[dnsdist] PowerDNS DNSdist 2.0.0 released
Remi Gacogne
remi.gacogne at powerdns.com
Mon Jul 21 13:10:36 UTC 2025
Hello!
Today we are thrilled to be releasing PowerDNS DNSdist 2.0.0.
This is the first stable release featuring the whole new YAML
configuration syntax for DNSdist. While the existing Lua configuration
format will remain supported, the new YAML format is much more
consistent, tremendously easier to understand, and can easily be
processed by external tools. A bare-bone configuration file looks like this:
---
binds:
- listen_address: "192.0.2.1:53"
reuseport: true
protocol: Do53
threads: 2
backends:
- address: "192.0.2.128:53"
protocol: Do53
query_rules:
- name: "Drop queries for drop.dnsdist.org"
selector:
type: "QName"
qname: "drop.dnsdist.org."
action:
type: "Drop"
Please be aware that the YAML configuration code has been written in the
Rust programming language, so if you are compiling DNSdist from the
source, you will need a Rust compiler to be able to use this optional
feature.
This new release also comes with several new features compared to 1.9.x:
- the ability to set tags from dynamic block rules, making it possible
to postpone the actual action to the usual rule mechanism. This means
that the whole set of selectors and actions can now be used in
conjunction with dynamic rules
- a new response chain to apply rules to XFR (AXFR, IXFR) responses
- a new query chain to apply rules to queries after a cache miss
- DNS over HTTP3 metadata (headers, query string, path and scheme) can
now be accessed from selectors and Lua script
- Custom HTTP responses are now supported with DNS over HTTP3
- Server Name Indication is now available for DNS over QUIC and DNS over
HTTP3 queries, provided that DNSdist was compiled with a recent enough
version of Quiche (>= 0.23.1)
- a new chain to apply rules on query timeouts has been implemented
(@pacnal)
- more mitigations against misbehaving TCP and TLS clients have been added
- TLS session ticket keys are not automatically shared between identical
frontends created using the YAML format, offering better performance
- switching TLS certificates based on the incoming Server Name
Indication value sent by the client is now supported by the OpenSSL
provider as well
- DSCP marking towards downstream servers has been implemented (@pacnal)
- it is now possible to call Lua methods just before stopping DNSdist
- the SetEDNSOptionResponseAction response action has been added by
Samir Aguiar
- the ability to add more meta-data information to protobuf messages via
the Lua APIs
- a load-balancing policy based on the order then weight of backend
servers has been implemented by @pacnal
It also yields a big performance improvement for users of the LMDB
lookup feature.
Packagers will also note that this release is introducing a new build
mechanism using meson. Meson provides a much cleaner way of detecting
dependencies, does not generate a huge, almost impossible to read shell
script, and thus reduces the attack surface for supply-chain attacks.
While it's still possible to build DNSdist using the existing autotools
build system, meson is now the preferred way of building DNSdist, and
new features introduced from now on might not be supported via the
autotools build system. Our own packages are now built using meson,
switching to the clang compiler in the process, and we encourage all
packagers to move to meson if possible.
Other notable changes are the removal of the X-Proxied-For feature, and
the fact that the h2o library is no longer used in our packages.
We are grateful to the PowerDNS community for the reporting of bugs,
issues, feature requests, and especially to the submitters of fixes and
implementations of features.
Please see the DNSdist website [1] for the more complete changelog [2]
and the current documentation. The upgrade guide is also available there
[3].
Please send us all feedback and issues you might have via the mailing
list, or in case of a bug, via GitHub [4].
The release tarball [5] and its signature [6] are available on the
downloads website, and packages for several distributions are available
from our repository [7].
[1]: https://dnsdist.org
[2]: https://dnsdist.org/changelog.html#change-2.0.0
[3]: https://dnsdist.org/upgrade_guide.html
[4]: https://github.com/PowerDNS/pdns/issues/new/choose
[5]:
https://downloads.powerdns.com/releases/dnsdist-2.0.0.tar.xz
[6]:
https://downloads.powerdns.com/releases/dnsdist-2.0.0.tar.xz.sig
[7]: https://repo.powerdns.com
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20250721/4df4302f/attachment.sig>
More information about the dnsdist
mailing list