[Pdns-announce] dnsdist 1.3.0 released

Remi Gacogne remi.gacogne at powerdns.com
Fri Mar 30 08:37:00 UTC 2018

Hello everyone,

We are very happy to announce the 1.3.0 release of dnsdist, with a huge
emphasis on privacy and scalability.


A lot of users were interested in DNS over TLS [1] support in dnsdist,
to protect the privacy of queries and responses in transit between the
client and dnsdist. We have been supporting DNSCrypt [2] since 1.0.0,
and we improved it in this release by adding support for multiple active
certificates as well as for the new xchacha20 algorithm, but DNS over
TLS is getting more traction and it made complete sense to support it in
dnsdist. Our implementation can use either OpenSSL or GnuTLS, and we
advise to compile with both backends enabled in order to be able to
quickly from one to another should a serious vulnerability in one of
them be found.


As dnsdist is deployed on huge setups, we noticed that it did not scale
as well as we expected over a large number of CPU cores. We investigated
and found several points of contention, which we addressed by going
lockless whenever possible, or by reducing the granularity of the
involved locks when it was not. This led to the optional sharding of the
packet cache and our in-memory ring buffers, as well as a new per-pool
mutex replacing the global Lua one for non-Lua load-balancing policies.
We had known for a while that dnsdist opening a single socket toward
each backend was not playing well in some scenarios, for example in
front of PowerDNS Recursor with multiple threads, reuseport support
enabled and pdns-distribute-queries set to no, because the kernel would
then not distribute queries evenly over the different threads. A known
work-around was to add the same backend several times in the
configuration, but it made metrics hard to understand and caused an
unnecessary amount of contexts switching. Starting with 1.3.0, dnsdist
supports opening a configurable amount of sockets towards a single backend.
Finally we observed that CPU pinning made a huge difference on some
setups, especially on NUMA, so we added the possibility to pin client
and backend facing threads to specific CPU cores.


The solution to pass the client IP on to the backend in dnsdist has
always been to add an EDNS Client Subnet option to the query. While it
does work nicely, ECS was not designed for this use case and thus lacks
some relevant information like the original source and destination
ports, as well as the original destination IP. It also makes it
impossible to keep any existing ECS information and forward the original
source IP.
In coordination with the nice people from ISC, PowerDNS is working on a
new solution called XPF [3], whose current draft is now implemented in


In addition to our existing protocol buffer-based solution to export
live information on queries and responses processed by dnsdist, Justin
Valentini and Chris Hofstaedtler contributed support for exporting
queries and responses over the dnstap [4] protocol, which is supported
by several other open source DNS servers and can be processed by third
party tools.

Older versions

With the release of 1.3.0 today, we are also announcing that the 1.0 and
1.1 branches of dnsdist are now end of life and will not receive any
updates, not even security fixes.
Note: Users with a commercial agreement with PowerDNS.COM BV or
Open-Xchange can receive extended support for releases which are End Of
Life. If you are such a user, these EOL statements do not apply to you.

Other Changes

As a final note, please be aware of three noteworthy changes in this new
- First we removed the --daemon option, in which we kept finding new
bugs. Very few users were actually using it, and since most OS provide
at least one supervisor we decided to simply remove it ;
- Secondly we added the possibility to restrict access to the console
using an ACL when it's bound to a non-loopback IP. The default ACL
allows connections from and ::1 only, so you might need to
update it to keep using the console over the network. Please make sure
that you have enabled encryption before doing so ;
- We finally removed some functions that were deprecated in 1.2.0
because they were redundant and made it harder to understand how the
rules and actions actually work. Please have a look at the documentation
to update your configuration.

Please see the dnsdist website [5] for the more complete changelog [6]
and the current documentation.

Release tarballs are available on the downloads website [7].

Several packages are also available on our repository [8].

[1]: https://tools.ietf.org/html/rfc7858
[2]: https://dnscrypt.info
[3]: https://tools.ietf.org/html/draft-bellis-dnsop-xpf-04
[4]: http://dnstap.info/
[5]: https://dnsdist.org
[6]: https://dnsdist.org/changelog.html
[7]: https://downloads.powerdns.com/releases/dnsdist-1.3.0.tar.bz2
[8]: https://repo.powerdns.com/

Best regards,

Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-announce/attachments/20180330/968b2b35/attachment.sig>

More information about the Pdns-announce mailing list