Thu 13 Apr 2017  

getdns-1.1.0 release

aa47bca275b97f623dc6799cee97d3465fa46521d94bd9892e08e8d5d88f09c3

Dear all,

We are pleased to announce release 1.1.0 of our library implementation of the getdns API.

This version comes with the DNS Privacy stub resolver Stubby. Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy. Stubby is in the early stages of development but is suitable for technical/advanced users. A more generally user-friendly version is on the way! More information about Stubby is here:

Stubby will be build by default and will be installed in the ${PREFIX}/bin directory. Also the getdns_query test tool will be build and installed by default now. If you want the library only, you can disable building and installation of those programs with the --without-stubby and --without-getdns_query options to configure.

getdns_query (and Stubby) have had functionality added which was not part of the original API specification, but which we think is useful for other applications as well. This includes functions that have been added to deal with parsing and configuring getdns with a configuration file, and functions to serve DNS requests.

To handle configuration files, functions were added to convert strings to getdns native types, getdns_str2dict(), getdns_str2list(), getdns_str2bindata() and getdns_str2int(); A getdns_context can then be configured with a resulting getdns_dict with the new getdns_context_config() function. This can reduce the amount of code needed to setup a context in a C program.

It also provides default values for extensions and allows the trust anchor and root hints files to be directly specified. For example, the following piece of C code would configure the context to do DNSSEC roadblock avoidance (i.e. validate DNSSEC as stub, fallback to full recursive with hampering middleboxes), with alternative trust-anchor and root-hints.

if (GETDNS_RETURN_GOOD == getdns_str2dict(
    "{ dnssec_roadblock_avoidance: GETDNS_EXTENSION_TRUE"
    ", dns_root_servers: \"/etc/yeti/named.cache\""
    ", dnssec_trust_anchors: \"/etc/yeti/KSK.pub\""
    "}", &config_dict))
        getdns_context_config(context, config_dict);

More detailed (doxygen) documentation about the string to getdns data structure functions, and about configuring getdns_contexts with getdns_dicts is here:

The getdns_context_set_listen_addresses() function, allows the user to register a request handler function and list of addresses that will be listened on when the eventloop is run. The request handler function will be called when a DNS requests arrives, with the request in getdns reply dict format. The request handler may construct a response to the request and eventually has to call getdns_reply() with that response to answer the request (or NULL to cancel).

I will try to provide and example blog post on the website for this functionality shortly. For now, we have the doxygen documentation and the IETF97 hackathon project delaydns which was using this functionality:

Besides these new functions, we have much improved and more stable and robust scheduling of requests:

  • The default event loop, which is also used for synchronous requests, is now based on poll() instead of select() and does not inherit select()'s limits any more.
  • The limit on number of outstanding queries, set with the getdns_context_limit_outstanding_queries() function, will now also be obeyed in stub mode. This was an omission from the 1.0.0 release.
  • getdns will now queue up requests that could not be scheduled because of resource limitations, to be rescheduled when resources become available again.

We now also have:

Finally, we have a new draft MDNS-client implementation by Christian Huitema. To enable it, use the --enable-draft-mdns-client option to configure.

Happy Easter!


ChangeLog:
* 2017-04-13: Version 1.1.0
  * bugfix: Check size of tls_auth_name.
  * Improvements that came from Visual Studio static analysis
  * Fix to compile with libressl.  Thanks phicoh.
  * Spelling fixes.  Thanks Andreas Schulze.
  * bugfix: Reschedule request timeout when getting the DNSSEC chain.
  * getdns_context_unset_edns_maximum_udp_payload_size() to reset
    to default IPv4/IPv6 dependent edns max udp payload size.
  * Implement sensible default edns0 padding policy.  Thanks DKG.
  * Keep connections open with sync requests too.
  * Fix of event loops so they do not give up with naked timers with
    windows.  Thanks Christian Huitema.
  * Include peer certificate with DNS-over-TLS in combination with
    the return_call_reporting extension.
  * More fine grained control over TLS upstream retry and back off
    behaviour with getdns_context_set_tls_backoff_time() and
    getdns_context_set_tls_connection_retries().
  * New round robin over the available upstreams feaure.
    Enable with getdns_context_set_round_robin_upstreams()
  * Bugfix: Queue requests when no sockets available for outgoing queries.
  * Obey the outstanding query limit with STUB resolution mode too.
  * Updated stubby config file
  * Draft MDNS client implementation by Christian Huitema.
    Enable with --enable-draft-mdns-support to configure
  * bugfix: Let synchronous queries use fds > MAX_FDSETSIZE;
            By moving default eventloop from select to poll
    Thanks Neil Cook
  * bugfix: authentication failure for self signed cert + only pinset
  * bugfix: issue with session re-use making authentication appear to fail

* 2016-10-19: Version 1.1.0-a2
  * Improved TLS connection management
  * OpenSSL 1.1 support
  * Stubby, Server version of getdns_query that by default listens
    on 127.0.0.1 and ::1 and reads config from /etc/stubby.conf
    and $HOME/.stubby.conf

* 2016-07-14: Version 1.1.0a1
  * Conversion functions from text strings to getdns native types:
    getdns_str2dict(), getdns_str2list(), getdns_str2bindata() and
    getdns_str2int()
  * A getdns_context_config() function that configures a context
    with settings given in a getdns_dict
  * A a getdns_context_set_listen_addresses() function and companion
    getdns_reply() function to construct simple name servers.
  * Relocate getdns_query to src/tools and build by default
  * Enhancements to the logic used to select connection based upstream
    transports (TCP, TLS) to improve robustness and re-use of
    connections/upstreams.

Related

  How to keep your ISP’s nose out of your browser history with encrypted DNS
  Sun 08 Apr 2018
  Media   DNS Privacy   Stubby
Blog post on DNS privacy by Sean Gallagher on Ars Technica
  How to Use Pihole With Stubby
  Mon 08 Jan 2018
  Media   DNS Privacy   Stubby
Guide by Frank Santoso describing how to use Stubby in the blockhole for Internet advertisements solution Pi-HOLE
  getdns-1.3.0 release
  Fri 22 Dec 2017
  Stubby   Zero config DNSSEC
Bug-, robustness- and stability-fixes that came out of Stubby usage
  First release candidate for getdns-1.2.2
  Thu 14 Dec 2017
  Stubby   Zero config DNSSEC
Bug-, robustness- and stability-fixes that came out of Stubby usage
  Quad9, a Public DNS Resolver - with Security
  Tue 21 Nov 2017
  Media   DNS Privacy   Stubby
Blog post on how to configure Stubby for use with Quad9 by Stéphane Bortzmeyer on RIPE Labs
  Privacy: Using DNS-over-TLS with the Quad9 DNS Service
  Mon 20 Nov 2017
  Media   DNS Privacy   Stubby
Blog post on how to configure Stubby for use with Quad9 by Alex Band
  getdns-1.2.1 release
  Sat 11 Nov 2017
  Stubby
Just bug-, robustness- and stability-fixes
  First release candidate for getdns-1.2.1
  Fri 03 Nov 2017
  Stubby
Just bug-, robustness- and stability-fixes
  getdns-1.2.0 release
  Fri 29 Sep 2017
  Stubby   Zero config DNSSEC
Zero configuration DNSSEC, Stubby config in YAML format and resilient TLS upstream management
  First release candidate for getdns-1.2.0
  Fri 22 Sep 2017
  Stubby   Zero config DNSSEC
Zero configuration DNSSEC, YAML config files and resilient TLS upstream management
  DNS over TLS: experience from the Go6lab
  Tue 05 Sep 2017
  Media   DNS Privacy   Stubby
Jan Žorž giving Stubby a spin in this excellent article on ISOC's Deploy360 blog
  getdns-1.1.3 release
  Mon 04 Sep 2017
  Stubby
Bugfixes and Stubby in its own repository
  First release candidate for getdns-1.1.3
  Fri 25 Aug 2017
  Stubby
Bugfixes and Stubby in its own repository
  DNS Privacy daemon - Stubby
  Wed 23 Aug 2017
  Sara Dickinson   Stubby   DNS Privacy
A reference page on how to get up and running with Stubby!
  Der coole Stubby
  Fri 18 Aug 2017
  Media   DNS Privacy   Stubby
Stubby mentioned in article about progress in DNS privacy in c't magazine
  getdns-1.1.2 release
  Mon 03 Jul 2017
  Stubby
At runtime upstream statistics logging
  First release candidate for getdns-1.1.2
  Wed 28 Jun 2017
  Stubby
At runtime upstream statistics logging
  getdns-1.1.1 release
  Thu 15 Jun 2017
  Stubby
stubby.conf and DNS setup script + guidance
  First release candidate for getdns-1.1.1
  Thu 08 Jun 2017
  Stubby
stubby.conf and DNS setup script + guidance
  Second release candidate for getdns-1.1.0
  Thu 06 Apr 2017
  1.1.0 release   Stubby
Fixes for things uncovered during IETF98 Hackathon.
  Developing a monitoring plugin for DNS-over-TLS at the IETF hackathon
  Mon 27 Mar 2017
  Media   Hackathon   1.1.0 release   DNS Privacy
Stephane Bortzmeyer's blog post about developing a DNS-over-TLS monitor plugin at the IETF98 hackathon
  IETF98 Hackathon results
  Sun 26 Mar 2017
  Hackathon @ IETF98
  Sara Dickinson   Hackathon   1.1.0 release
Overview of the DNS hackathon projects at the IETF98
  First release candidate for getdns-1.1.0
  Thu 23 Mar 2017
  1.1.0 release   Stubby
New features release. Functions for serving DNS. Stubby on board!
  Another mention of Stubby in the register
  Tue 06 Dec 2016
  Media   Stubby   DNS Privacy
Stubby in The Register again in an article about IETF pervasive monitoring work
  The Register article about Stubby
  Tue 22 Nov 2016
  Media   Stubby   DNS Privacy
The popular UK online computer magazine theregister.co.uk published an article about Stubby
  heise.de article about Stubby
  Thu 17 Nov 2016
  Media   Stubby   DNS Privacy
The popular German online computer magazine Heise.de published an article about Stubby
  DNS Privacy
  Sun 13 Nov 2016
  Tutorial @ IETF97
  Sara Dickinson   Stubby   DNS Privacy
DNS Privacy tutorial mentioning stubby at the IETF97 in Seoul
  Stubby
  Wed 19 Oct 2016
  NANOG68
  Willem Toorop   Stubby
Introducting Stubby at the NANOG68 in Dallas
  Second alpha release for getdns-1.1.0
  Wed 19 Oct 2016
  1.1.0 release
Introducting Stubby, a Privacy and Security local end-point stub resolver
  First alpha release for getdns-1.1.0
  Thu 14 Jul 2016
  1.1.0 release
str 2 getdns type conversion functions. Configure a context by dict. Functions for creating simple servers.