By Bert Hubert, Principal at PowerDNS
We are very happy to announce the 1.3.2 release of dnsdist. This release contains a few new features, but mostly fixes bugs and documentation issues reported since the release of dnsdist 1.3.0. You might be wondering why this release is not numbered 1.3.1: we discovered a build issue on some platforms right after tagging 1.3.1 and therefore decided to release 1.3.2 right away.
After discussing with several users, we noticed that quite a lot of them were not aware that enabling dnsdist's console without a key, even restricted to the local host, could be a security issue: it allows privilege escalation, because an unprivileged user can connect to the console and execute Lua code as the dnsdist user. We therefore decided to refuse any connection to the console until a key has been set, so if you use the console, please check that you have set a key before upgrading.
The DNS over TLS feature introduced in 1.3.0 was missing the ability to support both an RSA and an ECDSA certificate at the same time, and it was not possible to switch to a new certificate without restarting dnsdist. This has now been fixed.
The packet cache has also been improved in this release, with the addition of a negative TTL option to specify how long NODATA and NXDOMAIN answers should be cached, as well as a way to dump the content of the cache. We also made the detection of ECS collisions more robust, preventing two queries for the same name, type and class but a different ECS subnet from colliding even if they hash to the same value.
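The ECS collision check described above, shown as an added illustration that is not dnsdist's own code: a cache indexed by a hash still has to compare the stored name, type, class and ECS subnet before serving a hit. The `Query`, `PacketCache` and `weakHash` names, and the hash that deliberately ignores the subnet to force a collision, are assumptions made for this demo.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <unordered_map>

// Illustrative sketch only; every name here is hypothetical, not dnsdist's.
struct Query {
    std::string qname;  // owner name, lower-cased
    uint16_t qtype;
    uint16_t qclass;
    std::string ecs;    // ECS subnet as text, empty when the query has none
};

// Deliberately weak hash (constructed for the demo): it ignores the ECS subnet.
uint32_t weakHash(const Query& q) {
    uint32_t h = 2166136261u;  // FNV-1a over the name, then mix type and class
    for (unsigned char c : q.qname) h = (h ^ c) * 16777619u;
    return ((h ^ q.qtype) * 16777619u) ^ q.qclass;
}

struct PacketCache {
    struct Entry { Query key; std::string answer; };  // key kept beside the answer
    std::unordered_map<uint32_t, Entry> slots;
    unsigned collisions = 0;
    void insert(const Query& q, const std::string& answer) {
        slots[weakHash(q)] = Entry{q, answer};
    }
    // A hit needs every key field to match; a colliding hash is counted as a miss.
    bool lookup(const Query& q, std::string& answer) {
        auto it = slots.find(weakHash(q));
        if (it == slots.end()) return false;
        const Query& k = it->second.key;
        if (k.qname != q.qname || k.qtype != q.qtype ||
            k.qclass != q.qclass || k.ecs != q.ecs) {
            ++collisions;
            return false;
        }
        answer = it->second.answer;
        return true;
    }
};

int main() {
    PacketCache cache;
    cache.insert({"www.example.com", 1, 1, "192.0.2.0/24"}, "answer-a");
    std::string out;
    bool hit = cache.lookup({"www.example.com", 1, 1, "198.51.100.0/24"}, out);
    std::cout << (hit ? "hit" : "miss") << " collisions=" << cache.collisions << "\n";
}
```

Without the field comparison in `lookup`, the second client would be served an answer tailored to the first client's subnet.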
This version gained the ability to insert dynamic rules that do nothing, and do not stop the processing of subsequent rules, which is very useful for testing purposes. The optimized DynblockRulesGroup introduced in 1.3.0 also gained the ability to whitelist and blacklist ranges from dynamic rules, for example to prevent some clients from ever being blocked by a rate-limiting rule.
Finally, we introduced the new SetECSAction directive to be able to force the ECS value sent to a downstream server for some or all queries.
In addition to various documentation and cosmetic fixes, a few annoying bugs have been fixed in this release:
- If the first connection attempt to a given backend failed, dnsdist didn’t properly reconnect even when the backend became available;
- Dynamic blocks were sometimes created with the wrong duration;
- The ability to iterate over the results of the Lua exceed*() functions was broken in 1.3.0, preventing manual whitelisting from Lua;
- Some statistics were displayed with too many decimals in the web interface;
- A backend outstanding queries counter could become wrong if it dropped a lot of queries for a while.
Release tarballs are available on the downloads website.
Several packages are also available on our repository.