Hello!

We are happy to announce the second alpha release of dnsdist 1.7.0!

We spent quite some time since alpha1 reproducing an issue reported by Stéphane Bortzmeyer in our new outgoing DNS over TLS feature. The issue turned out to be triggered by the use of the GnuTLS provider, and to be only present with some versions of that library. We are still working with the GnuTLS project to get this issue resolved, but in the meantime we implemented a work-around in dnsdist itself. In addition to that work-around, this release contains a few new features, improvements and bug fixes.

Among the new features is the ability to add a custom EDNS option to a query before forwarding it to a backend, via SetEDNSOptionAction. phonedph1 also contributed a new rule making it possible to route a query based on the number of outstanding queries in a pool, PoolOutstandingRule.

The packet cache has been improved so that one can now configure which EDNS options should be ignored, raising the cache hit ratio behind customer-premises equipment. The incoming and outgoing protocols have been added to the output of the grepq command for a better understanding of the recently processed traffic. We also reduced the memory consumption of dnsdist in constrained environments a bit further.

Denis Machard reported that queries received over UDP and forwarded via a TCP, DoH or DoT were not properly cached. We also noticed that the includeDirectory configuration directive might not properly function if an exception was raised during the processing. Both issues are now fixed.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.

With the future 1.7.0 final release, the 1.4.x releases will be EOL and the 1.5.x and 1.6.x releases will go into critical security fixes only mode.

Finally, we would like to thank the PowerDNS community and all external contributors for their great work in this release!

Hello!

We are happy to release dnsdist 1.6.1 today, a maintenance release fixing a few bugs reported since 1.6.0:

• Adding ECS failed for queries with records in the answer or additional section (Dimitrios Mavrommatis)
• The transport was not properly set in dnstap and protobuf messages for DoH queries
• The outstanding queries counter was not properly reset when some TCP I/O errors occurred
• The ability to load a new certificate on a DoH frontend was missing
• A missing header could have caused a compilation issue on some platforms

As usual there were also other smaller enhancements and fixes, please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

The release tarball (signature) is available on the downloads website, and packages for CentOS 7 and 8, Debian Buster and Bullseye, and Ubuntu Bionic and Focal are available from our repository.

Hello!

We are proud to announce the final release of dnsdist 1.6.0, with no changes since the second release candidate. Compared to 1.5.x, this release contains several new exciting features, as well as improvements and bug fixes.

In our view, the most exciting new feature is the support of out-of-order processing for TCP and DNS over TLS connections. Out-of-order processing makes it possible to have several concurrent queries on the same TCP connection, and to receive the answers to these queries as soon as they are ready. Along with connection reuse, this reduces the overhead of TCP by a huge factor. Starting with 1.6.0, dnsdist will accept up to 65536 concurrent queries on the same incoming TCP connection, and will pass all of these to the backend over a single connection as well, provided that the backend supports it. This feature is not enabled by default, and can be enabled via the maxInFlight parameter of the addLocal/addTLSLocal (client-side) and the newServer (backend-side) commands.

This new version also brings support for accepting a Proxy Protocol header on incoming connections, making it possible for a frontend to provide dnsdist with the initial source and destination ports and addresses, as well as custom values. dnsdist can then process, add and remove values before passing the information to the backend. Chaining two dnsdist instances has never been this easy!

Other new features include the ability to define custom web endpoints in Lua, to extend the existing API, as well as the ability to create blazing-fast, lock-less per-thread custom load-balancing policies using the Lua foreign function interface (FFI).

Among the many improvements, dnsdist’s packet cache no longer hashes EDNS Cookies by default, which means that two queries that are identical except for the content of their cookies will now be served the same answer. Note that it might be necessary to restore the existing behaviour when dnsdist is in front of a backend actually using EDNS Cookies, which can be done via the cookieHashing parameter to newPacketCache.

Users of our own protocol buffer logging mechanism, or of dnstap, will be happy to learn that we replaced our implementation based on Google’s protocol buffer library by a tremendously faster one, based on the protozero library. This change results in much lower CPU utilization and increased scalability in a transparent way.

The memory usage of idle DNS over HTTPS and DNS over TLS connections has also been significantly reduced when the OpenSSL provider is used.

If you are upgrading from a previous version, please be aware that a few actions and commands have been renamed to clear some ambiguities. Almost all actions that allow further processing of rules now start with ‘Set’, to prevent mistakes:

• DisableECSAction to SetDisableECSAction
• DisableValidationAction to SetDisableValidationAction
• ECSOverrideAction to SetECSOverrideAction
• ECSPrefixLengthAction to SetECSPrefixLengthAction
• MacAddrAction to SetMacAddrAction
• NoRecurseAction to SetNoRecurseAction
• SkipCacheAction to SetSkipCacheAction
• TagAction to SetTagAction
• TagResponseAction to SetTagResponseAction
• TempFailureCacheTTLAction to SetAdditionalProxyProtocolValueAction
• SetNegativeAndSOAAction to NegativeAndSOAAction

Some commands changing the order of the rules could have easily been confused with the ones providing insight into the current traffic, and have therefore also been renamed:

• topCacheHitResponseRule to mvCacheHitResponseRuleToTop
• topResponseRule to mvResponseRuleToTop
• topRule to mvRuleToTop
• topSelfAnsweredResponseRule to mvSelfAnsweredResponseRuleToTop

Please also note that the use of additional parameters on the webserver command has been deprecated in favor of using setWebserverConfig.

Regular users should not be impacted by this change, but packagers should be aware that since 1.6.0 dnsdist now uses the C++17 standard instead of the C++11 one it was previously using.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The release tarball (signature) is available on the downloads website, and packages for CentOS 7 and 8, Debian Buster and Ubuntu Bionic and Focal are available from our repository.

With this release, the 1.3.x releases are EOL and the 1.4.x releases go into critical security fixes only mode.

We would also like to take this opportunity to announce that we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386 before kernel version 5.1.

Finally, we would like to thank the PowerDNS community and all external contributors for their great work in this release, and in particular Stephane Bakhos, Stéphane Bortzmeyer, Georgeto, Matti Hiljanen, Andreas Jakum, Nuitari, Oli Schacher, Sukhbir Singh, Thibmac and Mischan Toosarani-Hausberger!

Hello!

We are happy to release dnsdist 1.5.2 today, a maintenance release fixing a few bugs reported since 1.5.1:

• A typo in prometheus metrics dnsdist_frontend_tlshandshakefailures #9728 (AppliedPrivacy)
• A hang when removing a server with more than one socket
• SNI availability on resumed sessions, by acknowledging the name sent by the client
• A crash when a DoH responses map is updated at runtime
• Dynamic Block RCode rules messing up the queries count
• EDNS in ServFail generated when no server is available
• A crash with DynBPF objects in client mode
• Add missing getEDNSOptions and getDO bindings for DNSResponse

As usual there were also other smaller enhancements and fixes, please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

The release tarball (signature) is available on the downloads website, and packages for CentOS 7 and 8, Debian Buster and Ubuntu Bionic and Focal are available from our repository.

Hi everyone,

We are happy to announce the second release candidate of what should become dnsdist 1.6.0. This release contains very few changes since the first release candidate, and thanks to the great feedback we received on previous versions we expect to be able to release 1.6.0 final very soon. The changed bits since -rc1 are:

• Only use eBPF for “drop” actions, and clean up the eBPF rules more often
• Fix missing locks in DNSCrypt certificates management
• Make the backend queryLoad and dropRate values atomic

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

The release tarball (signature) is available on the downloads website, and packages for CentOS 7 and 8, Debian Buster and Ubuntu Bionic and Focal are available from our repository.

With the future 1.6.0 final release, the 1.3.x releases will be EOL and the 1.4.x releases will go into critical security fixes only mode.

We would also like to take this opportunity to announce that we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386 before kernel version 5.1.

Hi everyone,

We are happy to announce the first release candidate of what should become dnsdist 1.6.0. This release contains very few changes since the third alpha:

• Add missing getEDNSOptions and getDO bindings for DNSResponse
• Fix some issues reported by Thread Sanitizer
• Lua: don’t destroy keys during table iteration
• Disable PMTU for IPv6 as well
• Replace pthread_rwlock with std::shared_mutex

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

Release tarballs are available on the downloads website, and packages for CentOS 7 and 8, Debian Buster and Ubuntu Bionic and Focal are available from our repository.

With the future 1.6.0 final release, the 1.3.x releases will be EOL and the 1.4.x releases will go into critical security fixes only mode.

We would also like to take this opportunity to announce that we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386 before kernel version 5.1.

Hi everyone,

We are happy to announce the third alpha release of dnsdist 1.6.0. This release contains a few fixes for issues reported in the second alpha:

• DNS over HTTPS queries with a non-zero ID were not properly handled. Very few DoH clients actually send an ID with a value different than 0 but it does happen and is allowed by RFC 8484. Many thanks to Frank Denis for reporting the issue !
• The connect timeout was not used for outgoing TCP connections, and the write timeout was used instead.

In addition to these fixes, several improvements were made:

• Reduced memory usage for idle DNS over HTTPS and DNS over TLS connections, saving roughly 35 kB per connection.
• Smarter caching of outgoing TCP connections, ability to configure the number of concurrent incoming TCP connections per frontend, with more metrics.
• Sharding has been enabled in the ring buffers and the packet cache by default, leading to better performance in the default configuration.
• TLS renegotiation is now disabled by default, to prevent issues like CVE-2021-3449 in the future.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Release tarballs are available on the downloads website, and packages for CentOS 7 and 8, Debian Buster and Ubuntu Bionic and Focal are available from our repository.

With the future 1.6.0 final release, the 1.3.x releases will be EOL and the 1.4.x releases will go into critical security fixes only mode.

We would also like to take this opportunity to announce that we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386 before kernel version 5.1.

Hi everyone,

We are happy to announce the second alpha release of dnsdist 1.6.0. This release contains mostly fixes for issues reported in the first release candidate:

• A race condition was found to sometimes occur at startup, making it possible for the first TCP connection to happen before the creation of TCP workers and lead to a crash.
• Stéphane Bortzmeyer reported many TCP timeouts with the first alpha that did not happen with 1.5.x. We unfortunately did not manage to reproduce these timeouts, but we spent quite some time expanding the coverage of our TCP code, uncovering several bugs in the process. Although we unfortunately cannot be sure that the issue experienced by Stéphane has been fixed, the resulting code has seen much more testing and we have received excellent feedback from other users in the meantime, leading to this second alpha candidate.
• The cache cleaning algorithm did not properly remove expired entries from all shards, when more than one shard was used and setCacheCleaningPercentage set below 100%. This led to a drop in the cache efficiency in the long run.
• A null pointer dereference has been found when accessing a dynamic BPF block (DynBPF) object in client mode.
• A debug line was not properly removed in the web server code, logging a new line for every HTTP query.

In addition to these fixes, Sander Hoentjen contributed several improvements to allow spoofing answers with multiple records, and Aki Tuomi introduced automatic conversion to string for several objects in Lua. Many thanks to them!

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Release tarballs are available on the downloads website, and packages for CentOS 7 and 8, Debian Buster and Ubuntu Bionic and Focal are available from our repository.

With the future 1.6.0 final release, the 1.3.x releases will be EOL and the 1.4.x releases will go into critical security fixes only mode.

We would also like to take this opportunity to announce that we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386 before kernel version 5.1.