Log message:
dnsdist: Update to 1.7.2.
pkgsrc changes:
* Fix NetBSD rc.d script that cannot have previously worked.
* Use readline support instead of hardcoding editline, and fix buildlink variables that cannot have previously worked.
* Enable nghttp2 support.
1.7.2
Released: 14th of June 2022
* Improvements
Scan the UDP buckets only when we have outstanding queries
Only allocate the health-check mplexer when needed
Add Lua bindings to access the DNS payload as a string
* Bug Fixes
Fix invalid proxy protocol payload on a DoH TC to TCP retry
Fix a crash on an invalid protocol in DoH forwarded-for header
Add missing descriptions for prometheus metrics
1.7.1
Released: 25th of April 2022
* Improvements
Remove the leak warning with GnuTLS >= 3.7.3
Fix compilation with OpenSSL 3.0.0
Docker images: remove capability requirements
Docker image: install ca-certificates
Work around a compiler bug seen on OpenBSD/amd64 using clang-13
Stop using the now deprecated and useless std::binary_function
Add a ‘getAddressAndPort()’ method to DOHFrontend and TLSFrontend objects
* Bug Fixes
Fix the health-check timeout for outgoing DoH connections
Set Server Name Indication on outgoing TLS connections (DoT, DoH)
Fix the latency-count metric
Fix a use-after-free in case of a network error in the middle of a XFR query
Properly use eBPF when the DynBlock is not set
Fix ‘inConfigCheck()’
Use the correct outgoing protocol in our ring buffers
Raise the number of entries in a packet cache to at least 1
Fix wrong eBPF values (qtype, counter) being inserted for qnames
The check interval applies to health-check, not timeouts
1.7.0
Released: 17th of January 2022
* Bug Fixes
Test the correct member in DynBlockRatioRule::warningRatioExceeded (Doug Freed)
1.7.0-rc1
Released: 22nd of December 2021
* Improvements
Reuse and save the TLS session tickets in DoT healthchecks
* Bug Fixes
Fix a double-free when a DoH cross-protocol response is dropped
Check the size of the query when re-sending a DoH query
1.7.0-beta2
Released: 29th of November 2021
* Improvements
Add a function to know how many TLS sessions are currently cached
Warn that GnuTLS 3.7.x leaks memory when validating certs
Add a function to set the UDP recv/snd buffer sizes
Add ‘showWebserverConfig’
* Bug Fixes
Fix a memory leak when reusing TLS tickets for outgoing connections
Fix compiler/static analyzer warnings
Fix Lua parameters bound checks
Add missing visibility attribute on dnsdist_ffi_dnsquestion_get_qname_hash
1.7.0-beta1
Released: 16th of November 2021
* New Features
Implement filesystem pinning for eBPF maps, drop and truncate via XDP (Pierre Grié)
Add range support for dynamic blocks
Add the ability to retain select capabilities at runtime
* Improvements
Read as many DoH responses as possible before yielding
Stop over-allocating for DoH queries
Support DoT, DoH and DNSCrypt transports for protobuf and dnstap
Use the same outgoing TCP connection for different clients
Convert make_pair to emplace (Rosen Penev)
Add syslog identifier to service file
Get rid of make_pair (Rosen Penev)
Use make_unique instead of new (Rosen Penev)
Handle existing EDNS content for SetMacAddrAction/SetEDNSOptionAction
* Bug Fixes
Keep watching idle DoH backend connections
Fix the cleaning of TCP, DoT and DoH connections to the backend
Properly handle I/O exceptions in the health checker
NetmaskTree: Drop the ‘noexcept’ qualifier on the TreeNode ctor
Fix build without nghttp2
Remove debug print line flooding logs (Eugen Mayer)
Credentials: EVP_PKEY_CTX_set1_scrypt_salt() takes an unsigned char*
1.7.0-alpha2
Released: 19th of October 2021
* New Features
Add lua support for SetEDNSOptionAction
Rule for basing decisions on outstanding queries in a pool (phonedph1)
* Improvements
Disable TLS renegotiation, release buffers for outgoing TLS
Don’t create SSLKEYLOGFILE files with wide permissions
Update existing tags when calling setTagAction and setTagResponseAction
Fix the unit tests to handle v4-only or v6-only connectivity
Improve the coverage of the outgoing DoH code
Allow skipping arbitrary EDNS options when computing packet hash
Add incoming and outgoing protocols to grepq
Allow setting the block reason from the SMT callback
Clear the UDP states of TCP-only backends
Replace shared by unique ptrs, reduce structs size
* Bug Fixes
Better handling of outgoing DoH workers
Properly cache UDP queries passed to a TCP/DoT/DoH backend
Use per-thread credentials for GnuTLS client connections
Only set recursion protection once we know we do not return
1.7.0-alpha1
Released: 23rd of September 2021
* New Features
Implementation of DoH between dnsdist and the backend
Implement cross-protocol queries, including outgoing DNS over TLS
Add support for Lua per-thread FFI rules and actions
Add FFI functions to spoof multiple raw values
Add support for range-based lookups into a Key-Value store
Implement SpoofSVCAction to return SVC responses
* Improvements
Don’t look up the LMDB dbi by name for every query
Move to hashed passwords for the web interface
Fix ‘temporary used in loop’ warnings reported by g++ 11.1.0
Skip some memory allocations in client mode to reduce memory usage
Support multiple ip addresses for dnsdist-resolver lua script (Wim)
Make DNSDist XFR aware when transfer is finished (Dimitrios Mavrommatis)
Do not report latency metrics of down upstream servers (Holger Hoffstätte)
Carry the exact incoming protocol (Do53, DNSCrypt, DoT, DoH) in DQ
Implement ‘reload()’ to rotate Log(Response)Action’s log file
Document that setECSOverride has its drawbacks (Andreas Jakum)
Convert dnsdist and the recursor to LockGuarded
Handle waiting for a descriptor to become readable OR writable
Clean up a bit of “cast from type […] casts away qualifiers” warnings
Reorganize the IDState and Rings fields to reduce memory usage
* Bug Fixes
Catch FDMultiplexerException in IOStateHandler’s destructor
Resizing LMDB map size while there might be open transactions is unsafe
Ignore TCAction over TCP
Stop raising the number of TCP workers to the number of TCP binds
Handle exception raised in IOStateGuard’s destructor
1.6.1
Released: 15th of September 2021
* New Features
Add the missing DOHFrontend::loadNewCertificatesAndKeys()
Implement a web endpoint to get metrics for only one pool
* Bug Fixes
Set the dnstap/protobuf transport to TCP for DoH queries
Backport a missing mutex header
Properly handle ECS for queries with ancount or nscount > 0
Catch FDMultiplexerException in IOStateHandler’s destructor
Fix outstanding counter issue on TCP error
1.6.0
Released: 11th of May 2021
1.5.2
Released: 10th of May 2021
* Bug Fixes
Fix a crash when a DoH responses map is updated at runtime
Fix SNI on resumed sessions by acknowledging the name sent by the client
Fix the DNSName move assignment operator
Fix a typo in prometheus metrics dnsdist_frontend_tlshandshakefailures #9728 (AppliedPrivacy)
Make: two fixes
Fix eBPF filtering of long qnames
Fix a hang when removing a server with more than one socket
Fix Dynamic Block RCode rules messing up the queries count
Fix EDNS in ServFail generated when no server is available
Prevent a crash with DynBPF objects in client mode
Add missing getEDNSOptions and getDO bindings for DNSResponse
1.6.0-rc2
Released: 4th of May 2021
* Improvements
Make the backend queryLoad and dropRate values atomic
* Bug Fixes
Fix missing locks in DNSCrypt certificates management
Only use eBPF for “drop” actions, clean up more often
1.6.0-rc1
Released: 20th of April 2021
* Improvements
Replace pthread_rwlock with std::shared_mutex
Also disable PMTU for v6
* Bug Fixes
Lua: don’t destroy keys during table iteration
Add missing getEDNSOptions and getDO bindings for DNSResponse
Fix some issues reported by Thread Sanitizer
1.6.0-alpha3
Released: 29th of March 2021
* Improvements
Set OpenSSL to release buffers when idle, saves 35 kB per connection
Unify certificate reloading syntaxes
Disable TLS renegotiation by default
Improve TCP connection reuse, add metrics
Using DATA to report memory usage is unreliable, start using RES instead, as it seems reliable and relevant
Add a metric for TCP listen queue full events
Enable sharding by default, greater pipe buffer sizes
Add limits for cached TCP connections, metrics
* Bug Fixes
Fix the handling of DoH queries with a non-zero ID
Fix the TCP connect timeout, add metrics
1.6.0-alpha2
Released: 4th of March 2021
* New Features
Add option to spoofRawAction to spoof multiple answers (Sander Hoentjen)
Add ‘spoof’ and ‘spoofRaw’ Lua bindings
* Improvements
Make NetmaskTree::fork() a bit easier to understand
Do not update the TCP error counters on idle states
Bind __tostring instead of toString for Lua, so that conversion to string works automatically (Aki Tuomi)
* Bug Fixes
Remove forgotten debug line in the web server
Create TCP worker threads before acceptors ones
Prevent a crash with DynBPF objects in client mode
Fix several bugs in the TCP code path, add unit tests
Fix size check during trailing data addition, regression tests
Clean up expired entries from all the packet cache’s shards
1.6.0-alpha1
Released: 2nd of February 2021
* New Features
Add per-thread Lua FFI load-balancing policies
Implement Lua custom web endpoints
Implement TCP out-of-order
Add support for incoming Proxy Protocol
Add SkipCacheResponseAction
* Improvements
Use more of systemd’s sandboxing options when available
Add an option to allow sub-paths for DoH
Prioritize ChaCha20-Poly1305 when client does (Sukhbir Singh)
Start all TCP worker threads on startup
Use protozero for Protocol Buffer operations
Speed up the round robin policy
Avoid unnecessary allocations and copies with DNSName::toDNSString()
Get rid of allocations in the packet cache’s fast path
Fix the DNSName move assignment operator
Don’t copy the policy for every query
UUID: Use the non-cryptographic variant of the boost::uuid
Use an eBPF filter for Dynamic blocks when available
Limit the number of concurrent console and web connections
Add prometheus metrics for top Dynamic Blocks entries
Add per connection queries count and duration stats for DoH
Add Lua bindings to get a server’s latency
Wrap more FILE objects in smart pointers
Set the default EDNS buffer size on generated answers to 1232
Add support for FreeBSD’s SO_REUSEPORT_LB
Accept string in DNSDistPacketCache:expungeByName
DNSName: add toDNSString convenience function
Skip EDNS Cookies in the packet cache
Add the query payload size to the verbose log over TCP
Add the response code in the packet cache dump
Add an optional name to rules
Add the ability to set ACL from a file (Matti Hiljanen)
Add a Lua binding for the number of queries dropped by a server
Move to c++17
Fix warnings on autoconf 2.70
Reduce diff to upstream yahttp, fixing a few CodeQL reports
Handle syslog facility as string, document the numerical one
Deprecate parameters to webserver(), add ‘statsRequireAuthentication’ parameter
Add a counter for queries truncated because of a rule
Replace offensive terms in our code and documentation
Use aligned atomics to prevent false sharing
Unify non-terminal actions as SetXXXAction()
Accept a NMG to fill DynBlockRulesGroup ranges
Silence clang 12 warning
Fix a few warnings reported by clang’s static analyzer and cppcheck
* Bug Fixes
Fix a crash when a DoH responses map is updated at runtime
Fix SNI on resumed sessions by acknowledging the name sent by the client
Use toStringWithPort instead of manual addr/port concat (Mischan Toosarani-Hausberger)
Force a reconnection when a downstream transitions to the UP state (Nuitari, Stephane Bakhos)
Handle EINTR in DelayPipe
Handle empty DNSNames in grepq()
Make: two fixes
Fix eBPF filtering of long qnames
Improve const-correctness of Lua bindings (Georgeto)
Fix a hang when removing a server with more than one socket
Appease clang++ 12 ASAN on MacOS
Bunch of signed vs unsigned warnings
Send a NotImp answer on empty (qdcount=0) queries
Don’t apply QPS to backend server on cache hits
Fix EDNS in ServFail generated when no server is available
* Removals
Rename topRule() and friends
Remove useless second argument for SpoofAction