List: pdns-users
Subject: [Pdns-users] dnsdist 1.4.0 alpha 1 released
From: Erik Winkels via Pdns-users <pdns-users () mailman ! powerdns ! com>
Date: 2019-04-12 10:01:57
Message-ID: 896482230.62.1555063317858 () appsuite-dev-guard ! open-xchange ! com
Hello,
(via: https://blog.powerdns.com/2019/04/12/first-alpha-release-of-dnsdist-1-4-0/ )
We are very happy to announce the 1.4.0 alpha 1 release of dnsdist. This version contains a few new features, but is mostly focused on DNS privacy improvements. We are introducing a new, much more scalable way of handling DNS over TCP and DNS over TLS connections. It will be followed quite quickly by a new alpha including experimental DNS over HTTPS support.
In older versions of dnsdist, a TCP worker could only handle one incoming connection at a time, which was not very efficient when dealing with a larger number of mostly inactive connections, as we are beginning to see with DNS over TLS. Starting with this release, TCP workers are now event-based and each one of them can handle a very large number of incoming connections simultaneously.
Your feedback will be much appreciated so we can deliver a stable 1.4.0 final release!
# Important changes
We took the opportunity of this new release to clean up a few things that might require updating your existing configuration. First, the number of parameters to the `newPacketCache` command was getting out of hand, so we switched it to a table-based syntax as we already did with `newServer` a while ago.
`addLuaAction` and `addLuaResponseAction` have been removed. Instead, use `addAction` with a `LuaAction`, or `addResponseAction` with a `LuaResponseAction`.
Lua constants for DNS response codes and QTypes have been moved from the `dnsdist` prefix to, respectively, the `DNSQType` and `DNSRCode` prefixes.
To improve security, all ambient capabilities are now dropped after the startup phase, which might prevent launching the webserver on a privileged port at run-time, or impact some custom Lua code. In addition, systemd's sandboxing features are now determined at compile-time, resulting in more restrictions on recent distributions. See pull requests 7138[1] and 6634[2] for more information.
And finally, if you are compiling dnsdist, note that several `./configure` options have been renamed to provide a more consistent experience. Features that depend on an external component have been prefixed with `--with` while internal features use `--enable`. This has led to the following changes:
- `--enable-fstrm` to `--enable-dnstap`
- `--enable-gnutls` to `--with-gnutls`
- `--enable-libsodium` to `--with-libsodium`
- `--enable-libssl` to `--with-libssl`
- `--enable-re2` to `--with-re2`
# New features and improvements
Dynamic blocks and Lua rules can now use the `NoRecurse` action, thanks to phonedph1.
Richard Gibson added the possibility to inspect and alter trailing data.
Dmitry Alenichev implemented new rules and actions to deal with unexpected EDNS versions, and to optionally accept completely empty (`qdcount=0`) responses from a backend.
Andrey Domas added the new `QNameSetRule` rule, along with the `DNSNameSet` object, to match exact qnames instead of doing suffix matching.
The health check mechanism has been improved with the new `checkInterval`, `checkTimeout` and `rise` parameters, thanks notably to "1848".
We added a few convenience functions to pseudonymize IP addresses, as several users reported that they needed it to be GDPR-compliant.
We noticed that, on some specific versions of the Linux kernel, the code we used to measure our memory usage could be quite expensive so we switched to an alternative, cheaper method. You might notice that the memory usage reported by this new version does not exactly match the one reported by older versions, but it should be close enough.
Finally, the cost of exporting queries and responses using our remote logging solution based on protobuf has been reduced by a huge margin. System calls that used to be cheap before the Spectre and Meltdown mitigations were introduced are now having a very visible impact, and we designed a new way of sending messages to work around that.
Please see the dnsdist website for the more complete changelog[3] and the current documentation[4].
Release tarballs are available on the downloads website[5].
Several packages are also available on our repository[6]. Please be aware that we have enabled a few additional features in our packages, like DNS over TLS and DNSTap support, on distributions where the required dependencies were available.
[1] https://github.com/PowerDNS/pdns/pull/7138
[2] https://github.com/PowerDNS/pdns/pull/6634
[3] https://dnsdist.org/changelog.html#change-1.4.0-alpha1
[4] https://dnsdist.org/
[5] https://downloads.powerdns.com/releases/dnsdist-1.4.0-alpha1.tar.bz2
[6] https://repo.powerdns.com/
--
Erik Winkels
PowerDNS.COM BV -- https://www.powerdns.com
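
The configuration and build changes listed under "Important changes" can be checked for mechanically before upgrading. The following is an added example, not part of the original announcement and not PowerDNS code: a small Python pre-upgrade check whose regular expressions are heuristics, whose function names are hypothetical, and whose sample configuration is constructed.

```python
import re

# Renamed ./configure options, exactly as listed in the announcement.
CONFIGURE_RENAMES = {
    "--enable-fstrm": "--enable-dnstap",
    "--enable-gnutls": "--with-gnutls",
    "--enable-libsodium": "--with-libsodium",
    "--enable-libssl": "--with-libssl",
    "--enable-re2": "--with-re2",
}

# (pattern, advice) pairs for a dnsdist configuration file.
CONF_CHECKS = [
    (re.compile(r"\baddLuaAction\s*\("), "removed: use addAction with a LuaAction"),
    (re.compile(r"\baddLuaResponseAction\s*\("),
     "removed: use addResponseAction with a LuaResponseAction"),
    (re.compile(r"\bdnsdist\.[A-Z][A-Z0-9_]*\b"),
     "constant moved to the DNSQType or DNSRCode prefix"),
    # Several arguments and no table constructor: the old positional form.
    (re.compile(r"\bnewPacketCache\s*\([^(){}]*,[^(){}]*\)"),
     "positional parameters: switch to the table-based syntax"),
]

# Constructed sample configuration (not taken from the announcement).
SAMPLE_CONF = """\
pc = newPacketCache(10000, 86400, 0, 60, 60)
addLuaAction(AllRule(), myHandler)  -- old style
addAction(AllRule(), LuaAction(myHandler))
if dq.rcode == dnsdist.NXDOMAIN then return DNSAction.None end
pc2 = newPacketCache(10000, {maxTTL=86400})
"""

def check_conf(text):
    """Return (line_number, advice) for each pre-1.4.0 construct found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("--", 1)[0]  # drop Lua line comments (naive: ignores strings)
        for pattern, advice in CONF_CHECKS:
            if pattern.search(code):
                findings.append((lineno, advice))
    return findings

def rewrite_configure(args):
    """Return the argument list with renamed ./configure options substituted."""
    out = []
    for arg in args:
        name, sep, value = arg.partition("=")
        out.append(CONFIGURE_RENAMES.get(name, name) + sep + value)
    return out
```

Running `check_conf` over an existing configuration before the upgrade lists the lines that need editing; a clean result does not prove compatibility, since custom Lua code may also be affected by the dropped capabilities.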