Changelog
1.7.2
Released: 14th of June 2022
Improvements
Scan the UDP buckets only when we have outstanding queries
References: #11576, pull request 11579
Only allocate the health-check mplexer when needed
References: #11422, pull request 11580
Add Lua bindings to access the DNS payload as a string
References: #11606, pull request 11666
Bug Fixes
Fix invalid proxy protocol payload on a DoH TC to TCP retry
References: #11604, pull request 11665
Fix a crash on an invalid protocol in DoH forwarded-for header
References: #11621, pull request 11667
Add missing descriptions for prometheus metrics
References: #11602, pull request 11664
1.7.1
Released: 25th of April 2022
Improvements
Remove the leak warning with GnuTLS >= 3.7.3
References: #11201, pull request 11324
Fix compilation with OpenSSL 3.0.0
References: pull request 11195
Docker images: remove capability requirements
References: #11081, pull request 11094
Docker image: install ca-certificates
References: #11290, pull request 11292
Work around a compiler bug seen on OpenBSD/amd64 using clang-13
References: #11113, pull request 11176
Stop using the now deprecated and useless std::binary_function
References: pull request 11197
Add a ‘getAddressAndPort()’ method to DOHFrontend and TLSFrontend objects
References: #11434, pull request 11547
Bug Fixes
Fix the health-check timeout for outgoing DoH connections
References: #11250, pull request 11253
Set Server Name Indication on outgoing TLS connections (DoT, DoH)
References: #11249, pull request 11251
Fix the latency-count metric
References: #11239, pull request 11323
Fix a use-after-free in case of a network error in the middle of an XFR query
References: #11330, pull request 11335
Properly use eBPF when the DynBlock is not set
References: #11504, pull request 11550
Fix ‘inConfigCheck()’
References: #11254, pull request 11255
Use the correct outgoing protocol in our ring buffers
References: #11501, pull request 11545
Raise the number of entries in a packet cache to at least 1
References: #11383, pull request 11546
Fix wrong eBPF values (qtype, counter) being inserted for qnames
References: pull request 11565
The check interval applies to health-check, not timeouts
References: #11375, pull request 11572
1.7.0
Released: 17th of January 2022
Bug Fixes
Test the correct member in DynBlockRatioRule::warningRatioExceeded (Doug Freed)
References: #11131, pull request 11156
1.7.0-rc1
Released: 22nd of December 2021
Improvements
Reuse and save the TLS session tickets in DoT healthchecks
References: pull request 11037
Bug Fixes
Fix a double-free when a DoH cross-protocol response is dropped
References: pull request 11075
Check the size of the query when re-sending a DoH query
References: pull request 11079
1.7.0-beta2
Released: 29th of November 2021
Improvements
Add a function to know how many TLS sessions are currently cached
References: pull request 10997
Warn that GnuTLS 3.7.x leaks memory when validating certs
References: pull request 11001
Add a function to set the UDP recv/snd buffer sizes
References: #10898, pull request 11008
Add ‘showWebserverConfig’
References: #10135, pull request 11006
Bug Fixes
Fix a memory leak when reusing TLS tickets for outgoing connections
References: pull request 10999
Fix compiler/static analyzer warnings
References: #10988, pull request 10993
Fix Lua parameters bound checks
References: pull request 11007
Add missing visibility attribute on dnsdist_ffi_dnsquestion_get_qname_hash
References: pull request 11031
1.7.0-beta1
Released: 16th of November 2021
New Features
Implement filesystem pinning for eBPF maps, drop and truncate via XDP (Pierre Grié)
References: pull request 10498, pull request 10883
Add range support for dynamic blocks
References: #4993, pull request 10815
Add the ability to retain select capabilities at runtime
References: pull request 10923
Improvements
Support DoT, DoH and DNSCrypt transports for protobuf and dnstap
References: #9103, pull request 10879
Use the same outgoing TCP connection for different clients
References: pull request 10862
Read as many DoH responses as possible before yielding
References: pull request 10875
Stop over-allocating for DoH queries
References: pull request 10876
Convert make_pair to emplace (Rosen Penev)
References: pull request 10646
Add syslog identifier to service file
References: #10651, pull request 10795
Get rid of make_pair (Rosen Penev)
References: pull request 10868
Use make_unique instead of new (Rosen Penev)
References: pull request 10870
Handle existing EDNS content for SetMacAddrAction/SetEDNSOptionAction
References: #4670, pull request 10907
Bug Fixes
Keep watching idle DoH backend connections
References: pull request 10845
Fix the cleaning of TCP, DoT and DoH connections to the backend
References: pull request 10920
Properly handle I/O exceptions in the health checker
References: pull request 10874
NetmaskTree: Drop the ‘noexcept’ qualifier on the TreeNode ctor
References: pull request 10900
Fix build without nghttp2
References: pull request 10922
Remove debug print line flooding logs (Eugen Mayer)
References: pull request 10935
Credentials: EVP_PKEY_CTX_set1_scrypt_salt() takes an unsigned char*
References: #10938, pull request 10943
1.7.0-alpha2
Released: 19th of October 2021
New Features
Add Lua support for SetEDNSOptionAction
References: pull request 10814
Rule for basing decisions on outstanding queries in a pool (phonedph1)
References: pull request 10832
Improvements
Disable TLS renegotiation, release buffers for outgoing TLS
References: pull request 10823
Don’t create SSLKEYLOGFILE files with wide permissions
References: pull request 10760
Update existing tags when calling setTagAction and setTagResponseAction
References: pull request 10767
Fix the unit tests to handle v4-only or v6-only connectivity
References: #10403, pull request 10775
Improve the coverage of the outgoing DoH code
References: pull request 10782
Allow skipping arbitrary EDNS options when computing packet hash
References: pull request 10791
Add incoming and outgoing protocols to grepq
References: pull request 10833
Allow setting the block reason from the SMT callback
References: #10559, pull request 10835
Clear the UDP states of TCP-only backends
References: pull request 10844
Replace shared by unique ptrs, reduce structs size
References: pull request 10846
Bug Fixes
Better handling of outgoing DoH workers
References: #10771, pull request 10772
Properly cache UDP queries passed to a TCP/DoT/DoH backend
References: pull request 10787
Use per-thread credentials for GnuTLS client connections
References: pull request 10841
Only set recursion protection once we know we do not return
References: pull request 10848
1.7.0-alpha1
Released: 23rd of September 2021
New Features
Implementation of DoH between dnsdist and the backend
References: pull request 10635
Implement cross-protocol queries, including outgoing DNS over TLS
References: pull request 10338
Add support for Lua per-thread FFI rules and actions
References: pull request 10501
Add FFI functions to spoof multiple raw values
References: #10456, pull request 10532
Add support for range-based lookups into a Key-Value store
References: #10520, pull request 10525
Implement SpoofSVCAction to return SVC responses
References: #10367, pull request 10597
Improvements
Don’t look up the LMDB dbi by name for every query
References: pull request 10520
Move to hashed passwords for the web interface
References: #7937, pull request 10157
Fix ‘temporary used in loop’ warnings reported by g++ 11.1.0
References: pull request 10429
Skip some memory allocations in client mode to reduce memory usage
References: pull request 10441
Support multiple IP addresses for dnsdist-resolver Lua script (Wim)
References: pull request 10414
Make DNSDist XFR aware when transfer is finished (Dimitrios Mavrommatis)
References: #10436, pull request 10489
Do not report latency metrics of down upstream servers (Holger Hoffstätte)
References: #10500, pull request 10508
Carry the exact incoming protocol (Do53, DNSCrypt, DoT, DoH) in DQ
References: #10338, pull request 10537
Implement ‘reload()’ to rotate Log(Response)Action’s log file
References: #10502, pull request 10527
Document that setECSOverride has its drawbacks (Andreas Jakum)
References: pull request 10626
Convert dnsdist and the recursor to LockGuarded
References: pull request 10649
Handle waiting for a descriptor to become readable OR writable
References: pull request 10631
Clean up a bit of “cast from type […] casts away qualifiers” warnings
References: pull request 10687
Reorganize the IDState and Rings fields to reduce memory usage
References: pull request 10381
Bug Fixes
Catch FDMultiplexerException in IOStateHandler’s destructor
References: pull request 10656
Resizing LMDB map size while there might be open transactions is unsafe
References: pull request 10672
Ignore TCAction over TCP
References: #10693, pull request 10695
Stop raising the number of TCP workers to the number of TCP binds
References: pull request 10704
Handle exception raised in IOStateGuard’s destructor
References: pull request 10724
1.6.1
Released: 15th of September 2021
New Features
Add the missing DOHFrontend::loadNewCertificatesAndKeys()
References: #10418, pull request 10550
Implement a web endpoint to get metrics for only one pool
References: #10482, pull request 10560
Bug Fixes
Set the dnstap/protobuf transport to TCP for DoH queries
References: #10497, pull request 10538
Backport a missing mutex header
References: pull request 10438
Properly handle ECS for queries with ancount or nscount > 0
References: #10419, pull request 10619
Catch FDMultiplexerException in IOStateHandler’s destructor
References: pull request 10656
Fix outstanding counter issue on TCP error
References: #10705, pull request 10706
1.6.0
Released: 11th of May 2021
1.5.2
Released: 10th of May 2021
Bug Fixes
Fix a crash when a DoH responses map is updated at runtime
References: #9934, pull request 9936
Fix SNI on resumed sessions by acknowledging the name sent by the client
References: #9921, pull request 9922
Fix the DNSName move assignment operator
References: pull request 9749
Fix a typo in prometheus metrics dnsdist_frontend_tlshandshakefailures #9728 (AppliedPrivacy)
References: #9728, pull request 9729
Make: two fixes
References: pull request 9583
Fix eBPF filtering of long qnames
References: #9689, pull request 9717
Fix a hang when removing a server with more than one socket
References: pull request 9900
Fix Dynamic Block RCode rules messing up the queries count
References: #9756, pull request 9980
Fix EDNS in ServFail generated when no server is available
References: #10006, pull request 10012
Prevent a crash with DynBPF objects in client mode
References: #10090, pull request 10095
Add missing getEDNSOptions and getDO bindings for DNSResponse
References: pull request 10355
1.6.0-rc2
Released: 4th of May 2021
Improvements
Make the backend queryLoad and dropRate values atomic
References: pull request 10323
Bug Fixes
Fix missing locks in DNSCrypt certificates management
References: pull request 10346
Only use eBPF for “drop” actions, clean up more often
References: #10324, pull request 10327
1.6.0-rc1
Released: 20th of April 2021
Improvements
Replace pthread_rwlock with std::shared_mutex
References: #10209, pull request 10216
Also disable PMTU for v6
References: pull request 10264
Bug Fixes
Lua: don’t destroy keys during table iteration
References: pull request 10171
Add missing getEDNSOptions and getDO bindings for DNSResponse
References: #10262, pull request 10267
Fix some issues reported by Thread Sanitizer
References: pull request 10274
1.6.0-alpha3
Released: 29th of March 2021
Improvements
Set OpenSSL to release buffers when idle, saves 35 kB per connection
References: pull request 10179
Disable TLS renegotiation by default
References: pull request 10218
Unify certificate reloading syntaxes
References: pull request 10214
Improve TCP connection reuse, add metrics
References: pull request 10156
Using DATA to report memory usage is unreliable, start using RES instead, as it seems reliable and relevant
References: #7591, pull request 10161
Add a metric for TCP listen queue full events
References: pull request 10184
Enable sharding by default, greater pipe buffer sizes
References: pull request 10204
Add limits for cached TCP connections, metrics
References: pull request 10207
Bug Fixes
Fix the handling of DoH queries with a non-zero ID
References: pull request 10208
Fix the TCP connect timeout, add metrics
References: pull request 10201
1.6.0-alpha2
Released: 4th of March 2021
New Features
Add option to spoofRawAction to spoof multiple answers (Sander Hoentjen)
References: pull request 10063
Add ‘spoof’ and ‘spoofRaw’ Lua bindings
References: pull request 10073
Improvements
Make NetmaskTree::fork() a bit easier to understand
References: #10035, pull request 10046
Do not update the TCP error counters on idle states
References: pull request 10131
Bind __tostring instead of toString for Lua, so that conversion to string works automatically (Aki Tuomi)
References: pull request 9361
Bug Fixes
Remove forgotten debug line in the web server
References: #10049, pull request 10050
Create TCP worker threads before acceptors ones
References: pull request 10088
Prevent a crash with DynBPF objects in client mode
References: #10090, pull request 10095
Fix several bugs in the TCP code path, add unit tests
References: pull request 10108
Fix size check during trailing data addition, regression tests
References: pull request 10139
Clean up expired entries from all the packet cache’s shards
References: pull request 10133
1.6.0-alpha1
Released: 2nd of February 2021
New Features
Add per-thread Lua FFI load-balancing policies
References: pull request 9175
Implement Lua custom web endpoints
References: #9120, pull request 9676
Implement TCP out-of-order
References: pull request 9582
Add support for incoming Proxy Protocol
References: pull request 9616
Add SkipCacheResponseAction
References: #9536, pull request 9960
Improvements
Use more of systemd’s sandboxing options when available
References: pull request 8969
Add an option to allow sub-paths for DoH
References: pull request 9962
Prioritize ChaCha20-Poly1305 when client does (Sukhbir Singh)
References: pull request 9510
Start all TCP worker threads on startup
References: pull request 9957
Speed up the round robin policy
References: pull request 9382
Avoid unnecessary allocations and copies with DNSName::toDNSString()
References: pull request 9424
Get rid of allocations in the packet cache’s fast path
References: #8993, pull request 9420
Fix the DNSName move assignment operator
References: pull request 9749
Don’t copy the policy for every query
References: pull request 9850
UUID: Use the non-cryptographic variant of the boost::uuid
References: pull request 9832
Use an eBPF filter for Dynamic blocks when available
References: #6763, #9756, pull request 9782
Use protozero for Protocol Buffer operations
References: #9780, #9781, pull request 9843
Limit the number of concurrent console and web connections
References: #4978, pull request 9997
Add prometheus metrics for top Dynamic Blocks entries
References: pull request 9756
Add per connection queries count and duration stats for DoH
References: pull request 9738
Add Lua bindings to get a server’s latency
References: pull request 9273
Wrap more FILE objects in smart pointers
References: pull request 9225
Set the default EDNS buffer size on generated answers to 1232
References: pull request 9049
Add support for FreeBSD’s SO_REUSEPORT_LB
References: #9156, pull request 9157
Accept string in DNSDistPacketCache:expungeByName
References: pull request 9428
DNSName: add toDNSString convenience function
References: pull request 9466
Skip EDNS Cookies in the packet cache
References: #5131, pull request 8993
Add the query payload size to the verbose log over TCP
References: pull request 9677
Add the response code in the packet cache dump
References: #9274, pull request 9737
Add an optional name to rules
References: pull request 9746
Add the ability to set ACL from a file (Matti Hiljanen)
References: pull request 9822
Add a Lua binding for the number of queries dropped by a server
References: #9861, pull request 9862
Move to c++17
References: pull request 9913
Fix warnings on autoconf 2.70
References: #9918, pull request 9920
Reduce diff to upstream yahttp, fixing a few CodeQL reports
References: pull request 9955
Handle syslog facility as string, document the numerical one
References: #9383, pull request 9989
Deprecate parameters to webserver(), add ‘statsRequireAuthentication’ parameter
References: #8710, #9311, pull request 9972
Add a counter for queries truncated because of a rule
References: #9357, pull request 9992
Replace offensive terms in our code and documentation
References: pull request 9993
Use aligned atomics to prevent false sharing
References: #9455, pull request 9998
Unify non-terminal actions as SetXXXAction()
References: #8118, pull request 9974
Accept a NMG to fill DynBlockRulesGroup ranges
References: #9545, pull request 10015
Silence clang 12 warning
References: pull request 10023
Fix a few warnings reported by clang’s static analyzer and cppcheck
References: pull request 10035
Bug Fixes
Fix a crash when a DoH responses map is updated at runtime
References: #9927, pull request 9934
Fix SNI on resumed sessions by acknowledging the name sent by the client
References: pull request 9921
Use toStringWithPort instead of manual addr/port concat (Mischan Toosarani-Hausberger)
References: #9075, pull request 9222
Force a reconnection when a downstream transitions to the UP state (Nuitari, Stephane Bakhos)
References: pull request 9275
Handle EINTR in DelayPipe
References: pull request 9381
Handle empty DNSNames in grepq()
References: pull request 9431
Make: two fixes
References: pull request 9583
Fix eBPF filtering of long qnames
References: #9626, pull request 9689
Improve const-correctness of Lua bindings (Georgeto)
References: pull request 9721
Fix a hang when removing a server with more than one socket
References: pull request 9900
Appease clang++ 12 ASAN on MacOS
References: pull request 9925
Bunch of signed vs unsigned warnings
References: pull request 9937
Send a NotImp answer on empty (qdcount=0) queries
References: #9961, pull request 9991
Don’t apply QPS to backend server on cache hits
References: #7038, pull request 9999
Fix EDNS in ServFail generated when no server is available
References: #10006, pull request 10012
Removals
Rename topRule() and friends
References: pull request 9532
Remove useless second argument for SpoofAction
References: #9783, pull request 9784
1.5.1
Released: 1st of October 2020
Improvements
Add the ‘clearConsoleHistory’ command
References: #9372, pull request 9540
Bug Fixes
Stop the related responder thread when a backend is removed
References: #9372, pull request 9541
Fix getEDNSOptions() for {AN,NS}COUNT != 0 and ARCOUNT = 0
References: pull request 9542
Fix building with LLVM11 (@RvdE)
References: pull request 9543
Only add EDNS on negative answers if the query had EDNS
References: pull request 9555
1.5.0
Released: 30th of July 2020
Improvements
Use explicit flag for the specific version of c++ we are targeting.
References: pull request 9231
Prevent a copy of a pool’s backends when selecting a server.
References: pull request 9360
Bug Fixes
Fix compilation with h2o_socket_get_ssl_server_name().
References: pull request 9344
Prevent a possible overflow via large Proxy Protocol values. (Valentei Sergey)
References: pull request 9320
Avoid name clashes on Solaris derived systems.
References: #9279, pull request 9348
Resize hostname to final size in getCarbonHostname(). (Aki Tuomi)
References: pull request 9343
Fix compilation on OpenBSD/amd64.
References: pull request 9346
Handle calling PacketCache methods on a nil object.
References: pull request 9356
1.5.0-rc4
Released: 7th of July 2020
Bug Fixes
Prevent a race between the DoH handling threads
References: pull request 9278
1.5.0-rc3
Released: 18th of June 2020
New Features
Implement an ACL in the internal web server
References: pull request 9229
Improvements
Less negatives in secpoll error messages improves readability.
References: pull request 9100
Use std::string_view when available (Rosen Penev)
References: pull request 9207
Clean up dnsdistconf.lua as a default configuration file
References: #8038, pull request 9238
Add optional masks to KeyValueLookupKeySourceIP
References: pull request 9244
Bug Fixes
Use non-blocking pipes to pass DoH queries/responses around
References: #9206, pull request 9211
Fix compilation on systems that do not define HOST_NAME_MAX
References: #9125, pull request 9127
Do not use using namespace std;
References: pull request 9213
1.5.0-rc2
Released: 13th of May 2020
Improvements
Add the unit to the help for latency buckets
References: pull request 9084
Avoid copies in for loops
References: pull request 9042
Build with -Wmissing-declarations -Wredundant-decls
References: pull request 9054
Use std::shuffle instead of std::random_shuffle
References: #9004, pull request 9016
Get rid of a naked pointer in the /dev/poll event multiplexer
References: pull request 9053
A few warnings fixed, reported by clang on OpenBSD
References: pull request 9059
Wrap pthread objects
References: pull request 9067
NetmaskTree: do not test node for null, the loop guarantees node is not null.
References: pull request 9078
Bug Fixes
Fix duplicated HTTP/1 counter in ‘showDOHFrontends()’
References: pull request 9068
Fix compilation of the ports event multiplexer
References: #9025, pull request 9031
Gracefully handle a failure to remove FD on (re)-connection
References: pull request 9057
1.5.0-rc1
Released: 16th of April 2020
Improvements
Expose SuffixMatchNode::remove in Lua
References: pull request 8956
Remove a std::move() preventing Return-Value Optimization in lmdb-safe.cc
References: pull request 8962
Drop responses with the QR bit set to 0
References: pull request 8996
Add an option to control the size of the TCP listen queue
References: #8986, pull request 8994
Bug Fixes
Keep accepting fragmented UDP datagrams on DNSCrypt binds
References: pull request 8974
Accept UDP datagrams larger than 1500 bytes for DNSCrypt
References: #8974, pull request 8976
On OpenBSD string_view is both in boost and std
References: pull request 8955
1.5.0-alpha1
Released: 20th of March 2020
New Features
Implement LuaFFIRule, LuaFFIAction and LuaFFIResponseAction
References: #7617, pull request 8505
Add SetNegativeAndSOAAction() and its Lua binding
References: #4747, pull request 8171
Implement dynamic blocking on ratio of rcode/total responses
References: pull request 8274
Add bounded loads to the consistent hashing policy
References: #7387, pull request 8567
LogResponseAction (phonedph1)
References: pull request 8654
Add spoofRawAction() to craft answers from raw bytes
References: pull request 8722
Add support for Proxy Protocol between dnsdist and the recursor
References: pull request 8874
Implement bounded loads for the whashed and wrandom policies
References: pull request 8909
Improvements
Don’t accept sub-paths of configured DoH URLs
References: #8573, pull request 8760
Implement Cache-Control headers in DoH
References: #8586, pull request 8762
Change the default DoH path from / to /dns-query
References: #8819, pull request 8905
Add support for the processing of X-Forwarded-For headers
References: #8661, pull request 8945
Switch the default DoT provider from GnuTLS to OpenSSL
References: pull request 8380
Document that the ‘keyLogFile’ option requires OpenSSL >= 1.1.1
References: #8806, pull request 8899
Add the source and destination ports to the protobuf msg
References: pull request 8702
Better handling of reconnections in Remote Logger
References: pull request 8887
Rework NetmaskTree for better CPU and memory efficiency. (Stephan Bosch)
References: pull request 8355
Implement parallel health checks
References: pull request 8491
Use move semantics when updating the content of the StateHolder
References: pull request 8538
Keep a masked network in the Netmask class
References: pull request 8812
Make FrameStream IO parameters configurable
References: pull request 8937
Add backend status to prometheus metrics
References: #8746, pull request 8772
Add ‘IO wait’ and ‘steal’ metrics on Linux
References: pull request 8783
Don’t start as root within a systemd environment
References: pull request 7820
Separate the check-config and client modes
References: pull request 8456
Add the number of received bytes to StatNode entries
References: pull request 8529
Support setting the value of AA, AD and RA when self-generating answers
References: #8534, pull request 8556
pthread_rwlock_init() should be matched by pthread_rwlock_destroy()
References: pull request 8580
Replace include guard ifdef/define with pragma once (Chris Hofstaedtler)
References: pull request 8631
Allow retrieving and deleting a backend via its UUID
References: pull request 8657
Load an openssl configuration file, if any, during startup
References: pull request 8733
Add get*BindCount() functions
References: pull request 8848
Add sessionTimeout setting for TLS session lifetime (Matti Hiljanen)
References: pull request 8882
Detect {Libre,Open}SSL functions availability during configure
References: #8739, pull request 8900
Warn on startup about low weight values with chashed
References: #8669, pull request 8950
Bug Fixes
Set the DoH ticket rotation delay before loading tickets
References: pull request 8949
Display the correct DoT provider
References: pull request 8662
Use ref counting for the DoT TLS context
References: pull request 8761
Add ‘queue full’ metrics for our remote logger, log at debug only
References: #8629, pull request 8883
Fix ECS addition when the OPT record is not the last one
References: #8098, pull request 8115
Wait longer for the TLS ticket to arrive in our tests
References: pull request 8591
Add missing exception message in KVS error
References: pull request 8604
Add getTag()/setTag() Lua bindings for a DNSResponse
References: pull request 8782
Fix key logging for DNS over TLS
References: #8442, pull request 8787
Fix a typo in the help/completion for getDNSCryptBindCount
References: pull request 8855
Implement rmACL() (swoga)
References: pull request 8856
Remove unused lambda capture reported by clang++
References: pull request 8879
1.4.0
Released: 20th of November 2019
Improvements
Fix the default value of setMaxUDPOutstanding in the console’s help (phonedph1)
References: pull request 8531
Add bindings for the noerrors and drops members of StatNode
References: pull request 8522
Fix -Wshadow warnings (Aki Tuomi)
References: pull request 8440
Fix typo: settting to setting (Chris Hofstaedtler)
References: pull request 8509
Bug Fixes
Lowercase the name blocked by a SMT dynamic block
References: pull request 8524
misc
Prefer the cipher suite from the server by default (DoH, DoT)
References: pull request 8526
1.4.0-rc5
Released: 30th of October 2019
Improvements
Rename the ‘address’ label to ‘frontend’ for DoH metrics
References: pull request 8465
Bug Fixes
Increment the DOHUnit ref count when it’s set in the IDState
References: pull request 8471
1.4.0-rc4
Released: 25th of October 2019
New Features
Add support for dumping TLS keys via keyLogFile
References: pull request 8442
Improvements
Implement reference counting for the DOHUnit object
References: pull request 8416
Lowercase custom DoH header names
References: #8353, pull request 8365
Add metrics about TLS handshake failures for DoH and DoT
References: pull request 8447
Merge the setup of TLS contexts in DoH and DoT
References: pull request 8383
Add metrics about unknown/inactive TLS ticket keys
References: pull request 8406
Add metrics about TLS versions with DNS over TLS
References: pull request 8387
Add a ‘preferServerCiphers’ option for DoH and DoT
References: pull request 8382
Count the number of concurrent connections for DoH as well
References: pull request 8395
Refactor DoH prometheus metrics again
References: pull request 8361
Add more options to LogAction (non-verbose mode, timestamps)
References: #8390, pull request 8411
Fix formatting in showTCPStats()
References: pull request 8415
Use SO_BINDTODEVICE when available for newServer’s source interface
References: pull request 8372
Check the address supplied to ‘webserver’ in check-config
References: #8362, pull request 8364
Bug Fixes
Clear the DoH session ticket encryption key in the ctor
References: pull request 8388
Add missing prometheus descriptions for cache-related metrics
References: pull request 8409
Add a prometheus ‘thread’ label to distinguish identical frontends
References: pull request 8381
Fix a typo in the prometheus description of ‘senderrors’
References: pull request 8378
More prometheus fixes
References: pull request 8368
Fix the caching of large entries
References: pull request 8408
Work around cmsg_space somehow not being a constexpr on macOS
References: #8412, pull request 8413
Fix the creation order of rules when inserted via setRules()
References: pull request 8359
1.4.0-rc3
Released: 30th of September 2019
Improvements
Allow accepting DoH queries over HTTP instead of HTTPS
References: pull request 8267
Implement TLS session ticket keys management for DoH
References: pull request 8349
Display the DoH and DoT binds in the web view
References: pull request 8264
Clean up our interactions with errno
References: #7845, pull request 8083
Remove the ‘blockfilter’ stat from the web view
References: #5514, pull request 8265
Fix some spelling mistakes noticed by lintian (Chris Hofstaedtler)
References: pull request 8268
dnsdistconf.lua use non-deprecated versions for 1.4.0 (phonedph1)
References: pull request 8285
Better use of labels in our DoH prometheus export
References: pull request 8318
Bug Fixes
Fix the newCDBKVStore console completion when LMDB is not enabled (phonedph1)
References: pull request 8281
Allow configure CDB_CFLAGS to work (phonedph1)
References: pull request 8283
Fix the warning message on an invalid secpoll answer
References: pull request 8303
Don’t connect to remote logger in client/command mode
References: #8300, pull request 8304
1.4.0-rc2
Released: 2nd of September 2019
New Features
Add support for early DoH HTTP responses
References: pull request 8206
Add a KeyValueStoreLookup action based on CDB or LMDB
References: pull request 8139
Improvements
Add minTLSVersion for DoH and DoT
References: #8202, pull request 8207
Split dnsdist-lua-bindings.cc to reduce memory consumption during compilation
References: pull request 8250
Add a Lua binding for dynBlockRulesGroup:setQuiet(quiet)
References: pull request 8252
misc
Update h2o to 2.2.6, fixing CVE-2019-9512, CVE-2019-9514 and CVE-2019-9515 for repo.powerdns.com packages
References: pull request 8200
1.4.0-rc1
Released: 12th of August 2019
New Features
Add support for custom DoH headers (Melissa Voegeli)
References: #7900, #7957, pull request 8148
Add Lua bindings, rules and action for DoH
References: #8133, pull request 8153
Add OCSP stapling (from files) for DoT and DoH
References: #7812, pull request 8141
Implement ContinueAction()
References: pull request 8117
Improvements
Send better HTTP status codes, handle ACL drops earlier
References: pull request 7917
Add more stats about DoH HTTP responses
References: #7898, pull request 7933
Improve error messages for DoT issues
References: pull request 7978
Accept more than one certificate in addDNSCryptBind()
References: #8020, pull request 8042
Disallow TCP disablement
References: pull request 7860
Update boost.m4 to the latest version
References: pull request 7862
Print stats from expungeByName (Matti Hiljanen)
References: pull request 7909
Squelch unused function warning
References: #7950, pull request 7952
SuffixMatchNode:add(): accept more types
References: pull request 7985
Explicitly align the buffer used for cmsgs
References: #7981, pull request 7990
Add quiet parameter to NetmaskGroupRule
References: pull request 7992
Clear cmsg_space(sizeof(data)) in cmsghdr to appease Valgrind
References: #7981, pull request 7996
Add static assertions for the size of the src address control buffer
References: pull request 8007
Don’t create temporary strings to escape DNSName labels
References: pull request 8013
Display TCP/DoT queries and responses in verbose mode, opcode in grepq
References: pull request 8024
Be a bit more explicit about what failed in testCrypto()
References: pull request 8025
Update URLs to use HTTPS scheme (Chris Hofstaedtler)
References: pull request 8110
Double-check we only increment the outstanding counter once
References: pull request 8113
ext/ipcrypt: ship license in tarballs (Chris Hofstaedtler)
References: #8108, pull request 8135
Use a counter to mark IDState usage instead of the FD
References: pull request 8154
Increase the default value of setMaxUDPOutstanding to 65535
References: pull request 8175
Bug Fixes
Properly override the HTTP Server header for DoH
References: #7894, pull request 7911
Proper HTTP response for timeouts over DoH
References: #7917, pull request 7927
Prevent a dangling DOHUnit pointer when send() failed
References: pull request 8112
Exit when requested DoT/DoH support is not compiled in
References: pull request 7915
Skip non-dnscrypt binds in showDNSCryptBinds()
References: #8014, pull request 8015
SuffixMatchTree: fix root removal, partial match of non-leaf nodes
References: pull request 7886
Deduplicate frontends entries with carbon and prometheus
References: #7933, pull request 7934
Update boost.m4¶
References: #6942, #8084, pull request 7951
Fix short IOs over TCP¶
References: #7971, pull request 7974
Fix handling of backend connection failing over TCP¶
References: pull request 7979
Insert the response into the ringbuffer right after sending it¶
References: pull request 8003
Handle ENOTCONN on read() over TCP¶
References: #8021, pull request 8030
Make sure we always compile with BOOST_CB_ENABLE_DEBUG set to 0¶
References: pull request 8067
Catch exceptions thrown when handling a TCP response¶
References: pull request 8078
Fix unlimited retries when TCP Fast Open is enabled¶
References: pull request 8079
M4/systemd.m4: fail when systemctl is not available¶
References: pull request 8081
Fix a typo in the Server’s latency description for Prometheus (phonedph1)¶
References: pull request 8105
Console: flush cout after printing g_outputbuffer (Doug Freed)¶
References: #8130, pull request 8131
Fix signedness issue in isEDNSOptionInOpt()¶
References: pull request 8158
1.4.0-beta1¶
Released: 6th of June 2019
New Features¶
Implement SNIRule for DoT and DoH¶
References: #7210, pull request 7825
Improvements¶
Support Prometheus latency histograms (Marlin Cremers)¶
References: #6088, pull request 7853
Bug Fixes¶
DoH: Don’t let ‘self’ dangling while parsing the request’s qname, this could lead to a crash¶
References: #7810, pull request 7814
Fix minor issues reported by Coverity¶
References: pull request 7823
Remove second, incomplete copy of lua EDNSOptionCode table¶
References: pull request 7833
1.4.0-alpha2¶
Released: 26th of April 2019
New Features¶
Add DNS over HTTPS support based on libh2o¶
References: #6911, #7526, pull request 7726
Improvements¶
Ignore Path MTU discovery on UDP server socket¶
References: pull request 7410
Alternative solution to the unaligned accesses.¶
References: pull request 7708
Bug Fixes¶
Exit when setting ciphers fails (GnuTLS)¶
References: pull request 7718
1.4.0-alpha1¶
Released: 12th of April 2019
New Features¶
Make recursor & dnsdist communicate (ECS) ‘variable’ status¶
References: pull request 7209
Add namespace and instance variable to carbon key (Gibheer)¶
References: #2362, #6941, pull request 6959
Allow NoRecurse for use in dynamic blocks or Lua rules (phonedph1)¶
References: pull request 7087
Expose secpoll status¶
References: #7194, pull request 7197
Add an optional ‘checkTimeout’ parameter to ‘newServer()’¶
References: #7236, pull request 7323
Add a ‘rise’ parameter to ‘newServer()’¶
References: #7237, pull request 7322
Add a ‘keepStaleData’ option to the packet cache¶
References: #7239, pull request 7310
Expose trailing data (Richard Gibson)¶
References: #6846, #6897, pull request 6967
Add option to set interval between health checks (1848)¶
References: pull request 7142
Add EDNS unknown version handling (Dmitry Alenichev)¶
References: pull request 7406
DNSNameSet and QNameSetRule (Andrey)¶
References: pull request 7537
Add support for encrypting ip addresses #gdpr¶
References: #6242, pull request 7481
Add ‘setSyslogFacility()’¶
References: #5653, pull request 7677
Add ‘reloadAllCertificates()’¶
References: pull request 7676
Improvements¶
Fix warnings, mostly unused parameters, reported by -wextra¶
References: pull request 7168
Add optional uuid column to showServers()¶
References: pull request 7191
Configure --enable-pdns-option --with-third-party-module (Josh Soref)¶
References: pull request 7026
Drop remaining capabilities after startup¶
References: pull request 7138
More sandboxing using systemd’s features¶
References: pull request 6634
Reduce systemcall usage in Protobuf logging¶
References: pull request 7428
Resync YaHTTP code to cmouse/yahttp@11be77a1fc4032 (Chris Hofstaedtler)¶
References: pull request 7433
Pass empty response (Dmitry Alenichev)¶
References: pull request 7431
Change the way getRealMemusage() works on linux (using statm)¶
References: pull request 7502
Prevent 0-ttl cache hits¶
References: #7534, pull request 7585
Add addDynBlockSMT() support to dynBlockRulesGroup¶
References: #7139, pull request 7343
Add frontend response statistics (Matti Hiljanen)¶
References: pull request 7578
Remove addLuaAction and addLuaResponseAction¶
References: pull request 7670
Refactoring of the TCP stack¶
References: #4814, #7526, pull request 7559
Prevent a conflict with BADSIG being clobbered¶
References: #7556, pull request 7692
Switch to the new ‘newPacketCache()’ syntax for 1.4.0¶
References: pull request 7689
Move constants to proper namespace¶
References: pull request 7678
Unify the management of DNS/DNSCrypt/DoT frontends¶
References: pull request 7694
Fix compiler warning about returning garbage (Adam Majer)¶
References: pull request 7167
Bug Fixes¶
Protect GnuTLS tickets key rotation with a read-write lock¶
References: pull request 7256
Check that SO_ATTACH_BPF is defined before enabling eBPF¶
References: pull request 7267
Fix off-by-one in mvRule counting¶
References: pull request 7426
Don’t convert nsec to usec if we need nsec¶
References: pull request 7520
Fix setRules()¶
References: pull request 7594
Handle EAGAIN in the GnuTLS DNS over TLS provider¶
References: pull request 7560
Gracefully handle a null latency in the webserver’s js¶
References: #7461, pull request 7586
EDNSOptionView improvements¶
References: pull request 7652
Honor libcrypto include path¶
References: #7481, pull request 7674
1.3.3¶
Released: 8th of November 2018
New Features¶
Add consistent hash builtin policy¶
References: #6932, pull request 6737, pull request 6939
Add EDNSOptionRule¶
References: pull request 6803
Add DSTPortRule (phonedph1)¶
References: pull request 6813
Make getOutstanding usable from both lua and console (phonedph1)¶
References: pull request 6826
Added :excludeRange and :includeRange methods to DynBPFFilter class (Reinier Schoof)¶
References: pull request 6856
Add Prometheus stats support (Pavel Odintsov, Kai S)¶
References: #4947, #6002, pull request 3935, pull request 6343, pull request 6901, pull request 7007, pull request 7089
Name threads in the programs¶
References: #6974, pull request 6997
Support the NXDomain action with dynamic blocks¶
References: #6908, pull request 7075
Add security polling¶
References: pull request 7115
Add a PoolAvailableRule to easily add backup pools (Robin Geuze)¶
References: pull request 7140
Improvements¶
Get rid of some allocs/copies in DNS parsing¶
References: pull request 6831
Set a correct EDNS OPT RR for self-generated answers¶
References: #4857, #6348, pull request 6847
Fix a sign-comparison warning in isEDNSOptionInOPT()¶
References: pull request 6877
Add warning rates to DynBlockRulesGroup rules¶
References: #6907, pull request 6986
Add support for exporting a server id in protobuf¶
References: #6990, #7004, pull request 7015
dnsdist did not set TCP_NODELAY, causing needless latency¶
References: pull request 7030
Add a setting to control the number of stored sessions¶
References: pull request 7062
Wrap GnuTLS and OpenSSL pointers in smart pointers¶
References: #7060, pull request 7064
Add a ‘creationOrder’ field to rules¶
References: #6909, pull request 7078
Fix return-type detection with boost 1.69’s tribool¶
References: #7091, pull request 7092
Fix format string issue on 32bits ARM¶
References: #7096, pull request 7104
Wrap TCP connection objects in smart pointers¶
References: pull request 7108
Add the setConsoleOutputMaxMsgSize function¶
References: #7084, pull request 7109
Add the ability to update webserver credentials¶
References: #7112, pull request 7117
Bug Fixes¶
Display dynblocks’ default action, None, as the global one¶
References: pull request 6835
Fix compilation when SO_REUSEPORT is not defined¶
References: pull request 6956
Release memory on DNS over TLS handshake failure¶
References: pull request 7060
Handle trailing data correctly when adding OPT or ECS info¶
References: #6896, pull request 7165
1.3.2¶
Released: 10th of July 2018
Bug Fixes¶
Add missing include for PRId64, fix build on CentOS 6 / SLES 12¶
References: pull request 6785
1.3.1¶
Released: 10th of July 2018
New Features¶
Add support for more than one TLS certificate¶
References: #6450, pull request 6524
Add a negative ttl option to the packet cache¶
References: #6579, pull request 6740
Add the ability to dump a summary of the cache content¶
References: pull request 6749
Add netmask-based {ex,in}clusions to DynblockRulesGroup¶
References: pull request 6760
Add DNSAction.NoOp to debug dynamic blocks¶
References: #6703, pull request 6776
Add SetECSAction to set an arbitrary outgoing ecs value¶
References: #6404, pull request 6734
Add support for rotating certificates and keys¶
References: pull request 6764
Improvements¶
Remove thelog and thel and replace this with a global g_log¶
References: #6357, pull request 6358
Fix two small nits on the documentation¶
References: pull request 6422
Move the el6 dnsdist package to upstart¶
References: #6394, pull request 6426
CLI option improvements (Chris Hofstaedtler)¶
References: #6433, pull request 6435
Split pdns_enable_unit_tests (Chris Hofstaedtler)¶
References: pull request 6436
Re-do lua detection¶
References: #6423, pull request 6445, pull request 6457, pull request 6470
Docs: fix missing ref in the dnsdist docs¶
References: pull request 6460
Be more permissive in wrandom tests, log values on failure¶
References: pull request 6502
Tests: avoid failure on not-so-optimal distribution¶
References: #6430, pull request 6523
Add syntax to dns.proto to silence compilation warning.¶
References: pull request 6577
Fix warnings reported by gcc 8.1.0¶
References: pull request 6590
Document setVerboseHealthchecks()¶
References: #6483, pull request 6592
Update dq.rst (phonedph1)¶
References: pull request 6615
Fix rpm scriptlets¶
References: pull request 6641
Don’t copy uninitialized values of SuffixMatchTree¶
References: pull request 6637
Expose toString of various objects to Lua (Chris Hofstaedtler)¶
References: pull request 6684
Remove ‘expired’ states from MaxQPSIPRule¶
References: pull request 6674
Mark the remote member of DownstreamState as const¶
References: #6664, pull request 6688
Test the content of dynamic blocks using the API¶
References: #6706, pull request 6710
Default set “connection: close” header for web requests¶
References: #6532, pull request 6711
Update timedipsetrule.rst (phonedph1)¶
References: pull request 6717
Don’t access the TCP buffer vector past its size¶
References: #6712, pull request 6716
Show droprate in API output¶
References: pull request 6563
Refuse console connection without a proper key set¶
References: #6683, #6709, pull request 6715
Use LRU to clean the MaxQPSIPRule’s store¶
References: pull request 6726
Disable maybe uninitialized warnings with boost optional¶
References: pull request 6769
Luawrapper: report caught std::exception as lua_error¶
References: #6541, pull request 6658
Dnstap.rst: fix some editing errors (Chris Hofstaedtler)¶
References: pull request 6602
Allow known exception types to be converted to string¶
References: #6535, pull request 6541
Bug Fixes¶
Initialize the done variable in the rings’ unit tests¶
References: pull request 6425
Reorder headers to fix OpenBSD build¶
References: pull request 6429
Restrict value range for weight parameter, avoid sum overflows dropping queries (Dan McCombs)¶
References: pull request 6448
Fix reconnection handling¶
References: pull request 6672
Dynamic blocks were being created with the wrong duration (David Freedman)¶
References: pull request 6706
Limit qps and latency to two decimals in the web view¶
References: #6442, pull request 6718
Check the flags to detect collisions in the packet cache¶
References: pull request 6747
Fix iterating over the results of exceed*() functions¶
References: pull request 6762
Fix duration false positive in the dynblock regression tests¶
References: pull request 6767
Implement NoneAction()¶
References: #6758, pull request 6775
Detect ECS collisions in the packet cache¶
References: #6747, pull request 6754
Fix an outstanding counter race when reusing states¶
References: pull request 6773
1.3.0¶
Released: 30th of March 2018
New Features¶
Add an optional status parameter to Server:setAuto().¶
References: pull request 5625
Add inClientStartup() function.¶
References: pull request 6072
Add tag-based routing of queries.¶
References: pull request 6037
Add experimental DNS-over-TLS support.¶
References: pull request 6117, pull request 6175, pull request 6176, pull request 6177, pull request 6189
Add simple dnstap support (Justin Valentini, Chris Hofstaedtler).¶
References: pull request 5201, pull request 6170
Add experimental XPF support based on draft-bellis-dnsop-xpf-04.¶
References: #5079, #5654, pull request 5594, pull request 6220
Add ERCodeRule() to match on extended RCodes (Chris Hofstaedtler).¶
References: pull request 6147
Add TempFailureCacheTTLAction() (Chris Hofstaedtler).¶
References: pull request 6003
Add DynBlockRulesGroup to improve processing speed of the maintenance() function by reducing memory usage and not walking the ringbuffers multiple times.¶
References: pull request 6391
Add console ACL functions.¶
References: #4654, pull request 6399
Allow adding EDNS Client Subnet information to a query before looking in the cache. This allows serving ECS enabled answers from the cache when all servers in a pool are down.¶
References: #6098, pull request 6400
Improvements¶
Add cache sharding, recvmmsg and CPU pinning support. With these, the scalability of dnsdist is drastically improved.¶
References: #5202, #5859, pull request 5576, pull request 5860
Add burst option to MaxQPSIPRule() (42wim).¶
References: pull request 5970
Add Pools, cacheHitResponseRules to the API.¶
References: pull request 6022
Add a class option to health checks.¶
References: #5748, pull request 5929
Add UUIDs to rules, this allows tracking rules through modifications and moving them around.¶
References: pull request 6030
Apply ResponseRules to locally generated answers (Chris Hofstaedtler).¶
References: #6182, pull request 6185
Report LuaAction() and LuaResponseAction() failures in the log and send SERVFAIL instead of not answering the query (Chris Hofstaedtler).¶
References: pull request 6283
Unify global statistics accounting (Chris Hofstaedtler).¶
References: pull request 6289
Speed up the processing of large ring buffers. This change will make dnsdist more scalable with a large number of different clients.¶
References: pull request 6350, pull request 6366
Make custom addLuaAction() and addLuaResponseAction() callback’s second return value optional.¶
References: #6346, pull request 6363
Add “server-up” metric count to Carbon Reporting (Lowell Mower).¶
References: pull request 6327
Add xchacha20 support for DNSCrypt.¶
References: pull request 6045, pull request 6382
Scalability improvement: Add an option to use several source ports towards a backend.¶
References: pull request 6317
Add ‘?’ and ‘help’ for providing help() output on dnsdist -c (Kirill Ponomarev, Chris Hofstaedtler).¶
References: #4845, pull request 5866, pull request 6375
Replace the Lua mutex with a rw lock to limit contention. This improves the processing speed and parallelism of the policies.¶
References: pull request 6190, pull request 6381
Ensure dnsdist compiles on NetBSD (Tom Ivar Helbekkmo).¶
References: pull request 6146
Also log eBPF dynamic blocks, as regular dynamic blocks already are.¶
References: #5845, pull request 5845
Ensure large numbers are shown correctly in the API.¶
References: #6211, pull request 6401
Add option to showRules() to truncate the output length.¶
References: #5763, pull request 6402
Fix several warnings reported by clang’s analyzer and cppcheck, should lead to small performance increases.¶
References: pull request 6407
Bug Fixes¶
Handle SNMP alarms so we can reconnect to the daemon.¶
References: #5327, pull request 5328
Fix signed/unsigned comparison warnings on ARM.¶
References: #5489, pull request 5597
Keep trying if the first connection to the remote logger failed¶
References: pull request 5770
Fix escaping unusual DNS label octets in DNSName is off by one (Kees Monshouwer).¶
References: pull request 6018
Avoid assertion errors in NewServer() (Chris Hofstaedtler).¶
References: pull request 6403
Removals¶
Remove the --daemon option from dnsdist.¶
References: #6329, pull request 6394
1.2.1¶
Released: 16th of February 2018
New Features¶
Add configuration option to disable IP_BIND_ADDRESS_NO_PORT (Dan McCombs).¶
References: pull request 5880
Improvements¶
Handle bracketed IPv6 addresses without ports (Chris Hofstaedtler).¶
References: pull request 6057
Bug Fixes¶
Make dnsdist dynamic truncate do right thing on TCP/IP.¶
References: pull request 5647
Add missing QPSAction¶
References: pull request 5686
Don’t create a Remote Logger in client mode.¶
References: pull request 5847
Use libsodium’s CFLAGS, we might need them to find the includes.¶
References: pull request 5858
Keep the TCP connection open on cache hit, generated answers.¶
References: pull request 6012
Add the missing <sys/time.h> include to mplexer.hh for struct timeval.¶
References: pull request 6041
Sort the servers based on their ‘order’ after it has been set.¶
References: pull request 6043
Quiet unused variable warning on macOS (Chris Hofstaedtler).¶
References: pull request 6073
Fix the outstanding counter when an exception is raised.¶
References: #5652, pull request 6094
Do not connect the snmpAgent from a dnsdist client.¶
References: #6163, pull request 6164
1.2.0¶
Released: 21st of August 2017
New Features¶
Add an option to export CNAME records over protobuf.¶
References: #4709, pull request 4776
Add TCP management options from RFC 7766 section 10.¶
References: pull request 4611
Add an option to ‘mute’ UDP responses per bind.¶
References: #4527, pull request 4536
Save history to home-dir, only use CWD as a last resort.¶
References: #4562, pull request 4779
Add the setRingBuffersSize() directive to allow changing the ringbuffer size.¶
References: pull request 4898
Allow TTL alteration via Lua.¶
References: #4707, pull request 4787
Add RDRule() to match queries with the RD flag set.¶
References: pull request 4837
Add setWHashedPertubation() for consistent whashed results.¶
References: pull request 4897
Add tcpConnectTimeout to newServer().¶
References: pull request 4818
Add cache hit response rules.¶
References: #4708, pull request 4788, pull request 5036
Add SNMP support.¶
References: pull request 4989, pull request 5123, pull request 5204
Allow passing DNSNames as DNSRules.¶
References: pull request 5070
Add support for setting the server selection policy on a per pool basis (Robin Geuze).¶
References: pull request 5113
Add a suffixMatch parameter to PacketCache:expungeByName() (Robin Geuze).¶
References: pull request 5159
Add an option so the packet cache entries don’t age.¶
References: #5126, pull request 5136
Add QNameRule().¶
References: pull request 5235
Add an optional action to addDynBlocks().¶
References: pull request 5337
Add an optional interface parameter to addLocal()/setLocal().¶
References: pull request 5344
Make a truncate action available to DynBlock and Lua.¶
References: pull request 5386
Implement a runtime changeable rule that matches IP address for a certain time called TimedIPSetRule().¶
References: pull request 5336
Add support for returning several IPs to spoof from Lua.¶
References: pull request 5496
Add Lua bindings to be able to rotate DNSCrypt keys, see DNSCrypt.¶
References: #5420, #5507, pull request 5490, pull request 5508
Add the capability to set arbitrary tags in protobuf messages.¶
References: pull request 5396, pull request 5577
Add setConsoleConnectionsLogging().¶
References: #5565, pull request 5581
Improvements¶
Merge the client and server nonces to prevent replay attacks.¶
References: pull request 4815
Store the computed shared key and reuse it for the response for DNSCrypt messages.¶
References: pull request 4813, pull request 4926
Add setTCPUseSinglePipe() to use a single TCP waiting queue.¶
References: pull request 4817
Add sendSizeAndMsgWithTimeout to send size and data in a single call and use it for TCP Fast Open towards backends.¶
References: #5494, pull request 4985, pull request 5501
Tune systemd unit-file for medium-sized installations (Winfried Angele).¶
References: pull request 4958
Add the possibility to fill a NetmaskGroup (using NetmaskGroup:addMask()) from exceeds* results.¶
References: pull request 5185
Add labels count to StatNode, only set the name once.¶
References: pull request 5353
DNSName: Check that both first two bits are set in compressed labels.¶
References: #4851, pull request 4852
Handle unreachable servers at startup, reconnect stale sockets¶
References: #4131, #4155, pull request 4285
Gracefully handle invalid addresses in newServer().¶
References: #4471, pull request 4474
Use IP_BIND_ADDRESS_NO_PORT when available.¶
References: pull request 4786
Add an optional seconds parameter to statNodeRespRing().¶
References: #4660, #4775, pull request 4780
Report a more specific lua version and report luajit in --version.¶
References: pull request 4910
Prevent issues by unshadowing variables.¶
References: pull request 5056
Register DNSName::chopOff (@plzz).¶
References: pull request 4920
Make includeDirectory() work sorted (Robin Geuze).¶
References: #5053, pull request 5150, pull request 5171
Allow embedded NULs in strings received from Lua.¶
References: pull request 5147
Cleanup closed TCP downstream connections.¶
References: pull request 5163
Improve reporting of C++ exceptions that bubble up via Lua.¶
References: pull request 5230
Add better logging on queries that get dropped, timed out or received.¶
References: pull request 5253
Print useful messages when query and response actions are mixed.¶
References: pull request 5342
Add DNSRule::toString() and add virtual destructors to DNSRule, DNSAction and DNSResponseAction so the destructors of derived classes are run even when deleted via the base type.¶
References: pull request 5497
Don’t use square brackets for IPv6 in Carbon metrics.¶
References: #5538, pull request 5579
Bug Fixes¶
Unified -k and setKey() behaviour for client and server mode now.¶
References: pull request 5199
Refactor SuffixMatchNode using a SuffixMatchTree.¶
References: #4761, pull request 4950
Get rid of std::move() calls preventing copy elision.¶
References: pull request 5359
Send an HTTP 404 on unknown API paths.¶
References: pull request 5089
LuaWrapper: Use the correct index when storing a function.¶
References: pull request 4775
Send a latency of 0 over carbon, null over API for down servers.¶
References: #4689, pull request 4785
Fix negative port detection for IPv6 addresses on 32-bit.¶
References: pull request 4911
Fix crashed on SmartOS/Illumos (Roman Dayneko).¶
References: #4579, pull request 4877
Change truncateTC to default to off; having it enabled by default causes an incompatibility with RFC 6891 (Robin Geuze).¶
References: #4857, pull request 4859
Don’t cache answers without any TTL (like SERVFAIL).¶
References: #4983, pull request 4987, pull request 5037
Fix destination port reporting on “any” binds.¶
References: pull request 5194
Correctly truncate EDNS Client Subnetmasks.¶
References: pull request 5320
Fix RecordsTypeCountRule()’s handling of the # of records in a section.¶
References: #5365, pull request 5369
Change stats functions to always return lowercase names (Robin Geuze).¶
References: #5287, pull request 5383
Only use TCP Fast Open when supported and prevent compiler warnings.¶
References: pull request 5449, pull request 5454
Skip timeouts on the response latency graph.¶
References: #5559, pull request 5563
Copy the DNS header before encrypting it in place.¶
References: #5566, pull request 5580
Removals¶
Remove BlockFilter.¶
References: #5513, pull request 5514
Deprecate syntactic sugar functions.¶
References: #5069, pull request 5526
misc¶
Fix potential pointer wrap-around on 32 bits.¶
References: pull request 5630
Make the API available with an API key only.¶
References: pull request 5631
1.1.0-beta2¶
Released December 14th 2016
Changes since 1.1.0-beta1:
New features¶
- #4518: Fix dynblocks over TCP, allow refusing dyn blocked queries
- #4519: Allow altering the ECS behavior via rules and Lua
- #4535: Add DNSQuestion:getDO()
- #4653: getStatisticsCounters() to access counters from Lua
- #4657: Add includeDirectory(dir)
- #4658: Allow editing the ACL via the API
- #4702: Add setUDPTimeout(n)
- #4726: Add an option to return ServFail when no server is available
- #4748: Add setCacheCleaningPercentage()
Improvements¶
- #4533: Fix building with clang on OS X and FreeBSD
- #4537: Replace luawrapper’s std::forward/std::make_tuple combo with std::forward_as_tuple (Sangwhan “fish” Moon)
- #4596: Change the default max number of queued TCP conns to 1000
- #4632: Improve dnsdist error message on a common typo/config mistake
- #4694: Don’t use a const_iterator for erasing (fix compilation with some versions of gcc)
- #4715: Specify that dnsmessage.proto uses protobuf version 2
- #4765: Some service improvements
Bug fixes¶
- #4425: Fix a protobuf regression (requestor/responder mix-up) caused by a94673e
- #4541: Fix insertion issues in SuffixMatchTree, move it to dnsname.hh
- #4553: Flush output in single command client mode
- #4578: Fix destination address reporting
- #4640: Don’t exit dnsdist on an exception in maintenance
- #4721: Handle exceptions in the UDP responder thread
- #4734: Add the TCP socket to the map only if the connection succeeds. Closes #4733
- #4742: Decrement the queued TCP conn count if writing to the pipe fails
- #4743: Ignore newBPFFilter() and newDynBPFFilter() in client mode
- #4753: Fix FD leak on TCP connection failure, handle TCP worker creation failure
- #4764: Prevent race while creating new TCP worker threads
1.1.0-beta1¶
Released September 1st 2016
Changes since 1.0.0:
New features¶
- #3762 Teeaction: send copy of query to second nameserver, sponge responses
- #3876 Add showResponseRules(), {mv,rm,top}ResponseRule()
- #3936 Filter on opcode, records count/type, trailing data
- #3975 Make dnsdist {A,I}XFR aware, document possible issues
- #4006 Add eBPF source address and qname/qtype filtering
- #4008 Node infrastructure for querying recent traffic
- #4042 Add server-side TCP Fast Open support
- #4050 Add clearRules() and setRules()
- #4114 Add QNameLabelsCountRule() and QNameWireLengthRule()
- #4116 Added src boolean to NetmaskGroupRule to match destination address (Reinier Schoof)
- #4175 Implemented query counting (Reinier Schoof)
- #4244 Add a setCD parameter to set cd=1 on health check queries
- #4284 Add RCodeRule(), Allow, Delay and Drop response actions
- #4305 Add an optional Lua callback for altering a Protobuf message
- #4309 Add showTCPStats function (RobinGeuze)
- #4329 Add options to LogAction() so it can append (instead of truncate) (Duane Wessels)
Improvements¶
- #3714 Add documentation links to dnsdist.service (Ruben Kerkhof)
- #3754 Allow the use of custom headers in the web server
- #3826 Implement a ‘quiet’ mode for SuffixMatchNodeRule()
- #3836 Log the content of webserver’s exceptions
- #3858 Only log YaHTTP’s parser exceptions in verbose mode
- #3877 Increase max FDs in systemd unit, warn if clearly too low
- #4019 Add an optional addECS option to TeeAction()
- #4029 Add version and feature information to version output
- #4079 Return an error on RemoteLog{,Response}Action() w/o protobuf
- #4246 API now sends pools as a JSON array instead of a string
- #4302 Add help() and showVersion()
- #4286 Add response rules to the API and Web status page
- #4068 Display the dyn eBPF filters stats in the web interface
Bug fixes¶
- #3755 Fix RegexRule example in dnsdistconf.lua
- #3773 Stop copying the HTTP request headers to the response
- #3837 Remove dnsdist service file on trusty
- #3840 Catch WrongTypeException in client mode
- #3906 Keep the servers ordered inside pools
- #3988 Fix grepq() output in the README
- #3992 Fix some typos in the AXFR/IXFR documentation
- #3995 Fix comparison between signed and unsigned integer
- #4049 Fix dnsdist rpm building script #4048 (Daniel Stirnimann)
- #4065 Include editline/readline.h instead of readline.h/history.h
- #4067 Disable eBPF support when BPF_FUNC_tail_call is not found
- #4069 Fix a buffer overflow when displaying an OpcodeRule
- #4101 Fix $ expansion in build-dnsdist-rpm
- #4198 newServer setting maxCheckFailures makes no sense (stutiredboy)
- #4205 Prevent the use of “any” addresses for downstream server
- #4220 Don’t log an error when parsing an invalid UDP query
- #4348 Fix invalid outstanding count for {A,I}XFR over TCP
- #4365 Reset origFD asap to keep the outstanding count correct
- #4375 Tuple requires make_tuple to initialize
- #4380 Fix compilation with clang when eBPF support is enabled
1.0.0¶
Released April 21st 2016
Changes since 1.0.0-beta1:
Improvements¶
- #3700 Create user from the RPM package to drop privs
- #3712 Make check should run testrunner
- #3713 Remove contrib/dnsdist.service (Ruben Kerkhof)
- #3722 Use LT_INIT and disable static objects (Ruben Kerkhof)
- #3724 Include PDNS_CHECK_OS in configure (Chris Hofstaedtler)
- #3728 Document libedit Ctrl-R workaround for CentOS 6
- #3730 Make topBandwidth() behave like other top* functions
- #3731 Clarify a bit the documentation of load-balancing policies
1.0.0-beta1¶
Released April 14th 2016
Changes since 1.0.0-alpha2:
New features¶
- Per-pool packet cache
- Some actions do not stop the processing anymore when they match, allowing more complex setups: Delay, Disable Validation, Log, MacAddr, No Recurse and of course None
- The new RE2Rule() is available, using the RE2 regular expression library to match queries, in addition to the existing POSIX-based RegexRule()
- SpoofAction() now supports multiple A and AAAA records
- Remote logging of questions and answers via Protocol Buffer
Improvements¶
- #3405 Add health check logging, maxCheckFailures to backend
- #3412 Check config
- #3440 Client operation improvements
- #3466 Add dq binding for skipping packet cache in LuaAction (Jan Broer)
- #3499 Add support for multiple carbon servers
- #3504 Allow accessing the API with an optional API key
- #3556 Add an option to limit the number of queued TCP connections
- #3578 Add a disable-syslog option
- #3608 Export cache stats to carbon
- #3622 Display the ACL content on startup
- #3627 Remove ECS option from response’s OPT RR when necessary
- #3633 Count “TTL too short” cache events
- #3677 systemd-notify support
Bug fixes¶
- #3388 Lock the Lua context before executing a LuaAction
- #3433 Check that the answer matches the initial query
- #3461 Fix crash when calling rmServer() with an invalid index
- #3550,#3551 Fix build failure on FreeBSD (Ruben Kerkhof)
- #3594 Prevent EOF error for empty console response w/o sodium
- #3634 Prevent dangling TCP fd in case setupTCPDownstream() fails
- #3641 Under threshold, QPS action should return None, not Allow
- #3658 Fix a race condition in MaxQPSIPRule
1.0.0-alpha2¶
Released February 5th 2016
Changes since 1.0.0-alpha1:
New features¶
- Lua functions now receive a DNSQuestion dq object instead of several parameters. This adds a greater compatibility with PowerDNS and allows adding more parameters without breaking the API (#3198)
- Added a source option to newServer() to specify the local address or interface used to contact a downstream server (#3138)
- CNAME and IPv6-only support have been added to spoofed responses (#3064)
- grepq() can be used to search for slow queries, along with topSlow()
- New Lua functions: addDomainCNAMESpoof(), AllowAction() by @bearggg, exceedQRate(), MacAddrAction(), makeRule(), NotRule(), OrRule(), QClassRule(), RCodeAction(), SpoofCNAMEAction(), SuffixMatchNodeRule(), TCPRule(), topSlow()
- NetmaskGroup support has been added in Lua (#3144)
- Added MacAddrAction() to add the source MAC address to the forwarded query (#3313)
Bug fixes¶
- An issue in DelayPipe could make dnsdist crash at startup
- downstream-timeouts metric was not always updated
- truncateTC was improperly updating the response length (#3126)
- DNSCrypt responses larger than queries were improperly truncated
- An issue prevented info messages from being displayed in non-verbose mode, fixed by Jan Broer
- Reinstating an expired Dynamic Rule was not correctly logged (#3323)
- Initialized counters in the TCP client thread might have caused FD and memory leaks, reported by Martin Pels (#3300)
- We now drop queries containing no question (qdcount == 0) (#3290)
- Outstanding TCP queries count was not always correct (#3288)
- A locking issue in exceedRespGen() might have caused crashes (#3277)
- Useless sockets were created in client mode (#3257)
- addAnyTCRule() was generating TC=1 responses even over TCP (#3251)
Web interface¶
- Cleanup of the HTML by Sander Hoentjen
- Fixed an XSS reported by @janeczku (#3217)
- Removed remote images
- Set the charset to UTF-8, added some security-related and CORS HTTP headers
- Added server latency by Jan Broer (#3201)
- Switched to official minified versions of JS scripts, by Sander Hoentjen (#3317)
- Don’t log unauthenticated HTTP request as an authentication failure
Various documentation updates and minor cleanups:¶
- Added documentation for Advanced DNS Protection features (Dynamic rules, maintenance())
- Make topBandwidth() default to the top 10 clients
- Replaced readline with libedit
- Added GPL2 License (#3200)
- Added incbin License (#3269)
- Updated completion rules
- Removed wrong option --daemon-no by Stefan Schmidt