PowerDNS Recursor 4.3, a recursive DNS server, has been released

Last year we talked on this blog about PowerDNS, an open source DNS server that is an excellent option to consider: essentially it is a DNS server that uses a database as its backend (it supports a wide variety of them, including MySQL, PostgreSQL, SQLite3, Oracle and Microsoft SQL Server, as well as LDAP) or plain-text zone files in BIND format, which makes it easy to manage a large number of DNS records.

This time we are sharing news about a project developed from the same code base that recently received a new version: "PowerDNS Recursor".


About PowerDNS Recursor

It is responsible for recursive name resolution and is based on the same code base as the PowerDNS server, but the two are developed in separate development cycles and released as separate products.

PowerDNS Recursor (pdns_recursor) is a DNS resolver, which runs as a separate process.

This part of PowerDNS is single-threaded, but it is written as if it had multiple threads, using Boost and the MTasker library, a simple cooperative multitasking library. It is also available as a standalone package.

The server provides tools for remote statistics collection, supports instant restart, has a built-in engine for Lua scripting hooks, fully supports DNSSEC, DNS64 and RPZ (Response Policy Zones), and allows blacklists to be connected.

It also allows resolution results to be recorded in the form of BIND zone files. To ensure high performance, modern connection multiplexing mechanisms are used on FreeBSD, Linux and Solaris (kqueue, epoll, /dev/poll), together with a high-performance DNS packet parser that can handle tens of thousands of parallel requests.

If you want to know more about it, you can check its features in the project's documentation.

What's new in PowerDNS Recursor 4.3

In this new version, to prevent leaking information about the requested domain and to increase privacy, the developers enabled QNAME minimisation (RFC 7816) by default, operating in «relaxed» mode.

The essence of the mechanism is that the resolver does not send the full host name in its queries to upstream name servers.
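To make the difference between «strict» and «relaxed» minimisation concrete, here is a small model of the RFC 7816 name walk. This is an added example, not code from the article or from the PowerDNS project; the `upstream` callback, the constructed `BROKEN_ZONE` table and the response codes are assumptions that stand in for a real authoritative server.

```python
"""Toy model of RFC 7816 QNAME minimisation (added example, not PowerDNS code).

A minimising resolver sends a progressively longer name below the last
known zone cut instead of the full query name.  In "strict" mode an
NXDOMAIN/REFUSED for an intermediate name is taken as the final answer;
in "relaxed" mode the resolver falls back to the full name, because some
authoritative servers answer incorrectly for names they only delegate.
"""
from typing import Callable, List, Tuple


def labels(name: str) -> List[str]:
    """Split an FQDN into labels, dropping the trailing root dot."""
    return [lbl for lbl in name.rstrip(".").split(".") if lbl]


def minimised_names(qname: str, zone_cut: str) -> List[str]:
    """Names a minimising resolver sends below a known zone cut, one label at a time.

    For qname 'www.sub.example.com.' and zone cut 'com.' this yields
    ['example.com.', 'sub.example.com.', 'www.sub.example.com.'].
    """
    q, cut = labels(qname), labels(zone_cut)
    if cut and q[-len(cut):] != cut:
        raise ValueError("zone cut is not a suffix of the query name")
    remaining = q[: len(q) - len(cut)]
    names = []
    for i in range(len(remaining) - 1, -1, -1):
        names.append(".".join(remaining[i:] + cut) + ".")
    return names


def resolve(qname: str, zone_cut: str, upstream: Callable[[str], str],
            mode: str = "relaxed") -> Tuple[str, List[str]]:
    """Walk the minimised names; return (final status, names actually sent).

    `upstream(name)` simulates the authoritative server's response code.
    """
    names = minimised_names(qname, zone_cut)
    sent: List[str] = []
    for idx, name in enumerate(names):
        sent.append(name)
        status = upstream(name)
        if idx == len(names) - 1:
            return status, sent          # full name reached: this is the answer
        if status == "NOERROR":
            continue                     # intermediate name exists, keep walking
        if mode == "strict":
            return status, sent          # strict: trust the negative answer
        # relaxed: retry with the full name, as a non-minimising resolver would
        sent.append(names[-1])
        return upstream(names[-1]), sent
    return "NOERROR", sent


# Constructed "broken" authoritative server: it answers NXDOMAIN for the
# empty non-terminal sub.example.com. although www.sub.example.com. exists.
BROKEN_ZONE = {"example.com.": "NOERROR", "www.sub.example.com.": "NOERROR"}


def broken_upstream(name: str) -> str:
    return BROKEN_ZONE.get(name, "NXDOMAIN")


if __name__ == "__main__":
    for mode in ("strict", "relaxed"):
        print(mode, resolve("www.sub.example.com.", "com.", broken_upstream, mode))
```

Run as a script it shows that strict mode returns NXDOMAIN after two queries, while relaxed mode recovers the correct answer at the cost of one extra query carrying the full name, which is the trade-off behind the new default.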

In addition, the ability to log outgoing requests to authoritative servers, and the responses to them, in the dnstap format was implemented (to use it, a build with the --enable-dnstap option is required).

Simultaneous processing of multiple incoming requests sent over a single TCP connection is now provided: results are returned as soon as they are ready, not in the order in which the requests were queued. The limit on concurrent requests is set by the «max-concurrent-requests-per-tcp-connection» setting.

A newly observed domain (NOD) tracking technique has been implemented, which can be used to identify suspicious domains or domains related to malicious activity, such as malware distribution, phishing and botnet command and control.

The method is based on identifying domains that have not been seen before and analysing those new domains. Instead of checking each new domain against a complete database of every domain seen so far, which requires significant resources, NOD uses a probabilistic structure, the SBF (Stable Bloom Filter), to minimise memory and CPU consumption. To enable it, you must specify «new-domain-tracking=yes» in the settings.
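The following is an added example, not code from the article or from PowerDNS, showing why a Stable Bloom Filter suits this job: a minimal SBF (Deng and Rafiei, 2006) used the way NOD is described, flagging a domain as newly observed when the filter has never seen it and then recording it. The filter parameters, the domain stream and the `is_new` helper are constructed for illustration.

```python
"""Minimal Stable Bloom Filter for newly-observed-domain detection (added example).

Unlike a plain Bloom filter, each cell is a small counter; before every
insert a fixed number of random cells is decremented, so old entries fade
out and memory stays bounded no matter how many domains flow through.
The price is a small false-positive rate ("seen before" for a fresh name)
and, for names not seen for a long time, false negatives ("new" again).
"""
import hashlib
import random
from typing import Iterable, List


class StableBloomFilter:
    def __init__(self, cells: int = 1024, hashes: int = 3,
                 max_value: int = 16, decrements: int = 8, seed: int = 1):
        self.cells = [0] * cells
        self.k = hashes            # cells touched per item
        self.max = max_value       # value written on insert
        self.p = decrements        # cells decayed per insert
        self.rng = random.Random(seed)   # seeded so runs are reproducible

    def _positions(self, item: str) -> List[int]:
        # Derive k cell indexes from one SHA-256 digest; normalise the name first.
        digest = hashlib.sha256(item.lower().rstrip(".").encode()).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % len(self.cells)
                for i in range(self.k)]

    def _decay(self) -> None:
        # Randomly decrement p cells so entries expire over time.
        for _ in range(self.p):
            idx = self.rng.randrange(len(self.cells))
            if self.cells[idx] > 0:
                self.cells[idx] -= 1

    def contains(self, item: str) -> bool:
        return all(self.cells[i] > 0 for i in self._positions(item))

    def add(self, item: str) -> None:
        self._decay()
        for i in self._positions(item):
            self.cells[i] = self.max

    def is_new(self, item: str) -> bool:
        """True the first time a domain is observed (modulo false positives); records it."""
        seen = self.contains(item)
        self.add(item)
        return not seen


def detect_new_domains(stream: Iterable[str], sbf: StableBloomFilter = None) -> List[str]:
    """Return the domains from a query stream that the filter reports as newly observed."""
    sbf = sbf or StableBloomFilter()
    return [name for name in stream if sbf.is_new(name)]


# Constructed sample query stream; repeated names should not be flagged twice.
SAMPLE_STREAM = ["example.com", "example.com", "cdn.example.net",
                 "example.com", "login-example.test"]

if __name__ == "__main__":
    print(detect_new_domains(SAMPLE_STREAM))
```

The memory footprint is the fixed `cells` array regardless of how many distinct domains pass through, which is the property the article is pointing at; in practice the flagged names are what you would feed into further analysis (or the recursor's own logging) rather than block outright, because of the false-positive rate.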

In addition, when run under systemd, the PowerDNS recursor process now runs as the unprivileged user pdns-recursor instead of root. For systems without systemd and without chroot, the directory /var/run/pdns-recursor is now used by default to store the control socket and the pid file.

Finally, for those interested in trying it, the installation details can be consulted in the project's documentation.

