[dnsdist] PowerDNS DNSdist 2.0.0 released

Remi Gacogne remi.gacogne at powerdns.com
Mon Jul 21 13:10:36 UTC 2025


Hello!

Today we are thrilled to be releasing PowerDNS DNSdist 2.0.0.

This is the first stable release featuring the whole new YAML 
configuration syntax for DNSdist. While the existing Lua configuration 
format will remain supported, the new YAML format is much more 
consistent, tremendously easier to understand, and can easily be 
processed by external tools. A bare-bones configuration file looks like this:

---
binds:
    - listen_address: "192.0.2.1:53"
      reuseport: true
      protocol: Do53
      threads: 2

backends:
    - address: "192.0.2.128:53"
      protocol: Do53

query_rules:
    - name: "Drop queries for drop.dnsdist.org"
      selector:
        type: "QName"
        qname: "drop.dnsdist.org."
      action:
        type: "Drop"

Please be aware that the YAML configuration code has been written in the 
Rust programming language, so if you are compiling DNSdist from the 
source, you will need a Rust compiler to be able to use this optional 
feature.

This new release also comes with several new features compared to 1.9.x:

- the ability to set tags from dynamic block rules, making it possible 
to postpone the actual action to the usual rule mechanism. This means 
that the whole set of selectors and actions can now be used in 
conjunction with dynamic rules
- a new response chain to apply rules to XFR (AXFR, IXFR) responses
- a new query chain to apply rules to queries after a cache miss
- DNS over HTTP3 metadata (headers, query string, path and scheme) can 
now be accessed from selectors and Lua script
- custom HTTP responses are now supported with DNS over HTTP3
- Server Name Indication is now available for DNS over QUIC and DNS over 
HTTP3 queries, provided that DNSdist was compiled with a recent enough 
version of Quiche (>= 0.23.1)
- a new chain to apply rules on query timeouts has been implemented 
(@pacnal)
- more mitigations against misbehaving TCP and TLS clients have been added
- TLS session ticket keys are now automatically shared between identical 
frontends created using the YAML format, offering better performance
- switching TLS certificates based on the incoming Server Name 
Indication value sent by the client is now supported by the OpenSSL 
provider as well
- DSCP marking towards downstream servers has been implemented (@pacnal)
- it is now possible to call Lua methods just before stopping DNSdist
- the SetEDNSOptionResponseAction response action has been added by 
Samir Aguiar
- the ability to add more metadata to protobuf messages via 
the Lua APIs
- a load-balancing policy based on the order then weight of backend 
servers has been implemented by @pacnal

It also yields a big performance improvement for users of the LMDB 
lookup feature.

Packagers will also note that this release is introducing a new build 
mechanism using meson. Meson provides a much cleaner way of detecting 
dependencies, does not generate a huge, almost impossible to read shell 
script, and thus reduces the attack surface for supply-chain attacks. 
While it's still possible to build DNSdist using the existing autotools 
build system, meson is now the preferred way of building DNSdist, and 
new features introduced from now on might not be supported via the 
autotools build system. Our own packages are now built using meson, 
switching to the clang compiler in the process, and we encourage all 
packagers to move to meson if possible.

Other notable changes are the removal of the X-Proxied-For feature, and 
the fact that the h2o library is no longer used in our packages.

We are grateful to the PowerDNS community for the reporting of bugs, 
issues, feature requests, and especially to the submitters of fixes and 
implementations of features.

Please see the DNSdist website [1] for the more complete changelog [2] 
and the current documentation. The upgrade guide is also available there 
[3].

Please send us all feedback and issues you might have via the mailing 
list, or in case of a bug, via GitHub [4].

The release tarball [5] and its signature [6] are available on the 
downloads website, and packages for several distributions are available 
from our repository [7].

[1]: https://dnsdist.org
[2]: https://dnsdist.org/changelog.html#change-2.0.0
[3]: https://dnsdist.org/upgrade_guide.html
[4]: https://github.com/PowerDNS/pdns/issues/new/choose
[5]: https://downloads.powerdns.com/releases/dnsdist-2.0.0.tar.xz
[6]: https://downloads.powerdns.com/releases/dnsdist-2.0.0.tar.xz.sig
[7]: https://repo.powerdns.com


Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/