Hello everyone,

We are very happy to announce the 1.3.3 release of dnsdist. This release
contains a few new features, but is mostly fixing a security issue
reported since the release of dnsdist 1.3.2.

Security fix
============

While working on a new feature, Richard Gibson noticed that it was
possible for a remote attacker to craft a DNS query with trailing data
such that the addition of a record by dnsdist, for example an OPT record
when adding EDNS Client Subnet, might result in the trailing data being
smuggled to the backend as a valid record while not seen by dnsdist.
This is an issue when dnsdist is deployed as a DNS Firewall and used to
filter some records that should not be received by the backend. This
issue occurs only when either the 'useClientSubnet' or the experimental
'addXPF' parameter is used when declaring a new backend.

While dnsdist has not had any important security issue until now, we
decided this was a good time to implement the same security polling
mechanism that the authoritative server and the recursor have had for
years. Starting with this release, dnsdist will regularly perform a
security check using a DNS query to determine whether the current
version is up-to-date security-wise, and let the administrator know
otherwise.

Important changes
=================

It is sometimes very useful to be able to generate answers directly from
dnsdist, to quickly return a "No such domain" answer, spoof an "A" or
"AAAA" answer, or even just reply with the TC bit set so that legitimate
clients retry over TCP. Until now, answers generated that way were
mirroring the flags and EDNS options, if any, of the initial query. This
was not great because it could mislead the client into thinking that
dnsdist, or the server behind it, was supporting features or a UDP
payload size it did not.

Starting with this release, dnsdist is now generating a proper EDNS
payload if the query had one, and responding without EDNS otherwise.
This behavior can be turned off using the
new setAddEDNSToSelfGeneratedResponses() directive if needed.

We must, however, provide a responder's maximum payload size in this
record, and we can't easily know the maximum payload size of the actual
backend, so we picked a safe default value of 1500, which can be
overridden using the new setPayloadSizeOnSelfGeneratedAnswers() directive.
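As an added illustration of the trailing-data issue described above and of the OPT record that self-generated answers now carry (this is example code, not dnsdist's own), the following Python walks a query up to the end of its last header-counted record, reports any trailing bytes, and cuts them off before appending an OPT record with the 1500-byte default payload size. The sample query and the trailing bytes are constructed for the example, and add_opt_record assumes the query carries no OPT record yet.

```python
import struct

def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:            # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def payload_end(pkt):
    """Offset where the last header-counted record ends; bytes after it are trailing data."""
    if len(pkt) < 12:
        raise ValueError("short header")
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4        # QTYPE, QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off) + 8        # TYPE, CLASS, TTL
        if off + 2 > len(pkt):
            raise ValueError("truncated record")
        off += 2 + struct.unpack("!H", pkt[off:off + 2])[0]   # RDLENGTH + RDATA
    if off > len(pkt):
        raise ValueError("truncated record")
    return off

def trailing_data(pkt):
    return pkt[payload_end(pkt):]

def add_opt_record(pkt, udp_payload_size=1500):
    """Append an empty OPT RR (as done when adding ECS) only after cutting the
    message at payload_end, so the backend parses exactly what the proxy parsed.
    Assumes the query has no OPT record yet."""
    body = pkt[:payload_end(pkt)]
    ar = struct.unpack("!H", body[10:12])[0]
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0, 0)  # root name, TYPE 41
    return body[:10] + struct.pack("!H", ar + 1) + body[12:] + opt

def build_query(qname, qtype=1):
    """Constructed sample query: one question, no EDNS, nothing else."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)
CLEAN = build_query("www.example.com")
TAMPERED = CLEAN + b"\xde\xad\xbe\xef"       # constructed: 4 uncounted trailing bytes
```

A proxy that appends records without first truncating at payload_end would forward the uncounted bytes along with an incremented ARCOUNT, which is exactly the situation the fix avoids.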

New features and improvements
=============================

A new load-balancing policy named "chashed" has been introduced, based
on consistent hashing. This new policy load-balances the incoming
queries based on a hash of the requested name, like the existing
"whashed" one, but has the interesting property that adding or removing
a server will only cause a very small portion of the incoming queries to
be mapped to a different server than they were before, keeping the
caches warm.
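An added example, not dnsdist's implementation, of why consistent hashing keeps caches warm: a ring with a number of virtual points per backend is compared against a plain hash-modulo policy, measuring how many of 2000 constructed query names move to a different backend when a fifth backend is added. Backend addresses and names are constructed for the example.

```python
import bisect
import hashlib

def stable_hash(value):
    """64-bit hash from hashlib so results are reproducible across runs."""
    return int.from_bytes(hashlib.blake2b(value.encode(), digest_size=8).digest(), "big")

class ConsistentHashRing:
    """Each backend owns `points` positions on a ring; a name goes to the first
    backend at or after the name's own position, wrapping around at the end."""
    def __init__(self, backends, points=100):
        self.ring = sorted((stable_hash(f"{b}#{i}"), b) for b in backends for i in range(points))
        self.keys = [k for k, _ in self.ring]

    def pick(self, qname):
        idx = bisect.bisect_left(self.keys, stable_hash(qname.lower()))
        return self.ring[idx % len(self.ring)][1]

def modulo_pick(backends, qname):
    """Plain hash-modulo: changing the backend count reshuffles most names."""
    return backends[stable_hash(qname.lower()) % len(backends)]

def remapped(pick_before, pick_after, qnames):
    """Return the names whose backend changed between the two policies."""
    return [q for q in qnames if pick_before(q) != pick_after(q)]

SAMPLE_NAMES = [f"host{i}.example.com" for i in range(2000)]   # constructed workload
OLD = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]         # constructed backends
NEW = OLD + ["10.0.0.5"]                                          # one backend added

def compare():
    """Fraction of names that move to another backend after adding 10.0.0.5."""
    ring_old, ring_new = ConsistentHashRing(OLD), ConsistentHashRing(NEW)
    moved_chashed = remapped(ring_old.pick, ring_new.pick, SAMPLE_NAMES)
    moved_modulo = remapped(lambda q: modulo_pick(OLD, q),
                            lambda q: modulo_pick(NEW, q), SAMPLE_NAMES)
    return {
        "chashed": len(moved_chashed) / len(SAMPLE_NAMES),
        "modulo": len(moved_modulo) / len(SAMPLE_NAMES),
        # on a ring, every moved name lands on the new backend, never on an old one
        "chashed_moved_elsewhere": sum(1 for q in moved_chashed if ring_new.pick(q) != NEW[-1]),
    }

if __name__ == "__main__":
    print(compare())
```

With four backends growing to five, the ring moves roughly one name in five (all of them onto the new backend) while hash-modulo moves roughly four in five, which is why the existing backends' caches stay useful under "chashed".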

While we have been supporting the export of metrics using the well-known
carbon protocol from day one, we have seen an increasing demand for
supporting the emerging Prometheus protocol. Thanks to the work of Pavel
Odintsov and Kai S, dnsdist now supports it natively.

Very large installations of the DNS over TLS feature introduced in 1.3.0
reported several issues that we addressed in this release:

- dnsdist did not set TCP_NODELAY on its TLS sockets, causing needless
latency;
- it was not possible to configure the number of stored TLS sessions;
- our OpenSSL implementation had a memory leak when some clients aborted
prematurely because of a negotiation error during the TLS handshake.

We seized the opportunity to refactor the part of the code handling TLS
connections with the use of smart pointers while fixing that last issue,
making sure that this kind of memory leak will not happen again.

In 1.3.2, the optimized DynblockRulesGroup introduced in 1.3.0 gained
the ability to whitelist and blacklist ranges from dynamic rules, for
example to prevent some clients from ever being blocked by a
rate-limiting rule. This feature has now been made available when our
in-kernel eBPF filtering feature is used as well. At the same time, we
introduced the ability to set up warning rates for the dynamic rules,
making it possible to get an alert without blocking clients when they
reach a configured rate, and to block them should they reach a higher rate.

Finally, we introduced several new rules to our existing set:

- EDNSOptionRule, to be able to filter based on the presence of a given
EDNS option;
- DSTPortRule, offering the ability to route queries by looking at their
destination port;
- PoolAvailableRule, to be able to route queries based on whether a pool
has at least one usable backend.

Please see the dnsdist website [1] for the more complete changelog
[2] and the current documentation.

Release tarballs are available on the downloads website [3].

Several packages are also available on our repository [4]. Please be
aware that we have enabled a few additional features in our packages,
like DNS over TLS and DNSTap support, on distributions where the
required dependencies were available.


[1]: https://dnsdist.org
[2]: https://dnsdist.org/changelog.html
[3]: https://downloads.powerdns.com/releases/dnsdist-1.3.3.tar.bz2
[4]: https://repo.powerdns.com/

Best regards,

-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
Pdns-dev mailing list
Pdns-dev@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-dev