DNSdist 1.5.0 delivers enhancements for DoH and better performance

Jul 31, 2020

Open-Xchange has launched the latest version of DNSdist – our unique DNS proxy and load balancer that optimizes the internet experience of hundreds of millions of internet subscribers.

It is a major driver of DNS encryption and powers some significant production DNS over HTTPS (DoH) environments, as well as pilots for a range of big international telcos. It also ensures the best possible performance of DNS deployments and optimizes DNS traffic in front of the PowerDNS Recursor (or existing legacy recursive DNS servers), delivering low-latency responses to subscribers based on location, time and content.

In addition, DNSdist is highly optimized to protect against malicious and abusive traffic such as DDoS attacks and DNS tunneling, and includes a flexible policy engine to enable new rules and filters to be created and combined to suit the characteristics of local traffic.

PowerDNS DNSdist 1.5.0 comes with performance enhancements and offers improvements in areas including DNS encryption and per-device security.

DNSdist 1.4.0, which launched in November 2019, introduced two standards to encrypt DNS traffic, DNS over TLS (DoT) and DoH. Both of these protocols provide privacy and integrity protection for DNS traffic and are used to encrypt the traffic between the DNS client (e.g. laptop, mobile device, IoT device, etc.) and the DNS resolver.

DNSdist 1.4.0 is currently involved in a range of trials with large network providers, including BT in the UK, which understands the importance of keeping DNS available at the Internet Service Provider. This brings advantages both to end-users, in terms of latency and access to local content caches, and to the network itself, as it offers better control over CDN caching and over the end-to-end latency experience for subscribers.

To further support the use of DNS encryption, DNSdist 1.5.0 comes with a number of DoH improvements, such as interaction with generic HTTPS caches through a Cache-Control header. The Cache-Control header passes the lowest DNS time to live (TTL) to the generic cache, forcing the cached entry to be cleared at the minimum expiration time.
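As an added illustration (not DNSdist's own code), the sketch below derives a Cache-Control `max-age` value from the lowest TTL in the answer section of a DNS response, in line with the RFC 8484 rule that a DoH response's freshness lifetime must not exceed the smallest answer TTL. The function names and the sample message are constructed for this example.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:                # root label terminates the name
            return off + 1
        off += 1 + length

def min_answer_ttl(msg):
    """Smallest TTL in the answer section, or None when there are no answers."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off, ttls = 12, []
    try:
        for _ in range(qdcount):
            off = skip_name(msg, off) + 4          # QTYPE + QCLASS
        for _ in range(ancount):
            off = skip_name(msg, off)
            _rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            # RFC 2181: a TTL with the top bit set is treated as zero
            ttls.append(0 if ttl > 0x7FFFFFFF else ttl)
    except (IndexError, struct.error):
        raise ValueError("truncated DNS message")
    if off > len(msg):
        raise ValueError("record data runs past end of message")
    return min(ttls) if ttls else None

def cache_control(msg):
    """Header value for the HTTP cache; None means this sketch emits no header."""
    ttl = min_answer_ttl(msg)
    return None if ttl is None else f"max-age={ttl}"

# Constructed sample response: www.example.com CNAME (TTL 300) plus an A record (TTL 60).
SAMPLE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 2, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 2) + b"\xc0\x10"
    + b"\xc0\x10" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(cache_control(SAMPLE))
```

An HTTP cache that honours this header drops the entry once the shortest-lived record would have expired, so it never serves DNS data staler than the resolver itself would.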

DNSdist 1.5.0 also further extends PowerDNS’ endpoint security capabilities and enables specific per-device filtering options for parental controls and malware protection. This is done via a proxy protocol, which provides the information needed for automated decision-making and autonomous actions.

Finally, DNSdist 1.5.0 also improves the load balancer’s overall performance, so that every DNS installation gets the best possible performance. This includes:

  • Custom Lua rules that now enable DNSdist to adapt to individual needs without impacting performance;
  • The ability to balance traffic over all backends equally when desired, so that no individual backend handles significantly more traffic than others;
  • Quicker overall checkups based on parallel – instead of sequential – health checks for installations with a large number of backends;
  • Overall performance improvement for logging queries.

For more information on PowerDNS DNSdist 1.5.0 please contact us.


About the author

Alexander ter Haar

PowerDNS Product Management

