Software Update: PowerDNS Recursor 3.6.0

PowerDNS is a dns server with a database as back-end, which makes it easy to manage a large number of dns entries. The developers previously decided to release the two parts that make up PowerDNS, a recursor and an authoritative name server, separately. This means that a new version can be released faster and more specifically, according to the developers. When you perform a dns lookup, a recursor will initially start asking this question to a dns root server. This can then redirect to other servers, from where it can redirect to other servers, etc., until finally a server is reached that knows the answer or knows that the lookup is not possible. The latter can be the case if the name does not exist or the servers do not respond. The process of going through different authoritative servers is called recursion. The developers released PowerDNS Recursor 3.6.0 a few days ago. The announcement of this release looks like this:

PowerDNS Recursor version 3.6.0

This is a performance, feature and bugfix update to 3.5/3.5.3. It contains important fixes for slightly broken domain names, which your users expect to work anyhow. It also brings robust resilience against certain classes of attacks.

New features:

• commit aadceba: Implement minimum-ttl-override config setting, plus runtime configurability via ‘rec_control set-minimum-ttl’.
• Lots of work on the JSON API, which is exposed via Aki Tuomi’s ‘yahttp’. Massive thanks to Christian Hofstaedtler for delivering this exciting new functionality. Documentation & demo is coming, but code to use it available on GitHub.
• Lua modules can now use ‘pdnslog(INFO..’), as described in ticket 1074, implemented in commit 674a305
• Adopt any-to-tcp feature to the recursor. Based on a patch by Winfried Angele. Closes ticket 836, commit 56b4d21 and commit e661a20.
• commit 2c78bd5: implement built-in statistics dumper using the ‘carbon’ protocol, which is also understood by metronome (our mini-graphite). Use ‘carbon-server’, ‘carbon-ourname’ and ‘carbon-interval’ settings.
• New setting ‘udp-truncation-threshold’ to configure from how many bytes we should truncate. commit a09a8ce.
• Proper support for CHAOS class for CHAOS TXT queries. commit c86e1f2, addition for lua in commit f94c53d, some warnings in commit 438db54 however.
• Added support for Lua scripts to drop queries w/o further processing. commit 0478c54.
• Kevin Holly added qtype statistics to recursor and rec_control (get-qtypelist) (commit 79332bf)
• Add support for include-files in configuration, also reload ACLs and zones defined in them (commit 829849d, commit 242b90e, commit 302df81).
• Paulo Anes contributed server-down-max-fails which helps combat Recursive DNS based amplification attacks. Described in this post. Also comes with new metric ‘failed-host-entries’ in commit 406f46f.
• commit 21e7976: Implement “followCNAMERecords” feature in the Lua hooks.

Improvements:

• commit 06ea901: make pdns-distributes-queries use a hash so related queries get sent to the same thread. Original idea by Winfried Angele. Astoundingly effective, approximately half CPU usage!
• commit b13e737: –help now writes to stdout instead of stderr. Thanks Winfried Angele.
• To aid in limiting DoS attacks, when truncating a response, we actually truncate all the way so only the question remains. Suggested in ticket 1092, code in commit add935a.
• No longer experimental, the switch ‘pdns-distributes-queries’ can improve multi-threaded performance on Linux (various cleanup commits).
• Update to embedded PolarSSL, plus remove previous AES implementation and shift to PolarSSL (commit e22d9b4, commit 990ad9a)
• commit 92c0733 moves various Lua magic constants into an enum namespace.
• set group and supplementary groups before chroot (commit 6ee50ce, ticket 1198).
• commit 4e9a20e: raise our socket buffer setting so it no longer generates a warning about lowering it.
• commit 4e9a20e: warn about Linux suboptimal IPv6 settings if we detect them.
• SIGUSR2 turns on a ‘trace’ of all DNS traffic, a second SIGUSR2 now turns it off again. commit 4f217ce.
• Various fixes for Lua 5.2.
• commit 81859ba: No longer attempt to answer questions coming in from port 0, reply would not reach them anyhow. Thanks to Niels Bakker and ‘sid3windr’ for insight & debugging. Closes ticket 844.
• commit b1a2d6c: now, I’m not one to get OCD over things, but that log message about stats based on 1801 seconds got to me. 1800 now.

Fixes:

• 0c9de4fc: stay away from getaddrinfo unless we really can’t help it for ascii ipv6 conversions to binary
• commit 08f3f63: fix average latency calculation, closing ticket 424.
• commit 75ba907: Some of our counters were still 32 bits, now 64.
• commit 2f22827: Fix statistics and stability when running with pdns-distributes-queries.
• commit 6196f90: avoid merging old and new additional data, fixes an issue caused by weird (but probably legal) Akamai behavior
• commit 3a8a4d6: make sure we don’t exceed the number of available filedescriptors for mthreads. Raises performance in case of DoS. See this post for further details.
• commit 7313fe6: implement indexed packet cache wiping for recursor, orders of magnitude faster. Important when reloading all zones, which causes massive cache cleaning.
• rec_control get-all would include ‘cache-bytes’ and ‘packetcache-bytes’, which were expensive operations, too expensive for frequent polling. Removed in commit 8e42d27.
• All old workarounds for supporting Windows of the XP era have been removed.
• Fix issues on S390X based systems which have unsigned characters (commit 916a0fd)