Changelog
1.3.0
Released: 30th of March 2018
New Features
Add an optional status parameter to Server:setAuto().
References: pull request 5625
Add inClientStartup() function.
References: pull request 6072
Add tag-based routing of queries.
References: pull request 6037
Add experimental DNS-over-TLS support.
References: pull request 6175, pull request 6117, pull request 6189, pull request 6176, pull request 6177
Add simple dnstap support (Justin Valentini, Chris Hofstaedtler).
References: pull request 5201, pull request 6170
Add experimental XPF support based on draft-bellis-dnsop-xpf-04.
References: #5654, #5079, pull request 5594, pull request 6220
Add ERCodeRule() to match on extended RCodes (Chris Hofstaedtler).
References: pull request 6147
Add TempFailureCacheTTLAction() (Chris Hofstaedtler).
References: pull request 6003
Add DynBlockRulesGroup to improve processing speed of the maintenance() function by reducing memory usage and not walking the ring buffers multiple times.
References: pull request 6391
Add console ACL functions.
References: #4654, pull request 6399
Allow adding EDNS Client Subnet information to a query before looking in the cache. This allows serving ECS-enabled answers from the cache when all servers in a pool are down.
References: #6098, pull request 6400
Improvements
Add cache sharding, recvmmsg and CPU pinning support. With these, the scalability of dnsdist is drastically improved.
References: #5859, #5202, pull request 5576, pull request 5860
Add burst option to MaxQPSIPRule() (42wim).
References: pull request 5970
Add Pools, cacheHitResponseRules to the API.
References: pull request 6022
Add a class option to health checks.
References: #5748, pull request 5929
Add UUIDs to rules; this allows tracking rules through modifications and moving them around.
References: pull request 6030
Apply ResponseRules to locally generated answers (Chris Hofstaedtler).
References: #6182, pull request 6185
Report LuaAction() and LuaResponseAction() failures in the log and send SERVFAIL instead of not answering the query (Chris Hofstaedtler).
References: pull request 6283
Unify global statistics accounting (Chris Hofstaedtler).
References: pull request 6289
Speed up the processing of large ring buffers. This change will make dnsdist more scalable with a large number of different clients.
References: pull request 6350, pull request 6366
Make custom addLuaAction() and addLuaResponseAction() callbacks’ second return value optional.
References: #6346, pull request 6363
Add “server-up” metric count to Carbon Reporting (Lowell Mower).
References: pull request 6327
Add xchacha20 support for DNSCrypt.
References: pull request 6382, pull request 6045
Scalability improvement: add an option to use several source ports towards a backend.
References: pull request 6317
Add ‘?’ and ‘help’ for providing help() output on dnsdist -c (Kirill Ponomarev, Chris Hofstaedtler).
References: #4845, pull request 6375, pull request 5866
Replace the Lua mutex with a rw lock to limit contention. This improves the processing speed and parallelism of the policies.
References: pull request 6190, pull request 6381
Ensure dnsdist compiles on NetBSD (Tom Ivar Helbekkmo).
References: pull request 6146
Also log eBPF dynamic blocks, as regular dynamic blocks already are.
References: #5845, pull request 5845
Ensure large numbers are shown correctly in the API.
References: #6211, pull request 6401
Add option to showRules() to truncate the output length.
References: #5763, pull request 6402
Fix several warnings reported by clang’s analyzer and cppcheck; this should lead to small performance increases.
References: pull request 6407
Bug Fixes
Handle SNMP alarms so we can reconnect to the master.
References: #5327, pull request 5328
Fix signed/unsigned comparison warnings on ARM.
References: #5489, pull request 5597
Keep trying if the first connection to the remote logger failed.
References: pull request 5770
Fix an off-by-one when escaping unusual DNS label octets in DNSName (Kees Monshouwer).
References: pull request 6018
Avoid assertion errors in NewServer() (Chris Hofstaedtler).
References: pull request 6403
Removals
Remove the --daemon option from dnsdist.
References: #6329, pull request 6394
1.2.1
Released: 16th of February 2018
New Features
Add configuration option to disable IP_BIND_ADDRESS_NO_PORT (Dan McCombs).
References: pull request 5880
Improvements
Handle bracketed IPv6 addresses without ports (Chris Hofstaedtler).
References: pull request 6057
Bug Fixes
Make dnsdist dynamic truncate do the right thing on TCP/IP.
References: pull request 5647
Add missing QPSAction.
References: pull request 5686
Don’t create a Remote Logger in client mode.
References: pull request 5847
Use libsodium’s CFLAGS; we might need them to find the includes.
References: pull request 5858
Keep the TCP connection open on cache hits and generated answers.
References: pull request 6012
Add the missing <sys/time.h> include to mplexer.hh for struct timeval.
References: pull request 6041
Sort the servers based on their ‘order’ after it has been set.
References: pull request 6043
Quiet unused variable warning on macOS (Chris Hofstaedtler).
References: pull request 6073
Fix the outstanding counter when an exception is raised.
References: #5652, pull request 6094
Do not connect the snmpAgent from a dnsdist client.
References: #6163, pull request 6164
1.2.0
Released: 21st of August 2017
New Features
Add an option to export CNAME records over protobuf.
References: #4709, pull request 4776
Add TCP management options from RFC 7766 section 10.
References: pull request 4611
Add an option to ‘mute’ UDP responses per bind.
References: #4527, pull request 4536
Save history to home-dir, only use CWD as a last resort.
References: #4562, pull request 4779
Add the setRingBuffersSize() directive to allow changing the ring buffer size.
References: pull request 4898
Allow TTL alteration via Lua.
References: #4707, pull request 4787
Add RDRule() to match queries with the RD flag set.
References: pull request 4837
Add setWHashedPertubation() for consistent whashed results.
References: pull request 4897
Add tcpConnectTimeout to newServer().
References: pull request 4818
Add cache hit response rules.
References: #4708, pull request 4788, pull request 5036
Add SNMP support.
References: pull request 5123, pull request 5204, pull request 4989
Allow passing DNSNames as DNSRules.
References: pull request 5070
Add support for setting the server selection policy on a per pool basis (Robin Geuze).
References: pull request 5113
Add a suffixMatch parameter to PacketCache:expungeByName() (Robin Geuze).
References: pull request 5159
Add an option so the packet cache entries don’t age.
References: #5126, pull request 5136
Add QNameRule().
References: pull request 5235
Add an optional action to addDynBlocks().
References: pull request 5337
Add an optional interface parameter to addLocal()/setLocal().
References: pull request 5344
Make a truncate action available to DynBlock and Lua.
References: pull request 5386
Implement a runtime-changeable rule that matches IP addresses for a certain time, called TimedIPSetRule().
References: pull request 5336
Add support for returning several IPs to spoof from Lua.
References: pull request 5496
Add Lua bindings to be able to rotate DNSCrypt keys, see DNSCrypt.
References: #5507, #5420, pull request 5490, pull request 5508
Add the capability to set arbitrary tags in protobuf messages.
References: pull request 5577, pull request 5396
Add setConsoleConnectionsLogging().
References: #5565, pull request 5581
Improvements
Merge the client and server nonces to prevent replay attacks.
References: pull request 4815
Store the computed shared key and reuse it for the response for DNSCrypt messages.
References: pull request 4813, pull request 4926
Add setTCPUseSinglePipe() to use a single TCP waiting queue.
References: pull request 4817
Add sendSizeAndMsgWithTimeout to send size and data in a single call and use it for TCP Fast Open towards backends.
References: #5494, pull request 5501, pull request 4985
Tune systemd unit-file for medium-sized installations (Winfried Angele).
References: pull request 4958
Add the possibility to fill a NetmaskGroup (using NetmaskGroup:addMask()) from exceeds* results.
References: pull request 5185
Add labels count to StatNode, only set the name once.
References: pull request 5353
DNSName: Check that both of the first two bits are set in compressed labels.
References: #4851, pull request 4852
Handle unreachable servers at startup, reconnect stale sockets.
References: #4131, #4155, pull request 4285
Gracefully handle invalid addresses in newServer().
References: #4471, pull request 4474
Use IP_BIND_ADDRESS_NO_PORT when available.
References: pull request 4786
Add an optional seconds parameter to statNodeRespRing().
References: #4660, #4775, pull request 4780
Report a more specific Lua version and report LuaJIT in --version.
References: pull request 4910
Prevent issues by unshadowing variables.
References: pull request 5056
Register DNSName::chopOff (@plzz).
References: pull request 4920
Make includeDirectory() work sorted (Robin Geuze).
References: #5053, pull request 5150, pull request 5171
Allow embedded NULs in strings received from Lua.
References: pull request 5147
Clean up closed TCP downstream connections.
References: pull request 5163
Improve reporting of C++ exceptions that bubble up via Lua.
References: pull request 5230
Add better logging on queries that get dropped, timed out or received.
References: pull request 5253
Print useful messages when query and response actions are mixed.
References: pull request 5342
Add DNSRule::toString() and add virtual destructors to DNSRule, DNSAction and DNSResponseAction so the destructors of derived classes are run even when deleted via the base type.
References: pull request 5497
Don’t use square brackets for IPv6 in Carbon metrics.
References: #5538, pull request 5579
Bug Fixes
Unified -k and setKey() behaviour for client and server mode.
References: pull request 5199
Refactor SuffixMatchNode using a SuffixMatchTree.
References: #4761, pull request 4950
Get rid of std::move() calls preventing copy elision.
References: pull request 5359
Send an HTTP 404 on unknown API paths.
References: pull request 5089
LuaWrapper: Use the correct index when storing a function.
References: pull request 4775
Send a latency of 0 over carbon, null over API for down servers.
References: #4689, pull request 4785
Fix negative port detection for IPv6 addresses on 32-bit.
References: pull request 4911
Fix crashes on SmartOS/Illumos (Roman Dayneko).
References: #4579, pull request 4877
Change truncateTC to default to off; having it enabled by default causes an incompatibility with RFC 6891 (Robin Geuze).
References: #4857, pull request 4859
Don’t cache answers without any TTL (like SERVFAIL).
References: #4983, pull request 4987, pull request 5037
Fix destination port reporting on “any” binds.
References: pull request 5194
Correctly truncate EDNS Client Subnet masks.
References: pull request 5320
Fix RecordsTypeCountRule()’s handling of the number of records in a section.
References: #5365, pull request 5369
Change stats functions to always return lowercase names (Robin Geuze).
References: #5287, pull request 5383
Only use TCP Fast Open when supported and prevent compiler warnings.
References: pull request 5454, pull request 5449
Skip timeouts on the response latency graph.
References: #5559, pull request 5563
Copy the DNS header before encrypting it in place.
References: #5566, pull request 5580
Removals
Remove BlockFilter.
References: #5513, pull request 5514
Deprecate syntactic sugar functions.
References: #5069, pull request 5526
Misc
Fix potential pointer wrap-around on 32 bits.
References: pull request 5630
Make the API available with an API key only.
References: pull request 5631
1.1.0-beta2
Released December 14th 2016
Changes since 1.1.0-beta1:
New features
- #4518: Fix dynblocks over TCP, allow refusing dyn blocked queries
- #4519: Allow altering the ECS behavior via rules and Lua
- #4535: Add DNSQuestion:getDO()
- #4653: getStatisticsCounters() to access counters from Lua
- #4657: Add includeDirectory(dir)
- #4658: Allow editing the ACL via the API
- #4702: Add setUDPTimeout(n)
- #4726: Add an option to return ServFail when no server is available
- #4748: Add setCacheCleaningPercentage()
Improvements
- #4533: Fix building with clang on OS X and FreeBSD
- #4537: Replace luawrapper’s std::forward/std::make_tuple combo with std::forward_as_tuple (Sangwhan “fish” Moon)
- #4596: Change the default max number of queued TCP conns to 1000
- #4632: Improve dnsdist error message on a common typo/config mistake
- #4694: Don’t use a const_iterator for erasing (fix compilation with some versions of gcc)
- #4715: Specify that dnsmessage.proto uses protobuf version 2
- #4765: Some service improvements
Bug fixes
- #4425: Fix a protobuf regression (requestor/responder mix-up) caused by a94673e
- #4541: Fix insertion issues in SuffixMatchTree, move it to dnsname.hh
- #4553: Flush output in single command client mode
- #4578: Fix destination address reporting
- #4640: Don’t exit dnsdist on an exception in maintenance
- #4721: Handle exceptions in the UDP responder thread
- #4734: Add the TCP socket to the map only if the connection succeeds. Closes #4733
- #4742: Decrement the queued TCP conn count if writing to the pipe fails
- #4743: Ignore newBPFFilter() and newDynBPFFilter() in client mode
- #4753: Fix FD leak on TCP connection failure, handle TCP worker creation failure
- #4764: Prevent race while creating new TCP worker threads
1.1.0-beta1
Released September 1st 2016
Changes since 1.0.0:
New features
- #3762 TeeAction: send copy of query to second nameserver, sponge responses
- #3876 Add showResponseRules(), {mv,rm,top}ResponseRule()
- #3936 Filter on opcode, records count/type, trailing data
- #3975 Make dnsdist {A,I}XFR aware, document possible issues
- #4006 Add eBPF source address and qname/qtype filtering
- #4008 Node infrastructure for querying recent traffic
- #4042 Add server-side TCP Fast Open support
- #4050 Add clearRules() and setRules()
- #4114 Add QNameLabelsCountRule() and QNameWireLengthRule()
- #4116 Added src boolean to NetmaskGroupRule to match destination address (Reinier Schoof)
- #4175 Implemented query counting (Reinier Schoof)
- #4244 Add a setCD parameter to set cd=1 on health check queries
- #4284 Add RCodeRule(), Allow, Delay and Drop response actions
- #4305 Add an optional Lua callback for altering a Protobuf message
- #4309 Add showTCPStats function (Robin Geuze)
- #4329 Add options to LogAction() so it can append (instead of truncate) (Duane Wessels)
Improvements
- #3714 Add documentation links to dnsdist.service (Ruben Kerkhof)
- #3754 Allow the use of custom headers in the web server
- #3826 Implement a ‘quiet’ mode for SuffixMatchNodeRule()
- #3836 Log the content of webserver’s exceptions
- #3858 Only log YaHTTP’s parser exceptions in verbose mode
- #3877 Increase max FDs in systemd unit, warn if clearly too low
- #4019 Add an optional addECS option to TeeAction()
- #4029 Add version and feature information to version output
- #4079 Return an error on RemoteLog{,Response}Action() w/o protobuf
- #4246 API now sends pools as a JSON array instead of a string
- #4302 Add help() and showVersion()
- #4286 Add response rules to the API and Web status page
- #4068 Display the dyn eBPF filters stats in the web interface
Bug fixes
- #3755 Fix RegexRule example in dnsdistconf.lua
- #3773 Stop copying the HTTP request headers to the response
- #3837 Remove dnsdist service file on trusty
- #3840 Catch WrongTypeException in client mode
- #3906 Keep the servers ordered inside pools
- #3988 Fix grepq() output in the README
- #3992 Fix some typos in the AXFR/IXFR documentation
- #3995 Fix comparison between signed and unsigned integer
- #4049 Fix dnsdist rpm building script #4048 (Daniel Stirnimann)
- #4065 Include editline/readline.h instead of readline.h/history.h
- #4067 Disable eBPF support when BPF_FUNC_tail_call is not found
- #4069 Fix a buffer overflow when displaying an OpcodeRule
- #4101 Fix $ expansion in build-dnsdist-rpm
- #4198 newServer setting maxCheckFailures makes no sense (stutiredboy)
- #4205 Prevent the use of “any” addresses for downstream server
- #4220 Don’t log an error when parsing an invalid UDP query
- #4348 Fix invalid outstanding count for {A,I}XFR over TCP
- #4365 Reset origFD asap to keep the outstanding count correct
- #4375 Tuple requires make_tuple to initialize
- #4380 Fix compilation with clang when eBPF support is enabled
1.0.0
Released April 21st 2016
Changes since 1.0.0-beta1:
Improvements
- #3700 Create user from the RPM package to drop privs
- #3712 Make check should run testrunner
- #3713 Remove contrib/dnsdist.service (Ruben Kerkhof)
- #3722 Use LT_INIT and disable static objects (Ruben Kerkhof)
- #3724 Include PDNS_CHECK_OS in configure (Christian Hofstaedtler)
- #3728 Document libedit Ctrl-R workaround for CentOS 6
- #3730 Make topBandwidth() behave like other top* functions
- #3731 Clarify a bit the documentation of load-balancing policies
1.0.0-beta1
Released April 14th 2016
Changes since 1.0.0-alpha2:
New features
- Per-pool packet cache
- Some actions do not stop the processing anymore when they match, allowing more complex setups: Delay, Disable Validation, Log, MacAddr, No Recurse and of course None
- The new RE2Rule() is available, using the RE2 regular expression library to match queries, in addition to the existing POSIX-based RegexRule()
- SpoofAction() now supports multiple A and AAAA records
- Remote logging of questions and answers via Protocol Buffer
Improvements
- #3405 Add health check logging, maxCheckFailures to backend
- #3412 Check config
- #3440 Client operation improvements
- #3466 Add dq binding for skipping packet cache in LuaAction (Jan Broer)
- #3499 Add support for multiple carbon servers
- #3504 Allow accessing the API with an optional API key
- #3556 Add an option to limit the number of queued TCP connections
- #3578 Add a disable-syslog option
- #3608 Export cache stats to carbon
- #3622 Display the ACL content on startup
- #3627 Remove ECS option from response’s OPT RR when necessary
- #3633 Count “TTL too short” cache events
- #3677 systemd-notify support
Bug fixes
- #3388 Lock the Lua context before executing a LuaAction
- #3433 Check that the answer matches the initial query
- #3461 Fix crash when calling rmServer() with an invalid index
- #3550,#3551 Fix build failure on FreeBSD (Ruben Kerkhof)
- #3594 Prevent EOF error for empty console response w/o sodium
- #3634 Prevent dangling TCP fd in case setupTCPDownstream() fails
- #3641 Under threshold, QPS action should return None, not Allow
- #3658 Fix a race condition in MaxQPSIPRule
1.0.0-alpha2
Released February 5th 2016
Changes since 1.0.0-alpha1:
New features
- Lua functions now receive a DNSQuestion dq object instead of several parameters. This adds a greater compatibility with PowerDNS and allows adding more parameters without breaking the API (#3198)
- Added a source option to newServer() to specify the local address or interface used to contact a downstream server (#3138)
- CNAME and IPv6-only support have been added to spoofed responses (#3064)
- grepq() can be used to search for slow queries, along with topSlow()
- New Lua functions: addDomainCNAMESpoof(), AllowAction() by @bearggg, exceedQRate(), MacAddrAction(), makeRule(), NotRule(), OrRule(), QClassRule(), RCodeAction(), SpoofCNAMEAction(), SuffixMatchNodeRule(), TCPRule(), topSlow()
- NetmaskGroup support has been added in Lua (#3144)
- Added MacAddrAction() to add the source MAC address to the forwarded query (#3313)
Bug fixes
- An issue in DelayPipe could make dnsdist crash at startup
- downstream-timeouts metric was not always updated
- truncateTC was improperly updating the response length (#3126)
- DNSCrypt responses larger than queries were improperly truncated
- An issue prevented info messages from being displayed in non-verbose mode, fixed by Jan Broer
- Reinstating an expired Dynamic Rule was not correctly logged (#3323)
- Initialized counters in the TCP client thread might have caused FD and memory leaks, reported by Martin Pels (#3300)
- We now drop queries containing no question (qdcount == 0) (#3290)
- Outstanding TCP queries count was not always correct (#3288)
- A locking issue in exceedRespGen() might have caused crashes (#3277)
- Useless sockets were created in client mode (#3257)
- addAnyTCRule() was generating TC=1 responses even over TCP (#3251)
Web interface
- Cleanup of the HTML by Sander Hoentjen
- Fixed an XSS reported by @janeczku (#3217)
- Removed remote images
- Set the charset to UTF-8, added some security-related and CORS HTTP headers
- Added server latency by Jan Broer (#3201)
- Switched to official minified versions of JS scripts, by Sander Hoentjen (#3317)
- Don’t log unauthenticated HTTP requests as an authentication failure
Various documentation updates and minor cleanups:
- Added documentation for Advanced DNS Protection features (Dynamic rules, maintenance())
- Make topBandwidth() default to the top 10 clients
- Replaced readline with libedit
- Added GPL2 License (#3200)
- Added incbin License (#3269)
- Updated completion rules
- Removed wrong option --daemon-no by Stefan Schmidt