Changelog¶
1.5.0¶
Released: 30th of July 2020Improvements¶
Use explicit flag for the specific version of c++ we are targeting.¶
References: pull request 9231
Prevent a copy of a pool’s backends when selecting a server.¶
References: pull request 9360
Bug Fixes¶
Fix compilation with h2o_socket_get_ssl_server_name().¶
References: pull request 9344
Prevent a possible overflow via large Proxy Protocol values. (Valentei Sergey)¶
References: pull request 9320
Avoid name clashes on Solaris derived systems.¶
References: #9279, pull request 9348
Resize hostname to final size in getCarbonHostname(). (Aki Tuomi)¶
References: pull request 9343
Fix compilation on OpenBSD/amd64.¶
References: pull request 9346
Handle calling PacketCache methods on a nil object.¶
References: pull request 9356
1.5.0-rc4¶
Released: 7th of July 2020Bug Fixes¶
Prevent a race between the DoH handling threads¶
References: pull request 9278
1.5.0-rc3¶
Released: 18th of June 2020New Features¶
Implement an ACL in the internal web server¶
References: pull request 9229
Improvements¶
Less negatives in secpoll error messages improves readability.¶
References: pull request 9100
Use std::string_view when available (Rosen Penev)¶
References: pull request 9207
Clean up dnsdistconf.lua as a default configuration file¶
References: #8038, pull request 9238
Add optional masks to KeyValueLookupKeySourceIP¶
References: pull request 9244
Bug Fixes¶
Use non-blocking pipes to pass DoH queries/responses around¶
References: #9206, pull request 9211
Fix compilation on systems that do not define HOST_NAME_MAX¶
References: #9125, pull request 9127
Do not use using namespace std;¶
References: pull request 9213
1.5.0-rc2¶
Released: 13th of May 2020Improvements¶
Add the unit to the help for latency buckets¶
References: pull request 9084
Avoid copies in for loops¶
References: pull request 9042
Build with -Wmissing-declarations -Wredundant-decls¶
References: pull request 9054
Use std::shuffle instead of std::random_shuffle¶
References: #9004, pull request 9016
Get rid of a naked pointer in the /dev/poll event multiplexer¶
References: pull request 9053
A few warnings fixed, reported by clang on OpenBSD¶
References: pull request 9059
Wrap pthread objects¶
References: pull request 9067
NetmaskTree: do not test node for null, the loop guarantees node is not null.¶
References: pull request 9078
Bug Fixes¶
Fix duplicated HTTP/1 counter in ‘showDOHFrontends()’¶
References: pull request 9068
Fix compilation of the ports event multiplexer¶
References: #9025, pull request 9031
Gracefully handle a failure to remove FD on (re)-connection¶
References: pull request 9057
1.5.0-rc1¶
Released: 16th of April 2020Improvements¶
Expose SuffixMatchNode::remove in Lua¶
References: pull request 8956
Remove a std::move() preventing Return-Value Optimization in lmdb-safe.cc¶
References: pull request 8962
Drop responses with the QR bit set to 0¶
References: pull request 8996
Add an option to control the size of the TCP listen queue¶
References: #8986, pull request 8994
Bug Fixes¶
Keep accepting fragmented UDP datagrams on DNSCrypt binds¶
References: pull request 8974
Accept UDP datagrams larger than 1500 bytes for DNSCrypt¶
References: #8974, pull request 8976
On OpenBSD string_view is both in boost and std¶
References: pull request 8955
1.5.0-alpha1¶
Released: 20th of March 2020New Features¶
Implement LuaFFIRule, LuaFFIAction and LuaFFIResponseAction¶
References: #7617, pull request 8505
Add SetNegativeAndSOAAction() and its Lua binding¶
References: #4747, pull request 8171
Implement dynamic blocking on ratio of rcode/total responses¶
References: pull request 8274
Add bounded loads to the consistent hashing policy¶
References: #7387, pull request 8567
Dnsdist: LogResponseAction (phonedph1)¶
References: pull request 8654
Add spoofRawAction() to craft answers from raw bytes¶
References: pull request 8722
Add support for Proxy Protocol between dnsdist and the recursor¶
References: pull request 8874
Implement bounded loads for the whashed and wrandom policies¶
References: pull request 8909
Improvements¶
Don’t accept sub-paths of configured DoH URLs¶
References: #8573, pull request 8760
Implement Cache-Control headers in DoH¶
References: #8586, pull request 8762
Document that the ‘keyLogFile’ option requires OpenSSL >= 1.1.1¶
References: #8806, pull request 8899
Change the default DoH path from / to /dns-query¶
References: #8819, pull request 8905
Add support for the processing of X-Forwarded-For headers¶
References: #8661, pull request 8945
Switch the default DoT provider from GnuTLS to OpenSSL¶
References: pull request 8380
Add the source and destination ports to the protobuf msg¶
References: pull request 8702
Better handling of reconnections in Remote Logger¶
References: pull request 8887
Rework NetmaskTree for better CPU and memory efficiency. (Stephan Bosch)¶
References: pull request 8355
Implement parallel health checks¶
References: pull request 8491
Use move semantics when updating the content of the StateHolder¶
References: pull request 8538
Keep a masked network in the Netmask class¶
References: pull request 8812
Make FrameStream IO parameters configurable¶
References: pull request 8937
Add backend status to prometheus metrics¶
References: #8746, pull request 8772
Add ‘IO wait’ and ‘steal’ metrics on Linux¶
References: pull request 8783
Don’t start as root within a systemd environment¶
References: pull request 7820
Separate the check-config and client modes¶
References: pull request 8456
Add the number of received bytes to StatNode entries¶
References: pull request 8529
Support setting the value of AA, AD and RA when self-generating answers¶
References: #8534, pull request 8556
pthread_rwlock_init() should be matched by pthread_rwlock_destroy()¶
References: pull request 8580
Replace include guard ifdef/define with pragma once (Chris Hofstaedtler)¶
References: pull request 8631
Allow retrieving and deleting a backend via its UUID¶
References: pull request 8657
Load an openssl configuration file, if any, during startup¶
References: pull request 8733
Add get*BindCount() functions¶
References: pull request 8848
Add sessionTimeout setting for TLS session lifetime (Matti Hiljanen)¶
References: pull request 8882
Detect {Libre,Open}SSL functions availability during configure¶
References: #8739, pull request 8900
Warn on startup about low weight values with chashed¶
References: #8669, pull request 8950
Bug Fixes¶
Set the DoH ticket rotation delay before loading tickets¶
References: pull request 8949
Display the correct DoT provider¶
References: pull request 8662
Use ref counting for the DoT TLS context¶
References: pull request 8761
Add ‘queue full’ metrics for our remote logger, log at debug only¶
References: #8629, pull request 8883
Fix ECS addition when the OPT record is not the last one¶
References: #8098, pull request 8115
Wait longer for the TLS ticket to arrive in our tests¶
References: pull request 8591
Add missing exception message in KVS error¶
References: pull request 8604
Add getTag()/setTag() Lua bindings for a DNSResponse¶
References: pull request 8782
Fix key logging for DNS over TLS¶
References: #8442, pull request 8787
Fix a typo in the help/completion for getDNSCryptBindCount¶
References: pull request 8855
Implement rmACL() (swoga)¶
References: pull request 8856
Remove unused lambda capture reported by clang++¶
References: pull request 8879
1.4.0¶
Released: 20th of November 2019Improvements¶
Fix the default value of
setMaxUDPOutstandingin the console’s help (phonedph1)¶References: pull request 8531
Add bindings for the noerrors and drops members of StatNode¶
References: pull request 8522
Fix -Wshadow warnings (Aki Tuomi)¶
References: pull request 8440
Fix typo: settting to setting (Chris Hofstaedtler)¶
References: pull request 8509
Bug Fixes¶
Lowercase the name blocked by a SMT dynamic block¶
References: pull request 8524
misc¶
Prefer the cipher suite from the server by default (DoH, DoT)¶
References: pull request 8526
1.4.0-rc5¶
Released: 30th of October 2019Improvements¶
Rename the ‘address’ label to ‘frontend’ for DoH metrics¶
References: pull request 8465
Bug Fixes¶
Increment the DOHUnit ref count when it’s set in the IDState¶
References: pull request 8471
1.4.0-rc4¶
Released: 25th of October 2019New Features¶
Add support dumping TLS keys via keyLogFile¶
References: pull request 8442
Improvements¶
Implement reference counting for the DOHUnit object¶
References: pull request 8416
Add metrics about TLS handshake failures for DoH and DoT¶
References: pull request 8447
Merge the setup of TLS contexts in DoH and DoT¶
References: pull request 8383
Add metrics about unknown/inactive TLS ticket keys¶
References: pull request 8406
Count the number of concurrent connections for DoH as well¶
References: pull request 8395
Add a ‘preferServerCiphers’ option for DoH and DoT¶
References: pull request 8382
Lowercase custom DoH header names¶
References: #8353, pull request 8365
Refactor DoH prometheus metrics again¶
References: pull request 8361
Add metrics about TLS versions with DNS over TLS¶
References: pull request 8387
Add more options to LogAction (non-verbose mode, timestamps)¶
References: #8390, pull request 8411
Fix formatting in showTCPStats()¶
References: pull request 8415
Use SO_BINDTODEVICE when available for newServer’s source interface¶
References: pull request 8372
Check the address supplied to ‘webserver’ in check-config¶
References: #8362, pull request 8364
Bug Fixes¶
Clear the DoH session ticket encryption key in the ctor¶
References: pull request 8388
Add missing prometheus descriptions for cache-related metrics¶
References: pull request 8409
Add a prometheus ‘thread’ label to distinguish identical frontends¶
References: pull request 8381
Fix a typo in the prometheus description of ‘senderrors’¶
References: pull request 8378
More prometheus fixes¶
References: pull request 8368
Fix the caching of large entries¶
References: pull request 8408
Work around cmsg_space somehow not being a constexpr on macOS¶
References: #8412, pull request 8413
Fix the creation order of rules when inserted via setRules()¶
References: pull request 8359
1.4.0-rc3¶
Released: 30th of September 2019Improvements¶
Display the DoH and DoT binds in the web view¶
References: pull request 8264
Allow accepting DoH queries over HTTP instead of HTTPS¶
References: pull request 8267
Implement TLS session ticket keys management for DoH¶
References: pull request 8349
Clean up our interactions with errno¶
References: #7845, pull request 8083
Remove the ‘blockfilter’ stat from the web view¶
References: #5514, pull request 8265
Fix some spelling mistakes noticed by lintian (Chris Hofstaedtler)¶
References: pull request 8268
dnsdistconf.lua use non-deprecated versions for 1.4.0 (phonedph1)¶
References: pull request 8285
Better use of labels in our DoH prometheus export¶
References: pull request 8318
Bug Fixes¶
Fix the newCDBKVStore console completion when LMDB is not enabled (phonedph1)¶
References: pull request 8281
Allow configure CDB_CFLAGS to work (phonedph1)¶
References: pull request 8283
Fix the warning message on an invalid secpoll answer¶
References: pull request 8303
Don’t connect to remote logger in client/command mode¶
References: #8300, pull request 8304
1.4.0-rc2¶
Released: 2nd of September 2019New Features¶
Add support for early DoH HTTP responses¶
References: pull request 8206
Add a KeyValueStoreLookup action based on CDB or LMDB¶
References: pull request 8139
Improvements¶
Add minTLSVersion for DoH and DoT¶
References: #8202, pull request 8207
Split dnsdist-lua-bindings.cc to reduce memory consumption during compilation¶
References: pull request 8250
Add a Lua binding for dynBlockRulesGroup:setQuiet(quiet)¶
References: pull request 8252
misc¶
Update h2o to 2.2.6, fixing CVE-2019-9512, CVE-2019-9514 and CVE-2019-9515 for repo.powerdns.com packages¶
References: pull request 8200
1.4.0-rc1¶
Released: 12th of August 2019New Features¶
Add OCSP stapling (from files) for DoT and DoH¶
References: #7812, pull request 8141
Add support for custom DoH headers (Melissa Voegeli)¶
References: #7957, #7900, pull request 8148
Add lua bindings, rules and action for DoH¶
References: #8133, pull request 8153
Implement ContinueAction()¶
References: pull request 8117
Improvements¶
Send better HTTP status codes, handle ACL drops earlier¶
References: pull request 7917
Add more stats about DoH HTTP responses¶
References: #7898, pull request 7933
Improve error messages for DoT issues¶
References: pull request 7978
Accept more than one certificate in addDNSCryptBind()¶
References: #8020, pull request 8042
Disallow TCP disablement¶
References: pull request 7860
Update boost.m4 to the latest version¶
References: pull request 7862
Print stats from expungeByName (Matti Hiljanen)¶
References: pull request 7909
Squelch unused function warning¶
References: #7950, pull request 7952
SuffixMatchNode:add(): accept more types¶
References: pull request 7985
Explicitly align the buffer used for cmsgs¶
References: #7981, pull request 7990
Add quiet parameter to NetmaskGroupRule¶
References: pull request 7992
Clear cmsg_space(sizeof(data)) in cmsghdr to appease Valgrind¶
References: #7981, pull request 7996
Add static assertions for the size of the src address control buffer¶
References: pull request 8007
Don’t create temporary strings to escape DNSName labels¶
References: pull request 8013
Display TCP/DoT queries and responses in verbose mode, opcode in grepq¶
References: pull request 8024
Be a bit more explicit about what failed in testCrypto()¶
References: pull request 8025
Update URLs to use HTTPS scheme (Chris Hofstaedtler)¶
References: pull request 8110
Double-check we only increment the outstanding counter once¶
References: pull request 8113
ext/ipcrypt: ship license in tarballs (Chris Hofstaedtler)¶
References: #8108, pull request 8135
Use a counter to mark IDState usage instead of the FD¶
References: pull request 8154
Increase the default value of setMaxUDPOutstanding to 65535¶
References: pull request 8175
Bug Fixes¶
Properly override the HTTP Server header for DoH¶
References: #7894, pull request 7911
Exit when requested DoT/DoH support is not compiled in¶
References: pull request 7915
Proper HTTP response for timeouts over DoH¶
References: #7917, pull request 7927
Prevent a dangling DOHUnit pointer when send() failed¶
References: pull request 8112
Skip non-dnscrypt binds in showDNSCryptBinds()¶
References: #8014, pull request 8015
SuffixMatchTree: fix root removal, partial match of non-leaf nodes¶
References: pull request 7886
Deduplicate frontends entries with carbon and prometheus¶
References: #7933, pull request 7934
Update boost.m4¶
References: #8084, #6942, pull request 7951
Fix short IOs over TCP¶
References: #7971, pull request 7974
Fix handling of backend connection failing over TCP¶
References: pull request 7979
Insert the response into the ringbuffer right after sending it¶
References: pull request 8003
Handle ENOTCONN on read() over TCP¶
References: #8021, pull request 8030
Make sure we always compile with BOOST_CB_ENABLE_DEBUG set to 0¶
References: pull request 8067
Catch exceptions thrown when handling a TCP response¶
References: pull request 8078
Fix unlimited retries when TCP Fast Open is enabled¶
References: pull request 8079
M4/systemd.m4: fail when systemctl is not available¶
References: pull request 8081
Fix a typo in the Server’s latency description for Prometheus (phonedph1)¶
References: pull request 8105
Console: flush cout after printing g_outputbuffer (Doug Freed)¶
References: #8130, pull request 8131
Fix signedness issue in isEDNSOptionInOpt()¶
References: pull request 8158
1.4.0-beta1¶
Released: 6th of June 2019New Features¶
Implement SNIRule for DoT and DoH¶
References: #7210, pull request 7825
Improvements¶
Support Prometheus latency histograms (Marlin Cremers)¶
References: #6088, pull request 7853
Bug Fixes¶
DoH: Don’t let ‘self’ dangling while parsing the request’s qname, this could lead to a crash¶
References: #7810, pull request 7814
Fix minor issues reported by Coverity¶
References: pull request 7823
Remove second, incomplete copy of lua EDNSOptionCode table¶
References: pull request 7833
1.4.0-alpha2¶
Released: 26th of April 2019New Features¶
Add DNS over HTTPS support based on libh2o¶
References: #7526, #6911, pull request 7726
Improvements¶
Ignore Path MTU discovery on UDP server socket¶
References: pull request 7410
Alternative solution to the unaligned accesses.¶
References: pull request 7708
Bug Fixes¶
Exit when setting ciphers fails (GnuTLS)¶
References: pull request 7718
1.4.0-alpha1¶
Released: 12th of April 2019New Features¶
Make recursor & dnsdist communicate (ECS) ‘variable’ status¶
References: pull request 7209
Add namespace and instance variable to carbon key (Gibheer)¶
References: #6941, #2362, pull request 6959
Allow NoRecurse for use in dynamic blocks or Lua rules (phonedph1)¶
References: pull request 7087
Expose secpoll status¶
References: #7194, pull request 7197
Add an optional ‘checkTimeout’ parameter to ‘newServer()’¶
References: #7236, pull request 7323
Add a ‘rise’ parameter to ‘newServer()’¶
References: #7237, pull request 7322
Add a ‘keepStaleData’ option to the packet cache¶
References: #7239, pull request 7310
Expose trailing data (Richard Gibson)¶
References: #6846, #6897, pull request 6967
Add option to set interval between health checks (1848)¶
References: pull request 7142
Add EDNS unknown version handling (Dmitry Alenichev)¶
References: pull request 7406
DNSNameSet and QNameSetRule (Andrey)¶
References: pull request 7537
Add support for encrypting ip addresses #gdpr¶
References: #6242, pull request 7481
Add ‘setSyslogFacility()’¶
References: #5653, pull request 7677
Add ‘reloadAllCertificates()’¶
References: pull request 7676
Improvements¶
Fix warnings, mostly unused parameters, reported by -wextra¶
References: pull request 7168
Add optional uuid column to showServers()¶
References: pull request 7191
Configure –enable-pdns-option –with-third-party-module (Josh Soref)¶
References: pull request 7026
Drop remaining capabilities after startup¶
References: pull request 7138
More sandboxing using systemd’s features¶
References: pull request 6634
Reduce systemcall usage in Protobuf logging¶
References: pull request 7428
Resync YaHTTP code to cmouse/yahttp@11be77a1fc4032 (Chris Hofstaedtler)¶
References: pull request 7433
Pass empty response (Dmitry Alenichev)¶
References: pull request 7431
Change the way getRealMemusage() works on linux (using statm)¶
References: pull request 7502
Prevent 0-ttl cache hits¶
References: #7534, pull request 7585
Add addDynBlockSMT() support to dynBlockRulesGroup¶
References: #7139, pull request 7343
Add frontend response statistics (Matti Hiljanen)¶
References: pull request 7578
Remove addLuaAction and addLuaResponseAction¶
References: pull request 7670
Refactoring of the TCP stack¶
References: #7526, #4814, pull request 7559
Prevent a conflict with BADSIG being clobbered¶
References: #7556, pull request 7692
Switch to the new ‘newPacketCache()’ syntax for 1.4.0¶
References: pull request 7689
Move constants to proper namespace¶
References: pull request 7678
Unify the management of DNS/DNSCrypt/DoT frontends¶
References: pull request 7694
¶Fix compiler warning about returning garbage (Adam Majer)References: pull request 7167
Bug Fixes¶
Protect GnuTLS tickets key rotation with a read-write lock¶
References: pull request 7256
Check that
SO_ATTACH_BPFis defined before enabling eBPF¶References: pull request 7267
Fix off-by-one in mvRule counting¶
References: pull request 7426
Don’t convert nsec to usec if we need nsec¶
References: pull request 7520
Fix setRules()¶
References: pull request 7594
Handle EAGAIN in the GnuTLS DNS over TLS provider¶
References: pull request 7560
Gracefully handle a null latency in the webserver’s js¶
References: #7461, pull request 7586
EDNSOptionView improvements¶
References: pull request 7652
Honor libcrypto include path¶
References: #7481, pull request 7674
1.3.3¶
Released: 8th of November 2018New Features¶
Add consistent hash builtin policy¶
References: #6932, pull request 6939, pull request 6737
Add EDNSOptionRule¶
References: pull request 6803
Add DSTPortRule (phonedph1)¶
References: pull request 6813
Make getOutstanding usable from both lua and console (phonedph1)¶
References: pull request 6826
Added :excludeRange and :includeRange methods to DynBPFFilter class (Reinier Schoof)¶
References: pull request 6856
Add Prometheus stats support (Pavel Odintsov, Kai S)¶
References: #4947, #6002, pull request 3935, pull request 7089, pull request 6343, pull request 6901, pull request 7007
Name threads in the programs¶
References: #6974, pull request 6997
Support the NXDomain action with dynamic blocks¶
References: #6908, pull request 7075
Add security polling¶
References: pull request 7115
Add a PoolAvailableRule to easily add backup pools (Robin Geuze)¶
References: pull request 7140
Improvements¶
Get rid of some allocs/copies in DNS parsing¶
References: pull request 6831
Set a correct EDNS OPT RR for self-generated answers¶
References: #4857, #6348, pull request 6847
Fix a sign-comparison warning in isEDNSOptionInOPT()¶
References: pull request 6877
Add warning rates to DynBlockRulesGroup rules¶
References: #6907, pull request 6986
Add support for exporting a server id in protobuf¶
References: #6990, #7004, pull request 7015
dnsdist did not set TCP_NODELAY, causing needless latency¶
References: pull request 7030
Add a setting to control the number of stored sessions¶
References: pull request 7062
Wrap GnuTLS and OpenSSL pointers in smart pointers¶
References: #7060, pull request 7064
Add a ‘creationOrder’ field to rules¶
References: #6909, pull request 7078
Fix return-type detection with boost 1.69’s tribool¶
References: #7091, pull request 7092
Fix format string issue on 32bits ARM¶
References: #7096, pull request 7104
Wrap TCP connection objects in smart pointers¶
References: pull request 7108
Add the setConsoleOutputMaxMsgSize function¶
References: #7084, pull request 7109
Add the ability to update webserver credentials¶
References: #7112, pull request 7117
Bug Fixes¶
Display dynblocks’ default action, None, as the global one¶
References: pull request 6835
Fix compilation when SO_REUSEPORT is not defined¶
References: pull request 6956
Release memory on DNS over TLS handshake failure¶
References: pull request 7060
Handle trailing data correctly when adding OPT or ECS info¶
References: #6896, pull request 7165
1.3.2¶
Released: 10th of July 2018Bug Fixes¶
Add missing include for PRId64, fix build on CentOS 6 / SLES 12¶
References: pull request 6785
1.3.1¶
Released: 10th of July 2018New Features¶
Add support for more than one TLS certificate¶
References: #6450, pull request 6524
Add a negative ttl option to the packet cache¶
References: #6579, pull request 6740
Add the ability to dump a summary of the cache content¶
References: pull request 6749
Add netmask-based {ex,in}clusions to DynblockRulesGroup¶
References: pull request 6760
Add DNSAction.NoOp to debug dynamic blocks¶
References: #6703, pull request 6776
Add SetECSAction to set an arbitrary outgoing ecs value¶
References: #6404, pull request 6734
Add support for rotating certificates and keys¶
References: pull request 6764
Improvements¶
Remove thelog and thel and replace this with a global g_log¶
References: #6357, pull request 6358
Fix two small nits on the documentation¶
References: pull request 6422
Move the el6 dnsdist package to upstart¶
References: #6394, pull request 6426
CLI option improvements (Chris Hofstaedtler)¶
References: #6433, pull request 6435
Split pdns_enable_unit_tests (Chris Hofstaedtler)¶
References: pull request 6436
Re-do lua detection¶
References: #6423, pull request 6445, pull request 6470, pull request 6457
Docs: fix missing ref in the dnsdist docs¶
References: pull request 6460
Be more permissive in wrandom tests, log values on failure¶
References: pull request 6502
Tests: avoid failure on not-so-optimal distribution¶
References: #6430, pull request 6523
Add syntax to dns.proto to silence compilation warning.¶
References: pull request 6577
Fix warnings reported by gcc 8.1.0¶
References: pull request 6590
Document setVerboseHealthchecks()¶
References: #6483, pull request 6592
Update dq.rst (phonedph1)¶
References: pull request 6615
Fix rpm scriptlets¶
References: pull request 6641
Don’t copy unitialized values of SuffixMatchTree¶
References: pull request 6637
Expose toString of various objects to Lua (Chris Hofstaedtler)¶
References: pull request 6684
Remove ‘expired’ states from MaxQPSIPRule¶
References: pull request 6674
Mark the remote member of DownstreamState as const¶
References: #6664, pull request 6688
Test the content of dynamic blocks using the API¶
References: #6706, pull request 6710
Default set “connection: close” header for web requests¶
References: #6532, pull request 6711
Update timedipsetrule.rst (phonedph1)¶
References: pull request 6717
Don’t access the TCP buffer vector past its size¶
References: #6712, pull request 6716
Show droprate in API output¶
References: pull request 6563
Refuse console connection without a proper key set¶
References: #6709, #6683, pull request 6715
Use LRU to clean the MaxQPSIPRule’s store¶
References: pull request 6726
Disable maybe uninitialized warnings with boost optional¶
References: pull request 6769
Luawrapper: report caught std::exception as lua_error¶
References: #6541, pull request 6658
Dnstap.rst: fix some editing errors (Chris Hofstaedtler)¶
References: pull request 6602
Allow known exception types to be converted to string¶
References: #6535, pull request 6541
Bug Fixes¶
Initialize the done variable in the rings’ unit tests¶
References: pull request 6425
Reorder headers to fix OpenBSD build¶
References: pull request 6429
Restrict value range for weight parameter, avoid sum overflows dropping queries (Dan McCombs)¶
References: pull request 6448
Fix reconnection handling¶
References: pull request 6672
Dynamic blocks were being created with the wrong duration (David Freedman)¶
References: pull request 6706
Limit qps and latency to two decimals in the web view¶
References: #6442, pull request 6718
Check the flags to detect collisions in the packet cache¶
References: pull request 6747
Fix iterating over the results of exceed*() functions¶
References: pull request 6762
Fix duration false positive in the dynblock regression tests¶
References: pull request 6767
Implement NoneAction()¶
References: #6758, pull request 6775
Detect ECS collisions in the packet cache¶
References: #6747, pull request 6754
Fix an outstanding counter race when reusing states¶
References: pull request 6773
1.3.0¶
Released: 30th of March 2018New Features¶
Add an optional status parameter to
Server:setAuto().¶References: pull request 5625
Add
inClientStartup()function.¶References: pull request 6072
Add tag-based routing of queries.¶
References: pull request 6037
Add experimental DNS-over-TLS support.¶
References: pull request 6176, pull request 6177, pull request 6117, pull request 6175, pull request 6189
Add simple dnstap support (Justin Valentini, Chris Hofstaedtler).¶
References: pull request 5201, pull request 6170
Add experimental XPF support based on draft-bellis-dnsop-xpf-04.¶
References: #5654, #5079, pull request 6220, pull request 5594
Add
ERCodeRule()to match on extended RCodes (Chris Hofstaedtler).¶References: pull request 6147
Add
TempFailureCacheTTLAction()(Chris Hofstaedtler).¶References: pull request 6003
Add DynBlockRulesGroup to improve processing speed of the
maintenance()function by reducing memory usage and not walking the ringbuffers multiple times.¶References: pull request 6391
Add
console ACLfunctions.¶References: #4654, pull request 6399
Allow adding
EDNS Client Subnet informationto a query before looking in the cache. This allows serving ECS enabled answers from the cache when all servers in a pool are down.¶References: #6098, pull request 6400
Improvements¶
Add cache sharding,
recvmmsgand CPU pinning support. With these, the scalability of dnsdist is drastically improved.¶References: #5202, #5859, pull request 5576, pull request 5860
Add burst option to
MaxQPSIPRule()(42wim).¶References: pull request 5970
Add Pools, cacheHitResponseRules to the API.¶
References: pull request 6022
Add a class option to health checks.¶
References: #5748, pull request 5929
Add UUIDs to rules, this allows tracking rules through modifications and moving them around.¶
References: pull request 6030
Apply ResponseRules to locally generated answers (Chris Hofstaedtler).¶
References: #6182, pull request 6185
Report
LuaAction()andLuaResponseAction()failures in the log and send SERVFAIL instead of not answering the query (Chris Hofstaedtler).¶References: pull request 6283
Unify global statistics accounting (Chris Hofstaedtler).¶
References: pull request 6289
Speed up the processing of large ring buffers. This change will make dnsdist more scalable with a large number of different clients.¶
References: pull request 6366, pull request 6350
Make custom
addLuaAction()andaddLuaResponseAction()callback’s second return value optional.¶References: #6346, pull request 6363
Add “server-up” metric count to Carbon Reporting (Lowell Mower).¶
References: pull request 6327
Add xchacha20 support for DNSCrypt.¶
References: pull request 6045, pull request 6382
Scalability improvement: Add an option to use several source ports towards a backend.¶
References: pull request 6317
Add ‘?’ and ‘help’ for providing help() output on
dnsdist -c(Kirill Ponomarev, Chris Hofstaedtler).¶References: #4845, pull request 5866, pull request 6375
Replace the Lua mutex with a rw lock to limit contention. This improves the processing speed and parallelism of the policies.¶
References: pull request 6190, pull request 6381
Ensure dnsdist compiles on NetBSD (Tom Ivar Helbekkmo).¶
References: pull request 6146
Also log eBPF dynamic blocks, as regular dynamic block already are.¶
References: #5845, pull request 5845
Ensure large numbers are shown correctly in the API.¶
References: #6211, pull request 6401
Add option to
showRules()to truncate the output length.¶References: #5763, pull request 6402
Fix several warnings reported by clang’s analyzer and cppcheck, should lead to small performance increases.¶
References: pull request 6407
Bug Fixes¶
Handle SNMP alarms so we can reconnect to the master.¶
References: #5327, pull request 5328
Fix signed/unsigned comparison warnings on ARM.¶
References: #5489, pull request 5597
Keep trying if the first connection to the remote logger failed¶
References: pull request 5770
Fix escaping unusual DNS label octets in DNSName is off by one (Kees Monshouwer).¶
References: pull request 6018
Avoid assertion errors in
NewServer()(Chris Hofstaedtler).¶References: pull request 6403
Removals¶
Remove the
--daemonoption from dnsdist.¶References: #6329, pull request 6394
1.2.1¶
Released: 16th of February 2018New Features¶
Add configuration option to disable IP_BIND_ADDRESS_NO_PORT (Dan McCombs).¶
References: pull request 5880
Improvements¶
Handle bracketed IPv6 addresses without ports (Chris Hofstaedtler).¶
References: pull request 6057
Bug Fixes¶
Make dnsdist dynamic truncate do right thing on TCP/IP.¶
References: pull request 5647
Add missing QPSAction¶
References: pull request 5686
Don’t create a Remote Logger in client mode.¶
References: pull request 5847
Use libsodium’s CFLAGS, we might need them to find the includes.¶
References: pull request 5858
Keep the TCP connection open on cache hit, generated answers.¶
References: pull request 6012
Add the missing <sys/time.h> include to mplexer.hh for struct timeval.¶
References: pull request 6041
Sort the servers based on their ‘order’ after it has been set.¶
References: pull request 6043
Quiet unused variable warning on macOS (Chris Hofstaedtler).¶
References: pull request 6073
Fix the outstanding counter when an exception is raised.¶
References: #5652, pull request 6094
Do not connect the snmpAgent from a dnsdist client.¶
References: #6163, pull request 6164
1.2.0¶
Released: 21st of August 2017New Features¶
Add an option to export CNAME records over protobuf.¶
References: #4709, pull request 4776
Add TCP management options from RFC 7766 section 10.¶
References: pull request 4611
Add an option to ‘mute’ UDP responses per bind.¶
References: #4527, pull request 4536
Save history to home-dir, only use CWD as a last resort.¶
References: #4562, pull request 4779
Add the
setRingBuffersSize()directive to allows changing the ringbuffer size.¶References: pull request 4898
Allow TTL alteration via Lua.¶
References: #4707, pull request 4787
Add
RDRule()to match queries with theRDflag set.¶References: pull request 4837
Add
setWHashedPertubation()for consistentwhashedresults.¶References: pull request 4897
Add
tcpConnectTimeouttonewServer().¶References: pull request 4818
Add cache hit response rules.¶
References: #4708, pull request 5036, pull request 4788
Add SNMP support.¶
References: pull request 4989, pull request 5204, pull request 5123
Allow passing
DNSNames as DNSRules.¶References: pull request 5070
Add support for setting the server selection policy on a per pool basis (Robin Geuze).¶
References: pull request 5113
Add a
suffixMatchparameter toPacketCache:expungeByName()(Robin Geuze).¶References: pull request 5159
Add an option so the packet cache entries don’t age.¶
References: #5126, pull request 5136
Add
QNameRule().¶References: pull request 5235
Add an optional action to
addDynBlocks().¶References: pull request 5337
Add an optional interface parameter to
addLocal()/setLocal().¶References: pull request 5344
Make a
truncateaction available to DynBlock and Lua.¶References: pull request 5386
Implement a runtime changeable rule that matches IP address for a certain time called
TimedIPSetRule().¶References: pull request 5336
Add support for returning several IPs to spoof from Lua.¶
References: pull request 5496
Add Lua bindings to be able to rotate DNSCrypt keys, see DNSCrypt.¶
References: #5507, #5420, pull request 5490, pull request 5508
Add the capability to set arbitrary tags in protobuf messages.¶
References: pull request 5577, pull request 5396
Add setConsoleConnectionsLogging().¶
References: #5565, pull request 5581
Improvements¶
Merge the client and server nonces to prevent replay attacks.¶
References: pull request 4815
Store the computed shared key and reuse it for the response for DNSCrypt messages.¶
References: pull request 4813, pull request 4926
Add
setTCPUseSinglePipe()to use a single TCP waiting queue.¶References: pull request 4817
Add
sendSizeAndMsgWithTimeoutto send size and data in a single call and use it for TCP Fast Open towards backends.¶References: #5494, pull request 4985, pull request 5501
Tune systemd unit-file for medium-sized installations (Winfried Angele).¶
References: pull request 4958
Add the possibility to fill a
NetmaskGroup(usingNetmaskGroup:addMask()) from exceeds* results.¶References: pull request 5185
Add labels count to StatNode, only set the name once.¶
References: pull request 5353
DNSName: Check that both first two bits are set in compressed labels.¶
References: #4851, pull request 4852
Handle unreachable servers at startup, reconnect stale sockets¶
References: #4131, #4155, pull request 4285
Gracefully handle invalid addresses in
newServer().¶References: #4471, pull request 4474
Use
IP_BIND_ADDRESS_NO_PORTwhen available.¶References: pull request 4786
Add an optional
secondsparameter tostatNodeRespRing().¶References: #4775, #4660, pull request 4780
Report a more specific lua version and report luajit in
--version.¶References: pull request 4910
Prevent issues by unshadowing variables.¶
References: pull request 5056
Register DNSName::chopOff (@plzz).¶
References: pull request 4920
Make
includeDirectory()work sorted (Robin Geuze).¶References: #5053, pull request 5150, pull request 5171
Allow embedded NULs in strings received from Lua.¶
References: pull request 5147
Cleanup closed TCP downstream connections.¶
References: pull request 5163
Improve reporting of C++ exceptions that bubble up via Lua.¶
References: pull request 5230
Add better logging on queries that get dropped, timed out or received.¶
References: pull request 5253
Print useful messages when query and response actions are mixed.¶
References: pull request 5342
Add
DNSRule::toString()and add virtual destructors to DNSRule, DNSAction and DNSResponseAction so the destructors of derived classes are run even when deleted via the base type.¶References: pull request 5497
Don’t use square brackets for IPv6 in Carbon metrics.¶
References: #5538, pull request 5579
Bug Fixes¶
Unified
-kandsetKey()behaviour for client and server mode now.¶References: pull request 5199
Refactor SuffixMatchNode using a SuffixMatchTree.¶
References: #4761, pull request 4950
Get rid of
std::move()calls preventing copy elision.¶References: pull request 5359
Send an HTTP 404 on unknown API paths.¶
References: pull request 5089
LuaWrapper: Use the correct index when storing a function.¶
References: pull request 4775
Send a latency of 0 over carbon, null over API for down servers.¶
References: #4689, pull request 4785
Fix negative port detection for IPv6 addresses on 32-bit.¶
References: pull request 4911
Fix crashed on SmartOS/Illumos (Roman Dayneko).¶
References: #4579, pull request 4877
Change
truncateTCto defaulting to off, having it enabled by default causes an compatibility with RFC 6891 (Robin Geuze).¶References: #4857, pull request 4859
Don’t cache answers without any TTL (like SERVFAIL).¶
References: #4983, pull request 5037, pull request 4987
Fix destination port reporting on “any” binds.¶
References: pull request 5194
Correctly truncate EDNS Client Subnetmasks.¶
References: pull request 5320
Fix
RecordsTypeCountRule()’s handling of the # of records in a section.¶References: #5365, pull request 5369
Change stats functions to always return lowercase names (Robin Geuze).¶
References: #5287, pull request 5383
Only use TCP Fast Open when supported and prevent compiler warnings.¶
References: pull request 5449, pull request 5454
Skip timeouts on the response latency graph.¶
References: #5559, pull request 5563
Copy the DNS header before encrypting it in place.¶
References: #5566, pull request 5580
Removals¶
Remove BlockFilter.¶
References: #5513, pull request 5514
Deprecate syntactic sugar functions.¶
References: #5069, pull request 5526
misc¶
Fix potential pointer wrap-around on 32 bits.¶
References: pull request 5630
Make the API available with an API key only.¶
References: pull request 5631
1.1.0-beta2¶
Released December 14th 2016
Changes since 1.1.0-beta1:
New features¶
- #4518: Fix dynblocks over TCP, allow refusing dyn blocked queries
- #4519: Allow altering the ECS behavior via rules and Lua
- #4535: Add
DNSQuestion:getDO() - #4653:
getStatisticsCounters()to access counters from Lua - #4657: Add
includeDirectory(dir) - #4658: Allow editing the ACL via the API
- #4702: Add
setUDPTimeout(n) - #4726: Add an option to return ServFail when no server is available
- #4748: Add
setCacheCleaningPercentage()
Improvements¶
- #4533: Fix building with clang on OS X and FreeBSD
- #4537: Replace luawrapper’s std::forward/std::make_tuple combo with std::forward_as_tuple (Sangwhan “fish” Moon)
- #4596: Change the default max number of queued TCP conns to 1000
- #4632: Improve dnsdist error message on a common typo/config mistake
- #4694: Don’t use a const_iterator for erasing (fix compilation with some versions of gcc)
- #4715: Specify that dnsmessage.proto uses protobuf version 2
- #4765: Some service improvements
Bug fixes¶
- #4425: Fix a protobuf regression (requestor/responder mix-up) caused by a94673e
- #4541: Fix insertion issues in SuffixMatchTree, move it to dnsname.hh
- #4553: Flush output in single command client mode
- #4578: Fix destination address reporting
- #4640: Don’t exit dnsdist on an exception in maintenance
- #4721: Handle exceptions in the UDP responder thread
- #4734: Add the TCP socket to the map only if the connection succeeds. Closes #4733
- #4742: Decrement the queued TCP conn count if writing to the pipe fails
- #4743: Ignore newBPFFilter() and newDynBPFFilter() in client mode
- #4753: Fix FD leak on TCP connection failure, handle TCP worker creation failure
- #4764: Prevent race while creating new TCP worker threads
1.1.0-beta1¶
Released September 1st 2016
Changes since 1.0.0:
New features¶
- #3762 Teeaction: send copy of query to second nameserver, sponge responses
- #3876 Add
showResponseRules(),{mv,rm,top}ResponseRule() - #3936 Filter on opcode, records count/type, trailing data
- #3975 Make dnsdist {A,I}XFR aware, document possible issues
- #4006 Add eBPF source address and qname/qtype filtering
- #4008 Node infrastructure for querying recent traffic
- #4042 Add server-side TCP Fast Open support
- #4050 Add
clearRules()andsetRules() - #4114 Add
QNameLabelsCountRule()andQNameWireLengthRule() - #4116 Added src boolean to NetmaskGroupRule to match destination address (Reinier Schoof)
- #4175 Implemented query counting (Reinier Schoof)
- #4244 Add a
setCDparameter to set cd=1 on health check queries - #4284 Add RCodeRule(), Allow, Delay and Drop response actions
- #4305 Add an optional Lua callback for altering a Protobuf message
- #4309 Add showTCPStats function (RobinGeuze)
- #4329 Add options to LogAction() so it can append (instead of truncate) (Duane Wessels)
Improvements¶
- #3714 Add documentation links to dnsdist.service (Ruben Kerkhof)
- #3754 Allow the use of custom headers in the web server
- #3826 Implement a ‘quiet’ mode for SuffixMatchNodeRule()
- #3836 Log the content of webserver’s exceptions
- #3858 Only log YaHTTP’s parser exceptions in verbose mode
- #3877 Increase max FDs in systemd unit, warn if clearly too low
- #4019 Add an
optional
addECSoption toTeeAction() - #4029 Add version and feature information to version output
- #4079 Return an error on RemoteLog{,Response}Action() w/o protobuf
- #4246 API now sends pools as a JSON array instead of a string
- #4302 Add
help()andshowVersion() - #4286 Add response rules to the API and Web status page
- #4068 Display the dyn eBPF filters stats in the web interface
Bug fixes¶
- #3755 Fix RegexRule example in dnsdistconf.lua
- #3773 Stop copying the HTTP request headers to the response
- #3837 Remove dnsdist service file on trusty
- #3840 Catch WrongTypeException in client mode
- #3906 Keep the servers ordered inside pools
- #3988 Fix
grepq()output in the README - #3992 Fix some typos in the AXFR/IXFR documentation
- #3995 Fix comparison between signed and unsigned integer
- #4049 Fix dnsdist rpm building script #4048 (Daniel Stirnimann)
- #4065 Include editline/readline.h instead of readline.h/history.h
- #4067 Disable eBPF support when BPF_FUNC_tail_call is not found
- #4069 Fix a buffer overflow when displaying an OpcodeRule
- #4101 Fix $ expansion in build-dnsdist-rpm
- #4198 newServer setting maxCheckFailures makes no sense (stutiredboy)
- #4205 Prevent the use of “any” addresses for downstream server
- #4220 Don’t log an error when parsing an invalid UDP query
- #4348 Fix invalid outstanding count for {A,I}XFR over TCP
- #4365 Reset origFD asap to keep the outstanding count correct
- #4375 Tuple requires make_tuple to initialize
- #4380 Fix compilation with clang when eBPF support is enabled
1.0.0¶
Released April 21st 2016
Changes since 1.0.0-beta1:
Improvements¶
- #3700 Create user from the RPM package to drop privs
- #3712 Make check should run testrunner
- #3713 Remove contrib/dnsdist.service (Ruben Kerkhof)
- #3722 Use LT_INIT and disable static objects (Ruben Kerkhof)
- #3724 Include PDNS_CHECK_OS in configure (Chris Hofstaedtler)
- #3728 Document libedit Ctrl-R workaround for CentOS 6
- #3730 Make
topBandwidth()behave like other top* functions - #3731 Clarify a bit the documentation of load-balancing policies
1.0.0-beta1¶
Released April 14th 2016
Changes since 1.0.0-alpha2:
New features¶
- Per-pool packet cache
- Some actions do not stop the processing anymore when they match, allowing more complex setups: Delay, Disable Validation, Log, MacAddr, No Recurse and of course None
- The new RE2Rule() is available, using the RE2 regular expression library to match queries, in addition to the existing POSIX-based RegexRule()
- SpoofAction() now supports multiple A and AAAA records
- Remote logging of questions and answers via Protocol Buffer
Improvements¶
- #3405 Add health
check logging,
maxCheckFailuresto backend - #3412 Check config
- #3440 Client operation improvements
- #3466 Add dq binding for skipping packet cache in LuaAction (Jan Broer)
- #3499 Add support for multiple carbon servers
- #3504 Allow accessing the API with an optional API key
- #3556 Add an option to limit the number of queued TCP connections
- #3578 Add a
disable-syslogoption - #3608 Export cache stats to carbon
- #3622 Display the ACL content on startup
- #3627 Remove ECS option from response’s OPT RR when necessary
- #3633 Count “TTL too short” cache events
- #3677 systemd-notify support
Bug fixes¶
- #3388 Lock the Lua context before executing a LuaAction
- #3433 Check that the answer matches the initial query
- #3461 Fix crash when calling rmServer() with an invalid index
- #3550,#3551 Fix build failure on FreeBSD (Ruben Kerkhof)
- #3594 Prevent EOF error for empty console response w/o sodium
- #3634 Prevent dangling TCP fd in case setupTCPDownstream() fails
- #3641 Under threshold, QPS action should return None, not Allow
- #3658 Fix a race condition in MaxQPSIPRule
1.0.0-alpha2¶
Released February 5th 2016
Changes since 1.0.0-alpha1:
New features¶
- Lua functions now receive a DNSQuestion
dqobject instead of several parameters. This adds a greater compatibility with PowerDNS and allows adding more parameters without breaking the API (#3198) - Added a
sourceoption tonewServer()to specify the local address or interface used to contact a downstream server (#3138) - CNAME and IPv6-only support have been added to spoofed responses (#3064)
grepq()can be used to search for slow queries, along withtopSlow()- New Lua functions:
addDomainCNAMESpoof(),AllowAction()by @bearggg,exceedQRate(),MacAddrAction(),makeRule(),NotRule(),OrRule(),QClassRule(),RCodeAction(),SpoofCNAMEAction(),SuffixMatchNodeRule(),TCPRule(),topSlow() NetmaskGroupsupport have been added in Lua (#3144)- Added
MacAddrAction()to add the source MAC address to the forwarded query (#3313)
Bug fixes¶
- An issue in DelayPipe could make dnsdist crash at startup
downstream-timeoutsmetric was not always updatedtruncateTCwas unproperly updating the response length (#3126)- DNSCrypt responses larger than queries were unproperly truncated
- An issue prevented info message from being displayed in non-verbose mode, fixed by Jan Broer
- Reinstating an expired Dynamic Rule was not correctly logged (#3323)
- Initialized counters in the TCP client thread might have cause FD and memory leak, reported by Martin Pels (#3300)
- We now drop queries containing no question (qdcount == 0) (#3290)
- Outstanding TCP queries count was not always correct (#3288)
- A locking issue in exceedRespGen() might have caused crashs (#3277)
- Useless sockets were created in client mode (#3257)
addAnyTCRule()was generating TC=1 responses even over TCP (#3251)
Web interface¶
- Cleanup of the HTML by Sander Hoentjen
- Fixed an XSS reported by @janeczku (#3217)
- Removed remote images
- Set the charset to UTF-8, added some security-related and CORS HTTP headers
- Added server latency by Jan Broer (#3201)
- Switched to official minified versions of JS scripts, by Sander Hoentjen (#3317)
- Don’t log unauthenticated HTTP request as an authentication failure
Various documentation updates and minor cleanups:¶
- Added documentation for Advanced DNS Protection features (Dynamic
rules,
maintenance()) - Make
topBandwidth()default to the top 10 clients - Replaced readline with libedit
- Added GPL2 License (#3200)
- Added incbin License (#3269)
- Updated completion rules
- Removed wrong option
--daemon-noby Stefan Schmidt