Tagged: dnsdist

DNSDist 1.5.1 released

This release fixes a few issues discovered since 1.5.0:

  • the thread handling responses sent from a backend was not stopped when that backend was removed ;
  • getEDNSOptions() would throw an exception for queries with an empty additional section but records in the answer or authority sections ;
  • SetNegativeAndSOAAction was incorrectly adding EDNS to self-generated responses when there was no EDNS in the query ;
  • building with LLVM11 would generate an error.

It also adds a new command, clearConsoleHistory(), to prevent setups issuing a very large number of console commands from consuming too much memory.

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available in our repository. Please be aware that we have enabled a few additional features in our packages, like DNS over HTTPS, DNS over TLS and DNSTAP support, on distributions where the required dependencies were available.

dnsdist 1.5.0 released

After four release candidates, we are thrilled to announce the final release of dnsdist 1.5.0! This new release contains several new exciting features and a few breaking changes since 1.4.0, so please read the upgrade guide if you are upgrading from 1.4.0 or earlier. We described the changes made since 1.4.0 in details in the blog post announcing the first release candidate so will only do a quick summary below.

Important changes

In systemd environments, dnsdist used to be started as root before dropping privileges and switching to an unprivileged user, which could lead to weird issues where files where readable during startup but not after, or the other way around. This is no longer the case, and dnsdist is now directly started as an unprivileged user. This might require updating the permissions on the files accessed during startup.

We updated the default behavior of our DNS over HTTPS implementation. DoH endpoints specified in the fourth parameter of addDOHLocal() are now specified as exact paths instead of path prefixes. The default endpoint also switched from / to /dns-query. That can be overridden through the fourth parameter of addDOHLocal().

An ACL was added to the internal web server to further restrict access to authorized users.

The default SSL/TLS library used for DNS over TLS was changed from GnuTLS to OpenSSL / LibreSSL, based on the feedback we received from our users.

New features and improvements

The most exciting new feature is the implementation of the Proxy Protocol between dnsdist and its backends. Aimed to replace the use of EDNS Client Subnet and our own XPF, the Proxy Protocol is an existing standard where a small header is prepended to the query, passing not only the source and destination addresses and ports along to the backend, but also custom values. Support for parsing the Proxy Protocol is already available in the development tree of the PowerDNS Recursor ;

We implemented a new spoofRawAction(), which makes it possible to spoof any kind of response from dnsdist, instead of the existing limitation to A, AAAA and CNAME records. This new action requires submitting the response in DNS wire-format.

While it has always been possible to write custom selectors and actions in Lua, there was a huge performance gap between built-in rules written in C++ and the Lua ones. This release adds the ability to use the Lua FFI interface available in LuaJIT to write high-performance selectors and rules, as well as load-balancing policies. With carefully written Lua, this delivers performance almost on par with the built-in C++ rules and actions, with greater flexibility.

Several very large-scale users reported that the load-balancing policies based on a hash of the qname could lack a bit of fairness when the traffic was heavily skewed toward a few names, leading to some backends receiving much more traffic than others. In order to address this shortcoming, we added the ability to set load bounds to the chashed and whashed policies so that queries will be dispatched to a different backend if the one selected based on the qname is already handling more queries than it should.

Our DNS over HTTPS implementation received several improvements, including the ability to send cache-control headers, and to parse X-Forwarded-For headers sent by a frontend.

Users with a large number of backends will be happy to know that we refactored the handling of health checks so that they can now be performed in parallel instead of sequentially, leading to a huge performance improvement.

Finally our remote logging features using DNSTAP or our own protobuf saw several performance enhancements, a better handling of re-connection events, and the addition of the source and destination ports of the query whenever possible.

Bug Fixes

Several issues were fixed, most of them about compilation on very specific systems or setups. One notable fix was a regression introduced in 1.4.0 for DNSCrypt users, with our thanks to Frank Denis for reporting the issue and suggesting ways to fix it.

We want to once again thank everyone that contributed to the testing of the previous release candidates!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available in our repository. Please be aware that we have enabled a few additional features in our packages, like DNS over HTTPS, DNS over TLS and DNSTAP support, on distributions where the required dependencies were available. Building packages for Raspberry Pi OS (previously called Raspbian) takes a bit longer so those might only become available in a couple days.

Fourth release candidate for dnsdist 1.5.0

While we expected the third release candidate for dnsdist 1.5.0 to be the last one, a race condition that could lead to a crash was discovered by Tomas Krizek from CZ.NIC with the DNS Shotgun tool, leading to a new release candidate. This new release candidate has no changes except for the fix for this issue.

We want to once again thank everyone that contributed to the testing of the alpha and the first three release candidates! Many thanks to Tomas in particular this time!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available in our repository. Please be aware that we have enabled a few additional features in our packages, like DNS over HTTPS, DNS over TLS and DNSTAP support, on distributions where the required dependencies were available.

Third release candidate for dnsdist 1.5.0

We are very happy to announce the third release candidate of dnsdist 1.5.0. 1.5.0 contains several new exciting features and a few breaking changes since 1.4.0 that were detailed in the announcement of alpha1. If you upgrade from 1.4.0, please see the upgrade guide for more information.
This new release candidate has very few changes since the second release candidate except an important bug fix in DoH processing, and a few minor improvements and cleanups:

  • DoH processing could stop working if too many responses were processed at the same time, filling the internal pipe (9211) ;
  • compilation was broken on systems that do not define HOST_NAME_MAX (9127) ;
  • the detection of std::string has been enhanced by Rosen Penev (9207, 9213) ;
  • optional masks were added to KeyValueLookupKeySourceIP (9144) ;
  • an ACL was added to the internal web server (9229) ;
  • and finally the sample configuration file was cleaned up to be more helpful to new installations (9238).

The DoH processing issue was the last pending one we were aware of, so hopefully this release candidate should be the last one!

We want to once again thank everyone that contributed to the testing of alpha1 and the first two release candidates!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available in our repository. Please be aware that we have enabled a few additional features in our packages, like DNS over HTTPS, DNS over TLS and DNSTAP support, on distributions where the required dependencies were available.

Second release candidate for dnsdist 1.5.0

We are very happy to announce the second release candidate of dnsdist 1.5.0. 1.5.0 contains several new exciting features and a few breaking changes since 1.4.0 that were detailed in the announcement of alpha1. If you upgrade from 1.4.0, please see the upgrade guide for more information.
This new release candidate has very few changes except a few minor bug fixes and cleanups since the first release candidate:

  • compilation was broken on SmartOS/illumos, and Solaris (9031) ;
  • the statistics for HTTP/1 were displayed twice instead of showing the HTTP/2 ones (9068) ;
  • if a backend was not reachable when first added, and multiple sockets were configured for that backend, the corresponding socket was not properly closed (9057) ;
  • several minor compilation warnings were fixed, along with some minor cleanups (9016 9042 9053 9054 9059 9067 9078 9084).


We want to once again thank everyone that contributed to the testing of alpha1 and the first release candidate!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available in our repository. Please be aware that we have enabled a few additional features in our packages, like DNS over HTTPS, DNS over TLS and DNSTAP support, on distributions where the required dependencies were available.

First release candidate for dnsdist 1.5.0

We are very happy to announce the first release candidate of dnsdist 1.5.0. 1.5.0 contains several new exciting features and a few breaking changes since 1.4.0 that were detailed in the announcement of alpha1. If you upgrade from 1.4.0, please see the upgrade guide for more information.
This new release candidate has very few changes since alpha1:

  • a compilation issue on OpenBSD was fixed (8955) ;
  • the Lua binding for SuffixMatchNode::remove was added (8956) ;
  • a regression introduced in 1.4.0 for DNSCrypt users was fixed (8974, 8976), with our thanks to Frank Denis for reporting the issue and suggesting ways to fix it ;
  • responses received from a backend with the QR bit not set are now dropped (8996) ;
  • an option to control the size of the TCP listen queue was added (8994).

We want to once again thank everyone that contributed to the testing of alpha1!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available in our repository. Please be aware that we have enabled a few additional features in our packages, like DNS over HTTPS, DNS over TLS and DNSTAP support, on distributions where the required dependencies were available.

First alpha release of dnsdist 1.5.0

We are very happy to announce the 1.5.0 alpha 1 release of dnsdist. This version contains several new exciting features detailed below, but also a few breaking changes so please take the time to read the next section.

Your feedback will be much appreciated so we can deliver a stable 1.5.0 final release!

Important changes

We took the opportunity of this new release to clean up a few things that might require updating your existing configuration.

First, in systemd environments, dnsdist used to be started as root before dropping privileges and switching to an unprivileged user, which could lead to weird issues where files where readable during startup but not after, or the other way around. This is no longer the case, and dnsdist is now directly started as an unprivileged user. This might require updating the permissions on the files accessed during startup. It is therefore recommended to recursively chown directories used by dnsdist:

chown -R root:dnsdist /etc/dnsdist

Packages provided on the PowerDNS Repository will chown directories created by them accordingly in the post-installation steps.

We also updated the default behavior of our DNS over HTTPS implementation. DoH endpoints specified in the fourth parameter of addDOHLocal are now specified as exact paths instead of path prefixes.

For example,

addDOHLocal('2001:db8:1:f00::1', '/etc/ssl/certs/example.com.pem', '/etc/ssl/private/example.com.key', { "/dns-query" })

will now only accept queries for /dns-query and no longer for /dns-query/foo/bar.

The default endpoint also switched from / to /dns-query. That can be overridden through the fourth parameter of addDOHLocal().

Finally the default SSL/TLS library used for DNS over TLS was changed from GnuTLS to OpenSSL / LibreSSL, based on the feedback we received from our users.

Please see the upgrade guide for more information.

New features and improvements

The most exciting new feature is the implementation of the Proxy Protocol between dnsdist and its backends. Aimed to replace the use of EDNS Client Subnet and our own XPF, the Proxy Protocol is an existing standard where a small header is prepended to the query, passing not only the source and destination addresses and ports along to the backend, but also custom values. Support for parsing the Proxy Protocol is already available in the development tree of the PowerDNS Recursor.

We implemented a new spoofRawAction(), which makes it possible to spoof any kind of response from dnsdist, instead of the existing limitation to A, AAAA and CNAME records. This new action requires submitting the response in DNS wire-format.

While it has always been possible to write custom selectors and actions in Lua, there was a huge performance gap between built-in rules written in C++ and the Lua ones. This release adds the ability to use the Lua FFI interface available in LuaJIT to write high-performance selectors and rules, as well as load-balancing policies. With carefully written Lua, this delivers performances almost on par with the built-in C++ rules and actions, with greater flexibility.

Several very large-scale users reported that the load-balancing policies based on a hash of the qname could lack a bit of fairness when the traffic was heavily skewed toward a few names, leading to some backends receiving much more traffic than others. In order to address this shortcoming, we added the ability to set load bounds to the chashed and whashed policies so that queries will be dispatched to a different backend if the one selected based on the qname is already handling more queries than it should.

Our DNS over HTTPS implementation received several improvements, including the ability to send cache-control headers, and to parse X-Forwarded-For headers sent by a frontend.

Users with a large number of backends will be happy to know that we refactored the handling of health checks so that they can now be performed in parallel instead of sequentially, leading to a huge performance improvement.

Finally our remote logging features using DNSTAP or our own protobuf saw several performance enhancements, a better handling of re-connection events, and the addition of the source and destination ports of the query whenever possible.

We want to once again thank everyone that contributed to the testing of the previous release candidates!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available in our repository. Please be aware that we have enabled a few additional features in our packages, like DNS over HTTPS, DNS over TLS and DNSTAP support, on distributions where the required dependencies were available.

dnsdist 1.4.0

After five release candidates, we are thrilled to finally announce the release of dnsdist 1.4.0 !

This new major version has been used in production by several large operators since the first release candidate, including the new DNS over HTTPS feature, providing invaluable feedback.

This release has very few changes since the previous release candidate:

  • names blocked by a SMT dynamic block are now lowercased (8524) ;
  • we went back to selecting the cipher suites based on the server preference instead of the client by default (8526) ;
  • some typo, documentation and help messages have been fixed (8531, 8440, 8509).

For those new to the 1.4.0 train, the main changes between 1.3.3 and 1.4.0 are:

  • a new, much more scalable way of handling DNS over TCP and DNS over TLS (DoT) connections, with a lot of new metrics and options like OCSP stapling ;
  • support for DNS over HTTPS (DoH) ;
  • a new experimental feature, the ability to look into a Key-Value store like CDB or LMDB and to route a query based on the result of this lookup ;
  • new rules and actions to deal with unexpected EDNS version (Dmitry Alenichev) ;
  • a new QNameSetRule rule, along with the DNSNameSet object, to match exact qnames instead of doing suffix matching (Andrey Domas) ;
  • a new ContinueAction has been added as well, allowing to keep processing rules even after calling a normally terminal action, like PoolAction ;
  • we also added a few convenience functions to pseudonymize IP addresses, as several users reported that they needed it to be GDPR-compliant ;
  • the health check mechanism has been improved with the new checkInterval, checkTimeout and rise parameters, thanks notably to “1848” ;
  • and, finally, we also improved the existing LogAction to make it much more useful for debugging and accounting purposes.

Please see the upgrade guide before upgrading from 1.3.x to 1.4.0, as a few things have been cleaned up and might require updating your existing configuration.

We want to once again thank everyone that contributed to the testing of the previous release candidates!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available in our repository.

dnsdist 1.4.0-rc5 released

We are happy to announce the fifth release candidate of the 1.4.0 version of dnsdist. This release fixes a regression introduced in DNS over HTTPS handling in 1.4.0-rc4 that could lead to a crash under heavy load, because of a race condition.

The issue was reported during load-testing by one of our users a few hours after the release and we were able to issue a fix during the week-end. We quickly advised DNS over HTTPS users to delay upgrading for a bit, and after exposing the resulting code to various tests during a couple days we are now confident that the issue has been resolved.

We want to thank everyone that contributed to the testing of the previous release candidates, and invite you to contribute to the testing of this hopefully last one!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.

Fourth release candidate for dnsdist 1.4.0

We are very happy to announce the fourth release candidate of the 1.4.0 version of dnsdist. Unless a serious issue is discovered, we plan on releasing the final 1.4.0 release in a couple of weeks with no or very few changes from this release.

This version massively improves the metrics available regarding TLS usage and errors for DNS over HTTPS and DNS over TLS clients, as suggested by several large deployments.

It also fixes several minor issues, and improves the existing LogAction to make it much more useful for debugging and accounting purposes.

We want to thank everyone that contributed to the testing of the previous release candidates, and invite you to contribute to the testing of this hopefully last one!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.