path: root/net/dnsdist
Age         Commit message  [Author; Files, Lines]
2022-10-24  dnsdist: Update to 1.7.2.  [jperkin; 5 files, -23/+24]
pkgsrc changes:
* Fix NetBSD rc.d script that cannot have previously worked.
* Use readline support instead of hardcoding editline, and fix buildlink variables that cannot have previously worked.
* Enable nghttp2 support.

1.7.2 Released: 14th of June 2022
* Improvements
- Scan the UDP buckets only when we have outstanding queries
- Only allocate the health-check mplexer when needed
- Add Lua bindings to access the DNS payload as a string
* Bug Fixes
- Fix invalid proxy protocol payload on a DoH TC to TCP retry
- Fix a crash on an invalid protocol in DoH forwarded-for header
- Add missing descriptions for prometheus metrics

1.7.1 Released: 25th of April 2022
* Improvements
- Remove the leak warning with GnuTLS >= 3.7.3
- Fix compilation with OpenSSL 3.0.0
- Docker images: remove capability requirements
- Docker image: install ca-certificates
- Work around a compiler bug seen on OpenBSD/amd64 using clang-13
- Stop using the now deprecated and useless std::binary_function
- Add a ‘getAddressAndPort()’ method to DOHFrontend and TLSFrontend objects
* Bug Fixes
- Fix the health-check timeout for outgoing DoH connections
- Set Server Name Indication on outgoing TLS connections (DoT, DoH)
- Fix the latency-count metric
- Fix a use-after-free in case of a network error in the middle of a XFR query
- Properly use eBPF when the DynBlock is not set
- Fix ‘inConfigCheck()’
- Use the correct outgoing protocol in our ring buffers
- Raise the number of entries in a packet cache to at least 1
- Fix wrong eBPF values (qtype, counter) being inserted for qnames
- The check interval applies to health-check, not timeouts

1.7.0 Released: 17th of January 2022
* Bug Fixes
- Test the correct member in DynBlockRatioRule::warningRatioExceeded (Doug Freed)

1.7.0-rc1 Released: 22nd of December 2021
* Improvements
- Reuse and save the TLS session tickets in DoT healthchecks
* Bug Fixes
- Fix a double-free when a DoH cross-protocol response is dropped
- Check the size of the query when re-sending a DoH query

1.7.0-beta2 Released: 29th of November 2021
* Improvements
- Add a function to know how many TLS sessions are currently cached
- Warn that GnuTLS 3.7.x leaks memory when validating certs
- Add a function to set the UDP recv/snd buffer sizes
- Add ‘showWebserverConfig’
* Bug Fixes
- Fix a memory leak when reusing TLS tickets for outgoing connections
- Fix compiler/static analyzer warnings
- Fix Lua parameters bound checks
- Add missing visibility attribute on dnsdist_ffi_dnsquestion_get_qname_hash

1.7.0-beta1 Released: 16th of November 2021
* New Features
- Implement filesystem pinning for eBPF maps, drop and truncate via XDP (Pierre Grié)
- Add range support for dynamic blocks
- Add the ability to retain select capabilities at runtime
* Improvements
- Read as many DoH responses as possible before yielding
- Stop over-allocating for DoH queries
- Support DoT, DoH and DNSCrypt transports for protobuf and dnstap
- Use the same outgoing TCP connection for different clients
- Convert make_pair to emplace (Rosen Penev)
- Add syslog identifier to service file
- Get rid of make_pair (Rosen Penev)
- Use make_unique instead of new (Rosen Penev)
- Handle existing EDNS content for SetMacAddrAction/SetEDNSOptionAction
* Bug Fixes
- Keep watching idle DoH backend connections
- Fix the cleaning of TCP, DoT and DoH connections to the backend
- Properly handle I/O exceptions in the health checker
- NetmaskTree: Drop the ‘noexcept’ qualifier on the TreeNode ctor
- Fix build without nghttp2
- Remove debug print line flooding logs (Eugen Mayer)
- Credentials: EVP_PKEY_CTX_set1_scrypt_salt() takes an unsigned char*

1.7.0-alpha2 Released: 19th of October 2021
* New Features
- Add lua support for SetEDNSOptionAction
- Rule for basing decisions on outstanding queries in a pool (phonedph1)
* Improvements
- Disable TLS renegotiation, release buffers for outgoing TLS
- Don’t create SSLKEYLOGFILE files with wide permissions
- Update existing tags when calling setTagAction and setTagResponseAction
- Fix the unit tests to handle v4-only or v6-only connectivity
- Improve the coverage of the outgoing DoH code
- Allow skipping arbitrary EDNS options when computing packet hash
- Add incoming and outgoing protocols to grepq
- Allow setting the block reason from the SMT callback
- Clear the UDP states of TCP-only backends
- Replace shared by unique ptrs, reduce structs size
* Bug Fixes
- Better handling of outgoing DoH workers
- Properly cache UDP queries passed to a TCP/DoT/DoH backend
- Use per-thread credentials for GnuTLS client connections
- Only set recursion protection once we know we do not return

1.7.0-alpha1 Released: 23rd of September 2021
* New Features
- Implementation of DoH between dnsdist and the backend
- Implement cross-protocol queries, including outgoing DNS over TLS
- Add support for Lua per-thread FFI rules and actions
- Add FFI functions to spoof multiple raw values
- Add support for range-based lookups into a Key-Value store
- Implement SpoofSVCAction to return SVC responses
* Improvements
- Don’t look up the LMDB dbi by name for every query
- Move to hashed passwords for the web interface
- Fix ‘temporary used in loop’ warnings reported by g++ 11.1.0
- Skip some memory allocations in client mode to reduce memory usage
- Support multiple ip addresses for dnsdist-resolver lua script (Wim)
- Make DNSDist XFR aware when transfer is finished (Dimitrios Mavrommatis)
- Do not report latency metrics of down upstream servers (Holger Hoffstätte)
- Carry the exact incoming protocol (Do53, DNSCrypt, DoT, DoH) in DQ
- Implement ‘reload()’ to rotate Log(Response)Action’s log file
- Document that setECSOverride has its drawbacks (Andreas Jakum)
- Convert dnsdist and the recursor to LockGuarded
- Handle waiting for a descriptor to become readable OR writable
- Clean up a bit of “cast from type […] casts away qualifiers” warnings
- Reorganize the IDState and Rings fields to reduce memory usage
* Bug Fixes
- Catch FDMultiplexerException in IOStateHandler’s destructor
- Resizing LMDB map size while there might be open transactions is unsafe
- Ignore TCAction over TCP
- Stop raising the number of TCP workers to the number of TCP binds
- Handle exception raised in IOStateGuard’s destructor

1.6.1 Released: 15th of September 2021
* New Features
- Add the missing DOHFronted::loadNewCertificatesAndKeys()
- Implement a web endpoint to get metrics for only one pool
* Bug Fixes
- Set the dnstap/protobuf transport to TCP for DoH queries
- Backport a missing mutex header
- Properly handle ECS for queries with ancount or nscount > 0
- Catch FDMultiplexerException in IOStateHandler’s destructor
- Fix outstanding counter issue on TCP error

1.6.0 Released: 11th of May 2021

1.5.2 Released: 10th of May 2021
* Bug Fixes
- Fix a crash when a DoH responses map is updated at runtime
- Fix SNI on resumed sessions by acknowledging the name sent by the client
- Fix the DNSName move assignment operator
- Fix a typo in prometheus metrics dnsdist_frontend_tlshandshakefailures #9728 (AppliedPrivacy)
- Make: two fixes
- Fix eBPF filtering of long qnames
- Fix a hang when removing a server with more than one socket
- Fix Dynamic Block RCode rules messing up the queries count
- Fix EDNS in ServFail generated when no server is available
- Prevent a crash with DynBPF objects in client mode
- Add missing getEDNSOptions and getDO bindings for DNSResponse

1.6.0-rc2 Released: 4th of May 2021
* Improvements
- Make the backend queryLoad and dropRate values atomic
* Bug Fixes
- Fix missing locks in DNSCrypt certificates management
- Only use eBPF for “drop” actions, clean up more often

1.6.0-rc1 Released: 20th of April 2021
* Improvements
- Replace pthread_rwlock with std::shared_mutex
- Also disable PMTU for v6
* Bug Fixes
- Lua: don’t destroy keys during table iteration
- Add missing getEDNSOptions and getDO bindings for DNSResponse
- Fix some issues reported by Thread Sanitizer

1.6.0-alpha3 Released: 29th of March 2021
* Improvements
- Set OpenSSL to release buffers when idle, saves 35 kB per connection
- Unify certificate reloading syntaxes
- Disable TLS renegotiation by default
- Improve TCP connection reuse, add metrics
- Using DATA to report memory usage is unreliable, start using RES instead, as it seems reliable and relevant
- Add a metric for TCP listen queue full events
- Enable sharding by default, greater pipe buffer sizes
- Add limits for cached TCP connections, metrics
* Bug Fixes
- Fix the handling of DoH queries with a non-zero ID
- Fix the TCP connect timeout, add metrics

1.6.0-alpha2 Released: 4th of March 2021
* New Features
- Add option to spoofRawAction to spoof multiple answers (Sander Hoentjen)
- Add ‘spoof’ and ‘spoofRaw’ Lua bindings
* Improvements
- Make NetmaskTree::fork() a bit easier to understand
- Do not update the TCP error counters on idle states
- Bind __tostring instead of toString for Lua, so that conversion to string works automatically (Aki Tuomi)
* Bug Fixes
- Remove forgotten debug line in the web server
- Create TCP worker threads before acceptors ones
- Prevent a crash with DynBPF objects in client mode
- Fix several bugs in the TCP code path, add unit tests
- Fix size check during trailing data addition, regression tests
- Clean up expired entries from all the packet cache’s shards

1.6.0-alpha1 Released: 2nd of February 2021
* New Features
- Add per-thread Lua FFI load-balancing policies
- Implement Lua custom web endpoints
- Implement TCP out-of-order
- Add support for incoming Proxy Protocol
- Add SkipCacheResponseAction
* Improvements
- Use more of systemd’s sandboxing options when available
- Add an option to allow sub-paths for DoH
- Prioritize ChaCha20-Poly1305 when client does (Sukhbir Singh)
- Start all TCP worker threads on startup
- Use protozero for Protocol Buffer operations
- Speed up the round robin policy
- Avoid unnecessary allocations and copies with DNSName::toDNSString()
- Get rid of allocations in the packet cache’s fast path
- Fix the DNSName move assignment operator
- Don’t copy the policy for every query
- UUID: Use the non-cryptographic variant of the boost::uuid
- Use an eBPF filter for Dynamic blocks when available
- Limit the number of concurrent console and web connections
- Add prometheus metrics for top Dynamic Blocks entries
- Add per connection queries count and duration stats for DoH
- Add Lua bindings to get a server’s latency
- Wrap more FILE objects in smart pointers
- Set the default EDNS buffer size on generated answers to 1232
- Add support for FreeBSD’s SO_REUSEPORT_LB
- Accept string in DNSDistPacketCache:expungeByName
- DNSName: add toDNSString convenience function
- Skip EDNS Cookies in the packet cache
- Add the query payload size to the verbose log over TCP
- Add the response code in the packet cache dump
- Add an optional name to rules
- Add the ability to set ACL from a file (Matti Hiljanen)
- Add a Lua binding for the number of queries dropped by a server
- Move to c++17
- Fix warnings on autoconf 2.70
- Reduce diff to upstream yahttp, fixing a few CodeQL reports
- Handle syslog facility as string, document the numerical one
- Deprecate parameters to webserver(), add ‘statsRequireAuthentication’ parameter
- Add a counter for queries truncated because of a rule
- Replace offensive terms in our code and documentation
- Use aligned atomics to prevent false sharing
- Unify non-terminal actions as SetXXXAction()
- Accept a NMG to fill DynBlockRulesGroup ranges
- Silence clang 12 warning
- Fix a few warnings reported by clang’s static analyzer and cppcheck
* Bug Fixes
- Fix a crash when a DoH responses map is updated at runtime
- Fix SNI on resumed sessions by acknowledging the name sent by the client
- Use toStringWithPort instead of manual addr/port concat (Mischan Toosarani-Hausberger)
- Force a reconnection when a downstream transitions to the UP state (Nuitari, Stephane Bakhos)
- Handle EINTR in DelayPipe
- Handle empty DNSNames in grepq()
- Make: two fixes
- Fix eBPF filtering of long qnames
- Improve const-correctness of Lua bindings (Georgeto)
- Fix a hang when removing a server with more than one socket
- Appease clang++ 12 ASAN on MacOS
- Bunch of signed vs unsigned warnings
- Send a NotImp answer on empty (qdcount=0) queries
- Don’t apply QPS to backend server on cache hits
- Fix EDNS in ServFail generated when no server is available
* Removals
- Rename topRule() and friends
- Remove useless second argument for SpoofAction
2022-08-07  dnsdist: remove hacks.mk now that atomic64.mk is used  [gutteridge; 1 file, -14/+0]
2022-08-06  net/dnsdist: convert to using mk/atomic64.mk.  [he; 1 file, -1/+2]
2022-08-05  net/dnsdist: make this build on powerpc where -latomic is needed.  [he; 1 file, -0/+14]
2022-04-03  revbump for devel/protobuf  [adam; 1 file, -2/+2]
2021-11-11  *: Revbump for protobuf-3.19.0  [kim; 1 file, -2/+2]
Fix for: Shared object "libprotobuf.so.29" not found
2021-10-26  net: Replace RMD160 checksums with BLAKE2s checksums  [nia; 1 file, -2/+2]
All checksums have been double-checked against existing RMD160 and SHA512 hashes

Not committed (merge conflicts...):
net/radsecproxy/distinfo

The following distfiles could not be fetched (fetched conditionally?):
./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch
2021-10-21  *: Revbump for protobuf-3.18.0  [kim; 1 file, -1/+2]
Fix for: Shared object "libprotobuf.so.28" not found
2021-10-07  net: Remove SHA1 hashes for distfiles  [nia; 1 file, -2/+1]
2020-10-01  net/dnsdist: Update to 1.5.1  [otis; 2 files, -7/+7]
* Released: 1st of October 2020
* Improvements:
- Add the "clearConsoleHistory" command
* Bug Fixes:
- Stop the related responder thread when a backend is removed
- Fix getEDNSOptions() for {AN,NS}COUNT != 0 and ARCOUNT = 0
- Fix building with LLVM11 (@RvdE)
- Only add EDNS on negative answers if the query had EDNS
2020-08-06  dnsdist: updated to 1.5.0  [adam; 6 files, -90/+20]
1.5.0
Improvements
- Use explicit flag for the specific version of c++ we are targeting.
- Prevent a copy of a pool’s backends when selecting a server.
Bug Fixes
- Fix compilation with h2o_socket_get_ssl_server_name().
- Prevent a possible overflow via large Proxy Protocol values. (Valentei Sergey)
- Avoid name clashes on Solaris derived systems.
- Resize hostname to final size in getCarbonHostname(). (Aki Tuomi)
- Fix compilation on OpenBSD/amd64.
- Handle calling PacketCache methods on a nil object.

1.4.0
Improvements
- Fix the default value of setMaxUDPOutstanding in the console’s help (phonedph1)
- Add bindings for the noerrors and drops members of StatNode
- Fix -Wshadow warnings (Aki Tuomi)
- Fix typo: settting to setting (Chris Hofstaedtler)
Bug Fixes
- Lowercase the name blocked by a SMT dynamic block
misc
- Prefer the cipher suite from the server by default (DoH, DoT)
2020-04-23  dnsdist: Always use the pkgsrc editline layout.  [jperkin; 3 files, -1/+33]
2020-01-18  *: Recursive revision bump for openssl 1.1.1.  [jperkin; 1 file, -1/+2]
2019-08-02  dnsdist: Update to 1.3.3.  [jperkin; 3 files, -24/+13]
New Features:
- Add consistent hash builtin policy
- Add EDNSOptionRule
- Add DSTPortRule (phonedph1)
- Make getOutstanding usable from both lua and console (phonedph1)
- Added :excludeRange and :includeRange methods to DynBPFFilter class (Reinier Schoof)
- Add Prometheus stats support (Pavel Odintsov, Kai S)
- Name threads in the programs
- Support the NXDomain action with dynamic blocks
- Add security polling
- Add a PoolAvailableRule to easily add backup pools (Robin Geuze)
Improvements:
- Get rid of some allocs/copies in DNS parsing
- Set a correct EDNS OPT RR for self-generated answers
- Fix a sign-comparison warning in isEDNSOptionInOPT()
- Add warning rates to DynBlockRulesGroup rules
- Add support for exporting a server id in protobuf
- dnsdist did not set TCP_NODELAY, causing needless latency
- Add a setting to control the number of stored sessions
- Wrap GnuTLS and OpenSSL pointers in smart pointers
- Add a ‘creationOrder’ field to rules
- Fix return-type detection with boost 1.69’s tribool
- Fix format string issue on 32bits ARM
- Wrap TCP connection objects in smart pointers
- Add the setConsoleOutputMaxMsgSize function
- Add the ability to update webserver credentials
Bug Fixes:
- Display dynblocks’ default action, None, as the global one
- Fix compilation when SO_REUSEPORT is not defined
- Release memory on DNS over TLS handshake failure
- Handle trailing data correctly when adding OPT or ECS info
2018-12-15  *: update email for fhajny  [wiz; 1 file, -2/+2]
2018-08-08  net/dnsdist: Fix build on SunOS, clean up args, disable optional SNMP.  [fhajny; 6 files, -8/+92]
2018-08-04  net/dnsdist: Update to 1.3.2  [minskim; 5 files, -56/+8]
New features:
- Add support for more than one TLS certificate
- Add a negative ttl option to the packet cache
- Add the ability to dump a summary of the cache content
- Add netmask-based {ex,in}clusions to DynblockRulesGroup
- Add DNSAction.NoOp to debug dynamic blocks
- Add SetECSAction to set an arbitrary outgoing ecs value
- Add support for rotating certificates and keys
2018-02-27  net/dnsdist: Update to 1.2.1.  [fhajny; 2 files, -8/+7]
New Features
- Add configuration option to disable IP_BIND_ADDRESS_NO_PORT
Improvements
- Handle bracketed IPv6 addresses without ports
Bug Fixes
- Make dnsdist dynamic truncate do right thing on TCP/IP.
- Add missing QPSAction
- Don't create a Remote Logger in client mode.
- Use libsodium's CFLAGS, we might need them to find the includes.
- Keep the TCP connection open on cache hit, generated answers.
- Add the missing <sys/time.h> include to mplexer.hh for struct timeval.
- Sort the servers based on their 'order' after it has been set.
- Quiet unused variable warning on macOS (Chris Hofstaedtler).
- Fix the outstanding counter when an exception is raised.
- Do not connect the snmpAgent from a dnsdist client.
2018-02-20  net/dnsdist: Use the usual 'application' SMF property group name  [fhajny; 2 files, -3/+3]
to avoid having to refer to the property group explicitly. Fixes joyent/pkgsrc#84. Bump PKGREVISION.
2018-01-17  Belated PKGREVISION bump for devel/protobuf update.  [jperkin; 1 file, -1/+2]
Fixes at least joyent/pkgsrc#60.
2017-09-03  Follow some redirects.  [wiz; 1 file, -2/+2]
2017-08-22  Update net/dnsdist to 1.2.0.  [fhajny; 4 files, -45/+14]
- fix for CVE-2016-7069 and CVE-2017-7557.
- applying rules on cache hits
- addition of runtime changeable rules that matches IP address for a certain time: TimedIPSetRule
- SNMP support, exporting statistics and sending traps
- preventing the packet cache from ageing responses when deployed in front of authoritative servers
- TTL alteration capabilities
- consistent hash results over multiple deployments
- exporting CNAME records over protobuf
- tuning the size of the ringbuffers used to keep track of recent queries and responses
- various DNSCrypt-related fixes and improvements, including automatic key rotation

Full changelog: https://dnsdist.org/changelog.html
2017-05-22  Don't try to order null pointers.  [joerg; 2 files, -1/+32]
2017-03-31  Import dnsdist 1.1.0 as dns/dnsdist.  [fhajny; 12 files, -0/+240]
dnsdist is a highly DNS-, DoS- and abuse-aware loadbalancer. Its goal in life is to route traffic to the best server, delivering top performance to legitimate users while shunting or blocking abusive traffic.