[Pdns-users] dnsdist 1.7.0 released

Remi Gacogne remi.gacogne at powerdns.com
Mon Jan 17 13:01:02 UTC 2022

Hi everyone!

We are proud to announce the release of dnsdist 1.7.0. This release 
contains several new exciting features since 1.6.1, as well as 
improvements and bug fixes. It contains one single change from the first 
release candidate, a fix for DynBlockRatioRule::warningRatioExceeded 
provided by Doug Freed.

In our view, the most exciting new feature of 1.7.0 is the support of 
outgoing DNS over TLS and DNS over HTTPS, as well as the ability to do 
"cross-protocol" queries, meaning a query received over a given protocol 
(UDP, TCP, DoT, DoH, ...) can be forwarded over a different one. Now 
that dnsdist is capable of contacting its backend over an encrypted 
channel, full end-to-end encryption is possible, offering improved 
confidentiality and integrity.

Among the new features is the ability to add a custom EDNS option to a 
query before forwarding it to a backend, via SetEDNSOptionAction. 
phonedph1 also contributed a new rule making it possible to route a 
query based on the number of outstanding queries in a pool, 

Pierre Grié from Nameshield contributed an XDP program to reply to 
blocked UDP queries with a truncated response directly from the kernel, 
in a similar way to what we were already doing using eBPF socket 
filters. This version adds support for eBPF pinned maps, allowing 
dnsdist to populate the maps using our dynamic blocking mechanism, and 
letting the external XDP program do the actual blocking or response.

The packet cache has been improved so that one can now configure which 
EDNS options should be ignored, raising the cache hit ratio behind 
customer-premises equipment. The incoming and outgoing protocols have 
been added to the output of the grepq command for a better understanding 
of the recently processed traffic.

Dimitrios Mavrommatis improved the handling of AXFR and IXFR queries, 
making it possible to reuse a TCP connection used for a zone transfer 
much more efficiently.

We added support for generating the still experimental SVCB and HTTPS 
records directly from dnsdist, offering potential benefits to both 
performance and privacy.

Our LMDB code has gained the ability to do range-based lookups, and is 
now more performant even for simple lookups.

Extending the per-thread custom load-balancing policies introduced in 
1.6.0, it is now possible to write blazing-fast, lock-less per-thread 
custom actions using the Lua foreign function interface.

Holger Hoffstätte also improved the reporting of an unavailable backend, 
making sure the existing metrics are no longer reported to prevent any 

This release also reduces the memory footprint of dnsdist in several 
places, which makes it easier to use in resource-constrained environments.

Please see the dnsdist website [1] for the more complete changelog [2] 
and the current documentation.

Please send us all feedback and issues you might have via the mailing 
list, or in case of a bug, via GitHub [3].

The release tarball [4] and its signature [5] are available on the 
downloads website, and packages for several distributions are available 
from our repository [6].

With this release, the 1.4.x releases become EOL and the 1.5.x and 1.6.x 
releases go into critical security fixes only mode.

Finally, we would like to thank the PowerDNS community and all external 
contributors for their great work in this release!

[1]: https://dnsdist.org
[2]: https://dnsdist.org/changelog.html#change-1.7.0
[3]: https://github.com/PowerDNS/pdns/issues/new/choose
[6]: https://repo.powerdns.com

Best regards,
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20220117/13329d26/attachment.sig>

More information about the Pdns-users mailing list