
Releases: semihalev/sdns

v1.6.1

28 Nov 14:51

What's Changed

New Features

  • Add Reflex middleware for DNS amplification/reflection attack detection (#438)
    • Behavioral scoring based on query patterns (rate, types, amplification)
    • A completed TCP connection proves the source IP is not spoofed (clears suspicion)
    • Bounded memory with automatic cleanup (100K IPs max)
    • Learning mode for threshold tuning
    • Prometheus metrics for monitoring
  • Add config validation flag -t/--test for CI/CD pipelines (#439)
  • Add cache Prometheus metrics (hits, misses, evictions, prefetches, size, hit rate) (#439)
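The Reflex bullets describe a behavioural scorer: per-source signals (query rate, amplification-prone query types, response-to-query byte ratio), a TCP handshake as proof that the address is real, a bounded table of tracked IPs, and a learning mode that scores without dropping. The following Go code is an added illustration of that model written for these notes; it is not the sdns Reflex middleware, and every threshold, weight and the list of amplification-prone types are constructed assumptions (sdns's real tunables are not on this page).

```go
package main

import "time"

// Constructed tunables for this example; sdns's own Reflex thresholds are not on the page.
const (
	maxTrackedIPs  = 4                // demo bound (the release notes say 100K for sdns)
	window         = 10 * time.Second // scoring window per source address
	rateAllowance  = 20               // queries per window before rate adds to the score
	rateWeight     = 1.0              // score per query above the allowance
	ampTypeWeight  = 5.0              // score per amplification-prone query type seen
	ampRatioWeight = 0.5              // score per unit of response/query byte ratio above 4
	suspectScore   = 50.0             // at or above this, UDP queries from the source are dropped
)

// Query types whose answers are usually far larger than the query (constructed list):
// ANY, TXT, DNSKEY, RRSIG.
var amplificationTypes = map[uint16]bool{255: true, 16: true, 48: true, 46: true}

type ipState struct {
	windowStart, lastSeen time.Time
	queries, ampQueries   int
	qBytes, rBytes        int
	tcpVerified           bool // a completed TCP handshake proves the source address is real
}

// Reflex scores UDP sources by behaviour; in learning mode it scores but never drops.
type Reflex struct {
	ips      map[string]*ipState
	learning bool
	now      func() time.Time
}

func NewReflex(learning bool) *Reflex {
	return &Reflex{ips: make(map[string]*ipState), learning: learning, now: time.Now}
}

// state returns the entry for ip, evicting the stalest entry when the table is full,
// so memory stays bounded no matter how many distinct (possibly spoofed) sources appear.
func (r *Reflex) state(ip string) *ipState {
	if s, ok := r.ips[ip]; ok {
		return s
	}
	if len(r.ips) >= maxTrackedIPs {
		victim, oldest, found := "", time.Time{}, false
		for k, s := range r.ips {
			if !found || s.lastSeen.Before(oldest) {
				victim, oldest, found = k, s.lastSeen, true
			}
		}
		delete(r.ips, victim)
	}
	s := &ipState{windowStart: r.now()}
	r.ips[ip] = s
	return s
}

// Observe records one UDP query and the size of the answer it would get, returning the
// source's current score and whether this query should be dropped.
func (r *Reflex) Observe(ip string, qtype uint16, queryBytes, responseBytes int) (float64, bool) {
	s := r.state(ip)
	now := r.now()
	if now.Sub(s.windowStart) > window { // start a fresh window, keeping the TCP proof
		*s = ipState{windowStart: now, tcpVerified: s.tcpVerified}
	}
	s.lastSeen = now
	s.queries++
	s.qBytes += queryBytes
	s.rBytes += responseBytes
	if amplificationTypes[qtype] {
		s.ampQueries++
	}
	score := scoreOf(s)
	return score, score >= suspectScore && !r.learning
}

// scoreOf combines rate, query-type and amplification-ratio signals; TCP-verified sources score zero.
func scoreOf(s *ipState) float64 {
	if s.tcpVerified {
		return 0
	}
	score := 0.0
	if s.queries > rateAllowance {
		score += float64(s.queries-rateAllowance) * rateWeight
	}
	score += float64(s.ampQueries) * ampTypeWeight
	if s.qBytes > 0 {
		if ratio := float64(s.rBytes) / float64(s.qBytes); ratio > 4 {
			score += (ratio - 4) * ampRatioWeight
		}
	}
	return score
}

// MarkTCP records that ip completed a TCP query: a spoofed source cannot finish the handshake.
func (r *Reflex) MarkTCP(ip string) { r.state(ip).tcpVerified = true }

// Tracked reports how many sources are currently held; never more than maxTrackedIPs.
func (r *Reflex) Tracked() int { return len(r.ips) }
```

With these constructed weights a source sending ANY queries that would each produce a 3000-byte answer crosses the drop threshold on its third query, a source sending ordinary A queries scores zero, and a source that has completed a TCP query is never dropped. In a real deployment the weights would be tuned in learning mode against observed traffic before enforcement is switched on.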

Bug Fixes

  • Fix rate limiter CPU spike (140% at 800 QPS) under random IP attacks (#403)
  • Fix concurrent CopyTo panic in resolver (#425)
  • Fix responses being silently truncated without the TC bit being set
  • Fix MaxConcurrentQueries default value (#425)
  • Fix Windows console ANSI escape codes issue (#401)

Improvements

  • Add circuit breaker pattern to prevent querying known-down servers (#425)
  • Add goroutine limiting (MaxConcurrentQueries) to prevent resource exhaustion (#425)
  • Update zlog to v2 with improved Windows terminal support
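The circuit breaker and MaxConcurrentQueries items are two classic resource-exhaustion defences for a resolver: stop spending sockets and goroutines on an upstream that is known to be down, and cap how many upstream exchanges are in flight at once. The Go code below is an added example written for these notes, not the sdns resolver's own implementation; the three-state breaker (closed, open, half-open with a single probe), the failure threshold of 3, the 30 s cooldown and the fail-fast rejection when the concurrency cap is hit are all constructed assumptions.

```go
package main

import (
	"errors"
	"sync"
	"time"
)

type breakerState int

const (
	closedState   breakerState = iota // healthy: queries flow to the server
	openState                         // tripped: queries fail fast, no network round trip
	halfOpenState                     // cooldown elapsed: exactly one probe query is let through
)

var (
	ErrOpen    = errors.New("circuit open: server known down")
	ErrTooBusy = errors.New("MaxConcurrentQueries reached")
)

// Breaker guards one upstream address. Thresholds are constructed for this example.
type Breaker struct {
	mu          sync.Mutex
	state       breakerState
	failures    int           // consecutive failures while closed
	maxFailures int           // trip after this many
	cooldown    time.Duration // how long to stay open before allowing a probe
	openedAt    time.Time
	probing     bool // a half-open probe is in flight
	now         func() time.Time
}

func NewBreaker(maxFailures int, cooldown time.Duration) *Breaker {
	return &Breaker{maxFailures: maxFailures, cooldown: cooldown, now: time.Now}
}

// Allow reports whether a query may be sent to the server right now.
func (b *Breaker) Allow() bool {
	b.mu.Lock()
	defer b.mu.Unlock()
	switch b.state {
	case closedState:
		return true
	case openState:
		if b.now().Sub(b.openedAt) < b.cooldown {
			return false
		}
		b.state, b.probing = halfOpenState, true
		return true
	default: // half-open: only one probe at a time
		if b.probing {
			return false
		}
		b.probing = true
		return true
	}
}

// Report feeds the outcome back: success closes the circuit, a failure counts towards
// tripping it, and a failed probe re-opens it immediately for another cooldown.
func (b *Breaker) Report(ok bool) {
	b.mu.Lock()
	defer b.mu.Unlock()
	b.probing = false
	if ok {
		b.state, b.failures = closedState, 0
		return
	}
	b.failures++
	if b.state == halfOpenState || b.failures >= b.maxFailures {
		b.state, b.openedAt = openState, b.now()
	}
}

// Do runs exchange (the network round trip) unless the breaker says the server is down.
func (b *Breaker) Do(exchange func() error) error {
	if !b.Allow() {
		return ErrOpen
	}
	err := exchange()
	b.Report(err == nil)
	return err
}

// Pool keeps one breaker per server plus a semaphore bounding in-flight upstream queries.
type Pool struct {
	mu       sync.Mutex
	breakers map[string]*Breaker
	sem      chan struct{}
}

func NewPool(maxConcurrent int) *Pool {
	return &Pool{breakers: make(map[string]*Breaker), sem: make(chan struct{}, maxConcurrent)}
}

// Query rejects at once when the concurrency cap is reached, then consults the server's breaker.
func (p *Pool) Query(addr string, exchange func() error) error {
	select {
	case p.sem <- struct{}{}:
		defer func() { <-p.sem }()
	default:
		return ErrTooBusy
	}
	p.mu.Lock()
	b, ok := p.breakers[addr]
	if !ok {
		b = NewBreaker(3, 30*time.Second)
		p.breakers[addr] = b
	}
	p.mu.Unlock()
	return b.Do(exchange)
}
```

Rejecting with ErrTooBusy rather than blocking is a design choice: under load a resolver is better off answering SERVFAIL quickly than queueing goroutines without bound. A blocking variant would wait on the semaphore with the query's context instead of using the default case.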

Testing

  • Add comprehensive tests for util, cache, resolver, kubernetes, blocklist packages
  • Improved overall test coverage

Dependencies

  • Bump github.com/miekg/dns from 1.1.66 to 1.1.68
  • Bump github.com/quic-go/quic-go from 0.53.0 to 0.55.0
  • Bump k8s.io/client-go from 0.33.2 to 0.34.2
  • Bump golang.org/x/crypto from 0.41.0 to 0.45.0
  • Bump github.com/prometheus/client_golang
  • Other dependency updates

Full Changelog: v1.6.0...v1.6.1

v1.6.0

06 Jul 20:35
68ef947

What's Changed

Major Performance Improvements

  • Improve cache performance with new segment-based implementation (#395)
    • 98.6% performance improvement (from 1359 ns/op to 18.66 ns/op)
    • Zero allocations for all operations
    • Better concurrency with 256 segments
  • Fix SyncUInt64Map memory leak (#394)
    • Fixed critical memory leak where deleted nodes were never freed
    • Implemented backward shift deletion

New Features

  • Add Kubernetes DNS middleware with killer mode (#385)
  • Implement endpoint support for headless services in sharded registry (#386)
  • Add automatic TLS certificate reloading and cache memory optimization (#392)
  • Added shared rate limiter

Bug Fixes

  • Fix QUIC API issues
  • Fix cache issues
  • Fix Kubernetes (K8s) issues

Full Changelog: v1.5.3...v1.6.0

v1.5.3

08 Jun 12:47

What's Changed

Features

  • Add Extended DNS Error (EDE) support with proper caching
  • Add wildcard domain support to blocklist (*.example.com)
  • Modernize codebase for Go 1.23+ compatibility

Bug Fixes

  • Fix EDE information not being preserved in cached responses
  • Fix goroutine leak in resolver fallback handling
  • Fix context timeout errors returning blank EDE messages
  • Fix DoQ test failures by removing KeepAlivePeriod
  • Fix blocklist SOA record placement

Performance Improvements

  • Optimize blocklist wildcard matching (360x faster for large lists)
  • Add fast path for empty blocklists
  • Use math/rand/v2 for better performance
  • Optimize extractRRSet for single-type queries
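The wildcard blocklist feature above (*.example.com) and the "360x faster for large lists" and "fast path for empty blocklists" items under Performance Improvements go together: matching a wildcard by scanning every entry and comparing suffixes costs O(entries) per query, whereas storing wildcard bases in a set and walking the query name's parent labels costs O(labels) regardless of list size. The Go code below is an added example written for these notes, not sdns's blocklist package; the entry syntax, the lower-casing and trailing-dot normalization, and the choice that *.example.com does not block the bare name example.com are assumptions for the example.

```go
package main

import "strings"

// Blocklist holds exact names and wildcard bases, lowercased and without the trailing dot,
// so "Ads.Example.COM." and "ads.example.com" are the same key.
type Blocklist struct {
	exact    map[string]struct{}
	wildcard map[string]struct{} // "*.example.com" is stored as "example.com"
}

func NewBlocklist() *Blocklist {
	return &Blocklist{exact: map[string]struct{}{}, wildcard: map[string]struct{}{}}
}

func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// Add accepts "ads.example.com" (exact) or "*.example.com" (wildcard), constructed syntax
// following the page's example entry.
func (b *Blocklist) Add(entry string) {
	n := normalize(entry)
	if base, ok := strings.CutPrefix(n, "*."); ok {
		b.wildcard[base] = struct{}{}
		return
	}
	b.exact[n] = struct{}{}
}

// Blocked answers in O(number of labels): one map probe for the exact name, then one per
// parent suffix. An empty list returns immediately (the fast path).
func (b *Blocklist) Blocked(qname string) bool {
	if len(b.exact) == 0 && len(b.wildcard) == 0 {
		return false
	}
	n := normalize(qname)
	if _, ok := b.exact[n]; ok {
		return true
	}
	// For a.b.example.com probe b.example.com, example.com, com; the bare base itself is not matched.
	for {
		_, rest, found := strings.Cut(n, ".")
		if !found {
			return false
		}
		if _, ok := b.wildcard[rest]; ok {
			return true
		}
		n = rest
	}
}

// BlockedNaive is the O(entries) reference the walk replaces: compare the name against every
// wildcard base. Kept here only so the two can be checked for agreement.
func (b *Blocklist) BlockedNaive(qname string) bool {
	n := normalize(qname)
	if _, ok := b.exact[n]; ok {
		return true
	}
	for base := range b.wildcard {
		if strings.HasSuffix(n, "."+base) {
			return true
		}
	}
	return false
}
```

The naive form also shows the pitfall a suffix check must avoid: matching "example.com" as a plain suffix would block notexample.com, which is why the comparison includes the leading dot and the walk probes whole labels.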

Code Quality

  • Replace interface{} with any throughout codebase
  • Use slices package for slice operations
  • Use clear() builtin for map/slice clearing
  • Add comprehensive tests for EDE functionality
  • Improve error handling with errors.Is()

Other Changes

  • Rename zregister.go to registry.go for clarity
  • Improve snap packaging with automatic release detection
  • Add GitHub Actions workflow for snap releases
  • Update documentation and examples

Full Changelog: v1.5.2...v1.5.3

v1.5.2

07 Jun 22:12

What's Changed

Critical Bug Fixes

  • Updated zlog to v1.2.4 to fix NetBSD compilation issues

v1.5.1

07 Jun 21:46

What's Changed

Critical Bug Fixes

  • Fixed NSEC validation for non-existent TLDs (e.g., random TLD queries)
  • Fixed NXDOMAIN responses being incorrectly returned as NOERROR from cache
  • Fixed goroutine leak in DNS resolver's singleflight operations
  • Fixed SERVFAIL cache TTL from 5 seconds to 30 seconds to prevent repeated queries to failed servers

DNSSEC Improvements

  • Implemented RFC 8914 Extended DNS Errors (EDE) support for better diagnostics
  • Fixed RRSIG expiration handling in cache TTL calculations
  • Improved NSEC/NSEC3 validation for better RFC compliance
  • Fixed AD flag handling for authenticated responses

Performance Improvements

  • Zero-allocation cache key generation using sync.Pool (~25% faster)
  • Zero-allocation logging with migration to zlog v1.2.3
  • Optimized NSEC coverage checks for better performance

Other Changes

  • Migrated from log to zlog v1.2.3 for better performance
  • Improved error messages with typed errors
  • Better handling of single-name zones and edge cases
  • Updated various dependencies for security and performance

What's Fixed

This release primarily addresses critical bugs discovered after v1.5.0, with a focus on DNSSEC validation correctness and cache performance. The SERVFAIL caching fix significantly improves performance when dealing with unreachable or failing authoritative servers.

Docker

docker pull ghcr.io/semihalev/sdns:v1.5.1

Checksums

Checksums will be automatically added by the release workflow.

Full Changelog: v1.5.0...v1.5.1

v1.5.0

05 Jun 08:38
c3f64c6

What's Changed

Overview

SDNS v1.5.0 is a major release featuring comprehensive modernization, significant performance improvements, and new enterprise-grade features. This release marks a substantial upgrade with enhanced monitoring capabilities, improved caching mechanisms, and better operational visibility.

New Features

1. Domain Metrics with Prometheus Integration

  • Per-domain query metrics: Track query counts for individual domains
  • Prometheus integration: Export metrics in Prometheus format for monitoring
  • Smart filtering: Automatically filters out single-label domains (TLDs)
  • Configurable limits: Control maximum domains to track with domainmetricslimit
  • Auto-eviction: Low-count domains are automatically evicted to maintain performance
  • Configuration: Enable with domainmetrics = "on" in config

2. Dnstap Binary Logging Support

  • Full dnstap protocol implementation: Industry-standard binary DNS message logging
  • Unix socket support: Connect to dnstap collectors via Unix sockets
  • Auto-reconnection: Automatic reconnection on connection failures
  • Configurable logging: Choose to log queries, responses, or both
  • Buffered writes: Efficient buffering for high-throughput environments
  • 100% test coverage: Thoroughly tested implementation

3. TCP Connection Pooling with Keepalive

  • Persistent TCP connections: Reuse TCP connections to root and TLD servers
  • EDNS-Keepalive support: Properly implements RFC 7828 for connection persistence
  • Configurable timeouts: Separate timeouts for root (5s) and TLD servers (10s)
  • Connection pool management: Automatic cleanup and connection limiting
  • Significant latency reduction: Eliminates TCP handshake overhead for subsequent queries
  • Configuration: Enable with tcpkeepalive = true in config
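RFC 7828 defines the edns-tcp-keepalive option (EDNS option code 11): a client includes it with an empty value to say it supports persistent connections, and a server answers with a 16-bit TIMEOUT counted in units of 100 ms, where zero tells the client to close the connection after this response. The Go code below is an added example written for these notes, not sdns's connection-pool code; it encodes and parses the option on raw OPT RDATA without a DNS library, and the rule for choosing the idle time (the server's value capped by a local per-tier timeout such as the roottcptimeout and tldtcptimeout settings above, falling back to the local cap when the server sent no option) is an assumption for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"time"
)

// RFC 7828 option code for edns-tcp-keepalive; TIMEOUT is a 16-bit count of 100 ms units.
const optTCPKeepalive = 11

// KeepaliveQueryOption is what a client places in its OPT RR: code 11 with an empty value.
func KeepaliveQueryOption() []byte { return []byte{0x00, 0x0b, 0x00, 0x00} }

// KeepaliveResponseOption encodes the idle timeout a server is willing to hold the connection,
// saturating at the largest representable value.
func KeepaliveResponseOption(timeout time.Duration) []byte {
	units := timeout / (100 * time.Millisecond)
	if units > 0xFFFF {
		units = 0xFFFF
	}
	opt := make([]byte, 6)
	binary.BigEndian.PutUint16(opt[0:], optTCPKeepalive)
	binary.BigEndian.PutUint16(opt[2:], 2)
	binary.BigEndian.PutUint16(opt[4:], uint16(units))
	return opt
}

// ParseKeepalive scans a response's OPT RDATA (a sequence of code/length/value options) for the
// keepalive option and returns the advertised idle timeout. Lengths that do not fit the buffer,
// or a keepalive option without its 2-byte TIMEOUT, are rejected rather than guessed at.
func ParseKeepalive(rdata []byte) (timeout time.Duration, found bool, err error) {
	for len(rdata) > 0 {
		if len(rdata) < 4 {
			return 0, false, errors.New("truncated EDNS option header")
		}
		code := binary.BigEndian.Uint16(rdata[0:])
		n := int(binary.BigEndian.Uint16(rdata[2:]))
		if len(rdata) < 4+n {
			return 0, false, errors.New("EDNS option length exceeds RDATA")
		}
		if code == optTCPKeepalive {
			if n != 2 {
				return 0, false, errors.New("edns-tcp-keepalive in response without 2-byte TIMEOUT")
			}
			units := time.Duration(binary.BigEndian.Uint16(rdata[4:6]))
			return units * 100 * time.Millisecond, true, nil
		}
		rdata = rdata[4+n:]
	}
	return 0, false, nil
}

// KeepOpenFor decides how long a pooled connection may sit idle: the server's advertised
// timeout, capped by the local per-tier setting. Zero means close once this response is read.
// Without the option the example falls back to the local cap (an assumption, not RFC text).
func KeepOpenFor(advertised time.Duration, found bool, localCap time.Duration) time.Duration {
	if !found || advertised > localCap {
		return localCap
	}
	return advertised
}
```

Honouring the server's TIMEOUT matters for pool hygiene: keeping a connection open past the value the server advertised just means the next query lands on a socket the server has already closed, costing a retry plus the handshake the pool was meant to avoid.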

4. High-Performance Caching System

  • New SyncUInt64Map: Generic high-performance map with atomic operations
  • Parallel nameserver lookups: Improved resolver performance with concurrent queries
  • Smart cache eviction: Random bucket sampling for efficient eviction
  • Separate positive/negative caches: Better cache management and hit rates
  • Prefetch queue improvements: More efficient DNS prefetching

Performance Improvements

Benchmark Results (June 2025)

  • Query throughput: 709 QPS (24% improvement from v1.3.3's 571 QPS)
  • Average latency: 137ms (significantly faster than previous versions)
  • Lost queries: Only 2 out of 50,000 (99.996% success rate)
  • Runtime: 70.5s for 50,000 queries (19% faster than v1.3.3's 87.5s)
  • Cache hit rate: Significantly improved with new caching architecture
  • Memory efficiency: Better memory utilization with optimized data structures

Key Optimizations

  • TCP Connection Pooling: Eliminates repeated TCP handshakes to authoritative servers
  • Parallel nameserver lookups for faster resolution
  • Lock-free data structures with atomic operations
  • Efficient random sampling for cache eviction (avoiding O(n) iterations)
  • Migrated to golang.org/x/sync/singleflight for deduplication

Code Modernization

Go 1.23 Compatibility

  • Updated to Go 1.23 with modern patterns
  • Proper error wrapping with %w format
  • Use of strings.Cut for string operations
  • HTTP clients with proper timeouts
  • Modern test patterns and benchmarks

Improved Code Quality

  • Test coverage: Significantly improved across all packages
  • Race condition fixes: Resolved multiple race conditions
  • Linting: Updated to latest golangci-lint with comprehensive checks
  • Documentation: Enhanced inline documentation and configuration comments

Configuration Enhancements

New Configuration Options

# TCP Connection Pooling
tcpkeepalive = true               # Enable TCP connection pooling
roottcptimeout = "5s"             # TCP idle timeout for root servers
tldtcptimeout = "10s"             # TCP idle timeout for TLD servers
tcpmaxconnections = 100           # Maximum pooled TCP connections

# Domain metrics configuration
domainmetrics = "on"              # Enable domain metrics
domainmetricslimit = 10000        # Maximum domains to track

# Dnstap configuration  
dnstap = "on"                     # Enable dnstap logging
dnstappath = "/tmp/dnstap.sock"   # Unix socket path
dnstapidentity = "sdns"           # Server identity
dnstapversion = "1.5.0"           # Server version

Configuration File Improvements

  • Detailed inline documentation for all options
  • Better organization and grouping
  • Validation with helpful error messages
  • Config test coverage improved from 77.8% to 90.0%

Bug Fixes

  • Fixed race conditions in resolver's parallel lookup
  • Fixed race condition in blocklist's timesSeen map
  • Fixed root priming issues
  • Improved error handling throughout the codebase
  • Fixed Windows path handling in tests

Upgrading to v1.5.0

No Breaking Changes

All changes in v1.5.0 are backward compatible. Existing configurations will continue to work without modification.

Recommended Actions

  1. Review new configuration options (domain metrics, dnstap)
  2. Update monitoring to utilize new Prometheus metrics
  3. Consider enabling dnstap for comprehensive DNS logging
  4. Test in staging environment before production deployment

Performance Tuning

  • Adjust domainmetricslimit based on your traffic patterns
  • Configure cache sizes based on available memory
  • Enable prefetching for frequently accessed domains

Dependencies Updated

  • golang.org/x/net: v0.31.0 → v0.33.0
  • golang.org/x/sync: Added for singleflight implementation
  • golangci-lint: Updated to v1.62.2
  • Various other dependency updates for security and performance

Contributors

Special thanks to @semihalev (Yasar Alev) for leading this major release with comprehensive improvements across the entire codebase.

What's Next

  • Continued performance optimizations
  • Additional monitoring capabilities
  • Enhanced DNSSEC validation
  • Improved documentation and examples

For detailed changes, see PR #375.

v1.4.0

14 Feb 15:36
33e413f

What's Changed

  • Added new root key.
  • Fixed Dockerfile.
  • Updated various dependencies.

Full Changelog: v1.3.7...v1.4.0

v1.3.7

23 Jun 09:45
80408dd

What's Changed

  • Added API bearer authentication
  • Fix noad requests
  • Fix trust servers name errors
  • Updated various dependencies.

Full Changelog: v1.3.6...v1.3.7

v1.3.6

02 Jan 11:40
88568c5

What's Changed

  • Added anti-spoof protection
  • Added DNSSEC on/off capability
  • Bugfix on EDNS message size
  • Updated various dependencies.

Full Changelog: View on GitHub

v1.3.5

26 Aug 12:32
3c3d779

What's Changed

  • Added more docs.
  • Security fixes.
  • Updated various dependencies.
  • Fixed various bugs.

Full Changelog: View on GitHub