Changelog

1.2.0

Released: 21st of August 2017

New Features

• Add an option to export CNAME records over protobuf.

  References: #4709, pull request 4776

• Add TCP management options from RFC 7766 section 10.

  References: pull request 4611

• Add an option to ‘mute’ UDP responses per bind.

  References: #4527, pull request 4536

• Save history to home-dir, only use CWD as a last resort.

  References: #4562, pull request 4779

• Add the setRingBuffersSize() directive to allows changing the ringbuffer size.

  References: pull request 4898

• Allow TTL alteration via Lua.

  References: #4707, pull request 4787

• Add RDRule() to match queries with the RD flag set.

  References: pull request 4837

• Add setWHashedPertubation() for consistent whashed results.

  References: pull request 4897

• Add tcpConnectTimeout to newServer().

  References: pull request 4818

• Add cache hit response rules.

  References: #4708, pull request 5036, pull request 4788

• Add SNMP support.

  References: pull request 4989, pull request 5204, pull request 5123

• Allow passing DNSNames as DNSRules.

  References: pull request 5070

• Add support for setting the server selection policy on a per pool basis (Robin Geuze).

  References: pull request 5113

• Add a suffixMatch parameter to PacketCache:expungeByName() (Robin Geuze).

  References: pull request 5159

• Add an option so the packet cache entries don’t age.

  References: #5126, pull request 5136

• Add QNameRule().

  References: pull request 5235

• Add an optional action to addDynBlocks().

  References: pull request 5337

• Add an optional interface parameter to addLocal()/setLocal().

  References: pull request 5344

• Make a truncate action available to DynBlock and Lua.

  References: pull request 5386

• Implement a runtime changeable rule that matches IP address for a certain time called TimedIPSetRule().

  References: pull request 5336

• Add support for returning several IPs to spoof from Lua.

  References: pull request 5496

• Add Lua bindings to be able to rotate DNSCrypt keys, see DNSCrypt.

  References: #5507, #5420, pull request 5490, pull request 5508

• Add the capability to set arbitrary tags in protobuf messages.

  References: pull request 5577, pull request 5396

• Add setConsoleConnectionsLogging().

  References: #5565, pull request 5581

Improvements

• Merge the client and server nonces to prevent replay attacks.

  References: pull request 4815

• Store the computed shared key and reuse it for the response for DNSCrypt messages.

  References: pull request 4813, pull request 4926

• Add setTCPUseSinglePipe() to use a single TCP waiting queue.

  References: pull request 4817

• Add sendSizeAndMsgWithTimeout to send size and data in a single call and use it for TCP Fast Open towards backends.

  References: #5494, pull request 4985, pull request 5501

• Tune systemd unit-file for medium-sized installations (Winfried Angele).

  References: pull request 4958

• Add the possiblity to fill a NetmaskGroup (using NetmaskGroup:addMask()) from exceeds* results.

  References: pull request 5185

• Add labels count to StatNode, only set the name once.

  References: pull request 5353

• DNSName: Check that both first two bits are set in compressed labels.

  References: #4851, pull request 4852

• Handle unreachable servers at startup, reconnect stale sockets

  References: #4131, #4155, pull request 4285

• Gracefully handle invalid addresses in newServer().

  References: #4471, pull request 4474

• Use IP_BIND_ADDRESS_NO_PORT when available.

  References: pull request 4786

• Add an optional seconds parameter to statNodeRespRing().

  References: #4775, #4660, pull request 4780

• Report a more specific lua version and report luajit in --version.

  References: pull request 4910

• Prevent issues by unshadowing variables.

  References: pull request 5056

• Register DNSName::chopOff (@plzz).

  References: pull request 4920

• Make includeDirectory() work sorted (Robin Geuze).

  References: #5053, pull request 5150, pull request 5171

• Allow embedded NULs in strings received from Lua.

  References: pull request 5147

• Cleanup closed TCP downstream connections.

  References: pull request 5163

• Improve reporting of C++ exceptions that bubble up via Lua.

  References: pull request 5230

• Add better logging on queries that get dropped, timed out or received.

  References: pull request 5253

• Print useful messages when query and response actions are mixed.

  References: pull request 5342

• Add DNSRule::toString() and add virtual destructors to DNSRule, DNSAction and DNSResponseAction so the destructors of derived classes are run even when deleted via the base type.

  References: pull request 5497

• Don’t use square brackets for IPv6 in Carbon metrics.

  References: #5538, pull request 5579

Bug Fixes

• Unified -k and setKey() behaviour for client and server mode now.

  References: pull request 5199

• Refactor SuffixMatchNode using a SuffixMatchTree.

  References: #4761, pull request 4950

• Get rid of std::move() calls preventing copy elision.

  References: pull request 5359

• Send an HTTP 404 on unknown API paths.

  References: pull request 5089

• LuaWrapper: Use the correct index when storing a function.

  References: pull request 4775

• Send a latency of 0 over carbon, null over API for down servers.

  References: #4689, pull request 4785

• Fix negative port detection for IPv6 addresses on 32-bit.

  References: pull request 4911

• Fix crashed on SmartOS/Illumos (Roman Dayneko).

  References: #4579, pull request 4877

• Change truncateTC to defaulting to off, having it enabled by default causes an compatibility with RFC 6891 (Robin Geuze).

  References: #4857, pull request 4859

• Don’t cache answers without any TTL (like SERVFAIL).

  References: #4983, pull request 5037, pull request 4987

• Fix destination port reporting on “any” binds.

  References: pull request 5194

• Correctly truncate EDNS Client Subnetmasks.

  References: pull request 5320

• Fix RecordsTypeCountRule()’s handling of the # of records in a section.

  References: #5365, pull request 5369

• Change stats functions to always return lowercase names (Robin Geuze).

  References: #5287, pull request 5383

• Only use TCP Fast Open when supported and prevent compiler warnings.

  References: pull request 5449, pull request 5454

• Skip timeouts on the response latency graph.

  References: #5559, pull request 5563

• Copy the DNS header before encrypting it in place.

  References: #5566, pull request 5580

Removals

• Remove BlockFilter.

  References: #5513, pull request 5514

• Deprecate syntactic sugar functions.

  References: #5069, pull request 5526

misc

• Fix potential pointer wrap-around on 32 bits.

  References: pull request 5630

• Make the API available with an API key only.

  References: pull request 5631

1.1.0

Released December 29th 2016

Changes since 1.1.0-beta2:

Improvements

• #4783: Add -latomic on powerpc
• #4812: Handle header-only responses, handle Refused as Servfail in the cache

Bug fixes

• #4762: SuffixMatchNode: Fix an insertion issue for an existing node
• #4772: Fix dnsdist initscript config check

1.1.0-beta2

Released December 14th 2016

Changes since 1.1.0-beta1:

New features

• #4518: Fix dynblocks over TCP, allow refusing dyn blocked queries
• #4519: Allow altering the ECS behavior via rules and Lua
• #4535: Add DNSQuestion:getDO()
• #4653: getStatisticsCounters() to access counters from Lua
• #4657: Add includeDirectory(dir)
• #4658: Allow editing the ACL via the API
• #4702: Add setUDPTimeout(n)
• #4726: Add an option to return ServFail when no server is available
• #4748: Add setCacheCleaningPercentage()

Improvements

• #4533: Fix building with clang on OS X and FreeBSD
• #4537: Replace luawrapper’s std::forward/std::make_tuple combo with std::forward_as_tuple (Sangwhan “fish” Moon)
• #4596: Change the default max number of queued TCP conns to 1000
• #4632: Improve dnsdist error message on a common typo/config mistake
• #4694: Don’t use a const_iterator for erasing (fix compilation with some versions of gcc)
• #4715: Specify that dnsmessage.proto uses protobuf version 2
• #4765: Some service improvements

Bug fixes

• #4425: Fix a protobuf regression (requestor/responder mix-up) caused by a94673e
• #4541: Fix insertion issues in SuffixMatchTree, move it to dnsname.hh
• #4553: Flush output in single command client mode
• #4578: Fix destination address reporting
• #4640: Don’t exit dnsdist on an exception in maintenance
• #4721: Handle exceptions in the UDP responder thread
• #4734: Add the TCP socket to the map only if the connection succeeds. Closes #4733
• #4742: Decrement the queued TCP conn count if writing to the pipe fails
• #4743: Ignore newBPFFilter() and newDynBPFFilter() in client mode
• #4753: Fix FD leak on TCP connection failure, handle TCP worker creation failure
• #4764: Prevent race while creating new TCP worker threads

1.1.0-beta1

Released September 1st 2016

Changes since 1.0.0:

New features

• #3762 Teeaction: send copy of query to second nameserver, sponge responses
• #3876 Add showResponseRules(), {mv,rm,top}ResponseRule()
• #3936 Filter on opcode, records count/type, trailing data
• #3975 Make dnsdist {A,I}XFR aware, document possible issues
• #4006 Add eBPF source address and qname/qtype filtering
• #4008 Node infrastructure for querying recent traffic
• #4042 Add server-side TCP Fast Open support
• #4050 Add clearRules() and setRules()
• #4114 Add QNameLabelsCountRule() and QNameWireLengthRule()
• #4116 Added src boolean to NetmaskGroupRule to match destination address (Reinier Schoof)
• #4175 Implemented query counting (Reinier Schoof)
• #4244 Add a setCD parameter to set cd=1 on health check queries
• #4284 Add RCodeRule(), Allow, Delay and Drop response actions
• #4305 Add an optional Lua callback for altering a Protobuf message
• #4309 Add showTCPStats function (RobinGeuze)
• #4329 Add options to LogAction() so it can append (instead of truncate) (Duane Wessels)

Improvements

• #3714 Add documentation links to dnsdist.service (Ruben Kerkhof)
• #3754 Allow the use of custom headers in the web server
• #3826 Implement a ‘quiet’ mode for SuffixMatchNodeRule()
• #3836 Log the content of webserver’s exceptions
• #3858 Only log YaHTTP’s parser exceptions in verbose mode
• #3877 Increase max FDs in systemd unit, warn if clearly too low
• #4019 Add an optional addECS option to TeeAction()
• #4029 Add version and feature information to version output
• #4079 Return an error on RemoteLog{,Response}Action() w/o protobuf
• #4246 API now sends pools as a JSON array instead of a string
• #4302 Add help() and showVersion()
• #4286 Add response rules to the API and Web status page
• #4068 Display the dyn eBPF filters stats in the web interface

Bug fixes

• #3755 Fix RegexRule example in dnsdistconf.lua
• #3773 Stop copying the HTTP request headers to the response
• #3837 Remove dnsdist service file on trusty
• #3840 Catch WrongTypeException in client mode
• #3906 Keep the servers ordered inside pools
• #3988 Fix grepq() output in the README
• #3992 Fix some typos in the AXFR/IXFR documentation
• #3995 Fix comparison between signed and unsigned integer
• #4049 Fix dnsdist rpm building script #4048 (Daniel Stirnimann)
• #4065 Include editline/readline.h instead of readline.h/history.h
• #4067 Disable eBPF support when BPF_FUNC_tail_call is not found
• #4069 Fix a buffer overflow when displaying an OpcodeRule
• #4101 Fix $ expansion in build-dnsdist-rpm
• #4198 newServer setting maxCheckFailures makes no sense (stutiredboy)
• #4205 Prevent the use of “any” addresses for downstream server
• #4220 Don’t log an error when parsing an invalid UDP query
• #4348 Fix invalid outstanding count for {A,I}XFR over TCP
• #4365 Reset origFD asap to keep the outstanding count correct
• #4375 Tuple requires make_tuple to initialize
• #4380 Fix compilation with clang when eBPF support is enabled

1.0.0

Released April 21st 2016

Changes since 1.0.0-beta1:

Improvements

• #3700 Create user from the RPM package to drop privs
• #3712 Make check should run testrunner
• #3713 Remove contrib/dnsdist.service (Ruben Kerkhof)
• #3722 Use LT_INIT and disable static objects (Ruben Kerkhof)
• #3724 Include PDNS_CHECK_OS in configure (Christian Hofstaedtler)
• #3728 Document libedit Ctrl-R workaround for CentOS 6
• #3730 Make topBandwidth() behave like other top* functions
• #3731 Clarify a bit the documentation of load-balancing policies

Bug fixes

• #3711 Building rpm needs systemd headers (Ruben Kerkhof)
• #3736 Add missing Lua binding for NetmaskGroupRule()
• #3739 Drop privileges after daemonizing and writing our pid

1.0.0-beta1

Released April 14th 2016

Changes since 1.0.0-alpha2:

New features

• Per-pool packet cache
• Some actions do not stop the processing anymore when they match, allowing more complex setups: Delay, Disable Validation, Log, MacAddr, No Recurse and of course None
• The new RE2Rule() is available, using the RE2 regular expression library to match queries, in addition to the existing POSIX-based RegexRule()
• SpoofAction() now supports multiple A and AAAA records
• Remote logging of questions and answers via Protocol Buffer

Improvements

• #3405 Add health check logging, maxCheckFailures to backend
• #3412 Check config
• #3440 Client operation improvements
• #3466 Add dq binding for skipping packet cache in LuaAction (Jan Broer)
• #3499 Add support for multiple carbon servers
• #3504 Allow accessing the API with an optional API key
• #3556 Add an option to limit the number of queued TCP connections
• #3578 Add a disable-syslog option
• #3608 Export cache stats to carbon
• #3622 Display the ACL content on startup
• #3627 Remove ECS option from response’s OPT RR when necessary
• #3633 Count “TTL too short” cache events
• #3677 systemd-notify support

Bug fixes

• #3388 Lock the Lua context before executing a LuaAction
• #3433 Check that the answer matches the initial query
• #3461 Fix crash when calling rmServer() with an invalid index
• #3550,#3551 Fix build failure on FreeBSD (Ruben Kerkhof)
• #3594 Prevent EOF error for empty console response w/o sodium
• #3634 Prevent dangling TCP fd in case setupTCPDownstream() fails
• #3641 Under threshold, QPS action should return None, not Allow
• #3658 Fix a race condition in MaxQPSIPRule

1.0.0-alpha2

Released February 5th 2016

Changes since 1.0.0-alpha1:

New features

• Lua functions now receive a DNSQuestion dq object instead of several parameters. This adds a greater compatibility with PowerDNS and allows adding more parameters without breaking the API (#3198)
• Added a source option to newServer() to specify the local address or interface used to contact a downstream server (#3138)
• CNAME and IPv6-only support have been added to spoofed responses (#3064)
• grepq() can be used to search for slow queries, along with topSlow()
• New Lua functions: addDomainCNAMESpoof(), AllowAction() by @bearggg, exceedQRate(), MacAddrAction(), makeRule(), NotRule(), OrRule(), QClassRule(), RCodeAction(), SpoofCNAMEAction(), SuffixMatchNodeRule(), TCPRule(), topSlow()
• NetmaskGroup support have been added in Lua (#3144)
• Added MacAddrAction() to add the source MAC address to the forwarded query (#3313)

Bug fixes

• An issue in DelayPipe could make dnsdist crash at startup
• downstream-timeouts metric was not always updated
• truncateTC was unproperly updating the response length (#3126)
• DNSCrypt responses larger than queries were unproperly truncated
• An issue prevented info message from being displayed in non-verbose mode, fixed by Jan Broer
• Reinstating an expired Dynamic Rule was not correctly logged (#3323)
• Initialized counters in the TCP client thread might have cause FD and memory leak, reported by Martin Pels (#3300)
• We now drop queries containing no question (qdcount == 0) (#3290)
• Outstanding TCP queries count was not always correct (#3288)
• A locking issue in exceedRespGen() might have caused crashs (#3277)
• Useless sockets were created in client mode (#3257)
• addAnyTCRule() was generating TC=1 responses even over TCP (#3251)

Web interface

• Cleanup of the HTML by Sander Hoentjen
• Fixed an XSS reported by @janeczku (#3217)
• Removed remote images
• Set the charset to UTF-8, added some security-related and CORS HTTP headers
• Added server latency by Jan Broer (#3201)
• Switched to official minified versions of JS scripts, by Sander Hoentjen (#3317)
• Don’t log unauthenticated HTTP request as an authentication failure

Various documentation updates and minor cleanups:

• Added documentation for Advanced DNS Protection features (Dynamic rules, maintenance())
• Make topBandwidth() default to the top 10 clients
• Replaced readline with libedit
• Added GPL2 License (#3200)
• Added incbin License (#3269)
• Updated completion rules
• Removed wrong option --daemon-no by Stefan Schmidt

1.0.0-alpha1

Released December 24th 2015

Initial release