Release of PowerDNS Recursor 4.3 and KnotDNS 2.9.3

PowerDNS Recursor 4.3, a caching DNS server responsible for recursive name resolution, has been released. PowerDNS Recursor is built on the same codebase as PowerDNS Authoritative Server, but the recursive and authoritative DNS servers follow separate development cycles and are released as separate products. The project code is distributed under the GPLv2 licence.

The server provides tools for remote statistics collection, supports instant restart, has a built-in engine for attaching Lua handlers, fully supports DNSSEC, DNS64 and RPZ (Response Policy Zones), and allows blocklists to be plugged in. Resolution results can be written out as BIND zone files. For high performance it uses the modern connection multiplexing mechanisms of FreeBSD, Linux and Solaris (kqueue, epoll, /dev/poll) together with a fast DNS packet parser capable of handling tens of thousands of parallel requests.

In the new version:

  • To prevent leaking information about the requested domain and to improve privacy, QNAME minimisation (RFC 7816) is now enabled by default, operating in “relaxed” mode. The idea is that the resolver does not reveal the full name of the requested host in its queries to upstream name servers. For example, when resolving the host foo.bar.baz.com, the resolver sends the query "QTYPE=NS,QNAME=baz.com" to the authoritative server for the ".com" zone, without mentioning "foo.bar". At present only the “relaxed” mode is implemented.
  • Outgoing queries to authoritative servers, and the responses to them, can now be logged in dnstap format (this requires a build configured with the “--enable-dnstap” option).
  • Several incoming requests received over a single TCP connection can now be processed concurrently, with results returned as they become ready rather than in the order the requests were queued. The number of concurrent requests is limited by the “max-concurrent-requests-per-tcp-connection” setting.
  • A technique for tracking newly observed domains, NOD (Newly Observed Domain), has been implemented. It can be used to identify suspicious domains or domains associated with malicious activity, such as distributing malware, taking part in phishing, or running botnets. The method works by identifying domains that have not been queried before and analysing those new domains. Instead of checking new domains against a complete database of every domain ever seen, which would require significant resources to maintain, NOD uses a probabilistic structure, the SBF (Stable Bloom Filter), which keeps memory and CPU consumption to a minimum. To enable it, set “new-domain-tracking=yes” in the configuration.
  • When running under systemd, the PowerDNS Recursor process now runs as the unprivileged user pdns-recursor instead of root. On systems without systemd and without chroot, the default directory for the control socket and pid file is now /var/run/pdns-recursor.
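The QNAME minimisation example in the list above, simulated end to end as an added example (this is not PowerDNS code). The authoritative side is a constructed toy model: each zone lists the child zones it delegates, plus optional names for which a misbehaving server wrongly answers NXDOMAIN at an intermediate label. The "relaxed" handling shown (fall back to the full, non-minimised query when an intermediate NS query gets NXDOMAIN) is this example's reading of the mode; the function and class names are the example's own.

```python
from dataclasses import dataclass, field


# Constructed stand-in for the authoritative servers (not a real resolver API).
@dataclass
class ToyAuthority:
    delegations: dict                      # zone -> set of child zones it delegates
    broken_ents: set = field(default_factory=set)  # names wrongly answered NXDOMAIN

    def answer(self, zone, qname, qtype):
        """Outcome of asking the servers for `zone` about qname/qtype."""
        if qname in self.broken_ents:
            return "NXDOMAIN"
        if qname in self.delegations.get(zone, set()):
            return "REFERRAL"              # delegation: a new zone cut below `zone`
        return "NOERROR"                   # name lives inside `zone` (answer or NODATA)


def names_from_root(name):
    """'foo.bar.baz.com.' -> ['com.', 'baz.com.', 'bar.baz.com.', 'foo.bar.baz.com.']"""
    parts = [p for p in name.lower().rstrip(".").split(".") if p]
    return [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]


def is_below(name, zone):
    return zone == "." or name.endswith("." + zone)


def minimised_queries(qname, qtype, auth, known_cut=".", relaxed=True):
    """Simulate RFC 7816 QNAME minimisation starting from the closest zone cut
    the resolver already has name servers for. Returns the list of
    (zone asked, qname sent, qtype sent, outcome) tuples the resolver emits."""
    full = qname.lower()
    if not full.endswith("."):
        full += "."
    steps = [n for n in names_from_root(full) if is_below(n, known_cut) and n != known_cut]
    cut, log = known_cut, []
    for name in steps:
        if name == full:
            # All labels added: only now send the real question type.
            log.append((cut, name, qtype, auth.answer(cut, name, qtype)))
            break
        outcome = auth.answer(cut, name, "NS")
        log.append((cut, name, "NS", outcome))
        if outcome == "REFERRAL":
            cut = name                     # follow the delegation downwards
        elif outcome == "NXDOMAIN":
            if not relaxed:
                break                      # strict mode: trust the NXDOMAIN and stop
            # Relaxed mode (this example's assumption): retry with the full name.
            log.append((cut, full, qtype, auth.answer(cut, full, qtype)))
            break
    return log


def names_seen_by(log, zone):
    """Which QNAMEs did the servers for `zone` actually get to see?"""
    return {q for (z, q, _t, _o) in log if z == zone}


if __name__ == "__main__":
    auth = ToyAuthority({".": {"com."}, "com.": {"baz.com."}})
    for step in minimised_queries("foo.bar.baz.com", "A", auth, known_cut="com."):
        print(step)
```

Running it shows the ".com" servers only ever see "baz.com." (an NS query), while "foo.bar.baz.com." is first sent to the baz.com servers. Setting `broken_ents={"bar.baz.com."}` reproduces the failure mode that makes the relaxed fallback necessary: in strict mode the resolution stops at the bogus NXDOMAIN, in relaxed mode the resolver retries the full name.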

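The Stable Bloom Filter behind the NOD feature, as an added example that is not PowerDNS's implementation: a fixed array of small counters in which every insertion first decrements a few randomly chosen cells and then sets the new item's cells to their maximum, so old domains fade out and memory stays bounded however long the query stream runs. The cell count, hash count, decrement count and counter width below are this example's choices, not the recursor's defaults, and the query names are constructed.

```python
import hashlib
import random


class StableBloomFilter:
    """Stable Bloom Filter (Deng & Rafiei, 2006) over d-bit counters."""

    def __init__(self, cells=1 << 16, hashes=3, decrements=10, counter_bits=3, seed=0):
        assert hashes <= 8                 # positions are carved from a 32-byte digest
        self.cells = [0] * cells
        self.k = hashes
        self.p = decrements
        self.max = (1 << counter_bits) - 1
        self.rng = random.Random(seed)     # seeded only to keep the example reproducible

    def _positions(self, item):
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % len(self.cells)
                for i in range(self.k)]

    def seen(self, item):
        return all(self.cells[i] > 0 for i in self._positions(item))

    def add(self, item):
        start = self.rng.randrange(len(self.cells))
        for j in range(self.p):            # age P consecutive cells by one
            idx = (start + j) % len(self.cells)
            if self.cells[idx] > 0:
                self.cells[idx] -= 1
        for i in self._positions(item):    # then remember this item at full strength
            self.cells[i] = self.max


def normalise(qname):
    """DNS names are case-insensitive; drop the trailing dot so 'A.Example.' == 'a.example'."""
    return qname.rstrip(".").lower()


def classify_stream(sbf, qnames):
    """For each queried name return True if it is newly observed (never seen, or
    seen so long ago that the filter has forgotten it), then record it."""
    verdicts = []
    for q in qnames:
        name = normalise(q)
        verdicts.append(not sbf.seen(name))
        sbf.add(name)
    return verdicts


def aging_demo(sbf, total=20000, probe=200):
    """Insert `total` distinct constructed names and return the fraction of the
    first `probe` names the filter still remembers: old entries fade out while
    the cell array never grows."""
    names = [f"host{i}.example" for i in range(total)]
    for n in names:
        sbf.add(n)
    remembered = sum(sbf.seen(n) for n in names[:probe])
    return remembered / probe


if __name__ == "__main__":
    # Constructed sample of query names, not real traffic.
    sample = ["example.com.", "Example.COM", "example.com."]
    print(classify_stream(StableBloomFilter(), sample))   # [True, False, False]
    print(aging_demo(StableBloomFilter(cells=4096)))
```

Because each insertion decrements a cell by at most one and the counters start at their maximum, a name queried again shortly after its first appearance is always reported as known; only names absent for long enough for their counters to drain back to zero are reported as "new" again, which is the trade-off that lets NOD run without a database of every domain ever seen.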
KnotDNS 2.9.3 has also been released: a high-performance authoritative DNS server (the recursor is a separate application) that supports all modern DNS features. The project is developed by the Czech domain registry CZ.NIC, is written in C and is distributed under the GPLv3 licence.

KnotDNS is characterised by its focus on high query-processing throughput, achieved through a multi-threaded and mostly non-blocking implementation that scales well on SMP systems. Features include adding and removing zones on the fly, zone transfers between servers, DDNS (dynamic updates), NSID (RFC 5001), the EDNS0 and DNSSEC extensions (including NSEC3), and response rate limiting (RRL).

In the new release:

  • Added the 'remote.block-notify-after-transfer' setting to disable sending NOTIFY messages;
  • Implemented experimental support for the Ed448 algorithm in DNSSEC (requires GnuTLS 3.6.12+ and the not yet released Nettle 3.6+);
  • Added the 'local-serial' parameter to keymgr to get or set the SOA serial number of the signed zone in the KASP database;
  • Added support for importing Ed25519 and Ed448 keys in BIND DNS server format into keymgr;
  • The default 'server.tcp-io-timeout' has been increased to 500 ms, and the default 'database.journal-db-max-size' has been reduced to 512 MiB on 32-bit systems.

Source: opennet.ru