[dnsdist] First alpha release of dnsdist 1.5.0

Remi Gacogne remi.gacogne at powerdns.com
Fri Mar 20 13:32:34 UTC 2020


Hello everyone,

We are very happy to announce the 1.5.0 alpha 1 release of dnsdist. This
version contains several new exciting features detailed below, but also
a few breaking changes so please take the time to read the next section.
Your feedback will be much appreciated so we can deliver a stable 1.5.0
final release!

We took the opportunity of this new release to clean up a few things
that might require updating your existing configuration.

First, in systemd environments, dnsdist used to be started as root
before dropping privileges and switching to an unprivileged user, which
could lead to weird issues where files where readable during startup but
not after, or the other way around. This is no longer the case, and
dnsdist is now directly started as an unprivileged user. This might
require updating the permissions on the files accessed during startup.
It is therefore recommended to recursively chown directories used by
dnsdist:

chown -R root:dnsdist /etc/dnsdist

Packages provided on the PowerDNS Repository [1] will chown directories
created by them accordingly in the post-installation steps.

We also updated the default behaviour of our DNS over HTTPS
implementation. DoH endpoints specified in the fourth parameter of
addDOHLocal are now specified as exact paths instead of path prefixes.
For example,

addDOHLocal('2001:db8:1:f00::1', '/etc/ssl/certs/example.com.pem',
'/etc/ssl/private/example.com.key', { "/dns-query" })

will now only accept queries for /dns-query and no longer for
/dns-query/foo/bar.

The default endpoint also switched from / to /dns-query. That can be
overridden through the fourth parameter of addDOHLocal().

Finally the default SSL/TLS library used for DNS over TLS was changed
from GnuTLS to OpenSSL / LibreSSL, based on the feedback we received
from our users.

Please see the upgrade guide [2] for more information.


The most exciting new feature is the implementation of the Proxy
Protocol between dnsdist and its backends. Aimed to replace the use of
EDNS Client Subnet and our own XPF, the Proxy Protocol is an existing
standard where a small header is prepended to the query, passing not
only the source and destination addresses and ports along to the
backend, but also custom values. Support for parsing the Proxy Protocol
is already available in the development tree of the PowerDNS Recursor.

We implemented a new spoofRawAction(), which makes it possible to spoof
any kind of response from dnsdist, instead of the existing limitation to
A, AAAA and CNAME records. This new action requires submitting the
response in DNS wire-format.

While it has always been possible to write custom selectors and actions
in Lua, there was a huge performance gap between built-in rules written
in C++ and the Lua ones. This release adds the ability to use the Lua
FFI interface available in LuaJIT to write high-performance selectors
and rules, as well as load-balancing policies. With carefully written
Lua, this delivers performances almost on par with the built-in C++
rules and actions, with greater flexibility.

Several very large-scale users reported that the load-balancing policies
based on a hash of the qname could lack a bit of fairness when the
traffic was heavily skewed toward a few names, leading to some backends
receiving much more traffic than others. In order to address this
shortcoming, we added the ability to set load bounds to the chashed and
whashed policies so that queries will be dispatched to a different
backend if the one selected based on the qname is already handling more
queries than it should.

Our DNS over HTTPS implementation received several improvements,
including the ability to send cache-control headers, and to parse
X-Forwarded-For headers sent by a frontend.

Users with a large number of backends will be happy to know that we
refactored the handling of health checks so that they can now be
performed in parallel instead of sequentially, leading to a huge
performance improvement.

Finally our remote logging features using DNSTAP or our own protobuf saw
several performance enhancements, a better handling of re-connection
events, and the addition of the source and destination ports of the
query whenever possible.


We want to once again thank everyone that contributed to the testing of
the previous release candidates!

Please see the dnsdist website [3] for the more complete changelog [4]
and the current documentation.

Release tarballs are available on the downloads website [5].

Several packages are also available in our repository [1]. Please be
aware that we have enabled a few additional features in our packages,
like DNS over HTTPS, DNS over TLS and DNSTAP support, on distributions
where the required dependencies were available.


[1]: https://repo.powerdns.com
[2]: https://dnsdist.org/upgrade_guide.html#x-to-1-5-0
[3]: https://dnsdist.org
[4]: https://dnsdist.org/changelog.html#change-1.5.0
[5]: https://downloads.powerdns.com/releases/dnsdist-1.5.0-alpha1.tar.bz2


Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20200320/47ebc59c/attachment.sig>


More information about the dnsdist mailing list