Table of Contents

• dnsdist Overview
  • Running dnsdist
  • Questions, requests or comments?
• Installing dnsdist
  • Installing from Packages
    • Debian
    • Red Hat
    • FreeBSD
  • Installing from Source
    • From tarball
    • From git
    • OS Specific Instructions
    • Build options
• Quickstart Guide
  • Running in the Foreground
  • dnsdist Console and Configuration
    • Changing Server Settings
  • Restricting Access
  • Securing the path to the backend
  • More Information
• Running and Configuring dnsdist
  • Running as unprivileged user
  • Understanding how queries are forwarded to backends
• Packet Policies
  • Packet Actions
    • Examples
  • Managing Rules
• Statistics
  • acl-drops
  • cache-hits
  • cache-misses
  • cpu-iowait
  • cpu-steal
  • cpu-sys-msec
  • cpu-user-msec
  • doh-query-pipe-full
  • doh-response-pipe-full
  • doq-response-pipe-full
  • downstream-send-errors
  • downstream-timeouts
  • dyn-block-nmg-size
  • dyn-blocked
  • empty-queries
  • fd-usage
  • frontend-noerror
  • frontend-nxdomain
  • frontend-servfail
  • latency-avg100
  • latency-avg1000
  • latency-avg10000
  • latency-avg1000000
  • latency-bucket
  • latency-count
  • latency-doh-avg100
  • latency-doh-avg1000
  • latency-doh-avg10000
  • latency-doh-avg1000000
  • latency-doq-avg100
  • latency-doq-avg1000
  • latency-doq-avg10000
  • latency-doq-avg1000000
  • latency-dot-avg100
  • latency-dot-avg1000
  • latency-dot-avg10000
  • latency-dot-avg1000000
  • latency-slow
  • latency-sum
  • latency-tcp-avg100
  • latency-tcp-avg1000
  • latency-tcp-avg10000
  • latency-tcp-avg1000000
  • latency0-1
  • latency1-10
  • latency10-50
  • latency50-100
  • latency100-1000
  • no-policy
  • noncompliant-queries
  • noncompliant-responses
  • outgoing-doh-query-pipe-full
  • proxy-protocol-invalid
  • queries
  • rdqueries
  • real-memory-usage
  • responses
  • rule-drop
  • rule-nxdomain
  • rule-refused
  • rule-servfail
  • rule-truncated
  • security-status
  • self-answered
  • servfail-responses
  • tcp-cross-protocol-query-pipe-full
  • tcp-cross-protocol-response-pipe-full
  • tcp-listen-overflows
  • tcp-query-pipe-full
  • trunc-failures
  • udp-in-csum-errors
  • udp-in-errors
  • udp-noport-errors
  • udp-recvbuf-errors
  • udp-sndbuf-errors
  • udp6-in-csum-errors
  • udp6-in-errors
  • udp6-noport-errors
  • udp6-recvbuf-errors
  • udp6-sndbuf-errors
  • uptime
• Caching Responses
• Exporting statistics via Carbon
  • Setting up a carbon export
  • Query counters
• Working with the dnsdist Console
• DNS-over-HTTP/3 (DoH3)
  • Incoming
    • Advertising DNS over HTTP/3 support
• DNS-over-HTTPS (DoH)
  • Incoming
    • Advertising DNS over HTTP/3 support
    • Custom responses
    • DNS over HTTP
    • HTTP/1 support
    • Internal design
    • Investigating issues
  • Outgoing
    • Internal design
• DNS-over-QUIC (DoQ)
  • Incoming
• DNS-over-TLS
  • Incoming
  • Outgoing
  • Investigating issues
• DNSCrypt
• Configuring Downstream Servers
  • Healthcheck
    • Lazy health-checking
  • Source address selection
  • Securing the channel
  • Securing the path to the backend
• Dynamic Rule Generation
  • DynBlockRulesGroup
  • Rate rules and size of the ring buffers
• Guides
  • Working with the dnsdist Console
  • Caching Responses
  • Built-in webserver
    • Security of the Webserver
    • dnsdist API
  • Configuring Downstream Servers
    • Healthcheck
    • Source address selection
    • Securing the channel
    • Securing the path to the backend
  • Server pools
  • Loadbalancing and Server Policies
    • Built-in Policies
    • Lua server policies
    • ServerPolicy Objects
    • Functions
  • Exporting statistics via Carbon
    • Setting up a carbon export
    • Query counters
  • DNS-over-HTTPS (DoH)
    • Incoming
    • Outgoing
  • DNS-over-HTTP/3 (DoH3)
    • Incoming
  • DNS-over-QUIC (DoQ)
    • Incoming
  • DNS-over-TLS
    • Incoming
    • Outgoing
    • Investigating issues
  • DNSCrypt
• Server pools
• Loadbalancing and Server Policies
  • Built-in Policies
    • leastOutstanding
    • firstAvailable
    • wrandom
    • whashed
    • chashed
    • roundrobin
  • Lua server policies
  • ServerPolicy Objects
  • Functions
• Built-in webserver
  • Security of the Webserver
  • dnsdist API
    • URL Endpoints
    • JSON Objects
• Advanced Topics
  • Access Control
    • Listening on different addresses
    • Modifying the ACL
  • Passing the source address to the backend
    • Proxy Protocol
    • Using EDNS Client Subnet
    • X-Proxied-For
    • Influence on caching
  • TeeAction: copy the DNS traffic stream
  • Lua actions in rules
  • Runtime-modifiable IP address sets
  • Rules for traffic exceeding QPS limits
  • eBPF Socket Filtering
    • Requirements
    • External program, maps and XDP filtering
  • Performance Tuning
    • UDP and incoming DNS over HTTPS
    • AF_XDP / XSK
    • UDP buffer sizes
    • Outgoing DoH
    • TCP and DNS over TLS
    • TLS performance
    • DNS over QUIC
    • Rules and Lua
    • Lock contention and sharding
    • Memory usage
    • Firewall connection tracking
    • Network interface receive queues
  • SNMP support
  • AXFR, IXFR and NOTIFY
    • In front of primaries
    • In front of secondaries
  • Running multiple instances
    • Using systemd
  • Out-of-order
  • OCSP Stapling
    • Local PKI
    • Certificate signed by an external authority
    • Testing
  • TLS Certificates Management
    • Password-protected PKCS12 files
    • Reloading certificates
    • TLS sessions
    • OCSP stapling
  • TLS Sessions Management
    • TLS sessions
    • Keys management for incoming connections in dnsdist
    • Content of the STEK file
    • Sessions management for outgoing connections
  • Internal Design
    • UDP design
    • TCP / DoT design
    • DNS over HTTP/2 design
    • DNS over HTTP/3 design
    • DoQ design
  • Asynchronous processing
  • AF_XDP / XSK
    • Performance
    • Running under systemd
  • EDNS Client Subnet Zero Scope
• Reference Guides
  • Rule Actions
  • Configuration Reference
    • Functions and Types
    • Global configuration
    • Servers
    • Pools
    • Client State
    • Status, Statistics and More
    • Dynamic Blocks
    • Outgoing TLS tickets cache management
    • Other functions
  • Constants
    • OPCode
    • DNSClass
    • RCode
    • EDNSOptionCode
    • DNS Packet Sections
    • DNSAction
    • DNSQType
    • DNSResponseAction
  • ComboAddress
  • Netmask
  • NetmaskGroup
  • DNSName objects
    • Functions and methods of a DNSName
  • DNSNameSet objects
    • Functions and methods of a DNSNameSet
  • The DNSQuestion (dq) object
  • DNSResponse object
  • DNSHeader (dh) object
  • EDNSOptionView object
  • AsynchronousObject object
  • eBPF functions and objects
  • DNSCrypt objects and functions
    • Certificates
    • Certificate Pairs
    • Context
  • DNS Parser
    • DNSPacketOverlay
  • DNSRecord object
  • Protobuf Logging Reference
  • dnstap Logging Reference
  • Carbon export
  • SNMP reporting
  • Tuning related functions
  • Key Value Store functions and objects
  • Logging
  • Webserver-related objects
  • Rules management
    • Incoming queries
    • Cache misses
    • Responses
    • Cache hits
    • Cache inserted
    • Self-answered responses
    • XFR
    • Convenience Functions
  • Rule selectors
    • Combining Rules
    • Objects
  • SVCRecordParameters
  • Custom Metrics
  • XSK / AF_XDP functions and objects
• Manual Pages
  • dnsdist
    • Synopsis
    • Description
    • Scope
    • Options
    • Bugs
    • Resources
• Changelog
  • 1.9.8
    • Improvements
    • Bug Fixes
  • 1.9.7
    • New Features
    • Improvements
    • Bug Fixes
  • 1.8.4
    • Bug Fixes
  • 1.9.6
    • New Features
    • Improvements
    • Bug Fixes
  • 1.9.5
    • New Features
    • Bug Fixes
  • 1.9.4
    • Improvements
    • Bug Fixes
  • 1.9.3
    • Bug Fixes
  • 1.9.2
    • Improvements
    • Bug Fixes
  • 1.9.1
    • Bug Fixes
  • 1.9.0
    • Improvements
    • Bug Fixes
  • 1.9.0-rc1
    • New Features
    • Improvements
    • Bug Fixes
  • 1.8.3
    • Improvements
    • Bug Fixes
  • 1.9.0-alpha4
    • New Features
    • Improvements
    • Bug Fixes
  • 1.9.0-alpha3
    • New Features
    • Improvements
    • Bug Fixes
    • misc
  • 1.9.0-alpha2
  • 1.8.2
    • Bug Fixes
  • 1.7.5
    • Bug Fixes
  • 1.9.0-alpha1
    • New Features
    • Improvements
    • Removals
  • 1.8.1
    • New Features
    • Improvements
    • Bug Fixes
  • 1.7.4
    • New Features
    • Bug Fixes
  • 1.8.0
    • Bug Fixes
  • 1.8.0-rc3
    • Improvements
    • Bug Fixes
  • 1.8.0-rc2
    • Improvements
    • Bug Fixes
  • 1.8.0-rc1
    • New Features
    • Improvements
    • Bug Fixes
    • Removals
  • 1.7.3
    • Improvements
  • 1.7.2
    • Improvements
    • Bug Fixes
  • 1.7.1
    • Improvements
    • Bug Fixes
  • 1.7.0
    • Bug Fixes
  • 1.7.0-rc1
    • Improvements
    • Bug Fixes
  • 1.7.0-beta2
    • Improvements
    • Bug Fixes
  • 1.7.0-beta1
    • New Features
    • Improvements
    • Bug Fixes
  • 1.7.0-alpha2
    • New Features
    • Improvements
    • Bug Fixes
  • 1.7.0-alpha1
    • New Features
    • Improvements
    • Bug Fixes
  • 1.6.1
    • New Features
    • Bug Fixes
  • 1.6.0
  • 1.5.2
    • Bug Fixes
  • 1.6.0-rc2
    • Improvements
    • Bug Fixes
  • 1.6.0-rc1
    • Improvements
    • Bug Fixes
  • 1.6.0-alpha3
    • Improvements
    • Bug Fixes
  • 1.6.0-alpha2
    • New Features
    • Improvements
    • Bug Fixes
  • 1.6.0-alpha1
    • New Features
    • Improvements
    • Bug Fixes
    • Removals
  • 1.5.1
    • Improvements
    • Bug Fixes
  • 1.5.0
    • Improvements
    • Bug Fixes
  • 1.5.0-rc4
    • Bug Fixes
  • 1.5.0-rc3
    • New Features
    • Improvements
    • Bug Fixes
  • 1.5.0-rc2
    • Improvements
    • Bug Fixes
  • 1.5.0-rc1
    • Improvements
    • Bug Fixes
  • 1.5.0-alpha1
    • New Features
    • Improvements
    • Bug Fixes
  • 1.4.0
    • Improvements
    • Bug Fixes
    • misc
  • 1.4.0-rc5
    • Improvements
    • Bug Fixes
  • 1.4.0-rc4
    • New Features
    • Improvements
    • Bug Fixes
  • 1.4.0-rc3
    • Improvements
    • Bug Fixes
  • 1.4.0-rc2
    • New Features
    • Improvements
    • misc
  • 1.4.0-rc1
    • New Features
    • Improvements
    • Bug Fixes
  • 1.4.0-beta1
    • New Features
    • Improvements
    • Bug Fixes
  • 1.4.0-alpha2
    • New Features
    • Improvements
    • Bug Fixes
  • 1.4.0-alpha1
    • New Features
    • Improvements
    • Bug Fixes
  • 1.3.3
    • New Features
    • Improvements
    • Bug Fixes
  • 1.3.2
    • Bug Fixes
  • 1.3.1
    • New Features
    • Improvements
    • Bug Fixes
  • 1.3.0
    • New Features
    • Improvements
    • Bug Fixes
    • Removals
  • 1.2.1
    • New Features
    • Improvements
    • Bug Fixes
  • 1.2.0
    • New Features
    • Improvements
    • Bug Fixes
    • Removals
    • misc
  • 1.1.0
    • Improvements
    • Bug fixes
  • 1.1.0-beta2
    • New features
    • Improvements
    • Bug fixes
  • 1.1.0-beta1
    • New features
    • Improvements
    • Bug fixes
  • 1.0.0
    • Improvements
    • Bug fixes
  • 1.0.0-beta1
    • New features
    • Improvements
    • Bug fixes
  • 1.0.0-alpha2
    • New features
    • Bug fixes
    • Web interface
    • Various documentation updates and minor cleanups:
  • 1.0.0-alpha1
• Upgrade Guide
  • 1.8.x to 1.9.0
  • 1.7.x to 1.8.0
  • 1.7.0 to 1.7.1
  • 1.6.x to 1.7.0
  • 1.5.x to 1.6.0
  • 1.4.x to 1.5.0
  • 1.3.x to 1.4.0
  • 1.3.2 to 1.3.3
  • 1.2.x to 1.3.x
  • 1.1.0 to 1.2.0
• Security Advisories
  • PowerDNS Security Advisory 2024-03: Transfer requests received over DoH can lead to a denial of service in DNSdist
  • PowerDNS Security Advisory for dnsdist 2018-08: Record smuggling when adding ECS or XPF
  • PowerDNS Security Advisory 2017-02 for dnsdist: Alteration of ACLs via API authentication bypass
  • PowerDNS Security Advisory 2017-01 for dnsdist: Crafted backend responses can cause a denial of service
• PowerDNS Security Policy
  • YesWeHack
  • Disclosure Policy
• Glossary
• PowerDNS/dnsdist license
• End of life statements