DNSdist 1.5.0 delivers enhancements for DoH and better performance

Jul 31, 2020

Open-Xchange has launched the latest version of DNSdist – our unique DNS proxy and load balancer that optimizes the internet experience of hundreds of millions of internet subscribers.

It is a major driver of DNS encryption and powers some significant production DNS over HTTPS (DoH) environments, as well as pilots for a range of international big telcos. It also ensures the best possible performance of DNS deployments and optimizes DNS traffic in front of the PowerDNS Recursor (or existing legacy recursive DNS servers), delivering low latency responses to subscribers based on location, time and content.

In addition, DNSdist is highly optimized to protect against malicious and abusive traffic such as DDoS attacks and DNS tunneling, and includes a flexible policy engine to enable new rules and filters to be created and combined to suit the characteristics of local traffic.

PowerDNS DNSdist 1.5.0 comes with performance enhancements and offers improvements in areas including DNS encryption and per device security.

DNSdist 1.4.0, which launched in November 2019, introduced two standards to encrypt DNS traffic, DNS over TLS (DoT) and DoH. Both of these protocols provide privacy and integrity protection for DNS traffic and are used to encrypt the traffic between the DNS client (e.g. laptop, mobile device, IoT device, etc.) and the DNS resolver.

DNSdist 1.4.0 is currently involved in a range of trials with large network providers, including BT in the UK, which understands the importance of keeping DNS available at the Internet Service Provider. This brings advantages to both to end-users, in terms of latency and access to local content caches, and the network itself, as it offers better control over CDN caching and control over the end-to-end latency experience for subscribers.

To further support the use of DNS encryption, DNSdist 1.5.0 comes with a number of DoH improvements, such as the interaction with generic HTTPS caches through a cache control header. The cache control header allows setting the lowest DNS time to live (TTL) for the generic cache, forcing the cache to be cleared at the minimum expiration time.

DNSdist 1.5.0 also further extends PowerDNS’ endpoint security capabilities and enables specific per device filtering options for parental controls and malware protection. This is done via a proxy protocol, which provides the information needed for automated decision-making and autonomous actions.

Finally, DNSdist 1.5.0 also improves the overall load balancer’s performance to ensure the best possible performance is gained in every DNS installation. This includes:

  • Custom Lua rules that now enable DNSdist to adapt to individual needs without impacting performance;
  • The ability to balance traffic over all backends equally when desired, so that no individual backend handles significantly more traffic than others;
  • Quicker overall checkups based on parallel – instead of sequential – health checks for installations with a large number of backends;
  • Overall performance improvement for logging queries.

For more information on PowerDNS DNSdist 1.5.0 please contact us.


About the author

Alexander ter Haar

Alexander ter Haar

PowerDNS Product Management


Related Articles

Promoting a discussion on DNS-over-HTTPS

In the last few months, we have seen a lot of community discussion around the latest development in the internet’s naming...

Vittorio Bertola 11/6/18

DoH: (Anti-)Competitive and Network Neutrality aspects

Much has already been written on how moving to centralised DNS is bad for our privacy in 2019, and on that basis alone...

Bert Hubert 12/3/19

DNS encryption in PowerDNS: where we are

Back in 2018, when the IETF introduced two standards on DNS encryption, PowerDNS was amongst the first to adopt and offer...

Alexander ter Haar 07/3/21

On Firefox moving DNS to a third party

DNS lookups occur for every website visited. The processor of DNS requests gets a complete picture of what a household or...

Bert Hubert 09/3/18