DNSdist 1.5.0 delivers enhancements for DoH and better performance

Jul 31, 2020

Open-Xchange has launched the latest version of DNSdist – our unique DNS proxy and load balancer that optimizes the internet experience of hundreds of millions of internet subscribers.

It is a major driver of DNS encryption and powers some significant production DNS over HTTPS (DoH) environments, as well as pilots for a range of big international telcos. It also ensures the best possible performance of DNS deployments and optimizes DNS traffic in front of the PowerDNS Recursor (or existing legacy recursive DNS servers), delivering low-latency responses to subscribers based on location, time and content.

In addition, DNSdist is highly optimized to protect against malicious and abusive traffic such as DDoS attacks and DNS tunneling, and includes a flexible policy engine to enable new rules and filters to be created and combined to suit the characteristics of local traffic.

PowerDNS DNSdist 1.5.0 comes with performance enhancements and offers improvements in areas including DNS encryption and per device security.

DNSdist 1.4.0, which launched in November 2019, introduced two standards to encrypt DNS traffic, DNS over TLS (DoT) and DoH. Both of these protocols provide privacy and integrity protection for DNS traffic and are used to encrypt the traffic between the DNS client (e.g. laptop, mobile device, IoT device, etc.) and the DNS resolver.

DNSdist 1.4.0 is currently involved in a range of trials with large network providers, including BT in the UK, which understands the importance of keeping DNS available at the Internet Service Provider. This brings advantages both to end-users, in terms of latency and access to local content caches, and to the network itself, as it offers better control over CDN caching and over the end-to-end latency experience for subscribers.

To further support the use of DNS encryption, DNSdist 1.5.0 comes with a number of DoH improvements, such as the interaction with generic HTTPS caches through a cache control header. The cache control header allows setting the lowest DNS time to live (TTL) for the generic cache, forcing the cache to be cleared at the minimum expiration time.

DNSdist 1.5.0 also further extends PowerDNS’ endpoint security capabilities and enables specific per device filtering options for parental controls and malware protection. This is done via a proxy protocol, which provides the information needed for automated decision-making and autonomous actions.

Finally, DNSdist 1.5.0 also improves the load balancer's overall performance, so that every DNS installation performs as well as possible. This includes:

  • Custom Lua rules that now enable DNSdist to adapt to individual needs without impacting performance;
  • The ability to balance traffic over all backends equally when desired, so that no individual backend handles significantly more traffic than others;
  • Quicker overall checkups based on parallel – instead of sequential – health checks for installations with a large number of backends;
  • Overall performance improvement for logging queries.

For more information on PowerDNS DNSdist 1.5.0 please contact us or, if you’d like more details, please visit the PowerDNS blog.


About the author

Alexander ter Haar

PowerDNS Product Management

