Tagged: release

dnsdist 1.7.3 released

Hello!

We are very happy to release dnsdist 1.7.3 today, a maintenance release with no functional changes.

This release strictly serves to bring dnsdist packages to our EL9 and Ubuntu Jammy repositories, and upgrades the dnsdist Docker image from Debian buster to Debian bullseye, as buster is officially EOL.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.

dnsdist-1.7.2 released

Hello!

We are very happy to release dnsdist 1.7.2 today, a maintenance release fixing a few bugs reported since 1.7.1:

  • An unhandled exception could happen when an invalid protocol was used in an incoming DNS over HTTPS forwarded-for header and passed to the backend via the proxy protocol, leading to a use-after-free and a crash. Forwarded-for headers are not used by default and should only be used if the client can be trusted (#11667)
  • An invalid proxy-protocol was sent to the backend, over TCP, if a query received via DNS over HTTPS resulted in a truncated UDP response from the backend (#11665)
  • Some metrics lacked a proper description in our Prometheus endpoint (#11664)
  • A side-effect of fixing the health-check timeout in 1.7.1 was leading to a CPU usage increase on devices that are mostly idle. We improved that situation, reducing the CPU usage even below what it was in 1.7.0 (#11579, #11580)

We also added a couple Lua bindings to make it easier to look into the DNS payload from custom Lua rules and actions (#11666).

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.

dnsdist 1.7.1 released

Hello!

We are very happy to release dnsdist 1.7.1 today, a maintenance release fixing a few bugs reported since 1.7.0:

  • A use-after-free error could happen if a network error occurred in the middle of a XFR query, for a proxy-protocol-enabled backend, leading to a crash
  • The TLS Server Name Indication was not properly set on outgoing DNS over HTTPS or DNS over TLS connections to a backend
  • The health-check timeout was not properly set for outgoing DNS over HTTPS connections, leading to a very long timeout
  • The outgoing protocol was not always properly set in our in-memory ring buffers
  • Outgoing UDP timeouts were sometimes processed a bit too late when the health-check interval was set to more than one second
  • Filtering qnames via eBPF was broken
  • The dynamic block mechanism was not properly switching to eBPF filtering, when available, if the block action was not explicitly set
  • The latency histogram was broken in our prometheus metrics
  • Trying to create a 0-sized packet cache would lead to a crash

In addition to these fixes, our Docker images no longer have capability requirements. More information on that topic is available in our upgrade guide.

We also improved our compatibility with OpenSSL 3.0.0’s API.

As usual there were also other smaller enhancements and fixes, please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.

dnsdist 1.7.0 released

Hello!

We are proud to announce the release of dnsdist 1.7.0. This release contains several new exciting features since 1.6.1, as well as improvements and bug fixes. It contains one single change from the first release candidate, a fix for DynBlockRatioRule::warningRatioExceeded provided by Doug Freed.

In our view, the most exciting new feature of 1.7.0 is the support of outgoing DNS over TLS and DNS over HTTPS, as well as the ability to do “cross-protocol” queries, meaning a query received over a given protocol (UDP, TCP, DoT, DoH, …) can be forwarded over a different one. Now that dnsdist is capable of contacting its backend over an encrypted channel, full end-to-end encryption is possible, offering improved confidentiality and integrity.

Among the new features is the ability to add a custom EDNS option to a query before forwarding it to a backend, via SetEDNSOptionAction. phonedph1 also contributed a new rule making it possible to route a query based on the number of outstanding queries in a pool, PoolOutstandingRule.

Pierre Grié from Nameshield contributed an XDP program to reply to blocked UDP queries with a truncated response directly from the kernel, in a similar way to what we were already doing using eBPF socket filters. This version adds support for eBPF pinned maps, allowing dnsdist to populate the maps using our dynamic blocking mechanism, and letting the external XDP program do the actual blocking or response.

The packet cache has been improved so that one can now configure which EDNS options should be ignored, raising the cache hit ratio behind customer-premises equipment. The incoming and outgoing protocols have been added to the output of the grepq command for a better understanding of the recently processed traffic.

Dimitrios Mavrommatis improved the handling of AXFR and IXFR queries, making it possible to reuse a TCP connection used for a zone transfer much more efficiently.

We added support for generating the still experimental SVCB and HTTPS records directly from dnsdist, offering potential benefits to both performance and privacy.

Our LMDB code has gained the ability to do range-based lookups, and is now more performant even for simple lookups.

Extending the per-thread custom load-balancing policies introduced in 1.6.0, it is now possible to write blazing-fast, lock-less per-thread custom actions using the Lua foreign function interface.

Holger Hoffstätte also improved the reporting of an unavailable backend, making sure the existing metrics are no longer reported to prevent any confusion.

This release also reduces the memory footprint of dnsdist in several places, which makes it easier to use in resource-constrained environments.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.

With this release, the 1.4.x releases become be EOL and the 1.5.x and 1.6.x releases go into critical security fixes only mode.

Finally, we would like to thank the PowerDNS community and all external contributors for their great work in this release!

First release candidate of dnsdist 1.7.0

Hello!

We are happy to announce the first release candidate of what will become dnsdist 1.7.0, with only one fix and one improvement since the second beta.

We fixed a crash introduced in 1.7.0-alpha1 that could occur when a DoH query was forwarded to a backend over TCP, DoT or DoH and the response was dropped by a rule.

We also improved the health-checks queries done over DoT so that we could use any cached TLS ticket when connecting to the server, but also save new tickets so that they can be used for later connections. That reduces the CPU load and improves response time on devices dealing with a low number of queries per second.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.

With the future 1.7.0 final release, the 1.4.x releases will be EOL and the 1.5.x and 1.6.x releases will go into critical security fixes only mode.

Second beta release of dnsdist 1.7.0

Hello!

We are happy to announce the second beta release of dnsdist 1.7.0, with few fixes since the first beta, the most important one being a memory leak when reusing TLS sessions for outgoing DNS over TLS and DNS over HTTPS connections. During that work we stumbled upon a memory leak in some setups using GnuTLS which will have to be fixed in the library itself. After reporting it upstream we added a warning in dnsdist which will be removed when a fixed version of GnuTLS has been released.

We also fixed an error in the way we check for integer overflows in configuration values, which could have refused valid configurations.

Finally we added a function to see the current configuration of the internal web server.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.

With the future 1.7.0 final release, the 1.4.x releases will be EOL and the 1.5.x and 1.6.x releases will go into critical security fixes only mode.

First beta release of dnsdist 1.7.0

Hello!

We are happy to announce the first beta release of dnsdist 1.7.0!

We introduced a fair number of improvements and new features since the second alpha, and we will now iron out the documentation and fix any bugs before hopefully releasing the first release candidate very soon.

The main new feature is the ability to use the same outgoing TCP or DNS over TLS connection for queries coming from different clients, leading to a huge decrease of the number of outgoing connections needed when the backend supports out-of-order processing.

We also added the exact transport type to dnstap and protocol buffer messages, making it possible to differentiate between plaintext queries and DNS over HTTPS or DNS over TLS ones.

Recently Pierre Grié from Nameshield contributed an XDP program to reply to blocked UDP queries with a truncated response directly from the kernel, in a similar way to what we were already doing using eBPF socket filters. This beta finally adds support for eBPF pinned maps, allowing dnsdist to populate the maps using our dynamic blocking mechanism, and letting the external XDP program do the actual blocking or response.

Stéphane Bortzmeyer helped us pinpoint a few issues in the encryption between dnsdist and its backends, notably in the way the outgoing connections are cached while waiting to be reused. That could have led to a waste of memory piling up over time.

We also fixed an issue where the threads handling incoming DoH queries could have stopped processing responses when they were completely overloaded by TLS handshakes, leading to a degradation of performance.

The last issue was that a backend was not properly marked as non-available when a certain exception was raised during a health-check attempt.

Finally Rosen Penev contributed a lot of clean up changes to make sure that we make the best of what C++17 can offer.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.

With the future 1.7.0 final release, the 1.4.x releases will be EOL and the 1.5.x and 1.6.x releases will go into critical security fixes only mode.

Second alpha release of dnsdist 1.7.0

Hello!

We are happy to announce the second alpha release of dnsdist 1.7.0!

We spent quite some time since alpha1 reproducing an issue reported by Stéphane Bortzmeyer in our new outgoing DNS over TLS feature. The issue turned out to be triggered by the use of the GnuTLS provider, and to be only present with some versions of that library. We are still working with the GnuTLS project to get this issue resolved, but in the meantime we implemented a work-around in dnsdist itself. In addition to that work-around, this release contains a few new features, improvements and bug fixes.

Among the new features is the ability to add a custom EDNS option to a query before forwarding it to a backend, via SetEDNSOptionAction. phonedph1 also contributed a new rule making it possible to route a query based on the number of outstanding queries in a pool, PoolOutstandingRule.

The packet cache has been improved so that one can now configure which EDNS options should be ignored, raising the cache hit ratio behind customer-premises equipment. The incoming and outgoing protocols have been added to the output of the grepq command for a better understanding of the recently processed traffic. We also reduced the memory consumption of dnsdist in constrained environments a bit further.

Denis Machard reported that queries received over UDP and forwarded via a TCP, DoH or DoT were not properly cached. We also noticed that the includeDirectory configuration directive might not properly function if an exception was raised during the processing. Both issues are now fixed.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.

With the future 1.7.0 final release, the 1.4.x releases will be EOL and the 1.5.x and 1.6.x releases will go into critical security fixes only mode.

Finally, we would like to thank the PowerDNS community and all external contributors for their great work in this release!

First alpha release of dnsdist 1.7.0

Hello!

We are proud to announce the first alpha release of dnsdist 1.7.0. This release contains several new exciting features, as well as improvements and bug fixes.

In our view, the most exciting new feature is the support of outgoing DNS over TLS and DNS over HTTPS, as well as the ability to do “cross-protocol” queries, meaning a query received over a given protocol (UDP, TCP, DoT, DoH, …) can be forwarded over a different one. Now that dnsdist is capable of contacting its backend over an encrypted channel, full end-to-end encryption is possible, offering improved confidentiality and integrity.

This release also reduces the memory footprint of dnsdist in several places, which makes it easier to use in resource-constrained environments.

We added support for generating the still experimental SVCB and HTTPS records directly from dnsdist, offering potential benefits to both performance and privacy.

Our LMDB code has gained the ability to do range-based lookups, and is now more performant even for simple lookups.

Extending the per-thread custom load-balancing policies introduced in 1.6.0, it is now possible to write blazing-fast, lock-less per-thread custom actions using the Lua foreign function interface.

Dimitrios Mavrommatis improved the handling of AXFR and IXFR queries, making it possible to reuse a TCP connection used for a zone transfer much more efficiently.

Holger Hoffstätte also improved the reporting of an unavailable backend, making sure the existing metrics are no longer reported to prevent any confusion.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Release tarballs are available on the downloads website, and packages for CentOS 7 and 8, Debian Buster, Bullseye, and Ubuntu Bionic and Focal are available from our repository.

With the future 1.7.0 final release, the 1.4.x releases will be EOL and the 1.5.x releases will go into critical security fixes only mode.

Finally, we would like to thank the PowerDNS community and all external contributors for their great work in this release!

dnsdist 1.6.1 released

Hello!

We are happy to release dnsdist 1.6.1 today, a maintenance release fixing a few bugs reported since 1.6.0:

  • Adding ECS failed for queries with records in the answer or additional section (Dimitrios Mavrommatis)
  • The transport was not properly set in dnstap and protobuf messages for DoH queries
  • The outstanding queries counter was not properly reset when some TCP I/O errors occurred
  • The ability to load a new certificate on a DoH frontend was missing
  • A missing header could have caused a compilation issue on some platforms

As usual there were also other smaller enhancements and fixes, please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

The release tarball (signature) is available on the downloads website, and packages for CentOS 7 and 8, Debian Buster and Bullseye, and Ubuntu Bionic and Focal are available from our repository.