Tagged: dnsdist

Third release candidate for dnsdist 1.4.0

We are very happy to announce the third, and hopefully last, release candidate of the 1.4.0 version of dnsdist.

This version adds the ability to accept DNS over HTTPS queries over plain HTTP, so that dnsdist can be deployed behind a TLS-offloading device, and improves the management of TLS session ticket keys for DNS over HTTPS.

It also fixes several minor issues, and improves the DoH-related metrics in our Prometheus export.

We want to thank everyone who contributed to the testing of the beta release, and invite you to contribute to the testing of this release candidate!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.

Second release candidate for dnsdist 1.4.0

We are very happy to announce the second release candidate of the 1.4.0 version of dnsdist.

This version adds one experimental feature: the ability to look up a key in a Key-Value store such as CDB or LMDB and to route a query based on the result of that lookup.

It also makes it possible to require a minimum TLS version for DNS over TLS and DNS over HTTPS, and to send custom HTTP responses to requests received on the DoH port that are valid HTTP requests but not valid DoH queries.

Note that starting with 1.4.0-rc2, our packages are now built against the latest 2.2.6 version of libh2o, fixing several remote denial of service issues (CVE-2019-9512, CVE-2019-9514 and CVE-2019-9515).
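The following dnsdist configuration is an added example, not part of the release announcements above, putting the rc2 and rc3 features together: a minimum TLS version on the DoT and DoH frontends, a plain-HTTP DoH listener for use behind a TLS-offloading proxy, custom HTTP responses for non-DoH requests on the DoH port, and routing on a Key-Value store lookup. The addresses, file paths, pool names and the tag value "filtered" are placeholders; that passing nil certificate and key paths to addDOHLocal() yields a plain-HTTP listener, and that the stored value for a client address is a policy string, are assumptions made for this example.

```lua
-- Added example configuration for dnsdist 1.4.0-rc2/rc3; not from the release notes.
-- Placeholders: addresses, certificate/key paths, LMDB path, pool names, tag values.

-- Backend resolvers, grouped into pools so a rule can choose between them.
newServer({address = "192.0.2.10:53", pool = "default"})
newServer({address = "192.0.2.11:53", pool = "filtered"})

-- DNS over TLS and DNS over HTTPS frontends that refuse anything older than
-- TLS 1.2 (rc2: minimum TLS version option).
addTLSLocal("0.0.0.0:853", "/etc/dnsdist/fullchain.pem", "/etc/dnsdist/privkey.pem",
            {minTLSVersion = "tls1.2"})
addDOHLocal("0.0.0.0:443", "/etc/dnsdist/fullchain.pem", "/etc/dnsdist/privkey.pem",
            {"/dns-query"}, {minTLSVersion = "tls1.2"})

-- Custom HTTP responses for requests that reach the DoH port but are not DoH
-- queries (rc2): a map of path regex -> status and body, set on the first
-- DoH frontend defined above (index 0).
local doh = getDOHFrontend(0)
doh:setResponsesMap({
  newDOHResponseMapEntry("^/$", 200, "This is a DNS over HTTPS endpoint; send queries to /dns-query."),
})

-- DoH over plain HTTP for a TLS-offloading proxy in front of dnsdist (rc3).
-- Assumption for this example: nil certificate and key disable TLS on this
-- listener. Bind it to a loopback or private address so that only the
-- offloader, which terminates TLS, can reach it.
addDOHLocal("127.0.0.1:8053", nil, nil, {"/dns-query"})

-- Route on a Key-Value store lookup (rc2, experimental). The LMDB database is
-- assumed to map client IP addresses to a policy string; the lookup result is
-- stored in the "policy" tag of the query, and later rules match on that tag.
-- The lookup action itself does not stop rule processing.
local kvs = newKeyValueStoreLMDB("/etc/dnsdist/clients.lmdb", "clients")
addAction(AllRule(), KeyValueStoreLookupAction(kvs, KeyValueLookupKeySourceIP(), "policy"))
addAction(TagRule("policy", "filtered"), PoolAction("filtered"))
addAction(AllRule(), PoolAction("default"))
```

Clients with no entry in the store fall through to the "default" pool; only addresses whose stored value is "filtered" are routed to the filtering resolvers, so a missing or stale database entry fails open to the normal path rather than dropping queries.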

We want to thank everyone who contributed to the testing of the beta release, and invite you to contribute to the testing of this release candidate!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.

First release candidate for dnsdist 1.4.0

We are proud to announce the first release candidate of the 1.4.0 version of dnsdist. Since the first alpha release, 1.4.0 brings a much more scalable way of handling DNS over TCP and DNS over TLS connections. A major new feature since alpha2, and the marquee feature of 1.4.0 compared to 1.3.x, is the new DNS-over-HTTPS functionality.

Following a round of testing from several large scale users, this version fixes several issues, most of them related to DNS over HTTPS (7894, 7917, 7927, 8112), DNS over TCP (7974, 7979, 8003, 8030, 8067, 8078, 8079, 8113), or both (7915).

In addition to minor improvements, it also introduces several new features:

  • a new ContinueAction, which allows rule processing to continue even after a normally terminal action, such as PoolAction, has been called (8117);
  • OCSP stapling for DNS over TLS and DNS over HTTPS (8141);
  • custom HTTP headers for DNS over HTTPS responses (contributed by Melissa Voegeli, 8148);
  • actions, rules and Lua bindings to interact with DNS over HTTPS queries and generate responses from dnsdist (8153).
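The configuration below is an added example, not code from the dnsdist project or from the announcement, showing the four rc1 features listed above in one rule set: OCSP stapling, a custom DoH response header, an HTTP-layer rule that answers a DoH request with an HTTP status, and ContinueAction in front of a normally terminal PoolAction. Addresses, file paths, pool names, zone names and the header value are placeholders chosen for the example.

```lua
-- Added example configuration for dnsdist 1.4.0-rc1; not from the release notes.
-- Placeholders: addresses, certificate/key/OCSP paths, pool and zone names.

newServer({address = "192.0.2.10:53", pool = "default"})
newServer({address = "192.0.2.12:53", pool = "logging"})

-- OCSP stapling (8141): stapled responses are read from files, one per
-- certificate, that are refreshed out of band (for example by a cron job
-- fetching them from the CA's responder).
addTLSLocal("0.0.0.0:853", "/etc/dnsdist/fullchain.pem", "/etc/dnsdist/privkey.pem",
            {ocspResponses = {"/etc/dnsdist/fullchain.ocsp"}})

-- Custom HTTP response headers (8148): here HSTS, so browsers and libraries
-- that honour it keep using HTTPS for this host.
addDOHLocal("0.0.0.0:443", "/etc/dnsdist/fullchain.pem", "/etc/dnsdist/privkey.pem",
            {"/dns-query"},
            {ocspResponses = {"/etc/dnsdist/fullchain.ocsp"},
             customResponseHeaders = {["strict-transport-security"] = "max-age=31536000"}})

-- Rules and actions on the HTTP layer (8153): HTTPPathRule only matches
-- queries that arrived over DoH, so the AndRule never fires for UDP or TCP.
-- Queries for the internal zone received over the public DoH endpoint get an
-- HTTP 403 instead of a DNS answer, making the policy visible to the client.
addAction(AndRule({HTTPPathRule("/dns-query"), SuffixMatchNodeRule("internal.example.")}),
          HTTPStatusAction(403, "forbidden", "text/plain"))

-- ContinueAction (8117): PoolAction is normally terminal, so without the
-- ContinueAction wrapper the TagAction on the next line would never run for
-- these queries. With it, the pool is selected and processing goes on.
addAction(SuffixMatchNodeRule("example.org."), ContinueAction(PoolAction("logging")))
addAction(SuffixMatchNodeRule("example.org."), TagAction("source", "example-org"))

-- Everything else goes to the default pool.
addAction(AllRule(), PoolAction("default"))
```

The rule order matters: the ContinueAction pair must precede the catch-all PoolAction("default"), otherwise the catch-all terminates processing first and the "logging" pool is never chosen.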

We want to thank everyone who contributed to the testing of the beta release, and invite you to contribute to the testing of this release candidate!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.

dnsdist 1.2.1 released

We are very pleased to announce the availability of dnsdist 1.2.1, fixing several issues that were found in 1.2.0:

  • #5647: Make dnsdist dynamic truncate do right thing on TCP/IP
  • #5686: Add missing QPSAction
  • #5847: Don’t create a Remote Logger in client mode
  • #5858: Use libsodium’s CFLAGS, we might need them to find the includes
  • #6012: Keep the TCP connection open on cache hit, generated answers
  • #6041: Add the missing <sys/time.h> include to mplexer.hh for struct timeval
  • #6043: Sort the servers based on their ‘order’ after it has been set
  • #6073: Quiet unused variable warning on macOS (Chris Hofstaedtler)
  • #6094: Fix the outstanding counter when an exception is raised
  • #6164: Do not connect the snmpAgent from a dnsdist client

One new feature has also been added by Dan McCombs, which makes it possible to work around an issue that occurs when dnsdist is compiled with IP_BIND_ADDRESS_NO_PORT enabled but run on a kernel that does not support it:

  • #5880: Add configuration option to disable IP_BIND_ADDRESS_NO_PORT

Finally, the handling of bracketed IPv6 addresses without port has been improved by Chris Hofstaedtler:

  • #6057: Handle bracketed IPv6 addresses without ports

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.

dnsdist 1.2.0 released

We are very pleased to announce the availability of dnsdist 1.2.0, bringing a lot of new features and fixes since 1.1.0.

This release also addresses two security issues of low severity, CVE-2016-7069 and CVE-2017-7557. The first issue can lead to a denial of service on 32-bit if a backend sends crafted answers, and the second to an alteration of dnsdist’s ACL if the API is enabled, writable and an authenticated user is tricked into visiting a crafted website. More information can be found in our security advisories 2017-01 and 2017-02.

Highlights include:

  • applying rules on cache hits
  • addition of a runtime-changeable rule that matches IP addresses for a limited time: TimedIPSetRule
  • SNMP support, exporting statistics and sending traps
  • preventing the packet cache from ageing responses when deployed in front of authoritative servers
  • TTL alteration capabilities
  • consistent hash results over multiple deployments
  • exporting CNAME records over protobuf
  • tuning the size of the ringbuffers used to keep track of recent queries and responses
  • various DNSCrypt-related fixes and improvements, including automatic key rotation

Users upgrading from a previous version should be aware that:

  • the truncateTC option is now off by default, to follow the principle of least astonishment
  • the signature of the addLocal() and setLocal() functions has been changed, to make it easier to add new parameters without breaking existing configurations
  • the packet cache does not cache answers without any TTL anymore, to prevent them from being cached forever
  • blockfilter has been removed, since it was completely redundant
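As an added example that is not part of the announcement, the configuration below shows two of the 1.2.0 changes in practice: an addLocal() call migrated from the positional signature to the new options table, and a TimedIPSetRule whose entries are added at runtime and expire on their own. The addresses and the queue size are placeholders; the use of the maintenance() hook to purge expired entries is a choice made for this example.

```lua
-- Added example for dnsdist 1.2.0; not from the release notes.
-- Placeholders: listen and backend addresses, TCP Fast Open queue size.

-- Before 1.2.0 the listener options were positional arguments:
--   addLocal("0.0.0.0:53", true, true, 128)   -- address, do TCP, SO_REUSEPORT, TFO queue size
-- From 1.2.0 they are named fields in an options table, so a new option can be
-- added later without shifting the existing ones or breaking old configurations:
addLocal("0.0.0.0:53", {doTCP = true, reusePort = true, tcpFastOpenQueueSize = 128})

newServer("192.0.2.10:53")

-- TimedIPSetRule: a set of client addresses whose entries expire. Addresses
-- are added at runtime (from the console or a Lua action) with a lifetime in
-- seconds, so a temporary block is lifted without a restart or a config edit.
local badClients = TimedIPSetRule()
addAction(badClients, DropAction())

-- Block one client for an hour, for example after a dynamic block decision:
badClients:add(newCA("203.0.113.7"), 3600)

-- dnsdist calls maintenance() about once per second; use it to purge expired
-- entries so the set does not keep growing while the rule stays cheap to match.
function maintenance()
  badClients:cleanup()
end
```

The rule is evaluated before the packet cache for ordinary queries, so a blocked client does not get cached answers either; the expiry keeps an operator's manual block from silently becoming permanent.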

This release also deprecates a number of functions, which will be removed in 1.3.0. Those functions had the drawback of making dnsdist’s configuration less consistent by hiding the fact that each rule is composed of a selector and an action. They are still supported in 1.2.0 but a warning is displayed whenever they are used, and a replacement suggested.

For the many other new features, improvements and bug fixes, please see the dnsdist website for the more complete changelog, the current documentation, and the upgrade guide.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.