dnsdist 1.1.0 released

We are very pleased to announce the availability of dnsdist 1.1.0. There have been very few changes since 1.1.0-beta2, the most significant ones being that we now handle header-only responses, and that “Refused” responses are now handled by the cache in the same way as “ServFail” ones.

dnsdist 1.1.0 has seen a significant amount of development, mostly based on feedback from they many 1.0 deployments. The majority of the new features have already been taken into production by pre-release and beta users.

Highlights include:

  • TeeAction: send queries to a second nameserver, but ignore responses. Used to test new installations on existing traffic. Also used by the Yeti rootserver project.
  • Response rules which act on received responses
  • AXFR/IXFR support, including filtering options
  • Linux kernel based query type and query name filtering (eBPF), for very high speed packet rejection. Includes counters and statistics
  • Query counting infrastructure (contributed by TransIP’s Reinier Schoof)

For the many other new features, improvements and bug fixes, please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.

PowerDNS: 2016 in review

Hi everyone,

As 2016 draws to a close, we’d like to share a few words on what has been achieved over the past year, our second year within Open-Xchange. This post will cover both our technical and commercial efforts, including the PowerDNS Platform which provides per-subscriber malware filtering & parental control. And, we are hiring!

At the end of 2015, we released ‘Technology Preview Releases’ of PowerDNS Authoritative Server 4, PowerDNS Recursor 4 and dnsdist 1.0. This was done to somewhat keep our promise of releasing those versions in 2015, but fell short of what we had hoped to achieve.

Now at the end of 2016 the news is a lot better. The actual 4.0 and 1.0 (dnsdist) releases have happened and are being deployed far faster than we’d been hoping for. This is probably due to some of the exciting new features:

  • RPZ for security & DNS filtering purposes (including IXFR)
  • dnsdist for reliability, flexibility and DoS protection
  • pdnsutil edit-zone for a pretty awesome way to edit DNS zones
  • DNSSEC validation in Recursor
  • Vastly more powerful Lua engines
  • ALIAS record type that now powers many of the .GOV search engines DNSSEC (including the White House!)

A notable DNSSEC deployment is over at our friends of xs4all who not only sign domains with the PowerDNS Authoritative Server, but recently have also turned on validation on their PowerDNS Recursors for their large userbase.

4.0 and dnsdist were both part of a ‘spring cleaning’ exercise. It is good to realize how rare it is for a software project to go through such an exercise. 4.0 and dnsdist are based on a much cleaned up and improved codebase.

We are also very grateful for our community that stepped up to contribute to 4.x in the form of code, great bug reports, design ideas, documentation and actual bug fixes. Our meagre offering of ‘PowerDNS Crew’ mugs is the least we could do!

Some stats that bear out the community involvement: In 2016, our Github repository was forked over a 100 times, yielding almost a 1000 Pull Requests most of which were merged, for a total of over 2500 new commits. These commits closed 1300 issue tickets.

As you may recall, since 2015 PowerDNS is part of OX, together with our cousins from Dovecot. When we announced the merger, some voiced fear about what this would mean for PowerDNS. We can now safely say that the state of the PowerDNS source in 2016 is way stronger than it was in 2015.

Besides finishing the spring cleaning of our open source products, 2016 also saw the release of the PowerDNS Platform which, unusually for us, is not fully open source. We explained this in our blog post as follows:

Putting it more strongly: we have learned that many organizations simply no longer have the time or desire to assemble all the technologies themselves around our Open Source products.

We will therefore be marketing the additional functionalities we have been delivering to our customers as a product tentatively called the “PowerDNS Platform”

The “PowerDNS Platform” as we ship it consists of our core unmodified Open Source products, plus loads of other open source technologies, combined with a management shell that is not an Open Source product that we’ll in fact sell.

The PowerDNS Platform is described here. Feedback on the move to supply the Platform has been good, both from our commercial users and from the PowerDNS development  and wider DNS community, for which we are grateful.

Now at the end of 2016 we can report that the PowerDNS Platform has been selected to provide a malware & parental control enabled DNS solution for over 10 million Internet subscribers in Europe. We will be displacing a fully closed solution, which is a win for an open internet.

In addition, this commercial progress provides a healthy & sustainable basis on which to continue to develop the PowerDNS nameservers and dnsdist.


We have regained control over powerdns.org. As outlined in our blogpost:

Recently we decided it was time to get the .org back anyhow and after negotiating for a few days we finally paid up, and shortly after that we were back in control of powerdns.org, at a cost of $1000.

This personally left me with a bad aftertaste since effectively we have paid a chain of people that specialise in taking over domains for ransom purposes.


To compensate for all this, we’ve decided to donate €1000 to the Doctors without Borders charity.


We have shipped close to 500 PowerDNS Release mugs to contributors, friends and conference visitors. If you missed out on our giveaway, you can order PowerDNS mugs online from our friends over at Mugbug, who have been an absolute joy to work with.

Root-server speedup

We also had a good time working with the fine people of the RIPE NCC. Anand Buddhdev there decided to do some benchmarking to determine the root-server suitability of a bunch of nameservers. And lo, during his testing, he found that PowerDNS 4.0 was not very suitable. After a good month of investigations & improvements, we managed to achieve a 400% speedup in the PowerDNS Authoritative Server which actually also helped the PowerDNS Recursor.

We shared our learnings on modern optimization in this Medium post which at >10k visits is the second best read post we have ever done. These speedups will be available in the 4.1 releases of our software.


PowerDNS grew this year! Open-Xchange gained a product manager (Alexander ter Haar) and we are also benefiting greatly from Nico Cartron (previously of EfficientIP) and Andrea Tosatto who are helping with automation, deployability and pre-sales work. In addition, we continue to work happily with members of the extended PowerDNS family who we contract with for development, training, documentation and professional services.

But.. it is not enough. We are still looking for two permanent positions, one in professional services, one in front-end development with a smattering of backend. For more details, please head to our careers page.


Thank you for being involved with PowerDNS, the software and the community. Reading this post to the end means you really care. 🙂

We wish you a great 2017!

dnsdist 1.1.0 Beta 2 released

We are pleased to announce the availability of the second beta release of dnsdist 1.1.0. We fixed several bugs since beta 1, especially in the TCP area, and added a few new features:

  • EDNS Client Subnet can be configured per-query
  • The UDP timeout is now configurable
  • Dynamic blocks can send a REFUSED response instead of simply dropping the query
  • A ServFail response can be returned when no server are available, instead of dropping the query
  • Our internal statistics counters are readable from Lua
  • The configuration engine can include every configuration files found in a given directory
  • ACL rules can be edited via the API
  • The percentage of the cache scanned to expunge expired entries can be configured

See the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.

Some good news on powerdns.org

Way way back in the history of PowerDNS, we bought the full suite of domain names for our new company: powerdns.com, powerdns.net, powerdns.org. Alternate names for the company we considered at the time were ‘SuperDNS’ and ‘UltraDNS’. We later found out that SuperDNS was the internal name over at Verisign for what is now the Atlas software that powers the COM and NET servers. And UltraDNS eventually became a DNS company in its own right!

Over time we no longer used powerdns.org and eventually the domain lapsed by accident and was quickly picked up by folks that held it ransom for a decade or so, without ever using it. I (Bert) personally always had issues with paying up to get the domain back, and over the years some very unsavoury parties ended up owning powerdns.org.

Recently we decided it was time to get the .org back anyhow and after negotiating for a few days we finally paid up, and shortly after that we were back in control of powerdns.org, at a cost of $1000.

This personally left me with a bad aftertaste since effectively we have paid a chain of people that specialise in taking over domains for ransom purposes.

To compenmsfsate for all this, we’ve decided to donate $1000 to the Doctors without Borders charity. On doing the currency conversion I felt bad about that too, so we turned it into a €1000 donation.

So welcome back powerdns.org and hopefully we’ve atoned for our mistake a decade ago!

OX Summit 2016: 13th-14th October, Frankfurt

Hi everybody,

Like last year, this year PowerDNS will again be part of the OX/Dovecot/PowerDNS summit. This time round we visit Frankfurt on the 13th and 14th of October. This is already in a few weeks!

All information is on: http://summit.open-xchange.com/oxs16-frankfurt.html

Many users of Dovecot, PowerDNS and AppSuite will be there. Specifically for PowerDNS, on Friday we will be hosting a 90 minute long session on malware filtering and parental control with DNS, with per-user settings, opt-in, opt-out, all with a single set of nameserver IP addresses.

Attendance is free! Please register here. When you register, you can also sign up for our malware session, which might even allow you to sell this trip to your company as ‘work’. The summit also involves (free) lunch and drinks.

If you are a PowerDNS user, or want to be, we hope to meet you there!


PowerDNS Recursor 4.0.3 released

A new release for the PowerDNS Recursor with version 4.0.3 is available. This release has many fixes and improvements in the Policy Engine (RPZ) and the Lua bindings to it. Therefore, we recommend users of RPZ to upgrade to this release. We would like to thank Wim (42wim on github) for testing and reporting on the RPZ module.

The full changelog is as follows:

Bug fixes

  • #4350: Call gettag() for TCP queries
  • #4376: Fix the use of an uninitialized filtering policy
  • #4381: Parse query-local-address before lua-config-file
  • #4383: Fix accessing an empty policyCustom, policyName from Lua
  • #4387: ComboAddress: don’t allow invalid ports
  • #4388: Fix RPZ default policy not being applied over IXFR
  • #4391: DNSSEC: Actually follow RFC 7646 §2.1
  • #4396: Add boost context ldflags so freebsd builds can find the libs
  • #4402: Ignore NS records in a RPZ zone received over IXFR
  • #4403: Fix build with OpenSSL 1.1.0 final
  • #4404: Don’t validate when a Lua hook took the query
  • #4425: Fix a protobuf regression (requestor/responder mix-up)

Additions and Enhancements

  • #4394: Support Boost 1.61+ fcontext
  • #4402: Add Lua binding for DNSRecord::d_place

The source tarball (signature) can be downloaded from the downloads website. Packages for several distributions are available in our repositories.

Authoritative Server 3.4.10

Hi everybody,

We’re pleased to announce version 3.4.10 of our Authoritative Server.

This release fixes several bugs, decreases CPU usage and allows better interoperability with PowerDNS 4.0.X databases. It also adds a feature to limit AXFR sizes in response to CVE-2016-6172.

Tar.gz and packages are available on:

Warning: Version 3.4.10 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.

Find the downloads on our download page, https://www.powerdns.com/downloads.html

Changes since 3.4.9:

  • commit 1f8078c: Enable mbedtls threading abstraction layer (Kees Monshouwer)
  • commit 63a6800: Update polarssl 1.3.9 to mbedtls 1.3.17 (Kees Monshouwer)
  • commit dc73734: Report DHCID type (Kees Monshouwer)
  • commit 2c6e628: Fix TSIG for single thread distributor (Kees Monshouwer)
  • commit 09bdd9f: Don’t send covering nsec records for direct nsec queries (Kees Monshouwer)
  • commit da231a4: Ignore trailing dot in signer name (Kees Monshouwer)
  • commit a014f4c: Add limits to the size of received AXFR, in megabytes
  • commit 881b5b0: Reject qnames with wirelength > 255, chopOff() handle dot inside labels
  • commit 210fb15: Gmysql get-order-after-query was slow (Kees Monshouwer)
  • commit 7bab770: Sync boost.m4 with upstream (Kees Monshouwer)
  • commit 9740371: Fix shorter best matching names in getAuth() (Kees Monshouwer)
  • commit 991528c: change default for any-to-tcp to yes (Kees Monshouwer)