[Pdns-users] PowerDNS DNSdist 1.9.4 released

Hello! We released PowerDNS DNSdist 1.9.4 today. This release fixes CVE-2024-25581, a denial of service security issue affecting versions 1.9.0, 1.9.1, 1.9.2 and 1.9.3 only. Earlier versions are not affected. When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and

[Pdns-users] PowerDNS DNSdist 1.9.3 released

Hello! Less than an hour after the release of PowerDNS DNSdist 1.9.2 today, we received reports of DNSdist crashing in some setups. This 1.9.3 release fixes the issue that was introduced in 1.9.2, for now by reverting the related change. Please see the DNSdist website [1] for the changelog

[Pdns-users] PowerDNS DNSdist 1.9.2 released

Hello! We released PowerDNS DNSdist 1.9.2 today. This release fixes several issues: - HTTP/1.1 was wrongly selected over HTTP/2 when a DNS over HTTPS client advertised both HTTP versions in ALPN and listed HTTP/1.1 first, and the nghttp2 provider was used - The first connection to the DNSdist

[Pdns-users] PowerDNS DNSdist 1.9.1 released

Hello! We released PowerDNS DNSdist 1.9.1 today. This version brings no functional changes, and only bumps the version of the Quiche library we use, to incorporate a recent security update [1], fixing CVE-2024-1410 [2] and CVE-2024-1765 [3]. This applies only if you configured incoming DoQ

[Pdns-users] PowerDNS DNSdist 1.9.0

Hello! We are very happy to release PowerDNS DNSdist 1.9.0 today! This new version brings a fair number of new features since 1.8.3: - DNS over QUIC [1] - DNS over HTTP3 - AF_XDP [2] support - the ability to set Extended DNS Error [3] statuses - a cache-miss ratio dynamic block rule -

[Pdns-users] PowerDNS DNSdist 1.9.0-rc1 released

Hello! We are excited to release the first release candidate of what will become PowerDNS DNSdist 1.9.0! The latest addition to DNSdist is AF_XDP[1] support. AF_XDP is a Linux feature optimized for high performance packet processing, allowing DNSdist to process UDP datagrams even faster

[Pdns-users] PowerDNS DNSdist 1.8.3 released

Hello! We are very happy to release PowerDNS DNSdist 1.8.3 today, a maintenance release fixing a few bugs reported since 1.8.2: - The exponential back-off timer used when a carbon server is unreachable had a bug that could lead to a busy-loop, consuming CPU time until the carbon server

[Pdns-users] PowerDNS DNSdist 1.9.0-alpha4 released

Hello! We are thrilled to release the fourth alpha release of what will become PowerDNS DNSdist 1.9.0! The most exciting new feature in this latest alpha is support for DNS over HTTP/3! Like DNS over QUIC for which we announced support in the previous alpha, DNS over HTTP/3 uses QUIC to

Re: [Pdns-users] [EXT] Re: remote backend

On 29/11/2023 01:07, Alexis Fidalgo wrote: Problem is (and i’ve testing with golang and python) after the answer the “initialize” message, the socket is closed, so, getAllDomains message is being sent using a closed socket and that’s why i don’t see it on the responder side and pdns does not

Re: [Pdns-users] correct answer for lookup in backend

Hi, On 29/11/2023 21:23, Alexis Fidalgo via Pdns-users wrote: Quick question, when using JSON/RPC in remote backend with http connector. {"method":"lookup", "parameters":{"qtype":"ANY", "qname":"www.example.com.", "remote":"192.0.2.24", "local":"192.0.2.1", "real-remote":"192.0.2.24",

Re: [Pdns-users] remote backend

Hi! On 28/11/2023 19:59, Alexis Fidalgo via Pdns-users wrote: Sorry about that, yes, this will work locally, meaning the remote responder (my script) will run on the same VM than pdns-auth, so pdns-auth will connect using a unix socket with the responder using remote backend. That actually

Re: [Pdns-users] Blacklist domains

Hi Andrea, On 24/10/2023 15:39, Andrea Biancalani via Pdns-users wrote: yes, it is. Postal Police (or Post Police, don't know how that could be translated in english) it's a branch of the Italian state police which has the task of monitoring crimes on the internet, stemming scams, mitigating

[Pdns-users] PowerDNS DNSdist 1.9.0-alpha3 released

Hello! We are thrilled to release the third alpha release of what will become PowerDNS DNSdist 1.9.0! Let's first address the elephant in the room: the second alpha was never released due to a last-minute issue discovered in RPM packaging after the tag was pushed, so we went to alpha3 right

[Pdns-users] PowerDNS DNSdist 1.7.5 and 1.8.2 released

Hi, Today we have released DNSdist 1.7.5 and 1.8.2, with absolutely no changes with, respectively, 1.7.4 and 1.8.1, apart from the fact that our DNSdist packages have been rebuilt against our own fork [1] of libh2o in order to mitigate CVE-2023-44487 [2], also known as HTTP/2 rapid reset

Re: [Pdns-users] package build instructions

Hi Alex, On 09/10/2023 16:21, Alex Pavlov via Pdns-users wrote: Meanwhile have one question about DoH & DoT implementation in DNSDIST 1.5 and higher. Is written in documentation "...like CertBot, set permissions assuming that services are started as root, which is no longer true for dnsdist

Re: [Pdns-users] DNSdist 1.9.0-alpha1 released dnsdist_server_healthcheckfailurestimeout

Hi Christoph, On 19/09/2023 01:04, Christoph via Pdns-users wrote: We have made a lot of small improvements since 1.8.x as well, like adding Lua bindings to access selectors and actions, more fields of a DNS header in Lua actions, and adding metrics for health-check events. thanks a lot! We

[Pdns-users] PowerDNS DNSdist 1.9.0-alpha1 released

Hello! We are very happy to be releasing the first alpha release of what will become DNSdist 1.9.0! The most important change since 1.8.1 is that incoming DNS over HTTPS requests are now handled by the nghttp2 library, instead of the h2o one. This change should be transparent for most

[Pdns-users] PowerDNS DNSdist 1.8.1 released

Hello! We are very happy to release DNSdist 1.8.1 today, a maintenance release fixing a few bugs reported since 1.8.0: - Several bugs have been fixed in the health-check code, including one issue that could have resulted in some health-check responses to be lost - A crash has been fixed when

[Pdns-users] Third Release Candidate of PowerDNS DNSdist 1.8.0

Hello! We are very happy to release the third candidate of what will become dnsdist 1.8.0! This release contains fixes for several issues that were found in the second release candidate. - #12641: Use the correct source address when harvesting failed - #12639: Fix a race when a

[Pdns-users] Second Release Candidate of PowerDNS DNSdist 1.8.0

Hi! We are very happy to release the second candidate of what will become dnsdist 1.8.0! This release contains fixes for a few issues that were found in the first release candidate, the most important one being that dnsdist was responding from the wrong source IP address in some setups,

[Pdns-users] First release candidate of dnsdist 1.8.0

Hello! We are very happy to release the first candidate of what will become dnsdist 1.8.0! This release contains a significant amount of changes since the last major release, 1.7.0, which was released a bit over a year ago. We try to stick to a major release every six months, but this one

Re: [Pdns-users] troubleshooting dnsdist -> recursor instability

Hi Christoph, On 24/10/2022 01:46, Christoph via Pdns-users wrote: Is this unexpected or not unusual? If unusual: what would be the usual ways to further track this issue down? Clearly unexpected. You might be able to get more information about what is going by setting setVerboseHealthChecks

Re: [Pdns-users] [dnsdist] Dnsdist not reading from the cache

Hi Sami, On 12/09/2022 17:16, SAMI RAHAL via Pdns-users wrote: Thank you very much, i tried with connecting with dnsdist -c and it gives the result of the cache: Entries: 196858/200 Hits: 2255893765 Misses: 363296636 Deferred inserts: 91558 Deferred lookups: 174058 Lookup Collisions:

Re: [Pdns-users] [dnsdist] Dnsdist not reading from the cache

Hi Sami, On 12/09/2022 14:25, SAMI RAHAL via Pdns-users wrote: yes it's weird, because in the web interface it says that the cache is working, here is my configuration Thanks. And how do you collect the output that shows 0 hits and 0 misses? I'm guessing you are connecting to the console via

Re: [Pdns-users] [dnsdist] Dnsdist not reading from the cache

On 09/09/2022 17:38, SAMI RAHAL via Pdns-users wrote: The server is in production it receives requests as shown in this summary Uptime: 17 days, Number of queries: 2326402346 (2385.00 qps), ACL drops: 0, Dynamic drops: 27076173, Rule drops: 6451838 Average response time: 9.40 ms, CPU Usage:

Re: [Pdns-users] [EXT] RE: [EXTERNE]Re: [dnsdist] Dnsdist not reading from the cache

On 09/09/2022 11:34, SAMI RAHAL wrote: Thank you for your answer I test the cache as follows: getPool("resolverTopnet"):getCache():printStats() I get empty values: Entries: 0/200 Hits: 0 Misses: 0 Deferred inserts: 0 Deferred lookups: 0 Lookup Collisions: 0 Insert Collisions: 0 TTL Too

Re: [Pdns-users] [dnsdist] Dnsdist not reading from the cache

Hi, On 07/09/2022 14:02, SAMI RAHAL via Pdns-users wrote: for those running dnsdist I'm wondering is anyone has set up cache. If you have, I'd appreciate pointers in your strategies (and/or some examples?). A lot of installations are using caching in dnsdist, yes. I don't see anything

[Pdns-users] dnsdist 1.7.2 released

Hello! We are very happy to release dnsdist 1.7.2 today, a maintenance release fixing a few bugs reported since 1.7.1: - An unhandled exception could happen when an invalid protocol was used in an incoming DNS over HTTPS forwarded-for header and passed to the backend via the proxy protocol,

[Pdns-users] dnsdist 1.7.1 released

Hello! We are very happy to release dnsdist 1.7.1 today, a maintenance release fixing a few bugs reported since 1.7.0: - A use-after-free error could happen if a network error occurred in the middle of a XFR query, for a proxy-protocol-enabled backend, leading to a crash - The TLS Server

[Pdns-users] dnsdist 1.7.0 released

Hi everyone! We are proud to announce the release of dnsdist 1.7.0. This release contains several new exciting features since 1.6.1, as well as improvements and bug fixes. It contains one single change from the first release candidate, a fix for DynBlockRatioRule::warningRatioExceeded

Re: [Pdns-users] Recursor: Error writing TCP answer - broken pipe

Hi Christoph, On 16/01/2022 11:27, Christoph via Pdns-users wrote: I get about 2000 of these log events per day: pdns-recursor[11727]: Error writing TCP answer to 109.70.100.132:31192: Broken pipe 109.70.100.132 is the IP address of an dnsdist instance. setup: DoH/DoT clients -> dnsdist ->

[Pdns-users] First release release of dnsdist 1.7.0

Hi everyone! We are happy to announce the first release candidate of what will become dnsdist 1.7.0, with only one fix and one improvement since the second beta. We fixed a crash introduced in 1.7.0-alpha1 that could occur when a DoH query was forwarded to a backend over TCP, DoT or DoH and

[Pdns-users] Second beta release of dnsdist 1.7.0

Hi everyone! We are happy to announce the second beta release of dnsdist 1.7.0, with few fixes since the first beta, the most important one being a memory leak when reusing TLS sessions for outgoing DNS over TLS and DNS over HTTPS connections. During that work we stumbled upon a memory leak

[Pdns-users] First beta release of dnsdist 1.7.0

Hi everyone! We are happy to announce the first beta release of dnsdist 1.7.0! We introduced a fair number of improvements and new features since the second alpha, and we will now iron out the documentation and fix any bugs before hopefully releasing the first release candidate very soon.

Re: [Pdns-users] resource-limits metrics

Hi Christoph, On 10/24/21 10:49, Christoph via Pdns-users wrote: while going over the list of prometheus metrics available in PowerDNS Recursor I found this one: resource-limits counts number of queries that could not be performed because of resource limits

[Pdns-users] Second alpha release of dnsdist 1.7.0

Hi everyone, We are happy to announce the second alpha release of dnsdist 1.7.0! We spent quite some time since alpha1 reproducing an issue reported by Stephane Bortzmeyer in our new outgoing DNS over TLS feature. The issue turned out to be triggered by the use of the GnuTLS provider, and to

Re: [Pdns-users] SERVFAIL responses on malformed subdomain query

Hi Thibaud, On 10/14/21 15:52, Thib D via Pdns-users wrote: It seems like pdns auth servers are answering SERVFAIL queries when the subdomain is malformed in the query. It is testable on powerdns.com domain - which I assume is hosted on a pdns-auth backend. [...] I am

[Pdns-users] First alpha release of dnsdist 1.7.0

Hi everyone, We are proud to announce the first alpha release of dnsdist 1.7.0. This release contains several new exciting features, as well as improvements and bug fixes. In our view, the most exciting new feature is the support of outgoing DNS over TLS and DNS over HTTPS, as well as the

[Pdns-users] dnsdist 1.6.1 released

Hello! We are happy to release dnsdist 1.6.1 today, a maintenance release fixing a few bugs reported since 1.6.0: - Adding ECS failed for queries with records in the answer or additional section (Dimitrios Mavrommatis) - The transport was not properly set in dnstap and protobuf messages for

Re: [Pdns-users] Status of dnsdist 1.6.1

Hello! On 8/30/21 2:13 PM, labs--- via Pdns-users wrote: I tried the 1.6.0.38 version but the problem still exists. I can see that you backported the patch 29 days ago but the 1.6.0.38 package is dated 18th may 2021. Does this version really contain the patch? Perhaps there should be newer

Re: [Pdns-users] recursor: Possible bug in accepting / rejecting additional answers?

Hi, I think I have to clarify a bit here. The first question was why the recursor doesn't accept the A records from the delegated name server’s response. For the record I believe we are talking about this response, received from one of the servers returned in the delegation from one of the

Re: [Pdns-users] Status of dnsdist 1.6.1

Hi Oliver, On 8/27/21 5:36 PM, labs--- via Pdns-users wrote: there is a bug in handling notify packages in dnsdist which will be fixed in versions 1.6.1/.1.7: https://github.com/PowerDNS/pdns/pull/10419 I am longingly waiting for these releases because we use dnsdist in front of

Re: [Pdns-users] Injection Attacks Reloaded: Validating hostnames?

Hi Christoph, On 8/14/21 1:11 PM, Christoph via Pdns-users wrote: We were wondering if there is an easy way in Recursor's configuration to enable validation of hostnames similar to their python proof of concept [4]? We don't have such an option at the moment, although it would not be too

[Pdns-users] dnsdist 1.6.0 released

Hello! We are proud to announce the final release of dnsdist 1.6.0, with no changes since the second release candidate. Compared to 1.5.x, this release contains several new exciting features, as well as improvements and bug fixes. In our view, the most exciting new feature is the support of

[Pdns-users] dnsdist 1.5.2 released

Hi everyone! We are happy to release dnsdist 1.5.2 today, a maintenance release fixing a few bugs reported since 1.5.1: - A typo in prometheus metrics dnsdist_frontend_tlshandshakefailures (AppliedPrivacy) - A hang when removing a server with more than one socket - SNI availability on resumed

[Pdns-users] Second release candidate for dnsdist 1.6.0

Hi everyone, We are happy to announce the second release candidate of what should become dnsdist 1.6.0. This release contains very few changes since the first release candidate, and thanks to the great feedback we received on previous versions we expect to be able to release 1.6.0 final very

[Pdns-users] First release candidate for dnsdist 1.6.0

Hi everyone, We are happy to announce the first release candidate of what should become dnsdist 1.6.0. This release contains very few changes since the third alpha: - Add missing getEDNSOptions and getDO bindings for DNSResponse - Fix some issues reported by Thread Sanitizer - Lua: don’t destroy

Re: [Pdns-users] ECS not using proxied client IP?

Hi Mark, On 4/17/21 12:37 AM, Nejedlo, Mark via Pdns-users wrote: Using the same dnsdist/pdns_recursor setup as the previous, but with “ecs-add-for=0.0.0.0/0, ::/0" added to the configuration,  I see ECS with ::/56 as the client subnet.  Since dnsdist is using

Re: [Pdns-users] CPU consumption of pdns_recursor

Hi, On 4/6/21 6:25 PM, Nejedlo, Mark via Pdns-users wrote: On Tuesday, April 6, 2021 10:04 AM, Remi Gacogne wrote: On 4/6/21 4:18 PM, Nejedlo, Mark via Pdns-users wrote: Would additional distributor threads really cause additional worker CPU usage? That could happen if they have to fight

Re: [Pdns-users] CPU consumption of pdns_recursor

On 4/6/21 4:18 PM, Nejedlo, Mark via Pdns-users wrote: Would additional distributor threads really cause additional worker CPU usage? That could happen if they have to fight for the incoming socket. Do you have reuseport=yes in your configuration? Does the maintenance function block the

Re: [Pdns-users] CPU consumption of pdns_recursor

Hi, On 4/6/21 8:35 AM, Otto Moerbeek via Pdns-users wrote: On Mon, Apr 05, 2021 at 05:30:11PM +, Nejedlo, Mark via Pdns-users wrote: Some thoughts: 2 distributior thread feels a bit overkill, 1 distributor thread should be able to feed 8 workers. Did you do measurements to come to this

[Pdns-users] Third Alpha Release of DNSDist 1.6.0

Hi everyone, We are happy to announce the third alpha release of dnsdist 1.6.0. This release contains a few fixes for issues reported in the second release candidate: - DNS over HTTPS queries with a non-zero ID were not properly handled. Very few DoH clients actually send an ID with a value

[Pdns-users] Second alpha release of dnsdist 1.6.0

Hello everyone, We are happy to announce the second alpha release of dnsdist 1.6.0. This release contains mostly fixes for issues reported in the first release candidate: - A race condition was found to sometimes occur at startup, making it possible for the first TCP connection to happen

[Pdns-users] First alpha release of dnsdist 1.6.0

Hello! We are proud to announce the first alpha release of dnsdist 1.6.0. This release contains several new exciting features, as well as improvements and bug fixes. In our view, the most exciting new feature is the support of out-of-order processing for TCP and DNS over TLS connections.

[Pdns-users] DNSDist 1.5.1 released

Hello everyone, This release fixes a few issues discovered since 1.5.0: - the thread handling responses sent from a backend was not stopped when that backend was removed ; - getEDNSOptions() would throw an exception for queries with an empty additional section but records in the answer or

Re: [Pdns-users] PowerDNS Recursor build fails on openSUSE Tumbleweed/Factory (gcc 10)

Hi Michael, On 9/8/20 11:39 AM, Michael Ströder via Pdns-users wrote: > Currently building PowerDNS Recursor fails building on openSUSE > Tumbleweed/Factory: > > https://build.opensuse.org/package/live_build_log/home:stroeder:branches:server:dns/pdns-recursor/openSUSE_Tumbleweed/x86_64 > >

[Pdns-users] dnsdist 1.5.0 released

Hello everyone, After four release candidates, we are thrilled to announce the final release of dnsdist 1.5.0! This new release contains several new exciting features and a few breaking changes since 1.4.0, so please read the upgrade guide if you are upgrading from 1.4.0 or earlier. We described

[Pdns-users] Fourth release candidate for dnsdist 1.5.0

Hello everyone, While we expected the third release candidate for dnsdist 1.5.0 to be the last one, a race condition that could lead to a crash was discovered by Tomas Krizek from CZ.NIC with the DNS Shotgun tool, leading to a new release candidate. This new release candidate has no changes

[Pdns-users] Third release candidate for dnsdist 1.5.0

Hello everyone, We are very happy to announce the third release candidate of dnsdist 1.5.0. 1.5.0 contains several new exciting features and a few breaking changes since 1.4.0 that were detailed in the announcement [1] of alpha1. If you upgrade from 1.4.0, please see the upgrade guide [2] for

Re: [Pdns-users] why CAP_CHOWN?

Hi Michael, On 5/16/20 10:43 PM, Michael Ströder via Pdns-users wrote: > On 5/16/20 10:25 PM, bert hubert wrote: >> On Sat, May 16, 2020 at 08:42:21PM +0200, Michael Ströder via Pdns-users >> wrote: >>> But I wonder why CAP_CHOWN is set in CapabilityBoundingSet= and >>> AmbientCapabilities= and

Re: [Pdns-users] recursor fail to resolve

On 5/1/20 10:31 PM, Sergio Cesar via Pdns-users wrote: > Thus the question remains: what do I need to change in the recursor > configuration to make it work as bind does and resolve even tough it > looks like an issue at their end? I don't know how bind does resolve but we are doing the right

[Pdns-users] First release candidate for dnsdist 1.5.0

Hello everyone, We are very happy to announce the first release candidate of dnsdist 1.5.0. 1.5.0 contains several new exciting features and a few breaking changes since 1.4.0 that were detailed in the announcement of alpha1 [1]. If you upgrade from 1.4.0, please see the upgrade guide [2] for

Re: [Pdns-users] servfail-packets>0 but no data in servfail-queries ring buffer

Hi Martin, On 4/9/20 9:56 AM, Martin Kellermann via Pdns-users wrote: > I’m facing the fact, that sometimes the servfail-packets counter > increases and i would debug this and find the reason why PowerDNS sends > out a „servfail“ packet. > > Actually today the counter increased from 0 to 2 and i

[Pdns-users] First alpha release of dnsdist 1.5.0

Hello everyone, We are very happy to announce the 1.5.0 alpha 1 release of dnsdist. This version contains several new exciting features detailed below, but also a few breaking changes so please take the time to read the next section. Your feedback will be much appreciated so we can deliver a

Re: [Pdns-users] dns update across dnsdist

On 2/11/20 12:39 PM, Marc Boisis via Pdns-users wrote: > My dnsdist version is 1.3.3 and authoritative is 4.2.0 Thanks! > I've found a diff with wireshark, before dnsdist I have just one > aditional record containing the TSIG > after dnsdist I have two additional records (TSIG and OPT with

Re: [Pdns-users] dns update across dnsdist

Hi Marc, On 2/10/20 10:42 PM, Marc Boisis via Pdns-users wrote: > Here is my config: > [isc-dhcp] dns update>[dnsdist--->pdns authoritative] > the isc dhcp server(v4.4.2) send a dns update query with a tsig > key(hmac-md5). (I see it with tcpdump/wireshark). > When the authoritative get