Hello,

(via: https://blog.powerdns.com/2019/04/12/first-alpha-release-of-dnsdist-1-4-0/ )

We are very happy to announce the 1.4.0 alpha 1 release of dnsdist. This 
version contains a few new features, but is mostly focused on DNS privacy 
improvements. We are introducing a new, much more scalable way of handling DNS 
over TCP and DNS over TLS connections. It will be followed quite quickly by a 
new alpha including experimental DNS over HTTPS support.

In older versions of dnsdist, a TCP worker could only handle one incoming 
connection at a time, which was not very efficient when dealing with a larger 
number of mostly inactive connections, as we are beginning to see with DNS over 
TLS. Starting with this release, TCP workers are now event-based and each one 
of them can handle a very large number of incoming connections simultaneously.

Your feedback will be much appreciated so we can deliver a stable 1.4.0 final 
release!

# Important changes

We took the opportunity of this new release to clean up a few things that might 
require updating your existing configuration. First, the number of parameters 
to the `newPacketCache` command was getting out of hand, so we switched it to a 
table-based syntax as we already did with `newServer` a while ago.

`addLuaAction` and `addLuaResponseAction` have been removed. Instead, use 
`addAction` with a `LuaAction`, or `addResponseAction` with a 
`LuaResponseAction`.

Lua constants for DNS response codes and QTypes have been moved from the 
`dnsdist` prefix to the `DNSRCode` and `DNSQType` prefixes, respectively.
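The three configuration changes above (table-based `newPacketCache`, `LuaAction` in place of `addLuaAction`, and the moved constants) side by side in a before/after dnsdist configuration. This is an added example, not code from the announcement or from the dnsdist project; the option names inside the `newPacketCache` table and the pre-1.4 `dnsdist.*` constant names are taken from the dnsdist documentation as remembered here and should be checked against the 1.4.0 reference for your build. Addresses and counters are constructed.

```lua
-- Added example: migrating a 1.3.x dnsdist configuration to the 1.4.0 alpha 1
-- syntax. Option names in the table below are assumptions to verify against
-- the 1.4.0 documentation.

setLocal("127.0.0.1:5300")                 -- constructed listen address
newServer({address = "192.0.2.53"})         -- constructed backend

-- Packet cache.
-- 1.3.x positional form (kept for reference only):
--   pc = newPacketCache(10000, 86400, 0, 60, 60)
-- 1.4.0: only the maximum number of entries stays positional; everything
-- else moves into an options table, as newServer already does.
pc = newPacketCache(10000, {
  maxTTL = 86400,            -- never keep an answer longer than a day
  minTTL = 0,
  temporaryFailureTTL = 60,  -- SERVFAIL/REFUSED answers are cached briefly
  staleTTL = 60,             -- serve stale data this long if backends are down
  dontAge = false,
  numberOfShards = 1
})
getPool(""):setCache(pc)

-- Lua query action.
-- 1.3.x:  addLuaAction(AllRule(), function(dq) ... end)
-- 1.4.0:  wrap the function in LuaAction and register it with addAction.
function refuseAny(dq)
  -- Constants moved: dnsdist.ANY -> DNSQType.ANY
  if dq.qtype == DNSQType.ANY then
    return DNSAction.Refused, ""
  end
  return DNSAction.None, ""
end
addAction(AllRule(), LuaAction(refuseAny))

-- Lua response action.
-- 1.3.x:  addLuaResponseAction(AllRule(), function(dr) ... end)
-- 1.4.0:  wrap the function in LuaResponseAction, register with addResponseAction.
nxdomainSeen = 0
function countNxdomain(dr)
  -- Constants moved: dnsdist.NXDOMAIN -> DNSRCode.NXDOMAIN
  if dr.rcode == DNSRCode.NXDOMAIN then
    nxdomainSeen = nxdomainSeen + 1
  end
  return DNSResponseAction.None, ""
end
addResponseAction(AllRule(), LuaResponseAction(countNxdomain))
```

Validate the file before restarting the service with `dnsdist --check-config -C dnsdist.conf`; a leftover `addLuaAction` call or a positional `newPacketCache` will be reported there rather than at start-up under load.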

To improve security, all ambient capabilities are now dropped after the startup 
phase, which might prevent launching the webserver on a privileged port at 
run-time, or impact some custom Lua code. In addition, systemd’s sandboxing 
features are now determined at compile-time, resulting in more restrictions on 
recent distributions. See pull requests 7138[1] and 6634[2] for more 
information.

And finally, if you are compiling dnsdist, note that several `./configure` 
options have been renamed to provide a more consistent experience. Features 
that depend on an external component have been prefixed with `--with` while 
internal features use `--enable`. This has led to the following changes:

    - `--enable-fstrm` to `--enable-dnstap`
    - `--enable-gnutls` to `--with-gnutls`
    - `--enable-libsodium` to `--with-libsodium`
    - `--enable-libssl` to `--with-libssl`
    - `--enable-re2` to `--with-re2`

# New features and improvements

Dynamic blocks and Lua rules can now use the `NoRecurse` action, thanks to 
phonedph1.

Richard Gibson added the possibility to inspect and alter trailing data.

Dmitry Alenichev implemented new rules and actions to deal with unexpected EDNS 
versions, and to optionally accept completely empty (`qdcount=0`) responses 
from a backend.

Andrey Domas added the new `QNameSetRule` rule, along with the `DNSNameSet` 
object, to match exact qnames instead of doing suffix matching.

The health check mechanism has been improved with the new `checkInterval`, 
`checkTimeout` and `rise` parameters, thanks notably to “1848”.
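The `NoRecurse` action, the `QNameSetRule`/`DNSNameSet` pair and the new health-check parameters from the paragraphs above, together in one configuration. This is an added example and not code from the announcement or the dnsdist project; addresses, names and thresholds are constructed, and the parameter names (`checkInterval`, `checkTimeout`, `rise`, `maxCheckFailures`, `checkName`) and the `maintenance()` hook are used as documented for dnsdist 1.4.0 as remembered here, so check them against the reference for your build.

```lua
-- Added example: exercising the 1.4.0 alpha 1 features listed above.
-- Values are constructed; parameter names are assumptions to verify.

-- Backend with the new health-check tuning: probe every 5 seconds, treat a
-- probe as failed after 1000 ms, mark the server down after 3 consecutive
-- failures and, to avoid flapping, only mark it up again after 2
-- consecutive successes (rise).
newServer({
  address = "192.0.2.53",
  checkInterval = 5,
  checkTimeout = 1000,
  maxCheckFailures = 3,
  rise = 2,
  checkName = "a.root-servers.net."
})

-- Exact-match set of names: QNameSetRule matches the qname itself, not its
-- children, so sub.tracker.example. below is NOT caught (suffix matching
-- would need SuffixMatchNodeRule instead).
blockedNames = newDNSNameSet()
blockedNames:add(newDNSName("tracker.example."))
blockedNames:add(newDNSName("ads.example."))
addAction(QNameSetRule(blockedNames), RCodeAction(DNSRCode.NXDOMAIN))

-- Dynamic block that degrades instead of dropping: clients exceeding 30 q/s
-- averaged over the last 10 s keep getting answers for 60 s, but with the RD
-- bit cleared, so the backend only serves what it has authoritatively or
-- cached. dnsdist calls maintenance() once per second when it is defined.
function maintenance()
  addDynBlocks(exceedQRate(30, 10), "Exceeded query rate", 60, DNSAction.NoRecurse)
end

-- The same verdict is available from a Lua rule: here UDP ANY queries are
-- forwarded without recursion instead of being refused outright.
addAction(AndRule({QTypeRule(DNSQType.ANY), TCPRule(false)}),
  LuaAction(function(dq)
    return DNSAction.NoRecurse, ""
  end))
```

The exact-match set is the point of `QNameSetRule`: a long list of `QNameRule` entries is scanned linearly per query, while the set is a single lookup, so it scales to large blocklists without adding per-query latency.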

We added a few convenience functions to pseudonymize IP addresses, as several 
users reported that they needed it to be GDPR-compliant.

We noticed that, on some specific versions of the Linux kernel, the code we 
used to measure our memory usage could be quite expensive so we switched to an 
alternative, cheaper method. You might notice that the memory usage reported by 
this new version does not exactly match the one reported by older versions, but 
it should be close enough.

Finally the cost of exporting queries and responses using our remote logging 
solution based on protobuf has been reduced by a huge margin. System calls that 
used to be cheap before the Spectre and Meltdown mitigations were introduced 
are now having a very visible impact, and we designed a new way of sending 
messages to work around that.

Please see the dnsdist website for the more complete changelog[3] and the 
current documentation[4].

Release tarballs are available on the downloads website[5].

Several packages are also available on our repository[6]. Please be aware that 
we have enabled a few additional features in our packages, like DNS over TLS 
and DNSTap support, on distributions where the required dependencies were 
available.

[1] https://github.com/PowerDNS/pdns/pull/7138
[2] https://github.com/PowerDNS/pdns/pull/6634
[3] https://dnsdist.org/changelog.html#change-1.4.0-alpha1
[4] https://dnsdist.org/
[5] https://downloads.powerdns.com/releases/dnsdist-1.4.0-alpha1.tar.bz2
[6] https://repo.powerdns.com/
-- 
Erik Winkels
PowerDNS.COM BV -- https://www.powerdns.com


_______________________________________________
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
