zones, which causes massive cache cleaning.
  • rec_control get-all would include ‘cache-bytes’ and ‘packetcache-bytes’, which were expensive operations, too expensive for frequent polling. Removed in commit 8e42d27.
  • All old workarounds for supporting Windows of the XP era have been removed.
  • Fix issues on S390X based systems which have unsigned characters (commit 916a0fd)

Recursor 3.6.0 Release Candidate 1

This is a performance, feature and bugfix update to 3.5/3.5.3. It contains important fixes for slightly broken domain names, which your users expect to work anyhow. It also brings robust resilience against certain classes of attacks.

New features:

  • commit aadceba: Implement minimum-ttl-override config setting, plus runtime configurability via ‘rec_control set-minimum-ttl’.
  • Lots of work on the JSON API, which is exposed via Aki Tuomi’s ‘yahttp’. Massive thanks to Christian Hofstaedtler for delivering this exciting new functionality. Documentation & demo forthcoming, but code to use it is available on GitHub.
  • Lua modules can now use ‘pdnslog(INFO..’), as described in ticket 1074, implemented in commit 674a305
  • Adopt any-to-tcp feature to the recursor. Based on a patch by Winfried Angele. Closes ticket 836commit 56b4d21 and commit e661a20.
  • commit 2c78bd5: implement built-in statistics dumper using the ‘carbon’ protocol, which is also understood by metronome (our mini-graphite). Use ‘carbon-server’, ‘carbon-ourname’ and ‘carbon-interval’ settings.
  • New setting ‘udp-truncation-threshold’ to configure from how many bytes we should truncate. commit a09a8ce.
  • Proper support for CHaos class for CHAOS TXT queries. commit c86e1f2, addition for lua in commit f94c53d, some warnings in commit 438db54 however.
  • Added support for Lua scripts to drop queries w/o further processing. commit 0478c54.
  • Kevin Holly added qtype statistics to recursor and rec_control (get-qtypelist) (commit 79332bf)
  • Add support for include-files in configuration, also reload ACLs and zones defined in them (commit 829849dcommit 242b90ecommit 302df81).
  • Paulo Anes contributed server-down-max-fails which helps combat Recursive DNS based amplification attacks. Described in this post. Also comes with new metric ‘failed-host-entries’ in commit 406f46f.
  • commit 21e7976: Implement “followCNAMERecords” feature in the Lua hooks.

Improvements:

  • commit 06ea901: make pdns-distributes-queries use a hash so related queries get sent to the same thread. Original idea by Winfried Angele. Astoundingly effective, approximately halves CPU usage!
  • commit b13e737: –help now writes to stdout instead of stderr. Thanks Winfried Angele.
  • To aid in limiting DoS attacks, when truncating a response, we actually truncate all the way so only the question remains. Suggested inticket 1092, code in commit add935a.
  • No longer experimental, the switch ‘pdns-distributes-queries’ can improve multi-threaded performance on Linux (various cleanup commits).
  • Update to embedded PolarSSL, plus remove previous AES implementation and shift to PolarSSL (commit e22d9b4commit 990ad9a)
  • commit 92c0733 moves various Lua magic constants into an enum namespace.
  • set group and supplementary groups before chroot (commit 6ee50ceticket 1198).
  • commit 4e9a20e: raise our socket buffer setting so it no longer generates a warning about lowering it.
  • commit 4e9a20e: warn about Linux suboptimal IPv6 settings if we detect them.
  • SIGUSR2 turns on a ‘trace’ of all DNS traffic, a second SIGUSR2 now turns it off again. commit 4f217ce.
  • Various fixes for Lua 5.2.
  • commit 81859ba: No longer attempt to answer questions coming in from port 0, reply would not reach them anyhow. Thanks to Niels Bakker and ‘sid3windr’ for insight & debugging. Closes ticket 844.
  • commit b1a2d6c: now, I’m not one to get OCD over things, but that log message about stats based on 1801 seconds got to me. 1800 now.

Fixes:

  • 0c9de4fc: stay away from getaddrinfo unless we really can’t help it for ascii ipv6 conversions to binary
  • commit 08f3f63: fix average latency calculation, closing ticket 424.
  • commit 75ba907: Some of our counters were still 32 bits, now 64.
  • commit 2f22827: Fix statistics and stability when running with pdns-distributes-queries.
  • commit 6196f90: avoid merging old and new additional data, fixes an issue caused by weird (but probably legal) Akamai behaviour
  • commit 3a8a4d6: make sure we don’t exceed the number of available filedescriptors for mthreads. Raises performance in case of DoS. See this post for further details.
  • commit 7313fe6: implement indexed packet cache wiping for recursor, orders of magnitude faster. Important when reloading all zones, which causes massive cache cleaning.
  • rec_control get-all would include ‘cache-bytes’ and ‘packetcache-bytes’, which were expensive operations, too expensive for frequent polling. Removed in commit 8e42d27.
  • All old workarounds for supporting Windows of the XP era have been removed.
  • Fix issues on S390X based systems which have unsigned characters (commit 916a0fd)