PowerDNS Recursor

Software Details:
Version: 4.1.3 updated
Upload Date: 22 Jun 18
Developer: Trilab.com
Distribution Type: Freeware
Downloads: 58

Rating: 2.7/5 (Total Votes: 3)

PowerDNS Recursor is an open source, high-end, free, portable and high-performance resolving name server. It is command-line software that provides system administrators with a feature-rich and comprehensive set of technologies related to email and Internet Naming, and it is part of the well-known PowerDNS software suite.

PowerDNS is open source name server daemon software, written from scratch, that provides a high-performance, modern and advanced authoritative-only nameserver. It interfaces with almost any database, and conforms with all the relevant DNS (Domain Name System) standards documents.

Features at a glance

Key features include complete support for all popular standards, DNS64 support, the ability to reconfigure it without downtime, support for security measures and block lists, remote and local access, powerful anti-spoofing measures, answer reconditioning, question interception, NXDOMAIN redirection, plain BIND zone files, direct control API and built-in scripted answer generation based on Lua.

In addition, it includes top-notch features that are common to all PowerDNS products, including support for IPv4 (UDP and TCP), IPv6 (UDP and TCP), high performance, read-only SNMP (Simple Network Management Protocol) statistics bridge, as well as real-time graphing through remotely pollable statistics.

PowerDNS Recursor is very powerful software that can handle hundreds of millions of DNS resolutions, backed by multiple processors and the same state-of-the-art scripting functionality that is used on the PowerDNS Authoritative Server product. It is a very flexible and performant DNS resolution program written especially for GNU/Linux systems.

Under the hood and availability

PowerDNS is available on all major Linux distributions and uses a flexible backend architecture, specifically designed to enable access to DNS information from any data source. The software is written entirely in the C++ programming language and it’s available for download as native installers for Ubuntu/Debian and Red Hat/Fedora operating systems, as well as a source archive. It has been successfully tested on both 32-bit and 64-bit hardware platforms.

What is new in this release:

  • Improvements:
      • #6550, #6562: Add a subtree option to the API cache flush endpoint.
      • #6566: Use a separate, non-blocking pipe to distribute queries.
      • #6567: Move carbon/webserver/control/stats handling to a separate thread.
      • #6583: Add _raw versions for QName / ComboAddresses to the FFI API.
      • #6611, #6130: Update copyright years to 2018 (Matt Nordhoff).
      • #6474, #6596, #6478: Fix a warning on botan >= 2.5.0.
  • Bug Fixes:
      • #6313: Count a lookup into an internal auth zone as a cache miss.
      • #6467: Don't increase the DNSSEC validations counters when running with process-no-validate.
      • #6469: Respect the AXFR timeout while connecting to the RPZ server.
      • #6418, #6179: Increase MTasker stacksize to avoid crash in exception unwinding (Chris Hofstaedtler).
      • #6419, #6086: Use the SyncRes time in our unit tests when checking cache validity (Chris Hofstaedtler).
      • #6514, #6630: Add -rdynamic to C{,XX}FLAGS when we build with LuaJIT.
      • #6588, #6237: Delay the loading of RPZ zones until the parsing is done, fixing a race condition.
      • #6595, #6542, #6516, #6358, #6517: Reorder includes to avoid boost L conflict.

What is new in version :

  • Bug fixes:
      • #5930: Don't assume TXT record is first record for secpoll
      • #6082: Don't add non-IN records to the cache

What is new in version 4.0.6:

  • Bug fixes:
      • Use the incoming ECS for cache lookup if use-incoming-edns-subnet is set
      • when making a netmask from a comboaddress, we neglected to zero the port. This could lead to a proliferation of netmasks.
      • Don't take the initial ECS source for a scope one if EDNS is off
      • also set d_requestor without Lua: the ECS logic needs it
      • Fix IXFR skipping the additions part of the last sequence
      • Treat requestor's payload size lower than 512 as equal to 512
      • make URI integers 16 bits, fixes ticket #5443
      • unbreak quoting; fixes ticket #5401
  • Improvements:
      • with this, EDNS Client Subnet becomes compatible with the packet cache, using the existing variable answer facility.
      • Remove just enough entries from the cache, not one more than asked
      • Move expired cache entries to the front so they are expunged
      • changed IPv6 addr of b.root-servers.net
      • e.root-servers.net has IPv6 now
      • hello decaf signers (ED25519 and ED448) Testing algorithm 15: ‘Decaf ED25519' ->'Decaf ED25519' -> ‘Decaf ED25519' Signature & verify ok, signature 68usec, verify 93usec Testing algorithm 16: ‘Decaf ED448' ->'Decaf ED448' -> ‘Decaf ED448' Signature & verify ok, signature 163usec, verify 252usec
      • don't use the libdecaf ed25519 signer when libsodium is enabled
      • do not hash the message in the ed25519 signer
      • Disable use-incoming-edns-subnet by default

What is new in version 4.0.4:

  • Bug fixes:
      • commit 658d9e4: Check TSIG signature on IXFR (Security Advisory 2016-04)
      • commit 91acd82: Don't parse spurious RRs in queries when we don't need them (Security Advisory 2016-02)
      • commit 400e28d: Fix incorrect length check in DNSName when extracting qtype or qclass
      • commit 2168188: rec: Wait until after daemonizing to start the RPZ and protobuf threads
      • commit 3beb3b2: On (re-)priming, fetch the root NS records
      • commit cfeb109: rec: Fix src/dest inversion in the protobuf message for TCP queries
      • commit 46a6666: NSEC3 optout and Bogus insecure forward fixes
      • commit bb437d4: On RPZ customPolicy, follow the resulting CNAME
      • commit 6b5a8f3: DNSSEC: don't go bogus on zero configured DSs
      • commit 1fa6e1b: Don't crash on an empty query ring
      • commit bfb7e5d: Set the result to NoError before calling preresolve
  • Additions and Enhancements:
      • commit 7c3398a: Add max-recursion-depth to limit the number of internal recursion
      • commit 3d59c6f: Fix building with ECDSA support disabled in libcrypto
      • commit 0170a3b: Add requestorId and some comments to the protobuf definition file
      • commit d8cd67b: Make the negcache forwarded zones aware
      • commit 46ccbd6: Cache records for zones that were delegated to from a forwarded zone
      • commit 5aa64e6, commit 5f4242e and commit 0f707cd: DNSSEC: Implement keysearch based on zone-cuts
      • commit ddf6fa5: rec: Add support for boost::context >= 1.61
      • commit bb6bd6e: Add getRecursorThreadId() to Lua, identifying the current thread
      • commit d8baf17: Handle CNAMEs at the apex of secure zones to other secure zones

What is new in version 4.0.0:

  • We changed many things internally to the nameserver:
      • Moved to C++ 2011, a cleaner more powerful version of C++ that has allowed us to improve the quality of implementation in many places.
      • Implemented dedicated infrastructure for dealing with DNS names that is fully "DNS Native" and needs less escaping and unescaping.
      • Switched to binary storage of DNS records in all places.
      • Moved ACLs to a dedicated Netmask Tree.
      • Implemented a version of RCU for configuration changes
      • Instrumented our use of the memory allocator, reduced number of malloc calls substantially.
      • The Lua hook infrastructure was redone using LuaWrapper; old scripts will no longer work, but new scripts are easier to write under the new interface.
  • Due to these changes, PowerDNS Recursor 4.0.0 is almost an order of magnitude faster than the 3.7 branch.
  • DNSSEC processing: if you ask for DNSSEC records, you will get them.
  • DNSSEC validation: if so configured, PowerDNS performs DNSSEC validation of your answers.
  • Completely revamped Lua scripting API that is "DNSName" native and therefore far less error prone, and likely faster for most commonly used scenarios. Loads and indexes a 1 million domain custom policy list in a few seconds.
  • New asynchronous per-domain, per-ip address, query engine. This allows PowerDNS to consult an external service in realtime to determine client or domain status. This could for example mean looking up actual customer identity from a DHCP server based on IP address (option 82 for example).
  • RPZ (from file, over AXFR or IXFR) support. This loads the largest Spamhaus zone in 5 seconds on our hardware, containing around 2 million instructions.
  • All caches can now be wiped on suffixes, because of canonical ordering.
  • Many, many more relevant performance metrics, including upstream authoritative performance measurements ('is it me or the network that is slow').
  • EDNS Client Subnet support, including cache awareness of subnet-varying answers.
  • DNSSEC:
      • As stated in the features section above, the PowerDNS Recursor now has DNSSEC processing and experimental DNSSEC validation support. DNSSEC processing means the nameserver will return RRSIG records when requested to do so by the client (by means of the DO-bit) and will always retrieve the RRSIGs even if the client does not ask for them. It will perform validation and set the AD-bit in the response if the client requests validation. In full-blown DNSSEC mode, the PowerDNS Recursor will validate the answers and set the AD-bit in validated answers if the client requests it and will SERVFAIL on bogus answers to all clients.
      • The DNSSEC support is marked experimental, but functional at the moment, as it has 2 limitations:
          • Negative answers are validated but the NSEC proof is not fully checked.
          • Zones that have a CNAME at the apex (which is 'wrong' anyway) validate as Bogus.
      • If you run with DNSSEC enabled and notice broken domains, do file an issue.

What is new in version 3.7.2:

  • The most important part of this update is a fix for CVE-2015-1868.

What is new in version 3.6.2:

  • commit ab14b4f: expedite servfail generation for ezdns-like failures (fully abort query resolving if we hit more than 50 outqueries)
  • commit 42025be: PowerDNS now polls the security status of a release at startup and periodically. More detail on this feature, and how to turn it off, can be found in Section 2, "Security polling".
  • commit 5027429: We did not transmit the right 'local' socket address to Lua for TCP/IP queries in the recursor. In addition, we would attempt to look up a file descriptor that wasn't there in an unlocked map which could conceivably lead to crashes. Closes ticket 1828, thanks Winfried for reporting
  • commit 752756c: Sync embedded yahttp copy. API: Replace HTTP Basic auth with static key in custom header
  • commit 6fdd40d: add missing #include to rec-channel.hh (this fixes building on OS X).

What is new in version 3.5.3:

  • 3.5 replaced our ANY query with A+AAAA for users with IPv6 enabled. Extensive measurements by Darren Gamble showed that this change had a non-trivial performance impact. We now do the ANY query like before, but fall back to the individual A+AAAA queries when necessary. Change in commit 1147a8b.
  • The IPv6 address for d.root-servers.net was added in commit 66cf384, thanks Ralf van der Enden.
  • We now drop packets with a non-zero opcode (i.e. special packets like DNS UPDATE) earlier on. If the experimental pdns-distributes-queries flag is enabled, this fix avoids a crash. Normal setups were never susceptible to this crash. Code in commit 35bc40d, closes ticket 945.
  • TXT handling was somewhat improved in commit 4b57460, closing ticket 795.

What is new in version 3.3:

  • This release fixes a number of small but persistent issues, rounds off the IPv6 support, and adds an important feature for many users of the Lua scripts.
  • In addition, scalability on Solaris 10 has been improved.
  • This release is identical to RC3.

What is new in version 3.3 RC3:

  • This version fixes a number of small but persistent issues, rounds off the IPv6 support, and adds an important feature for many users of the Lua scripts.
  • In addition, scalability on Solaris 10 has been improved.
  • Since RC2, a harmless but scary message about an expired root has been removed.

What is new in version 3.3 RC2:

  • This release fixes a number of small but persistent issues, rounds off the IPv6 support, and adds an important feature for many users of the Lua scripts.
  • In addition, scalability on Solaris 10 has been improved.
  • Since RC1, compilation on RHEL5 has been fixed.
