PowerDNS Blog

DNSdist as a router-ready solution

Written by Robert Brandt | Apr 12, 2023 3:15:00 PM

As you might have read, with the release of DNSdist 1.8, PowerDNS brings DNS encryption with DNS over TLS (DoT) and DNS over HTTPS (DoH) to CPEs and therefore protects the confidentiality and integrity of traffic in the first mile of internet access. The reason for our efforts to make DNSdist CPE-ready is obvious: DNS acts as the address book of the internet and is a key element in making services accessible by providing human-readable domain names for internet services. For consumers, any action on the internet starts with the client looking up the IP addresses of the service using the domain name system. These lookups are sent to the CPE[1] (customer premise equipment), which is the box provided by the internet service provider to facilitate a user’s connection (often called ‘the ISP router’ or modem). The CPE thus represents the initial gateway into a user’s network.

Plaintext DNS requests over UDP or TCP are often simply forwarded by the router to the DNS infrastructure inside the ISP’s network. This could consist of a PowerDNS recursive DNS solution with our Recursor and DNSdist, as well as the Protect DNS security filtering capabilities, residing inside the ISP’s data centers. This is where all the complex features and DNS filtering take place.

However, with the current release of DNSdist 1.8, it is now possible to run DNSdist on the router or CPE itself. Having DNSdist on the router can bring a range of advantages. For example, the router can act as an encrypted DNS endpoint (with DoH or DoT) and provide additional powerful capabilities such as scripting, rate-limiting, and caching. It also enables DNS-based security filtering on the router, much closer to the end-user.

Technically, making DNSdist ‘router-ready’ was no small feat: home routers often have very limited CPU power and RAM available. In the past year, the PowerDNS development team has been working hard on making DNSdist ready for this challenge. This included enabling DNSdist to make efficient use of the resources within the ‘lower-spec’ devices that ISPs typically provide as routers. In addition, DNSdist 1.8 is now available for OpenWrt[2], the open-source operating system designed for routers. This means DNSdist can now run on low-end hardware with a limited RAM, storage, and CPU footprint.

At PowerDNS, we are very excited about this development and the possibilities it opens up. We believe that with this, DNSdist will become an invaluable tool to have on routers, which will also help further drive the adoption of encrypted DNS.

With these developments, PowerDNS can work with CPE manufacturers and solution providers to offer security and encrypted DNS functionality on the router, the ‘front door’ into a user’s network of connected devices.

Please reach out to us if you would like to learn more about router-ready DNSdist.

[1] The CPE often consists of a modem and router in one. This device acts as the connection point between a user’s home network (via Wi-Fi or UTP cables in the house) and the internet provider’s network (via DSL, cable, or fiber connections).
[2] OpenWrt is a router-specific Linux-based operating system, see www.openwrt.org.