dnsdist 1.3.2 released

Jul 10, 2018

We are very happy to announce the 1.3.2 release of dnsdist. This release contains a few new features, but is mostly fixing bugs and documentation issues reported since the release of dnsdist 1.3.0. You might be wondering why this release is not numbered 1.3.1, we discovered a build issue on some platforms right after tagging 1.3.1 and therefore decided to release 1.3.2 right away.

Breaking changes

After discussing with several users, we noticed that quite a lot of them were not aware that enabling the dnsdist’s console without a key, even restricted to the local host, could be a security issue and allow privilege escalation by allowing an unprivileged user to connect to the console and execute Lua code as the dnsdist user. We therefore decided to refuse any connection to the console until a key has been set, so please check that you do set a key before upgrading if you use the console.

New features

The DNS over TLS feature introduced in 1.3.0 was missing the ability to support both an RSA and an ECDSA certificate at the same time, and it was not possible to switch to a new certificate without restarting dnsdist. This has now been fixed.

The packet cache has also been improved in this release, with the addition of a negative TTL option to be able to specify how long NODATA and NXDOMAIN answers should be cached, as well as a way to dump the content of the cache. We also made the detection of ECS collisions more robust, preventing two queries for the same name, type and class but a different ECS subnet from colliding even if they did hash to the same value.

This version gained the ability to insert dynamic rules that do nothing, and do not stop the processing of subsequent rules, which is very useful for testing purposes. The optimized DynblockRulesGroup introduced in 1.3.0 also gained the ability to whitelist and blacklist ranges from dynamic rules, for example to prevent some clients from ever being blocked by a rate-limiting rule.

Finally, we introduced the new SetECSAction directive to be able to force the ECS value sent to a downstream server for some or all queries.

Bug fixes

In addition to various documentation and cosmetics fixes, a few annoying bugs have been fixed in this release:

  • If the first connection attempt to a given backend failed, dnsdist didn’t properly reconnect even when the backend became available ;
  • Dynamic blocks were sometimes created with the wrong duration ;
  • The ability to iterate over the results of the Lua exceed*() functions was broken in 1.3.0, preventing manual whitelisting from Lua ;
  • Some statistics were displayed with too many decimals in the web interface ;
  • A backend outstanding queries counter could become wrong if it dropped a lot of queries for a while.

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.

About the author

Bert Hubert

Bert Hubert

Principal, PowerDNS

Categories

Related Articles

PowerDNS brings encrypted DNS capabilities onto routers for the...

Helps protect confidentiality and integrity of traffic in the first mile CPE (customer premise equipment) manufacturers,...

Chris Holder Jul 5, 2023

DNSdist as a router-ready solution

As you might have read, with the release of DNSdist 1.8, PowerDNS brings DNS encryption with DNS over TLS (DoT) and DNS over...

Bob Brandt Apr 12, 2023

Production-ready PowerDNS Cloud Control available

DNS is one of the vital components of the internet, invisibly making the internet work for everyone for almost four decades....

Alexander ter Haar Dec 5, 2022

PowerDNS @ Network X 2022

This year, for the first time, Network X took place in Amsterdam, the Netherlands. As a new format, Network X combines the...

Cord Stukenberg Oct 25, 2022