Changelog¶
1.9.0-alpha3¶
Released: 20th of October 2023
Please review the Upgrade Guide before upgrading.
New Features¶
Add support for incoming DNS over QUIC¶
References: pull request 13280
Log Extended DNS Errors (EDE) to protobuf¶
References: pull request 13185
Improvements¶
Display the rule name, if any, in the web interface¶
References: pull request 13335
Add Lua binding to downstream address (Denis Machard)¶
References: #13201, pull request 13275
Set proper levels when logging messages¶
References: pull request 13305
Fix several cosmetic issues in eBPF dynamic blocks, update documentation¶
References: pull request 13310
Bug Fixes¶
Fix a typo in ‘Client timeouts’ (phonedph1)¶
References: pull request 13302
Netmask: Normalize subnet masks coming from a string¶
References: pull request 13340
Prevent DNS header alignment issues¶
References: #13280, pull request 13372
misc¶
Fix timeouts on incoming DoH connections with nghttp2¶
References: pull request 13298
Enable back h2o support in our packages¶
References: pull request 13274
1.9.0-alpha2¶
Released: Never
1.8.2¶
Released: 11th of October 2023
This release fixes the HTTP2 rapid reset attack for the packages we provide. If you are compiling DNSdist yourself or using the packages provided by your distribution, please check that the h2o library has been patched to mitigate this vulnerability.
Please review the Upgrade Guide before upgrading from versions < 1.8.x.
Bug Fixes¶
Switch to our fork of h2o to mitigate the HTTP2 rapid reset attack¶
References: pull request #13349
1.7.5¶
Released: 11th of October 2023
This release fixes the HTTP2 rapid reset attack for the packages we provide. If you are compiling DNSdist yourself or using the packages provided by your distribution, please check that the h2o library has been patched to mitigate this vulnerability.
Please review the Upgrade Guide before upgrading from versions < 1.7.x.
Bug Fixes¶
Switch to our fork of h2o to mitigate the HTTP2 rapid reset attack¶
References: pull request #13351
1.9.0-alpha1¶
Released: 18th of September 2023
Please review the Upgrade Guide before upgrading.
New Features¶
Add Lua bindings to access selector and action¶
References: #13007, pull request 13013
Add an option to write grepq’s output to a file¶
References: pull request 12689
Improvements¶
Add support for incoming DoH via nghttp2¶
References: pull request 12678
Add metrics for health-check failures¶
References: pull request 13009
Fix building our fuzzing targets from a dist tarball¶
References: pull request 13145
Add a DNSHeader:getTC() Lua binding¶
References: pull request 13135
Stop passing -u dnsdist -g dnsdist on systemd’s ExecStart¶
References: pull request 13088
Use arc4random only for random values¶
References: pull request 12931
Removals¶
Change the default for building with net-snmp from auto to no¶
References: pull request 13168
1.8.1¶
Released: 8th of September 2023
Please review the Upgrade Guide before upgrading from versions < 1.8.x.
New Features¶
Allow declaring custom metrics at runtime¶
References: pull request 13123
Improvements¶
Stop using the now deprecated ERR_load_CRYPTO_strings() to detect OpenSSL¶
References: pull request 13121
Automatically load Lua FFI inspection functions¶
References: pull request 13122
Increment the “dyn blocked” counter for eBPF blocks as well¶
References: pull request 13125
Make DNSQType.TSIG available (Jacob Bunk)¶
References: pull request 13133
Bug Fixes¶
Fix a crash when X-Forwarded-For overrides the initial source IP¶
References: pull request 12977
Fix a memory leak when processing TLS tickets w/ OpenSSL 3.x¶
References: pull request 13130
Fix cache hit and miss metrics with DoH queries¶
References: #12762, pull request 13131
Fix a race when creating the first TLS connections¶
References: pull request 13178
Print the received, invalid health-check response ID¶
References: pull request 12820
Account for the health-check run time between two runs¶
References: pull request 12821
Properly set the size of the UDP health-check response¶
References: pull request 12822
Add the query ID to health-check log messages, fix nits¶
References: pull request 12823
Stop setting SO_REUSEADDR on outgoing UDP client sockets¶
References: pull request 12824
Properly handle short reads on backend upgrade discovery¶
References: pull request 13116
Undo an accidental change of disableZeroScope to disableZeroScoping (Winfried Angele)¶
References: pull request 13117
Fix the group of the dnsdist.conf file when installed via RPM¶
References: #13027, pull request 13118
Work around Red Hat 8 messing up OpenSSL’s headers and refusing to fix it¶
References: #12926, pull request 13119
Fix a typo for libedit in the dnsdist features list¶
References: pull request 13120
Fix webserver config template for our docker container (Houtworm)¶
References: pull request 13124
YaHTTP: Prevent integer overflow on very large chunks¶
References: pull request 13127
Fix the console description of PoolAction and QPSPoolAction (phonedph1)¶
References: pull request 13128
Properly handle reconnection failure for backend UDP sockets¶
References: #12711, pull request 13129
SpoofAction: copy the QClass from the request (Christof Chen)¶
References: pull request 13132
Properly record self-answered UDP responses with recvmmsg¶
References: pull request 13150
1.7.4¶
Released: 14th of April 2023
Please review the Upgrade Guide before upgrading from versions < 1.7.x.
New Features¶
Add getPoolNames() function, returning a list of pool names (Christof Chen)¶
References: #12074, pull request 12621
Bug Fixes¶
Skip invalid OCSP files after issuing a warning¶
References: #12341, pull request 12421
Fix the health-check timeout computation for DoH backend¶
References: pull request 12327
Ignore unclean TLS session shutdown¶
References: #12236, pull request 12237
Properly encode json strings containing binary data¶
References: #9349, pull request 12260
Properly update rcode-related metrics on RCodeAction hits¶
References: #11498, pull request 12484
Fix building with boost < 1.56¶
References: #12177, pull request 12183
lock.hh: include <stdexcept>¶
References: #12453, pull request 12460
dnsdist-protocols.hh: include <cstdint> (Sander Hoentjen)¶
References: pull request 12569
Fix the formatting of ‘showServers’¶
References: pull request 12535
Properly record the incoming flags on a timeout¶
References: #11905, pull request 12529
Prevent an underflow of the TCP d_queued counter¶
References: #12357, pull request 12365
Properly handle single-SOA XFR responses¶
References: #12099, pull request 12100
Also reconnect on ENETUNREACH. (Asgeir Storesund Nilsen)¶
References: #4155, pull request 11830
Fix a bug in SetEDNSOptionAction¶
References: #11728, pull request 11729
Fix the number of concurrent queries on a backend TCP conn¶
References: pull request 11718
1.8.0¶
Released: 30th of March 2023
Please review the Upgrade Guide before upgrading from versions < 1.8.x.
Bug Fixes¶
Fix ‘Unknown key’ issue for actions and rules parameters¶
References: pull request 12687
Fix a dnsheader unaligned case¶
References: pull request 12672
secpoll: explicitly include necessary ctime header for time_t¶
References: pull request 12654
1.8.0-rc3¶
Released: 16th of March 2023
Please review the Upgrade Guide before upgrading from versions < 1.8.x.
Improvements¶
Report per-incoming transport latencies in the web interface¶
References: pull request 12638
Report the TCP latency for TCP-only Do53, DoT and DoH backends¶
References: pull request 12648
Count hits in the StatNode¶
References: pull request 12626
Bug Fixes¶
Use the correct source address when harvesting failed¶
References: pull request 12641
Fix a race when a cross-protocol query triggers an IO error¶
References: pull request 12639
1.8.0-rc2¶
Released: 9th of March 2023
Please review the Upgrade Guide before upgrading from versions < 1.8.x.
Improvements¶
Add Lua bindings for PB requestorID, deviceName and deviceID¶
References: pull request 12615
Clean up the fortify and LTO m4 by not directly editing flags¶
References: pull request 12593
YaHTTP: Better detection of whether C++11 features are available¶
References: pull request 12589
Skip signal-unsafe logging when we are about to exit, with TSAN¶
References: pull request 12587
Bug Fixes¶
Fix compilation with DoH disabled (Adam Majer)¶
References: pull request 12588
Only increment the ‘servfail-responses’ metric on backend responses (phonedph1)¶
References: pull request 12592
Fix the harvesting of destination addresses¶
References: pull request 12586
1.8.0-rc1¶
Released: 23rd of February 2023
Please review the Upgrade Guide before upgrading from versions < 1.8.x.
New Features¶
Allow randomly selecting a backend UDP socket and query ID¶
References: pull request 11163
Dynamic discovery and upgrade of backends¶
References: pull request 11293
Add support for password protected PKCS12 files for TLS configuration¶
References: pull request 11027
Add experimental support for TLS asynchronous engines¶
References: pull request 10734
Add an API endpoint to remove entries from caches¶
References: #10468, #6154, pull request 12473
Add support for user defined metrics¶
References: pull request 11674
Add the ability to change the qname and owner names in DNS packets¶
References: pull request 12417
Implement async processing of queries and responses¶
References: pull request 12388
Add the ability to cap the TTL of records after insertion into the cache¶
References: pull request 12384
Add SetReducedTTLResponseAction¶
References: pull request 12400
Add a Lua FFI interface for metrics¶
References: pull request 12385
Add a new chain of rules triggered after cache insertion¶
References: pull request 12280
Added XDP middleware for dropped/redirected queries logging (Mini Pierre)¶
References: pull request 11020
Implement a ‘lazy’ health-checking mode¶
References: pull request 12065
Add getPoolNames() function, returning a list of pool names (Christof Chen)¶
References: #12073, pull request 12074
Cleaner way of getting the IP/masks associated to a network interface¶
References: pull request 12082
Add Lua helpers to look into the content of DNS payloads¶
References: pull request 12022
Add more Lua bindings for network-related operations¶
References: pull request 11994
Add Lua binding for inspecting the in-memory ring buffers¶
References: pull request 12008
Add Lua bindings to look up domain and IP addresses from the cache¶
References: pull request 12007
Implement SuffixMatchTree::getBestMatch() to get the name that matched¶
References: pull request 11698
Use BPF_MAP_TYPE_LPM_TRIE for range matching (Y7n05h)¶
References: pull request 11526
Add getVerbose() function¶
References: pull request 11637
Add Lua bindings to access the DNS payload as a string¶
References: pull request 11606
Add setVerbose() to switch the verbose mode at runtime¶
References: pull request 11567
Add a ‘getAddressAndPort()’ method to DOHFrontend and TLSFrontend objects¶
References: #11434, pull request 11547
Add setTCPFastOpenKey() (Y7n05h)¶
References: #9994, pull request 11497
Add Lua FFI helpers for protocol and MAC address access, proxy protocol payload generation¶
References: pull request 11173
Add support to store mac address in query rings¶
References: pull request 11184
Add newThread() function¶
References: pull request 11126
Lua support to remove resource records from a response¶
References: pull request 11098
Add support to spoof a full self-generated response from lua¶
References: pull request 11051
Add a Lua FFI helper to generate proxy protocol payloads¶
References: pull request 10949
Add Lua bindings to get the list of network interfaces, addresses¶
References: pull request 11017
Add lua support to limit TTL values of responses¶
References: pull request 11059
Improvements¶
OpenSSL 3.0: Offer TLS providers as an alternative to TLS engines¶
References: pull request 12423
Skip invalid OCSP files after issuing a warning¶
References: #12341, pull request 12421
Gracefully handle a failure to create a TLS server context¶
References: pull request 12435
Merge the ‘main’ and ‘client’ DoH threads in single acceptor mode¶
References: pull request 12386
Skip DoT/DoH frontend when a tls configuration error occurs¶
References: pull request 11675
Speed up DoH handling by preventing allocations and copies¶
References: pull request 12000
More useful default ports for DoT/DoH backends¶
References: pull request 11415
Libssl: Load only the ciphers and digests needed for TLS, not all of them¶
References: pull request 11166
Ignore unclean TLS session shutdown¶
References: #12236, pull request 12237
Add support for metadata in protobuf messages¶
References: pull request 12520
Enable experimental kTLS support with OpenSSL on Linux¶
References: pull request 12545
Improve the scalability of MaxQPSIPRule()¶
References: pull request 12537
Reduce useless wake-ups from the event loop¶
References: pull request 12276
Faster cache-lookups for DNS over HTTPS queries¶
References: pull request 11901
Add a ‘single acceptor thread’ build option, reducing the number of threads¶
References: pull request 12003
Make recording queries/responses in the ringbuffers optional¶
References: pull request 11883
Slightly reduce contention around a pool’s servers¶
References: pull request 11852
Only call getsockname() once per incoming DoH connection¶
References: pull request 11851
Set TCP_NODELAY on the TCP connection to backends¶
References: pull request 11734
Avoid allocating memory in LB policies for small number of servers¶
References: pull request 11689
SuffixMatchTree: Improve lookup performance¶
References: pull request 11624
Change dns_tolower() and dns_toupper() to use a table¶
References: pull request 11655
Scan the UDP buckets only when we have outstanding queries¶
References: #11576, pull request 11577
Prevent allocations in two corner cases¶
References: pull request 11531
Only allocate the health-check mplexer when needed¶
References: #11422, pull request 11437
Defer the actual allocation of the ring buffer entries¶
References: pull request 11171
Add an option for unauthenticated access to the dashboard¶
References: #10360, pull request 12474
Add support for custom prometheus names in custom metrics¶
References: pull request 12553
Slightly reduce the number of allocations in API calls¶
References: pull request 11987
Add more detailed metrics¶
References: pull request 11716
Compute backend latency earlier, to avoid internal latency¶
References: pull request 11707
Add ‘statistics’ to the general API endpoint¶
References: pull request 11659
Add a counter for the number of cache cleanups¶
References: pull request 11656
Add an option for unauthenticated access to the API¶
References: pull request 11514
Enable Link-Time Optimization for our packages¶
References: pull request 12543
Stop using the deprecated boost::optional::get_value_or¶
References: pull request 12538
List version number early¶
References: #10932, pull request 12530
Remove duplicate code in xdp (Y7n05h)¶
References: pull request 12518
Warn on unsupported parameters (Aki Tuomi)¶
References: pull request 10115
Add unit tests for the Lua FFI interface¶
References: #12417, pull request 12469
Refactor ‘cannot be used at runtime’ handling¶
References: pull request 12492
Fail if we can’t check the configuration file¶
References: #7611, pull request 12481
Add a configure option to enable LTO¶
References: pull request 12441
Add a new configure option to initialize automatic variables¶
References: pull request 12427
Enable FORTIFY_SOURCE=3 when supported by the compiler¶
References: pull request 12381
Proper accounting of response and cache hits¶
References: pull request 12405
Support OpenSSL 3.0 for ipcipher CA6 encryption/decryption¶
References: pull request 12411
Stronger guarantees against data race in the UDP path¶
References: pull request 12383
Add bindings for the current and query times in DQ/DR¶
References: pull request 12402
Raise RLIMIT_MEMLOCK automatically when eBPF is requested (Yogesh Singh)¶
References: pull request 11554
Systemd: Add “After” dependency on time-sync.target (Kevin P. Fleming)¶
References: #11153, pull request 12248
DNSName constructor use memchr instead of strchr and cleanup with string_view (Axel Viala)¶
References: pull request 11863
Fix building with boost < 1.56¶
References: #12142, pull request 12177
Retain output when expunging from multiple caches (Christof Chen)¶
References: #12075, pull request 12077
Add build-time options to disable the dynamic blocks and UDP response delay¶
References: pull request 11993
Add missing thread names¶
References: pull request 11992
Add a build option (define) to prevent loading OpenSSL’s errors¶
References: pull request 11988
Properly load ciphers and digests with OpenSSL 3.0¶
References: #11853, pull request 11862
Add local ComboAddress parameter for SBind() at TeeAction() (@FredericDT)¶
References: pull request 11889
Do not keep the mplexer created for the initial health-check around¶
References: pull request 11844
Use getrandom() if available¶
References: pull request 11723
Implement a limit of concurrent connections to a backend¶
References: pull request 11713
Fill ringbuffers with responses served from the cache¶
References: #11585, pull request 11712
Bind to the requested src interface without a src address¶
References: pull request 11696
Log listening addresses and version at the ‘info’ level¶
References: pull request 11711
Refactor sendfromto (Y7n05h)¶
References: pull request 11651
Optionally send ‘verbose’ messages to a file, and log them at ‘DEBUG’ level otherwise¶
References: pull request 11668
Log when exiting due to a SIGTERM signal¶
References: pull request 11669
Add the protocol (Do53, DoT, DoH, …) of backends in the API¶
References: pull request 11673
Remove implicit type conversion (Y7n05h)¶
References: #11619, pull request 11620
Log when a console message exceeds the maximum size¶
References: #11488, pull request 11543
Include the address of the backend in ‘relayed to’ messages¶
References: pull request 11578
Better log message when no downstream servers are available¶
References: pull request 11573
Raise the number of entries in a packet cache to at least 1¶
References: #11383, pull request 11546
Merge multiple parameters in newBPFFilter (Y7n05h)¶
References: #11526, pull request 11535
Reject BPFFilter::attachToAllBinds() at configuration time (Y7n05h)¶
References: pull request 11523
Add more build-time options to select features¶
References: pull request 11515
Multiplexer: Take the maximum number of events as a hint¶
References: pull request 11517
Add --log-timestamps flag¶
References: pull request 11388
Add a parameter to PoolAction to keep processing rules¶
References: pull request 11174
Fix build with OpenSSL 3.0.0¶
References: pull request 11196
Build with -fvisibility=hidden by default¶
References: pull request 11178
Add a lot more build-time options to select features¶
References: pull request 10950
Bug Fixes¶
Apply the max number of concurrent conns per client to DoH¶
References: #12019, pull request 12483
Fix the health-check timeout computation for DoH backend¶
References: pull request 12327
Fix a crash on an invalid protocol in DoH forwarded-for header¶
References: #11604, pull request 11621
Better handling of multiple carbon servers¶
References: #10517, #11216, pull request 12424
Include <cstdint> in dnsdist-protocols.hh (Sander Hoentjen)¶
References: pull request 12569
Fix the formatting of ‘showServers’¶
References: pull request 12535
Properly record the incoming flags on a timeout¶
References: #11905, pull request 12529
Properly update rcode-related metrics on RCodeAction hits¶
References: #11498, pull request 12484
Handle out-of-memory exceptions in the UDP receiver thread¶
References: pull request 12387
Prevent an underflow of the TCP d_queued counter¶
References: #12357, pull request 12365
Properly handle single-SOA XFR responses¶
References: #12099, pull request 12100
Fix a bug in SetEDNSOptionAction¶
References: #11728, pull request 11729
Also reconnect on ENETUNREACH. (Asgeir Storesund Nilsen)¶
References: #4155, pull request 11830
Keep retained capabilities even when switching user/group¶
References: pull request 11761
Fix the number of concurrent queries on a backend TCP conn¶
References: pull request 11718
Fix invalid proxy protocol payload on a DoH TC to TCP retry¶
References: pull request 11604
Use the correct outgoing protocol in our ring buffers¶
References: #11501, pull request 11545
Removals¶
Remove the leak warning with GnuTLS >= 3.7.3¶
References: #11201, pull request 11324
1.7.3¶
Released: 2nd of November 2022
Please review the Upgrade Guide before upgrading from versions < 1.7.x.
dnsdist 1.7.3 contains no functional changes or bugfixes. This release strictly serves to bring dnsdist packages to our EL9 and Ubuntu Jammy repositories, and upgrades the dnsdist Docker image from Debian buster to Debian bullseye, as buster is officially EOL.
Improvements¶
add el9/9stream targets¶
References: pull request 11948
docker images: upgrade to Debian bullseye¶
References: pull request 11974
dh_builddeb: force gzip compression (this makes the Ubuntu Jammy packages compatible with our Debian-hosted repositories)¶
References: pull request 11742
1.7.2¶
Released: 14th of June 2022
Please review the Upgrade Guide before upgrading from versions < 1.7.x.
Improvements¶
Scan the UDP buckets only when we have outstanding queries¶
References: #11576, pull request 11579
Only allocate the health-check mplexer when needed¶
References: #11422, pull request 11580
Add Lua bindings to access the DNS payload as a string¶
References: #11606, pull request 11666
Bug Fixes¶
Fix invalid proxy protocol payload on a DoH TC to TCP retry¶
References: #11604, pull request 11665
Fix a crash on an invalid protocol in DoH forwarded-for header¶
References: #11621, pull request 11667
Add missing descriptions for prometheus metrics¶
References: #11602, pull request 11664
1.7.1¶
Released: 25th of April 2022
Please review the Upgrade Guide before upgrading from versions < 1.7.x.
Improvements¶
Remove the leak warning with GnuTLS >= 3.7.3¶
References: #11201, pull request 11324
Fix compilation with OpenSSL 3.0.0¶
References: pull request 11195
Docker images: remove capability requirements¶
References: #11081, pull request 11094
Docker image: install ca-certificates¶
References: #11290, pull request 11292
Work around a compiler bug seen on OpenBSD/amd64 using clang-13¶
References: #11113, pull request 11176
Stop using the now deprecated and useless std::binary_function¶
References: pull request 11197
Add a ‘getAddressAndPort()’ method to DOHFrontend and TLSFrontend objects¶
References: #11434, pull request 11547
Bug Fixes¶
Set Server Name Indication on outgoing TLS connections (DoT, DoH)¶
References: #11249, pull request 11251
Fix the health-check timeout for outgoing DoH connections¶
References: #11250, pull request 11253
Fix the latency-count metric¶
References: #11239, pull request 11323
Fix a use-after-free in case of a network error in the middle of a XFR query¶
References: #11330, pull request 11335
Properly use eBPF when the DynBlock is not set¶
References: #11504, pull request 11550
Fix ‘inConfigCheck()’¶
References: #11254, pull request 11255
Use the correct outgoing protocol in our ring buffers¶
References: #11501, pull request 11545
Raise the number of entries in a packet cache to at least 1¶
References: #11383, pull request 11546
Fix wrong eBPF values (qtype, counter) being inserted for qnames¶
References: pull request 11565
The check interval applies to health-check, not timeouts¶
References: #11375, pull request 11572
1.7.0¶
Released: 17th of January 2022
Please review the Upgrade Guide before upgrading from versions < 1.7.x.
Bug Fixes¶
Test the correct member in DynBlockRatioRule::warningRatioExceeded (Doug Freed)¶
References: #11131, pull request 11156
1.7.0-rc1¶
Released: 22nd of December 2021
Please review the Upgrade Guide before upgrading from versions < 1.7.x.
Improvements¶
Reuse and save the TLS session tickets in DoT healthchecks¶
References: pull request 11037
Bug Fixes¶
Fix a double-free when a DoH cross-protocol response is dropped¶
References: pull request 11075
Check the size of the query when re-sending a DoH query¶
References: pull request 11079
1.7.0-beta2¶
Released: 29th of November 2021
Improvements¶
Add a function to know how many TLS sessions are currently cached¶
References: pull request 10997
Warn that GnuTLS 3.7.x leaks memory when validating certs¶
References: pull request 11001
Add a function to set the UDP recv/snd buffer sizes¶
References: #10898, pull request 11008
Add ‘showWebserverConfig’¶
References: #10135, pull request 11006
Bug Fixes¶
Fix a memory leak when reusing TLS tickets for outgoing connections¶
References: pull request 10999
Fix compiler/static analyzer warnings¶
References: #10988, pull request 10993
Fix Lua parameters bound checks¶
References: pull request 11007
Add missing visibility attribute on dnsdist_ffi_dnsquestion_get_qname_hash¶
References: pull request 11031
1.7.0-beta1¶
Released: 16th of November 2021
Please review the Upgrade Guide before upgrading from versions < 1.7.x.
New Features¶
Implement filesystem pinning for eBPF maps, drop and truncate via XDP (Pierre Grié)¶
References: pull request 10498, pull request 10883
Add range support for dynamic blocks¶
References: #4993, pull request 10815
Add the ability to retain select capabilities at runtime¶
References: pull request 10923
Improvements¶
Support DoT, DoH and DNSCrypt transports for protobuf and dnstap¶
References: #9103, pull request 10879
Use the same outgoing TCP connection for different clients¶
References: pull request 10862
Read as many DoH responses as possible before yielding¶
References: pull request 10875
Stop over-allocating for DoH queries¶
References: pull request 10876
Convert make_pair to emplace (Rosen Penev)¶
References: pull request 10646
Add syslog identifier to service file¶
References: #10651, pull request 10795
Get rid of make_pair (Rosen Penev)¶
References: pull request 10868
Use make_unique instead of new (Rosen Penev)¶
References: pull request 10870
Handle existing EDNS content for SetMacAddrAction/SetEDNSOptionAction¶
References: #4670, pull request 10907
Bug Fixes¶
Keep watching idle DoH backend connections¶
References: pull request 10845
Fix the cleaning of TCP, DoT and DoH connections to the backend¶
References: pull request 10920
Properly handle I/O exceptions in the health checker¶
References: pull request 10874
NetmaskTree: Drop the ‘noexcept’ qualifier on the TreeNode ctor¶
References: pull request 10900
Fix build without nghttp2¶
References: pull request 10922
Remove debug print line flooding logs (Eugen Mayer)¶
References: pull request 10935
Credentials: EVP_PKEY_CTX_set1_scrypt_salt() takes an unsigned char*¶
References: #10938, pull request 10943
1.7.0-alpha2¶
Released: 19th of October 2021
Please review the Upgrade Guide before upgrading from versions < 1.7.x.
New Features¶
Add lua support for SetEDNSOptionAction¶
References: pull request 10814
Rule for basing decisions on outstanding queries in a pool (phonedph1)¶
References: pull request 10832
Improvements¶
Disable TLS renegotiation, release buffers for outgoing TLS¶
References: pull request 10823
Don’t create SSLKEYLOGFILE files with wide permissions¶
References: pull request 10760
Update existing tags when calling setTagAction and setTagResponseAction¶
References: pull request 10767
Fix the unit tests to handle v4-only or v6-only connectivity¶
References: #10403, pull request 10775
Improve the coverage of the outgoing DoH code¶
References: pull request 10782
Allow skipping arbitrary EDNS options when computing packet hash¶
References: pull request 10791
Add incoming and outgoing protocols to grepq¶
References: pull request 10833
Allow setting the block reason from the SMT callback¶
References: #10559, pull request 10835
Clear the UDP states of TCP-only backends¶
References: pull request 10844
Replace shared by unique ptrs, reduce structs size¶
References: pull request 10846
Bug Fixes¶
Better handling of outgoing DoH workers¶
References: #10771, pull request 10772
Properly cache UDP queries passed to a TCP/DoT/DoH backend¶
References: pull request 10787
Use per-thread credentials for GnuTLS client connections¶
References: pull request 10841
Only set recursion protection once we know we do not return¶
References: pull request 10848
1.7.0-alpha1¶
Released: 23rd of September 2021
Please review the Upgrade Guide before upgrading from versions < 1.7.x.
New Features¶
Implementation of DoH between dnsdist and the backend¶
References: pull request 10635
Implement cross-protocol queries, including outgoing DNS over TLS¶
References: pull request 10338
Add support for Lua per-thread FFI rules and actions¶
References: pull request 10501
Add FFI functions to spoof multiple raw values¶
References: #10456, pull request 10532
Add support for range-based lookups into a Key-Value store¶
References: #10520, pull request 10525
Implement SpoofSVCAction to return SVC responses¶
References: #10367, pull request 10597
Improvements¶
Don’t look up the LMDB dbi by name for every query¶
References: pull request 10520
Move to hashed passwords for the web interface¶
References: #7937, pull request 10157
Fix ‘temporary used in loop’ warnings reported by g++ 11.1.0¶
References: pull request 10429
Skip some memory allocations in client mode to reduce memory usage¶
References: pull request 10441
Support multiple ip addresses for dnsdist-resolver lua script (Wim)¶
References: pull request 10414
Make DNSDist XFR aware when transfer is finished (Dimitrios Mavrommatis)¶
References: #10436, pull request 10489
Do not report latency metrics of down upstream servers (Holger Hoffstätte)¶
References: #10500, pull request 10508
Carry the exact incoming protocol (Do53, DNSCrypt, DoT, DoH) in DQ¶
References: #10338, pull request 10537
Implement ‘reload()’ to rotate Log(Response)Action’s log file¶
References: #10502, pull request 10527
Document that setECSOverride has its drawbacks (Andreas Jakum)¶
References: pull request 10626
Convert dnsdist and the recursor to LockGuarded¶
References: pull request 10649
Handle waiting for a descriptor to become readable OR writable¶
References: pull request 10631
Clean up a bit of “cast from type […] casts away qualifiers” warnings¶
References: pull request 10687
Reorganize the IDState and Rings fields to reduce memory usage¶
References: pull request 10381
Bug Fixes¶
Catch FDMultiplexerException in IOStateHandler’s destructor¶
References: pull request 10656
Resizing LMDB map size while there might be open transactions is unsafe¶
References: pull request 10672
Ignore TCAction over TCP¶
References: #10693, pull request 10695
Stop raising the number of TCP workers to the number of TCP binds¶
References: pull request 10704
Handle exception raised in IOStateGuard’s destructor¶
References: pull request 10724
1.6.1¶
Released: 15th of September 2021
Please review the Upgrade Guide before upgrading from versions < 1.6.x.
New Features¶
Add the missing DOHFrontend::loadNewCertificatesAndKeys()¶
References: #10418, pull request 10550
Implement a web endpoint to get metrics for only one pool¶
References: #10482, pull request 10560
Bug Fixes¶
Set the dnstap/protobuf transport to TCP for DoH queries¶
References: #10497, pull request 10538
Backport a missing mutex header¶
References: pull request 10438
Properly handle ECS for queries with ancount or nscount > 0¶
References: #10419, pull request 10619
Catch FDMultiplexerException in IOStateHandler’s destructor¶
References: pull request 10656
Fix outstanding counter issue on TCP error¶
References: #10705, pull request 10706
1.6.0¶
Released: 11th of May 2021
1.5.2¶
Released: 10th of May 2021
Please review the Upgrade Guide before upgrading from versions < 1.5.x.
Bug Fixes¶
Fix SNI on resumed sessions by acknowledging the name sent by the client¶
References: #9921, pull request 9922
Fix a crash when a DoH responses map is updated at runtime¶
References: #9934, pull request 9936
Fix the DNSName move assignment operator¶
References: pull request 9749
Fix a typo in prometheus metrics dnsdist_frontend_tlshandshakefailures #9728 (AppliedPrivacy)¶
References: #9728, pull request 9729
Make: two fixes¶
References: pull request 9583
Fix eBPF filtering of long qnames¶
References: #9689, pull request 9717
Fix a hang when removing a server with more than one socket¶
References: pull request 9900
Fix Dynamic Block RCode rules messing up the queries count¶
References: #9756, pull request 9980
Fix EDNS in ServFail generated when no server is available¶
References: #10006, pull request 10012
Prevent a crash with DynBPF objects in client mode¶
References: #10090, pull request 10095
Add missing getEDNSOptions and getDO bindings for DNSResponse¶
References: pull request 10355
1.6.0-rc2¶
Released: 4th of May 2021
Please review the Upgrade Guide before upgrading from versions < 1.6.x.
Improvements¶
Make the backend queryLoad and dropRate values atomic¶
References: pull request 10323
Bug Fixes¶
Fix missing locks in DNSCrypt certificates management¶
References: pull request 10346
Only use eBPF for “drop” actions, clean up more often¶
References: #10324, pull request 10327
1.6.0-rc1¶
Released: 20th of April 2021
Please review the Upgrade Guide before upgrading from versions < 1.6.x.
Improvements¶
Replace pthread_rwlock with std::shared_mutex¶
References: #10209, pull request 10216
Also disable PMTU for v6¶
References: pull request 10264
Bug Fixes¶
Lua: don’t destroy keys during table iteration¶
References: pull request 10171
Add missing getEDNSOptions and getDO bindings for DNSResponse¶
References: #10262, pull request 10267
Fix some issues reported by Thread Sanitizer¶
References: pull request 10274
1.6.0-alpha3¶
Released: 29th of March 2021
Please review the Upgrade Guide before upgrading from versions < 1.6.x.
Improvements¶
Set OpenSSL to release buffers when idle, saves 35 kB per connection¶
References: pull request 10179
Disable TLS renegotiation by default¶
References: pull request 10218
Unify certificate reloading syntaxes¶
References: pull request 10214
Improve TCP connection reuse, add metrics¶
References: pull request 10156
Using DATA to report memory usage is unreliable, start using RES instead, as it seems reliable and relevant¶
References: #7591, pull request 10161
Add a metric for TCP listen queue full events¶
References: pull request 10184
Enable sharding by default, greater pipe buffer sizes¶
References: pull request 10204
Add limits for cached TCP connections, metrics¶
References: pull request 10207
Bug Fixes¶
Fix the handling of DoH queries with a non-zero ID¶
References: pull request 10208
Fix the TCP connect timeout, add metrics¶
References: pull request 10201
1.6.0-alpha2¶
Released: 4th of March 2021
Please review the Upgrade Guide before upgrading from versions < 1.6.x.
New Features¶
Add option to spoofRawAction to spoof multiple answers (Sander Hoentjen)¶
References: pull request 10063
Add ‘spoof’ and ‘spoofRaw’ Lua bindings¶
References: pull request 10073
Improvements¶
Make NetmaskTree::fork() a bit easier to understand¶
References: #10035, pull request 10046
Do not update the TCP error counters on idle states¶
References: pull request 10131
Bind __tostring instead of toString for Lua, so that conversion to string works automatically (Aki Tuomi)¶
References: pull request 9361
Bug Fixes¶
Remove forgotten debug line in the web server¶
References: #10049, pull request 10050
Create TCP worker threads before acceptor ones¶
References: pull request 10088
Prevent a crash with DynBPF objects in client mode¶
References: #10090, pull request 10095
Fix several bugs in the TCP code path, add unit tests¶
References: pull request 10108
Fix size check during trailing data addition, regression tests¶
References: pull request 10139
Clean up expired entries from all the packet cache’s shards¶
References: pull request 10133
1.6.0-alpha1¶
Released: 2nd of February 2021
Please review the Upgrade Guide before upgrading from versions < 1.6.x.
New Features¶
Add per-thread Lua FFI load-balancing policies¶
References: pull request 9175
Implement Lua custom web endpoints¶
References: #9120, pull request 9676
Implement TCP out-of-order¶
References: pull request 9582
Add support for incoming Proxy Protocol¶
References: pull request 9616
Add SkipCacheResponseAction¶
References: #9536, pull request 9960
Improvements¶
Use more of systemd’s sandboxing options when available¶
References: pull request 8969
Prioritize ChaCha20-Poly1305 when client does (Sukhbir Singh)¶
References: pull request 9510
Add an option to allow sub-paths for DoH¶
References: pull request 9962
Start all TCP worker threads on startup¶
References: pull request 9957
Use protozero for Protocol Buffer operations¶
References: #9780, #9781, pull request 9843
Speed up the round robin policy¶
References: pull request 9382
Avoid unnecessary allocations and copies with DNSName::toDNSString()¶
References: pull request 9424
Get rid of allocations in the packet cache’s fast path¶
References: #8993, pull request 9420
Fix the DNSName move assignment operator¶
References: pull request 9749
Don’t copy the policy for every query¶
References: pull request 9850
UUID: Use the non-cryptographic variant of the boost::uuid¶
References: pull request 9832
Use an eBPF filter for Dynamic blocks when available¶
References: #6763, #9756, pull request 9782
Limit the number of concurrent console and web connections¶
References: #4978, pull request 9997
Add prometheus metrics for top Dynamic Blocks entries¶
References: pull request 9756
Add per connection queries count and duration stats for DoH¶
References: pull request 9738
Add Lua bindings to get a server’s latency¶
References: pull request 9273
Wrap more FILE objects in smart pointers¶
References: pull request 9225
Set the default EDNS buffer size on generated answers to 1232¶
References: pull request 9049
Add support for FreeBSD’s SO_REUSEPORT_LB¶
References: #9156, pull request 9157
Accept string in DNSDistPacketCache:expungeByName¶
References: pull request 9428
DNSName: add toDNSString convenience function¶
References: pull request 9466
Skip EDNS Cookies in the packet cache¶
References: #5131, pull request 8993
Add the query payload size to the verbose log over TCP¶
References: pull request 9677
Add the response code in the packet cache dump¶
References: #9274, pull request 9737
Add an optional name to rules¶
References: pull request 9746
Add the ability to set ACL from a file (Matti Hiljanen)¶
References: pull request 9822
Add a Lua binding for the number of queries dropped by a server¶
References: #9861, pull request 9862
Move to c++17¶
References: pull request 9913
Fix warnings on autoconf 2.70¶
References: #9918, pull request 9920
Reduce diff to upstream yahttp, fixing a few CodeQL reports¶
References: pull request 9955
Handle syslog facility as string, document the numerical one¶
References: #9383, pull request 9989
Deprecate parameters to webserver(), add ‘statsRequireAuthentication’ parameter¶
References: #8710, #9311, pull request 9972
Add a counter for queries truncated because of a rule¶
References: #9357, pull request 9992
Replace offensive terms in our code and documentation¶
References: pull request 9993
Use aligned atomics to prevent false sharing¶
References: #9455, pull request 9998
Unify non-terminal actions as SetXXXAction()¶
References: #8118, pull request 9974
Accept a NMG to fill DynBlockRulesGroup ranges¶
References: #9545, pull request 10015
Silence clang 12 warning¶
References: pull request 10023
Fix a few warnings reported by clang’s static analyzer and cppcheck¶
References: pull request 10035
Bug Fixes¶
Fix a crash when a DoH responses map is updated at runtime¶
References: #9927, pull request 9934
Fix SNI on resumed sessions by acknowledging the name sent by the client¶
References: pull request 9921
Use toStringWithPort instead of manual addr/port concat (Mischan Toosarani-Hausberger)¶
References: #9075, pull request 9222
Force a reconnection when a downstream transitions to the UP state (Nuitari, Stephane Bakhos)¶
References: pull request 9275
Handle EINTR in DelayPipe¶
References: pull request 9381
Handle empty DNSNames in grepq()¶
References: pull request 9431
Make: two fixes¶
References: pull request 9583
Fix eBPF filtering of long qnames¶
References: #9626, pull request 9689
Improve const-correctness of Lua bindings (Georgeto)¶
References: pull request 9721
Fix a hang when removing a server with more than one socket¶
References: pull request 9900
Appease clang++ 12 ASAN on macOS¶
References: pull request 9925
Bunch of signed vs unsigned warnings¶
References: pull request 9937
Send a NotImp answer on empty (qdcount=0) queries¶
References: #9961, pull request 9991
Don’t apply QPS to backend server on cache hits¶
References: #7038, pull request 9999
Fix EDNS in ServFail generated when no server is available¶
References: #10006, pull request 10012
Removals¶
Rename topRule() and friends¶
References: pull request 9532
Remove useless second argument for SpoofAction¶
References: #9783, pull request 9784
1.5.1¶
Released: 1st of October 2020
Please review the Upgrade Guide before upgrading from versions < 1.5.x.
Improvements¶
Add the ‘clearConsoleHistory’ command¶
References: #9372, pull request 9540
Bug Fixes¶
Stop the related responder thread when a backend is removed¶
References: #9372, pull request 9541
Fix getEDNSOptions() for {AN,NS}COUNT != 0 and ARCOUNT = 0¶
References: pull request 9542
Fix building with LLVM11 (@RvdE)¶
References: pull request 9543
Only add EDNS on negative answers if the query had EDNS¶
References: pull request 9555
1.5.0¶
Released: 30th of July 2020
Please review the Upgrade Guide before upgrading from versions < 1.5.x.
Improvements¶
Use explicit flag for the specific version of c++ we are targeting.¶
References: pull request 9231
Prevent a copy of a pool’s backends when selecting a server.¶
References: pull request 9360
Bug Fixes¶
Fix compilation with h2o_socket_get_ssl_server_name().¶
References: pull request 9344
Prevent a possible overflow via large Proxy Protocol values. (Valentei Sergey)¶
References: pull request 9320
Avoid name clashes on Solaris derived systems.¶
References: #9279, pull request 9348
Resize hostname to final size in getCarbonHostname(). (Aki Tuomi)¶
References: pull request 9343
Fix compilation on OpenBSD/amd64.¶
References: pull request 9346
Handle calling PacketCache methods on a nil object.¶
References: pull request 9356
1.5.0-rc4¶
Released: 7th of July 2020
Please review the Upgrade Guide before upgrading from versions < 1.5.x.
Bug Fixes¶
Prevent a race between the DoH handling threads¶
References: pull request 9278
1.5.0-rc3¶
Released: 18th of June 2020
Please review the Upgrade Guide before upgrading from versions < 1.5.x.
New Features¶
Implement an ACL in the internal web server¶
References: pull request 9229
Improvements¶
Less negatives in secpoll error messages improves readability.¶
References: pull request 9100
Use std::string_view when available (Rosen Penev)¶
References: pull request 9207
Clean up dnsdistconf.lua as a default configuration file¶
References: #8038, pull request 9238
Add optional masks to KeyValueLookupKeySourceIP¶
References: pull request 9244
Bug Fixes¶
Use non-blocking pipes to pass DoH queries/responses around¶
References: #9206, pull request 9211
Fix compilation on systems that do not define HOST_NAME_MAX¶
References: #9125, pull request 9127
Do not use using namespace std;¶
References: pull request 9213
1.5.0-rc2¶
Released: 13th of May 2020
Please review the Upgrade Guide before upgrading from versions < 1.5.x.
Improvements¶
Add the unit to the help for latency buckets¶
References: pull request 9084
Avoid copies in for loops¶
References: pull request 9042
Build with -Wmissing-declarations -Wredundant-decls¶
References: pull request 9054
Use std::shuffle instead of std::random_shuffle¶
References: #9004, pull request 9016
Get rid of a naked pointer in the /dev/poll event multiplexer¶
References: pull request 9053
A few warnings fixed, reported by clang on OpenBSD¶
References: pull request 9059
Wrap pthread objects¶
References: pull request 9067
NetmaskTree: do not test node for null, the loop guarantees node is not null.¶
References: pull request 9078
Bug Fixes¶
Fix duplicated HTTP/1 counter in ‘showDOHFrontends()’¶
References: pull request 9068
Fix compilation of the ports event multiplexer¶
References: #9025, pull request 9031
Gracefully handle a failure to remove FD on (re)-connection¶
References: pull request 9057
1.5.0-rc1¶
Released: 16th of April 2020
Please review the Upgrade Guide before upgrading from versions < 1.5.x.
Improvements¶
Expose SuffixMatchNode::remove in Lua¶
References: pull request 8956
Remove a std::move() preventing Return-Value Optimization in lmdb-safe.cc¶
References: pull request 8962
Drop responses with the QR bit set to 0¶
References: pull request 8996
Add an option to control the size of the TCP listen queue¶
References: #8986, pull request 8994
Bug Fixes¶
Keep accepting fragmented UDP datagrams on DNSCrypt binds¶
References: pull request 8974
Accept UDP datagrams larger than 1500 bytes for DNSCrypt¶
References: #8974, pull request 8976
On OpenBSD string_view is both in boost and std¶
References: pull request 8955
1.5.0-alpha1¶
Released: 20th of March 2020
Please review the Upgrade Guide before upgrading from versions < 1.5.x.
New Features¶
Implement LuaFFIRule, LuaFFIAction and LuaFFIResponseAction¶
References: #7617, pull request 8505
Add SetNegativeAndSOAAction() and its Lua binding¶
References: #4747, pull request 8171
Implement dynamic blocking on ratio of rcode/total responses¶
References: pull request 8274
Add bounded loads to the consistent hashing policy¶
References: #7387, pull request 8567
LogResponseAction (phonedph1)¶
References: pull request 8654
Add spoofRawAction() to craft answers from raw bytes¶
References: pull request 8722
Add support for Proxy Protocol between dnsdist and the recursor¶
References: pull request 8874
Implement bounded loads for the whashed and wrandom policies¶
References: pull request 8909
Improvements¶
Don’t accept sub-paths of configured DoH URLs¶
References: #8573, pull request 8760
Implement Cache-Control headers in DoH¶
References: #8586, pull request 8762
Document that the ‘keyLogFile’ option requires OpenSSL >= 1.1.1¶
References: #8806, pull request 8899
Change the default DoH path from / to /dns-query¶
References: #8819, pull request 8905
Add support for the processing of X-Forwarded-For headers¶
References: #8661, pull request 8945
Switch the default DoT provider from GnuTLS to OpenSSL¶
References: pull request 8380
Add the source and destination ports to the protobuf msg¶
References: pull request 8702
Better handling of reconnections in Remote Logger¶
References: pull request 8887
Rework NetmaskTree for better CPU and memory efficiency. (Stephan Bosch)¶
References: pull request 8355
Implement parallel health checks¶
References: pull request 8491
Use move semantics when updating the content of the StateHolder¶
References: pull request 8538
Keep a masked network in the Netmask class¶
References: pull request 8812
Make FrameStream IO parameters configurable¶
References: pull request 8937
Add backend status to prometheus metrics¶
References: #8746, pull request 8772
Add ‘IO wait’ and ‘steal’ metrics on Linux¶
References: pull request 8783
Don’t start as root within a systemd environment¶
References: pull request 7820
Separate the check-config and client modes¶
References: pull request 8456
Add the number of received bytes to StatNode entries¶
References: pull request 8529
Support setting the value of AA, AD and RA when self-generating answers¶
References: #8534, pull request 8556
pthread_rwlock_init() should be matched by pthread_rwlock_destroy()¶
References: pull request 8580
Replace include guard ifdef/define with pragma once (Chris Hofstaedtler)¶
References: pull request 8631
Allow retrieving and deleting a backend via its UUID¶
References: pull request 8657
Load an openssl configuration file, if any, during startup¶
References: pull request 8733
Add get*BindCount() functions¶
References: pull request 8848
Add sessionTimeout setting for TLS session lifetime (Matti Hiljanen)¶
References: pull request 8882
Detect {Libre,Open}SSL functions availability during configure¶
References: #8739, pull request 8900
Warn on startup about low weight values with chashed¶
References: #8669, pull request 8950
Bug Fixes¶
Set the DoH ticket rotation delay before loading tickets¶
References: pull request 8949
Display the correct DoT provider¶
References: pull request 8662
Use ref counting for the DoT TLS context¶
References: pull request 8761
Add ‘queue full’ metrics for our remote logger, log at debug only¶
References: #8629, pull request 8883
Fix ECS addition when the OPT record is not the last one¶
References: #8098, pull request 8115
Wait longer for the TLS ticket to arrive in our tests¶
References: pull request 8591
Add missing exception message in KVS error¶
References: pull request 8604
Add getTag()/setTag() Lua bindings for a DNSResponse¶
References: pull request 8782
Fix key logging for DNS over TLS¶
References: #8442, pull request 8787
Fix a typo in the help/completion for getDNSCryptBindCount¶
References: pull request 8855
Implement rmACL() (swoga)¶
References: pull request 8856
Remove unused lambda capture reported by clang++¶
References: pull request 8879
1.4.0¶
Released: 20th of November 2019
Please review the Upgrade Guide before upgrading from versions < 1.4.x.
Improvements¶
Fix the default value of setMaxUDPOutstanding in the console’s help (phonedph1)¶
References: pull request 8531
Add bindings for the noerrors and drops members of StatNode¶
References: pull request 8522
Fix -Wshadow warnings (Aki Tuomi)¶
References: pull request 8440
Fix typo: settting to setting (Chris Hofstaedtler)¶
References: pull request 8509
Bug Fixes¶
Lowercase the name blocked by a SMT dynamic block¶
References: pull request 8524
misc¶
Prefer the cipher suite from the server by default (DoH, DoT)¶
References: pull request 8526
1.4.0-rc5¶
Released: 30th of October 2019
Please review the Upgrade Guide before upgrading from versions < 1.4.x.
Improvements¶
Rename the ‘address’ label to ‘frontend’ for DoH metrics¶
References: pull request 8465
Bug Fixes¶
Increment the DOHUnit ref count when it’s set in the IDState¶
References: pull request 8471
1.4.0-rc4¶
Released: 25th of October 2019
Please review the Upgrade Guide before upgrading from versions < 1.4.x.
New Features¶
Add support for dumping TLS keys via keyLogFile¶
References: pull request 8442
Improvements¶
Implement reference counting for the DOHUnit object¶
References: pull request 8416
Merge the setup of TLS contexts in DoH and DoT¶
References: pull request 8383
Add a ‘preferServerCiphers’ option for DoH and DoT¶
References: pull request 8382
Lowercase custom DoH header names¶
References: #8353, pull request 8365
Add metrics about TLS handshake failures for DoH and DoT¶
References: pull request 8447
Add metrics about unknown/inactive TLS ticket keys¶
References: pull request 8406
Add metrics about TLS versions with DNS over TLS¶
References: pull request 8387
Count the number of concurrent connections for DoH as well¶
References: pull request 8395
Refactor DoH prometheus metrics again¶
References: pull request 8361
Add more options to LogAction (non-verbose mode, timestamps)¶
References: #8390, pull request 8411
Fix formatting in showTCPStats()¶
References: pull request 8415
Use SO_BINDTODEVICE when available for newServer’s source interface¶
References: pull request 8372
Check the address supplied to ‘webserver’ in check-config¶
References: #8362, pull request 8364
Bug Fixes¶
Clear the DoH session ticket encryption key in the ctor¶
References: pull request 8388
Add missing prometheus descriptions for cache-related metrics¶
References: pull request 8409
Add a prometheus ‘thread’ label to distinguish identical frontends¶
References: pull request 8381
Fix a typo in the prometheus description of ‘senderrors’¶
References: pull request 8378
More prometheus fixes¶
References: pull request 8368
Fix the caching of large entries¶
References: pull request 8408
Work around cmsg_space somehow not being a constexpr on macOS¶
References: #8412, pull request 8413
Fix the creation order of rules when inserted via setRules()¶
References: pull request 8359
1.4.0-rc3¶
Released: 30th of September 2019
Please review the Upgrade Guide before upgrading from versions < 1.4.x.
Improvements¶
Display the DoH and DoT binds in the web view¶
References: pull request 8264
Allow accepting DoH queries over HTTP instead of HTTPS¶
References: pull request 8267
Implement TLS session ticket keys management for DoH¶
References: pull request 8349
Clean up our interactions with errno¶
References: #7845, pull request 8083
Remove the ‘blockfilter’ stat from the web view¶
References: #5514, pull request 8265
Fix some spelling mistakes noticed by lintian (Chris Hofstaedtler)¶
References: pull request 8268
dnsdistconf.lua use non-deprecated versions for 1.4.0 (phonedph1)¶
References: pull request 8285
Better use of labels in our DoH prometheus export¶
References: pull request 8318
Bug Fixes¶
Fix the newCDBKVStore console completion when LMDB is not enabled (phonedph1)¶
References: pull request 8281
Allow configure CDB_CFLAGS to work (phonedph1)¶
References: pull request 8283
Fix the warning message on an invalid secpoll answer¶
References: pull request 8303
Don’t connect to remote logger in client/command mode¶
References: #8300, pull request 8304
1.4.0-rc2¶
Released: 2nd of September 2019
Please review the Upgrade Guide before upgrading from versions < 1.4.x.
New Features¶
Add support for early DoH HTTP responses¶
References: pull request 8206
Add a KeyValueStoreLookup action based on CDB or LMDB¶
References: pull request 8139
Improvements¶
Add minTLSVersion for DoH and DoT¶
References: #8202, pull request 8207
Split dnsdist-lua-bindings.cc to reduce memory consumption during compilation¶
References: pull request 8250
Add a Lua binding for dynBlockRulesGroup:setQuiet(quiet)¶
References: pull request 8252
misc¶
Update h2o to 2.2.6, fixing CVE-2019-9512, CVE-2019-9514 and CVE-2019-9515 for repo.powerdns.com packages¶
References: pull request 8200
1.4.0-rc1¶
Released: 12th of August 2019
Please review the Upgrade Guide before upgrading from versions < 1.4.x.
New Features¶
Add OCSP stapling (from files) for DoT and DoH¶
References: #7812, pull request 8141
Add support for custom DoH headers (Melissa Voegeli)¶
References: #7900, #7957, pull request 8148
Add lua bindings, rules and action for DoH¶
References: #8133, pull request 8153
Implement ContinueAction()¶
References: pull request 8117
Improvements¶
Send better HTTP status codes, handle ACL drops earlier¶
References: pull request 7917
Add more stats about DoH HTTP responses¶
References: #7898, pull request 7933
Improve error messages for DoT issues¶
References: pull request 7978
Accept more than one certificate in addDNSCryptBind()¶
References: #8020, pull request 8042
Disallow TCP disablement¶
References: pull request 7860
Update boost.m4 to the latest version¶
References: pull request 7862
Print stats from expungeByName (Matti Hiljanen)¶
References: pull request 7909
Squelch unused function warning¶
References: #7950, pull request 7952
SuffixMatchNode:add(): accept more types¶
References: pull request 7985
Explicitly align the buffer used for cmsgs¶
References: #7981, pull request 7990
Add quiet parameter to NetmaskGroupRule¶
References: pull request 7992
Clear cmsg_space(sizeof(data)) in cmsghdr to appease Valgrind¶
References: #7981, pull request 7996
Add static assertions for the size of the src address control buffer¶
References: pull request 8007
Don’t create temporary strings to escape DNSName labels¶
References: pull request 8013
Display TCP/DoT queries and responses in verbose mode, opcode in grepq¶
References: pull request 8024
Be a bit more explicit about what failed in testCrypto()¶
References: pull request 8025
Update URLs to use HTTPS scheme (Chris Hofstaedtler)¶
References: pull request 8110
Double-check we only increment the outstanding counter once¶
References: pull request 8113
ext/ipcrypt: ship license in tarballs (Chris Hofstaedtler)¶
References: #8108, pull request 8135
Use a counter to mark IDState usage instead of the FD¶
References: pull request 8154
Increase the default value of setMaxUDPOutstanding to 65535¶
References: pull request 8175
Bug Fixes¶
Properly override the HTTP Server header for DoH¶
References: #7894, pull request 7911
Exit when requested DoT/DoH support is not compiled in¶
References: pull request 7915
Proper HTTP response for timeouts over DoH¶
References: #7917, pull request 7927
Prevent a dangling DOHUnit pointer when send() failed¶
References: pull request 8112
Skip non-dnscrypt binds in showDNSCryptBinds()¶
References: #8014, pull request 8015
SuffixMatchTree: fix root removal, partial match of non-leaf nodes¶
References: pull request 7886
Deduplicate frontends entries with carbon and prometheus¶
References: #7933, pull request 7934
Update boost.m4¶
References: #6942, #8084, pull request 7951
Fix short IOs over TCP¶
References: #7971, pull request 7974
Fix handling of backend connection failing over TCP¶
References: pull request 7979
Insert the response into the ringbuffer right after sending it¶
References: pull request 8003
Handle ENOTCONN on read() over TCP¶
References: #8021, pull request 8030
Make sure we always compile with BOOST_CB_ENABLE_DEBUG set to 0¶
References: pull request 8067
Catch exceptions thrown when handling a TCP response¶
References: pull request 8078
Fix unlimited retries when TCP Fast Open is enabled¶
References: pull request 8079
M4/systemd.m4: fail when systemctl is not available¶
References: pull request 8081
Fix a typo in the Server’s latency description for Prometheus (phonedph1)¶
References: pull request 8105
Console: flush cout after printing g_outputbuffer (Doug Freed)¶
References: #8130, pull request 8131
Fix signedness issue in isEDNSOptionInOpt()¶
References: pull request 8158
1.4.0-beta1¶
Released: 6th of June 2019
Please review the Upgrade Guide before upgrading from versions < 1.4.x.
New Features¶
Implement SNIRule for DoT and DoH¶
References: #7210, pull request 7825
Improvements¶
Support Prometheus latency histograms (Marlin Cremers)¶
References: #6088, pull request 7853
Bug Fixes¶
DoH: Don’t leave ‘self’ dangling while parsing the request’s qname, as this could lead to a crash¶
References: #7810, pull request 7814
Fix minor issues reported by Coverity¶
References: pull request 7823
Remove second, incomplete copy of lua EDNSOptionCode table¶
References: pull request 7833
1.4.0-alpha2¶
Released: 26th of April 2019
Please review the Upgrade Guide before upgrading from versions < 1.4.x.
New Features¶
Add DNS over HTTPS support based on libh2o¶
References: #6911, #7526, pull request 7726
Improvements¶
Ignore Path MTU discovery on UDP server socket¶
References: pull request 7410
Alternative solution to the unaligned accesses.¶
References: pull request 7708
Bug Fixes¶
Exit when setting ciphers fails (GnuTLS)¶
References: pull request 7718
1.4.0-alpha1¶
Released: 12th of April 2019
Please review the Upgrade Guide before upgrading from versions < 1.4.x.
New Features¶
Make recursor & dnsdist communicate (ECS) ‘variable’ status¶
References: pull request 7209
Add namespace and instance variable to carbon key (Gibheer)¶
References: #2362, #6941, pull request 6959
Allow NoRecurse for use in dynamic blocks or Lua rules (phonedph1)¶
References: pull request 7087
Expose secpoll status¶
References: #7194, pull request 7197
Add an optional ‘checkTimeout’ parameter to ‘newServer()’¶
References: #7236, pull request 7323
Add a ‘rise’ parameter to ‘newServer()’¶
References: #7237, pull request 7322
Add a ‘keepStaleData’ option to the packet cache¶
References: #7239, pull request 7310
Expose trailing data (Richard Gibson)¶
References: #6846, #6897, pull request 6967
Add option to set interval between health checks (1848)¶
References: pull request 7142
Add EDNS unknown version handling (Dmitry Alenichev)¶
References: pull request 7406
DNSNameSet and QNameSetRule (Andrey)¶
References: pull request 7537
Add support for encrypting ip addresses #gdpr¶
References: #6242, pull request 7481
Add ‘setSyslogFacility()’¶
References: #5653, pull request 7677
Add ‘reloadAllCertificates()’¶
References: pull request 7676
Improvements¶
Fix warnings, mostly unused parameters, reported by -Wextra¶
References: pull request 7168
Add optional uuid column to showServers()¶
References: pull request 7191
Configure --enable-pdns-option --with-third-party-module (Josh Soref)¶
References: pull request 7026
Drop remaining capabilities after startup¶
References: pull request 7138
More sandboxing using systemd’s features¶
References: pull request 6634
Reduce systemcall usage in Protobuf logging¶
References: pull request 7428
Resync YaHTTP code to cmouse/yahttp@11be77a1fc4032 (Chris Hofstaedtler)¶
References: pull request 7433
Pass empty response (Dmitry Alenichev)¶
References: pull request 7431
Change the way getRealMemusage() works on linux (using statm)¶
References: pull request 7502
Prevent 0-ttl cache hits¶
References: #7534, pull request 7585
Add addDynBlockSMT() support to dynBlockRulesGroup¶
References: #7139, pull request 7343
Add frontend response statistics (Matti Hiljanen)¶
References: pull request 7578
Remove addLuaAction and addLuaResponseAction¶
References: pull request 7670
Refactoring of the TCP stack¶
References: #4814, #7526, pull request 7559
Prevent a conflict with BADSIG being clobbered¶
References: #7556, pull request 7692
Switch to the new ‘newPacketCache()’ syntax for 1.4.0¶
References: pull request 7689
Move constants to proper namespace¶
References: pull request 7678
Unify the management of DNS/DNSCrypt/DoT frontends¶
References: pull request 7694
Fix compiler warning about returning garbage (Adam Majer)¶
References: pull request 7167
Bug Fixes¶
Protect GnuTLS tickets key rotation with a read-write lock¶
References: pull request 7256
Check that SO_ATTACH_BPF is defined before enabling eBPF¶
References: pull request 7267
Fix off-by-one in mvRule counting¶
References: pull request 7426
Don’t convert nsec to usec if we need nsec¶
References: pull request 7520
Fix setRules()¶
References: pull request 7594
Handle EAGAIN in the GnuTLS DNS over TLS provider¶
References: pull request 7560
Gracefully handle a null latency in the webserver’s js¶
References: #7461, pull request 7586
EDNSOptionView improvements¶
References: pull request 7652
Honor libcrypto include path¶
References: #7481, pull request 7674
1.3.3¶
Released: 8th of November 2018
Please review the Upgrade Guide before upgrading from versions < 1.3.x.
New Features¶
Add consistent hash builtin policy¶
References: #6932, pull request 6737, pull request 6939
Add EDNSOptionRule¶
References: pull request 6803
Add DSTPortRule (phonedph1)¶
References: pull request 6813
Make getOutstanding usable from both lua and console (phonedph1)¶
References: pull request 6826
Added :excludeRange and :includeRange methods to DynBPFFilter class (Reinier Schoof)¶
References: pull request 6856
Add Prometheus stats support (Pavel Odintsov, Kai S)¶
References: #4947, #6002, pull request 3935, pull request 6343, pull request 6901, pull request 7007, pull request 7089
Name threads in the programs¶
References: #6974, pull request 6997
Support the NXDomain action with dynamic blocks¶
References: #6908, pull request 7075
Add security polling¶
References: pull request 7115
Add a PoolAvailableRule to easily add backup pools (Robin Geuze)¶
References: pull request 7140
Improvements¶
Get rid of some allocs/copies in DNS parsing¶
References: pull request 6831
Set a correct EDNS OPT RR for self-generated answers¶
References: #4857, #6348, pull request 6847
Fix a sign-comparison warning in isEDNSOptionInOPT()¶
References: pull request 6877
Add warning rates to DynBlockRulesGroup rules¶
References: #6907, pull request 6986
Add support for exporting a server id in protobuf¶
References: #6990, #7004, pull request 7015
dnsdist did not set TCP_NODELAY, causing needless latency¶
References: pull request 7030
Add a setting to control the number of stored sessions¶
References: pull request 7062
Wrap GnuTLS and OpenSSL pointers in smart pointers¶
References: #7060, pull request 7064
Add a ‘creationOrder’ field to rules¶
References: #6909, pull request 7078
Fix return-type detection with boost 1.69’s tribool¶
References: #7091, pull request 7092
Fix format string issue on 32bits ARM¶
References: #7096, pull request 7104
Wrap TCP connection objects in smart pointers¶
References: pull request 7108
Add the setConsoleOutputMaxMsgSize function¶
References: #7084, pull request 7109
Add the ability to update webserver credentials¶
References: #7112, pull request 7117
Bug Fixes¶
Display dynblocks’ default action, None, as the global one¶
References: pull request 6835
Fix compilation when SO_REUSEPORT is not defined¶
References: pull request 6956
Release memory on DNS over TLS handshake failure¶
References: pull request 7060
Handle trailing data correctly when adding OPT or ECS info¶
References: #6896, pull request 7165
1.3.2¶
Released: 10th of July 2018
Please review the Upgrade Guide before upgrading from versions < 1.3.x.
Bug Fixes¶
Add missing include for PRId64, fix build on CentOS 6 / SLES 12¶
References: pull request 6785
1.3.1¶
Released: 10th of July 2018
Please review the Upgrade Guide before upgrading from versions < 1.3.x.
New Features¶
Add support for more than one TLS certificate¶
References: #6450, pull request 6524
Add a negative ttl option to the packet cache¶
References: #6579, pull request 6740
Add the ability to dump a summary of the cache content¶
References: pull request 6749
Add netmask-based {ex,in}clusions to DynblockRulesGroup¶
References: pull request 6760
Add DNSAction.NoOp to debug dynamic blocks¶
References: #6703, pull request 6776
Add SetECSAction to set an arbitrary outgoing ecs value¶
References: #6404, pull request 6734
Add support for rotating certificates and keys¶
References: pull request 6764
Improvements¶
Remove thelog and thel and replace this with a global g_log¶
References: #6357, pull request 6358
Fix two small nits on the documentation¶
References: pull request 6422
Move the el6 dnsdist package to upstart¶
References: #6394, pull request 6426
CLI option improvements (Chris Hofstaedtler)¶
References: #6433, pull request 6435
Split pdns_enable_unit_tests (Chris Hofstaedtler)¶
References: pull request 6436
Re-do lua detection¶
References: #6423, pull request 6445, pull request 6457, pull request 6470
Docs: fix missing ref in the dnsdist docs¶
References: pull request 6460
Be more permissive in wrandom tests, log values on failure¶
References: pull request 6502
Tests: avoid failure on not-so-optimal distribution¶
References: #6430, pull request 6523
Add syntax to dns.proto to silence compilation warning.¶
References: pull request 6577
Fix warnings reported by gcc 8.1.0¶
References: pull request 6590
Document setVerboseHealthchecks()¶
References: #6483, pull request 6592
Update dq.rst (phonedph1)¶
References: pull request 6615
Fix rpm scriptlets¶
References: pull request 6641
Don’t copy uninitialized values of SuffixMatchTree¶
References: pull request 6637
Expose toString of various objects to Lua (Chris Hofstaedtler)¶
References: pull request 6684
Remove ‘expired’ states from MaxQPSIPRule¶
References: pull request 6674
Mark the remote member of DownstreamState as const¶
References: #6664, pull request 6688
Test the content of dynamic blocks using the API¶
References: #6706, pull request 6710
Default set “connection: close” header for web requests¶
References: #6532, pull request 6711
Update timedipsetrule.rst (phonedph1)¶
References: pull request 6717
Don’t access the TCP buffer vector past its size¶
References: #6712, pull request 6716
Show droprate in API output¶
References: pull request 6563
Refuse console connection without a proper key set¶
References: #6683, #6709, pull request 6715
Use LRU to clean the MaxQPSIPRule’s store¶
References: pull request 6726
Disable maybe uninitialized warnings with boost optional¶
References: pull request 6769
Luawrapper: report caught std::exception as lua_error¶
References: #6541, pull request 6658
Dnstap.rst: fix some editing errors (Chris Hofstaedtler)¶
References: pull request 6602
Allow known exception types to be converted to string¶
References: #6535, pull request 6541
Bug Fixes¶
Initialize the done variable in the rings’ unit tests¶
References: pull request 6425
Reorder headers to fix OpenBSD build¶
References: pull request 6429
Restrict value range for weight parameter, avoid sum overflows dropping queries (Dan McCombs)¶
References: pull request 6448
Fix reconnection handling¶
References: pull request 6672
Dynamic blocks were being created with the wrong duration (David Freedman)¶
References: pull request 6706
Limit qps and latency to two decimals in the web view¶
References: #6442, pull request 6718
Check the flags to detect collisions in the packet cache¶
References: pull request 6747
Fix iterating over the results of exceed*() functions¶
References: pull request 6762
Fix duration false positive in the dynblock regression tests¶
References: pull request 6767
Implement NoneAction()¶
References: #6758, pull request 6775
Detect ECS collisions in the packet cache¶
References: #6747, pull request 6754
Fix an outstanding counter race when reusing states¶
References: pull request 6773
1.3.0¶
Released: 30th of March 2018
Please review the Upgrade Guide before upgrading from versions < 1.3.x.
New Features¶
Add an optional status parameter to Server:setAuto().¶
References: pull request 5625
Add inClientStartup() function.¶
References: pull request 6072
Add tag-based routing of queries.¶
References: pull request 6037
Add experimental DNS-over-TLS support.¶
References: pull request 6117, pull request 6175, pull request 6176, pull request 6177, pull request 6189
Add simple dnstap support (Justin Valentini, Chris Hofstaedtler).¶
References: pull request 5201, pull request 6170
Add experimental XPF support based on draft-bellis-dnsop-xpf-04.¶
References: #5079, #5654, pull request 5594, pull request 6220
Add ERCodeRule() to match on extended RCodes (Chris Hofstaedtler).¶
References: pull request 6147
Add TempFailureCacheTTLAction() (Chris Hofstaedtler).¶
References: pull request 6003
Add DynBlockRulesGroup to improve processing speed of the maintenance() function by reducing memory usage and not walking the ringbuffers multiple times.¶
References: pull request 6391
Add console ACL functions.¶
References: #4654, pull request 6399
Allow adding EDNS Client Subnet information to a query before looking in the cache. This allows serving ECS enabled answers from the cache when all servers in a pool are down.¶
References: #6098, pull request 6400
Improvements¶
Add cache sharding, recvmmsg and CPU pinning support. With these, the scalability of dnsdist is drastically improved.¶
References: #5202, #5859, pull request 5576, pull request 5860
Add burst option to MaxQPSIPRule() (42wim).¶
References: pull request 5970
Add Pools, cacheHitResponseRules to the API.¶
References: pull request 6022
Add a class option to health checks.¶
References: #5748, pull request 5929
Add UUIDs to rules, this allows tracking rules through modifications and moving them around.¶
References: pull request 6030
Apply ResponseRules to locally generated answers (Chris Hofstaedtler).¶
References: #6182, pull request 6185
Report LuaAction() and LuaResponseAction() failures in the log and send SERVFAIL instead of not answering the query (Chris Hofstaedtler).¶
References: pull request 6283
Unify global statistics accounting (Chris Hofstaedtler).¶
References: pull request 6289
Speed up the processing of large ring buffers. This change will make dnsdist more scalable with a large number of different clients.¶
References: pull request 6350, pull request 6366
Make custom addLuaAction() and addLuaResponseAction() callback’s second return value optional.¶
References: #6346, pull request 6363
Add “server-up” metric count to Carbon Reporting (Lowell Mower).¶
References: pull request 6327
Add xchacha20 support for DNSCrypt.¶
References: pull request 6045, pull request 6382
Scalability improvement: Add an option to use several source ports towards a backend.¶
References: pull request 6317
Add ‘?’ and ‘help’ for providing help() output on dnsdist -c (Kirill Ponomarev, Chris Hofstaedtler).¶
References: #4845, pull request 5866, pull request 6375
Replace the Lua mutex with a rw lock to limit contention. This improves the processing speed and parallelism of the policies.¶
References: pull request 6190, pull request 6381
Ensure dnsdist compiles on NetBSD (Tom Ivar Helbekkmo).¶
References: pull request 6146
Also log eBPF dynamic blocks, as regular dynamic blocks already are.¶
References: #5845, pull request 5845
Ensure large numbers are shown correctly in the API.¶
References: #6211, pull request 6401
Add option to showRules() to truncate the output length.¶
References: #5763, pull request 6402
Fix several warnings reported by clang’s analyzer and cppcheck, should lead to small performance increases.¶
References: pull request 6407
Bug Fixes¶
Handle SNMP alarms so we can reconnect to the daemon.¶
References: #5327, pull request 5328
Fix signed/unsigned comparison warnings on ARM.¶
References: #5489, pull request 5597
Keep trying if the first connection to the remote logger failed¶
References: pull request 5770
Fix escaping unusual DNS label octets in DNSName is off by one (Kees Monshouwer).¶
References: pull request 6018
Avoid assertion errors in NewServer() (Chris Hofstaedtler).¶
References: pull request 6403
Removals¶
Remove the --daemon option from dnsdist.¶
References: #6329, pull request 6394
1.2.1¶
Released: 16th of February 2018
Please review the Upgrade Guide before upgrading from versions < 1.2.x.
New Features¶
Add configuration option to disable IP_BIND_ADDRESS_NO_PORT (Dan McCombs).¶
References: pull request 5880
Improvements¶
Handle bracketed IPv6 addresses without ports (Chris Hofstaedtler).¶
References: pull request 6057
Bug Fixes¶
Make dnsdist dynamic truncate do the right thing on TCP/IP.¶
References: pull request 5647
Add missing QPSAction¶
References: pull request 5686
Don’t create a Remote Logger in client mode.¶
References: pull request 5847
Use libsodium’s CFLAGS, we might need them to find the includes.¶
References: pull request 5858
Keep the TCP connection open on cache hit, generated answers.¶
References: pull request 6012
Add the missing <sys/time.h> include to mplexer.hh for struct timeval.¶
References: pull request 6041
Sort the servers based on their ‘order’ after it has been set.¶
References: pull request 6043
Quiet unused variable warning on macOS (Chris Hofstaedtler).¶
References: pull request 6073
Fix the outstanding counter when an exception is raised.¶
References: #5652, pull request 6094
Do not connect the snmpAgent from a dnsdist client.¶
References: #6163, pull request 6164
1.2.0¶
Released: 21st of August 2017
Please review the Upgrade Guide before upgrading from versions < 1.2.x.
New Features¶
Add an option to export CNAME records over protobuf.¶
References: #4709, pull request 4776
Add TCP management options from RFC 7766 section 10.¶
References: pull request 4611
Add an option to ‘mute’ UDP responses per bind.¶
References: #4527, pull request 4536
Save history to home-dir, only use CWD as a last resort.¶
References: #4562, pull request 4779
Add the setRingBuffersSize() directive to allow changing the ringbuffer size.¶
References: pull request 4898
Allow TTL alteration via Lua.¶
References: #4707, pull request 4787
Add RDRule() to match queries with the RD flag set.¶
References: pull request 4837
Add setWHashedPertubation() for consistent whashed results.¶
References: pull request 4897
Add tcpConnectTimeout to newServer().¶
References: pull request 4818
Add cache hit response rules.¶
References: #4708, pull request 4788, pull request 5036
Add SNMP support.¶
References: pull request 4989, pull request 5123, pull request 5204
Allow passing DNSNames as DNSRules.¶
References: pull request 5070
Add support for setting the server selection policy on a per pool basis (Robin Geuze).¶
References: pull request 5113
Add a suffixMatch parameter to PacketCache:expungeByName() (Robin Geuze).¶
References: pull request 5159
Add an option so the packet cache entries don’t age.¶
References: #5126, pull request 5136
Add QNameRule().¶
References: pull request 5235
Add an optional action to addDynBlocks().¶
References: pull request 5337
Add an optional interface parameter to addLocal()/setLocal().¶
References: pull request 5344
Make a truncate action available to DynBlock and Lua.¶
References: pull request 5386
Implement a runtime changeable rule that matches IP address for a certain time called TimedIPSetRule().¶
References: pull request 5336
Add support for returning several IPs to spoof from Lua.¶
References: pull request 5496
Add Lua bindings to be able to rotate DNSCrypt keys, see DNSCrypt.¶
References: #5420, #5507, pull request 5490, pull request 5508
Add the capability to set arbitrary tags in protobuf messages.¶
References: pull request 5396, pull request 5577
Add setConsoleConnectionsLogging().¶
References: #5565, pull request 5581
Improvements¶
Merge the client and server nonces to prevent replay attacks.¶
References: pull request 4815
Store the computed shared key and reuse it for the response for DNSCrypt messages.¶
References: pull request 4813, pull request 4926
Add setTCPUseSinglePipe() to use a single TCP waiting queue.¶
References: pull request 4817
Add sendSizeAndMsgWithTimeout to send size and data in a single call and use it for TCP Fast Open towards backends.¶
References: #5494, pull request 4985, pull request 5501
Tune systemd unit-file for medium-sized installations (Winfried Angele).¶
References: pull request 4958
Add the possibility to fill a NetmaskGroup (using NetmaskGroup:addMask()) from exceeds* results.¶
References: pull request 5185
Add labels count to StatNode, only set the name once.¶
References: pull request 5353
DNSName: Check that both first two bits are set in compressed labels.¶
References: #4851, pull request 4852
Handle unreachable servers at startup, reconnect stale sockets¶
References: #4131, #4155, pull request 4285
Gracefully handle invalid addresses in newServer().¶
References: #4471, pull request 4474
Use IP_BIND_ADDRESS_NO_PORT when available.¶
References: pull request 4786
Add an optional seconds parameter to statNodeRespRing().¶
References: #4660, #4775, pull request 4780
Report a more specific lua version and report luajit in --version.¶
References: pull request 4910
Prevent issues by unshadowing variables.¶
References: pull request 5056
Register DNSName::chopOff (@plzz).¶
References: pull request 4920
Make includeDirectory() work sorted (Robin Geuze).¶
References: #5053, pull request 5150, pull request 5171
Allow embedded NULs in strings received from Lua.¶
References: pull request 5147
Cleanup closed TCP downstream connections.¶
References: pull request 5163
Improve reporting of C++ exceptions that bubble up via Lua.¶
References: pull request 5230
Add better logging on queries that get dropped, timed out or received.¶
References: pull request 5253
Print useful messages when query and response actions are mixed.¶
References: pull request 5342
Add DNSRule::toString() and add virtual destructors to DNSRule, DNSAction and DNSResponseAction so the destructors of derived classes are run even when deleted via the base type.¶
References: pull request 5497
Don’t use square brackets for IPv6 in Carbon metrics.¶
References: #5538, pull request 5579
Bug Fixes¶
Unified -k and setKey() behaviour for client and server mode now.¶
References: pull request 5199
Refactor SuffixMatchNode using a SuffixMatchTree.¶
References: #4761, pull request 4950
Get rid of std::move() calls preventing copy elision.¶
References: pull request 5359
Send an HTTP 404 on unknown API paths.¶
References: pull request 5089
LuaWrapper: Use the correct index when storing a function.¶
References: pull request 4775
Send a latency of 0 over carbon, null over API for down servers.¶
References: #4689, pull request 4785
Fix negative port detection for IPv6 addresses on 32-bit.¶
References: pull request 4911
Fix crashes on SmartOS/Illumos (Roman Dayneko).¶
References: #4579, pull request 4877
Change truncateTC to default to off; having it enabled by default causes an incompatibility with RFC 6891 (Robin Geuze).¶
References: #4857, pull request 4859
Don’t cache answers without any TTL (like SERVFAIL).¶
References: #4983, pull request 4987, pull request 5037
Fix destination port reporting on “any” binds.¶
References: pull request 5194
Correctly truncate EDNS Client Subnetmasks.¶
References: pull request 5320
Fix RecordsTypeCountRule()’s handling of the # of records in a section.¶
References: #5365, pull request 5369
Change stats functions to always return lowercase names (Robin Geuze).¶
References: #5287, pull request 5383
Only use TCP Fast Open when supported and prevent compiler warnings.¶
References: pull request 5449, pull request 5454
Skip timeouts on the response latency graph.¶
References: #5559, pull request 5563
Copy the DNS header before encrypting it in place.¶
References: #5566, pull request 5580
Removals¶
Remove BlockFilter.¶
References: #5513, pull request 5514
Deprecate syntactic sugar functions.¶
References: #5069, pull request 5526
misc¶
Fix potential pointer wrap-around on 32 bits.¶
References: pull request 5630
Make the API available with an API key only.¶
References: pull request 5631
1.1.0-beta2¶
Released December 14th 2016
Changes since 1.1.0-beta1:
New features¶
- #4518: Fix dynblocks over TCP, allow refusing dyn blocked queries
- #4519: Allow altering the ECS behavior via rules and Lua
- #4535: Add DNSQuestion:getDO()
- #4653: getStatisticsCounters() to access counters from Lua
- #4657: Add includeDirectory(dir)
- #4658: Allow editing the ACL via the API
- #4702: Add setUDPTimeout(n)
- #4726: Add an option to return ServFail when no server is available
- #4748: Add setCacheCleaningPercentage()
Improvements¶
- #4533: Fix building with clang on OS X and FreeBSD
- #4537: Replace luawrapper’s std::forward/std::make_tuple combo with std::forward_as_tuple (Sangwhan “fish” Moon)
- #4596: Change the default max number of queued TCP conns to 1000
- #4632: Improve dnsdist error message on a common typo/config mistake
- #4694: Don’t use a const_iterator for erasing (fix compilation with some versions of gcc)
- #4715: Specify that dnsmessage.proto uses protobuf version 2
- #4765: Some service improvements
Bug fixes¶
- #4425: Fix a protobuf regression (requestor/responder mix-up) caused by a94673e
- #4541: Fix insertion issues in SuffixMatchTree, move it to dnsname.hh
- #4553: Flush output in single command client mode
- #4578: Fix destination address reporting
- #4640: Don’t exit dnsdist on an exception in maintenance
- #4721: Handle exceptions in the UDP responder thread
- #4734: Add the TCP socket to the map only if the connection succeeds. Closes #4733
- #4742: Decrement the queued TCP conn count if writing to the pipe fails
- #4743: Ignore newBPFFilter() and newDynBPFFilter() in client mode
- #4753: Fix FD leak on TCP connection failure, handle TCP worker creation failure
- #4764: Prevent race while creating new TCP worker threads
1.1.0-beta1¶
Released September 1st 2016
Changes since 1.0.0:
New features¶
- #3762 Teeaction: send copy of query to second nameserver, sponge responses
- #3876 Add showResponseRules(), {mv,rm,top}ResponseRule()
- #3936 Filter on opcode, records count/type, trailing data
- #3975 Make dnsdist {A,I}XFR aware, document possible issues
- #4006 Add eBPF source address and qname/qtype filtering
- #4008 Node infrastructure for querying recent traffic
- #4042 Add server-side TCP Fast Open support
- #4050 Add clearRules() and setRules()
- #4114 Add QNameLabelsCountRule() and QNameWireLengthRule()
- #4116 Added src boolean to NetmaskGroupRule to match destination address (Reinier Schoof)
- #4175 Implemented query counting (Reinier Schoof)
- #4244 Add a setCD parameter to set cd=1 on health check queries
- #4284 Add RCodeRule(), Allow, Delay and Drop response actions
- #4305 Add an optional Lua callback for altering a Protobuf message
- #4309 Add showTCPStats function (RobinGeuze)
- #4329 Add options to LogAction() so it can append (instead of truncate) (Duane Wessels)
Improvements¶
- #3714 Add documentation links to dnsdist.service (Ruben Kerkhof)
- #3754 Allow the use of custom headers in the web server
- #3826 Implement a ‘quiet’ mode for SuffixMatchNodeRule()
- #3836 Log the content of webserver’s exceptions
- #3858 Only log YaHTTP’s parser exceptions in verbose mode
- #3877 Increase max FDs in systemd unit, warn if clearly too low
- #4019 Add an optional addECS option to TeeAction()
- #4029 Add version and feature information to version output
- #4079 Return an error on RemoteLog{,Response}Action() w/o protobuf
- #4246 API now sends pools as a JSON array instead of a string
- #4302 Add help() and showVersion()
- #4286 Add response rules to the API and Web status page
- #4068 Display the dyn eBPF filters stats in the web interface
Bug fixes¶
- #3755 Fix RegexRule example in dnsdistconf.lua
- #3773 Stop copying the HTTP request headers to the response
- #3837 Remove dnsdist service file on trusty
- #3840 Catch WrongTypeException in client mode
- #3906 Keep the servers ordered inside pools
- #3988 Fix grepq() output in the README
- #3992 Fix some typos in the AXFR/IXFR documentation
- #3995 Fix comparison between signed and unsigned integer
- #4049 Fix dnsdist rpm building script #4048 (Daniel Stirnimann)
- #4065 Include editline/readline.h instead of readline.h/history.h
- #4067 Disable eBPF support when BPF_FUNC_tail_call is not found
- #4069 Fix a buffer overflow when displaying an OpcodeRule
- #4101 Fix $ expansion in build-dnsdist-rpm
- #4198 newServer setting maxCheckFailures makes no sense (stutiredboy)
- #4205 Prevent the use of “any” addresses for downstream server
- #4220 Don’t log an error when parsing an invalid UDP query
- #4348 Fix invalid outstanding count for {A,I}XFR over TCP
- #4365 Reset origFD asap to keep the outstanding count correct
- #4375 Tuple requires make_tuple to initialize
- #4380 Fix compilation with clang when eBPF support is enabled
1.0.0¶
Released April 21st 2016
Changes since 1.0.0-beta1:
Improvements¶
- #3700 Create user from the RPM package to drop privs
- #3712 Make check should run testrunner
- #3713 Remove contrib/dnsdist.service (Ruben Kerkhof)
- #3722 Use LT_INIT and disable static objects (Ruben Kerkhof)
- #3724 Include PDNS_CHECK_OS in configure (Chris Hofstaedtler)
- #3728 Document libedit Ctrl-R workaround for CentOS 6
- #3730 Make topBandwidth() behave like other top* functions
- #3731 Clarify a bit the documentation of load-balancing policies
1.0.0-beta1¶
Released April 14th 2016
Changes since 1.0.0-alpha2:
New features¶
- Per-pool packet cache
- Some actions do not stop the processing anymore when they match, allowing more complex setups: Delay, Disable Validation, Log, MacAddr, No Recurse and of course None
- The new RE2Rule() is available, using the RE2 regular expression library to match queries, in addition to the existing POSIX-based RegexRule()
- SpoofAction() now supports multiple A and AAAA records
- Remote logging of questions and answers via Protocol Buffer
Improvements¶
- #3405 Add health check logging, maxCheckFailures to backend
- #3412 Check config
- #3440 Client operation improvements
- #3466 Add dq binding for skipping packet cache in LuaAction (Jan Broer)
- #3499 Add support for multiple carbon servers
- #3504 Allow accessing the API with an optional API key
- #3556 Add an option to limit the number of queued TCP connections
- #3578 Add a disable-syslog option
- #3608 Export cache stats to carbon
- #3622 Display the ACL content on startup
- #3627 Remove ECS option from response’s OPT RR when necessary
- #3633 Count “TTL too short” cache events
- #3677 systemd-notify support
Bug fixes¶
- #3388 Lock the Lua context before executing a LuaAction
- #3433 Check that the answer matches the initial query
- #3461 Fix crash when calling rmServer() with an invalid index
- #3550,#3551 Fix build failure on FreeBSD (Ruben Kerkhof)
- #3594 Prevent EOF error for empty console response w/o sodium
- #3634 Prevent dangling TCP fd in case setupTCPDownstream() fails
- #3641 Under threshold, QPS action should return None, not Allow
- #3658 Fix a race condition in MaxQPSIPRule
1.0.0-alpha2¶
Released February 5th 2016
Changes since 1.0.0-alpha1:
New features¶
- Lua functions now receive a DNSQuestion dq object instead of several parameters. This adds greater compatibility with PowerDNS and allows adding more parameters without breaking the API (#3198)
- Added a source option to newServer() to specify the local address or interface used to contact a downstream server (#3138)
- CNAME and IPv6-only support have been added to spoofed responses (#3064)
- grepq() can be used to search for slow queries, along with topSlow()
- New Lua functions: addDomainCNAMESpoof(), AllowAction() by @bearggg, exceedQRate(), MacAddrAction(), makeRule(), NotRule(), OrRule(), QClassRule(), RCodeAction(), SpoofCNAMEAction(), SuffixMatchNodeRule(), TCPRule(), topSlow()
- NetmaskGroup support has been added in Lua (#3144)
- Added MacAddrAction() to add the source MAC address to the forwarded query (#3313)
Bug fixes¶
- An issue in DelayPipe could make dnsdist crash at startup
- downstream-timeouts metric was not always updated
- truncateTC was improperly updating the response length (#3126)
- DNSCrypt responses larger than queries were improperly truncated
- An issue prevented info message from being displayed in non-verbose mode, fixed by Jan Broer
- Reinstating an expired Dynamic Rule was not correctly logged (#3323)
- Initialized counters in the TCP client thread might have caused FD and memory leaks, reported by Martin Pels (#3300)
- We now drop queries containing no question (qdcount == 0) (#3290)
- Outstanding TCP queries count was not always correct (#3288)
- A locking issue in exceedRespGen() might have caused crashes (#3277)
- Useless sockets were created in client mode (#3257)
- addAnyTCRule() was generating TC=1 responses even over TCP (#3251)
Web interface¶
- Cleanup of the HTML by Sander Hoentjen
- Fixed an XSS reported by @janeczku (#3217)
- Removed remote images
- Set the charset to UTF-8, added some security-related and CORS HTTP headers
- Added server latency by Jan Broer (#3201)
- Switched to official minified versions of JS scripts, by Sander Hoentjen (#3317)
- Don’t log unauthenticated HTTP request as an authentication failure
Various documentation updates and minor cleanups:¶
- Added documentation for Advanced DNS Protection features (Dynamic rules, maintenance())
- Make topBandwidth() default to the top 10 clients
- Replaced readline with libedit
- Added GPL2 License (#3200)
- Added incbin License (#3269)
- Updated completion rules
- Removed wrong option --daemon-no by Stefan Schmidt