DNSdist as a router-ready solution

Apr 12, 2023

DNSdist_blog

As you might have read, with the release of DNSdist 1.8, PowerDNS brings DNS encryption with DNS over TLS (DoT) and DNS over HTTPS (DoH) to CPEs and therefore protects the confidentiality and integrity of traffic in the first mile of the internet access. The reason for our efforts to make DNSdist CPE-ready is obvious: DNS acts as the address book of the internet and is a key element in making services accessible by providing human-readable domain names for internet services. For consumers, any action on the internet starts with the client looking up the IP addresses of the service using the domain name system. These lookups are sent to the CPE[1] (customer premise equipment), which is the box provided by the internet service provider to facilitate a user’s connection (often called ‘the ISP router’ or modem). The CPE thus represents the initial gateway into a user’s network.

Plaintext DNS requests over UDP or TCP are often simply forwarded by the router to the DNS infrastructure inside the ISP’s network. This could consist of a PowerDNS recursive DNS solution with our Recursor and DNSdist, as well as the Protect DNS security filtering capabilities, residing inside the ISP’s data centers. This is where all the complex features and DNS filtering takes place.

However, with the current release of DNSdist 1.8, it is now possible to run DNSdist on the router or CPE itself. Having DNSdist on the router can bring a range of advantages. For example, the router can act as an encrypted DNS endpoint (with DoH or DoT) and provide additional powerful capabilities such as scripting, rate-limiting, and caching. It also enables DNS-based security filtering on the router, much closer to the end-user.

Technically, making DNSdist ‘router-ready’ was no small feat: Home routers often have very limited CPU-power and RAM available. In the past year, the PowerDNS development team has been working hard on making DNSdist ready for this challenge. This included enabling DNSdist to make efficient use of the resources within the ‘lower-spec’ devices that ISPs typically provide as routers. In addition, DNSdist 1.8 is now available for the open-source router-designated operating system OpenWrt[2]. This means DNSdist can now run on low-end hardware with a limited RAM, storage, and CPU footprint.

At PowerDNS, we are very excited about this development and the possibilities it opens up. We believe that with this, DNSdist will become an invaluable tool to have on routers, which will also help further drive the adoption of encrypted DNS.

With these developments, PowerDNS can work with CPE manufacturers and solution providers to offer security and encrypted DNS functionality on the router, the ‘front door’ into a user’s network of connected devices.

Please reach out to us if you would like to learn more about router-ready DNSdist.


1The CPE often consists of a modem and router in one. This device acts as the connection point between a user’s home network (via Wi-Fi or UTP cables in the house) and the internet providers network (via DSL, cable, or fiber connections).
2OpenWrt is a router-specific Linux-based operating system, see www.openwrt.org.

About the author

Bob Brandt

Bob Brandt

VP PowerDNS Engineering

Categories

Related Articles

Customer Focus: Yvan Knapp, Chief Strategy Officer at Hostpoint

Hostpoint has been shaping the internet in Switzerland since 2001 and is now the country’s largest web hosting provider and...

Chris Holder Oct 5, 2023

PowerDNS brings encrypted DNS capabilities onto routers for the...

Helps protect confidentiality and integrity of traffic in the first mile CPE (customer premise equipment) manufacturers,...

Chris Holder Jul 5, 2023

DNSdist as a router-ready solution

As you might have read, with the release of DNSdist 1.8, PowerDNS brings DNS encryption with DNS over TLS (DoT) and DNS over...

Bob Brandt Apr 12, 2023

Production-ready PowerDNS Cloud Control available

DNS is one of the vital components of the internet, invisibly making the internet work for everyone for almost four decades....

Alexander ter Haar Dec 5, 2022