DNS resolver service change log - BlueCat Edge - Service Point v4.x.x

BlueCat Edge User Guide

Locale
English
Product name
BlueCat Edge
Version
Service Point v4.x.x

The following section outlines changes that have been made between DNS resolver service versions:

Attention:
  • Before you deploy a specific version of DNS resolver service, ensure that the version that you are deploying is supported on the Service Point v4 version that you have provisioned. For more information, refer to Software support matrix.
  • When you upgrade to DNS Resolver Service v3.3.1, you cannot downgrade to v3.0.7 or lower.

3.11.1

  • Resolves an issue where the /v1/status/health API would not work.
  • Resolves an issue where the DNS resolver service diagnostics UI browser page would not load.
  • Resolves an issue where the DNS resolver service would cache a truncated response of a client query with no EDNS UDP size from a BIND forwarder, resulting in truncated cached responses returned to clients that creates a query loop.
  • Resolves an issue where the DNS resolver service would fail to create a namespace due to an inconsistency in the filesystem, resulting in no active namespace on the DNS resolver service. This would cause the DNS resolver service to not match queries to a namespace in the DNS logs and return NXDOMAIN responses to clients.
Attention: If you are running DNS resolver service v3.10.0 or earlier, BlueCat recommends upgrading to software version 3.11.1 directly.

3.11.0

  • Introduces support for Edge Resolver service.

    Edge Resolver introduces a new discovery service that can be configured to discover DNS forward and reverse lookup zones across multiple Address Manager configurations and DNS views. The zones discovered by the service are then stored in the Cloud Instance where they are then distributed to the DNS Resolver Service (starting in version 3.11.0). This is done through Site configurations containing Discovered Namespaces. The Discovered Namespaces can be further configured to provide granular control over different discovered environments. In the Discovered Namespace, you can also configure fallback forwarders for the DNS Resolver Service to use to recursively resolve queries for all other zones not found by the discovery service.

    The discovery service uses user-supplied configurations to discover one or more DNS spaces across Address Manager. Each DNS zone that is discovered also contains information about the DNS servers that are authoritative for that zone or forwarder of that zone. With this understanding of per-zone forwarders, BlueCat Edge can now perform resolution across these DNS zones without the need to specify forwarders for the namespace.

    Once you have discovered the DNS information, deploy DRS to the service point that provides recursive resolution. DRS evaluates any domains found in the Address Manager list and its internal knowledge of cloud zones to resolve any query needs to follow CNAME chains.

  • Introduces negative cache TTL, providing the ability to configure a flexible TTL refresh on cached NXDOMAIN records to ensure new records added can be queried and resolved immediately.
  • Introduces enhancements to custom logging that allow the use of any HTTPS destination, including cloud-based SIEMs, when sending DNS queries and responses.
  • Introduces BlueCat Threat Protection IP Lists.

    BlueCat Threat Protection includes data from partner feeds, including additional lists curated by the BlueCat internal research team to protect against IP addresses that employ malware, botnets, exploits, and spam. BlueCat Threat Protection IP lists are denoted by the BlueCat Threat Protection <list type> name and the Threat Intelligence IP list type.

  • Introduces additional response details for DNS answers, including the original DNS answer and specific matching elements that led to the policy match or action.

    When a query is received by DNS resolver service and the service point, the query information logged in the DNS activity table displays the answer that was processed by the DNS resolver service. When viewing the query information, you can now see additional information about the original DNS answer and matching elements that led to a policy match or action.

  • Introduces updates to EDNS Client Subnet (ECS) prefix lengths.

    Previously, when configuring the EDNS Client Subnet (ECS) prefix length on a namespace, a limitation existed where the IPv4 source prefix could only be between 0 and 24, and the IPv6 source prefix could only be between 0 and 56.

    Starting in DNS Resolver Service v3.11.0, the IPv4 source prefix length limitation has been removed and you can configure a prefix between 0 and 32. Additionally, the IPv6 source prefix length limitation has also been removed and you can configure a prefix between 0 and 128.

  • Introduces enhancements to SERVFAIL response handling. When the Serve Expired Queries from cache option is selected on a namespace, Edge can now serve queries from the expired cache not only when forwarders are unavailable, but also when a SERVFAIL response is received from a forwarder.
  • Introduces the ability to view whether source information is coming from the cache, stale cache, or if it is a cache miss and retrieved. You can view this information by querying DNS Resolver Service with NSID EDNS data, such as using dig +nsid @<servicepoint-ip> <query question>.
  • Resolves an issue where the "Warning: Client COOKIE mismatch" warning message would appear when performing a dig command on the service point. This would occur when looking up a DNS record executive due to the service point sending back a response that contained a different EDNS cookie than the original dig requested.
  • Resolves an issue where previously, when two namespaces have source IP lists configured and there is a common IP address between the two lists, one of the namespaces is matched instead of both when a query is sent from that source IP. This would result in an inconsistent query response code. This issue has been resolved and when a source IP is common between two IP lists that exist in different namespaces, the query returns a NOERROR.
  • Resolves an issue where previously, Service Points would fail to load new namespaces if the Service Point was running low on disk space. Additionally, this would cause the DNS resolver service to write additional logs, resulting in additional disk space usage. This issue has been resolved and the DNS Resolver Service suppresses extraneous logs.
  • Resolves an issue where previously, when the Service Point received a policy update that might have been corrupted, the DNS Resolver Service would incorrectly handle the update and crash.
Attention: You cannot download Service Point v3 images if the site version is running DRS v3.11.0. For more information on Service Point v4 and migrating your Service Point v3 instances to Service Point v4, refer to the following topics:

3.10.0

  • Introduces IPv6 support for namespace configurations.
  • Introduces support for non-standard DNS ports, allowing namespaces to forward queries to ports other than the default DNS port (53).
  • Introduces the ability to update the IP addresses associated to DNS resolver service by selecting from a list of available addresses on the service point.

3.9.1

  • Introduces a fix where the IP addresses added to the Source IP Lists in a namespace were not evaluated correctly while providing DNS resolution. This issue only impacts namespaces configured on Service Point v4 instances.

3.9.0

  • Introduces source port randomization when forwarding DNS queries.

3.8.0

  • Introduces support for Trust policies. Trust policies let you trust certain domains that might be blocked and allow them to be resolved. For example, you can create a trust policy that allows domains that might have been incorrectly blocked by policies using threat detection. BlueCat recommends configuring a global trust policy that includes internal domains that can be characterized as tunneling or DGA.

    Trust policies override block, redirect, and monitor policies.

3.7.0

  • When a query comes in for a namespace where all the configured forwarders are unreachable, it temporarily marks all forwarders as down and skips them for any queries in that namespace until they become available. Health checks are performed on the forwarders every second and after 5 failed attempts to resolve a query, it marks the forwarder as down until a single successful response is received. This accelerates the DNS response time to the client and logs the timed-out queries as a SERVFAIL.

    If SERVFAIL is added as a condition to the Response Code, the DRS will try to resolve the query in the next available namespace configured on the site.

  • Previously, the service point network probe would log external connectivity tests once per hour. Starting in DRS v3.7.0, the network probe log frequency has been updated to once every 5 minutes.
  • Previously, the service point controller would log excessive and repetitive event messages. DRS v3.7.0 introduces log rate limiting that drops events when a threshold has been reached.

3.6.0

  • Introduced the ability to decommission Service Point v3 instances.
  • Introduced the ability to log timed out queries in the query logs page of the Edge Cloud.
  • Introduced support for SERVFAIL response codes.
  • Introduced support for HINFO query types.

3.5.4

  • Introduced improvements to the resiliency of service points in networks with low bandwidth and high latency by increasing the following timeouts:
    • Global DNS query timeout
    • Timeout per Namespace
    • Forwarder health check timeout threshold before a forwarder is marked as down
    • Timeout when pulling a service point image

3.5.3

  • Introduced an Anycast fix for the upgrade to 3.5.2.

3.5.2

  • You can now use the service point diagnostics UI to retrieve a summary of services running on the service point. The service point diagnostics can be accessed through your browser through the following URL: http://<service_point_IP>/ui
  • Introduced updates to address CVE-2021-44228: A vulnerability in the Log4J Logging library can under some circumstances be exploited to run malicious code in the Java Virtual Machine.

3.4.2

  • Addressed an issue where the routing-controller-service status within the response of the service point /v1/status/spDiagnostics API would return a status of BAD.

3.4.1

  • Addressed an issue where the DNS resolver service /v1/status/health API would return a 500 internal server error.

3.4.0

  • You can now configure EDNS Client Subnet (ECS) options when configuring namespaces. The EDNS Client Subnet option allows the namespace to forward the subnet information in DNS queries to downstream servers for geographical evaluation. You can configure an IPv4 and IPv6 prefix to forward. The namespace applies the specified IPv4 or IPv6 prefix as the ECS value, overriding any existing ECS value of incoming DNS queries. You can also disable overriding to ensure that the namespace forwards DNS queries with the existing ECS value.
  • When configuring a namespace to use the Cisco Umbrella integration, you can now select the Encrypt queries using DNS over HTTPS option within a namespace to ensure that queries routed to Cisco Umbrella are encrypted using DNS over HTTPS (DoH).
  • BlueCat Edge now exposes additional DNS message fields to examine security events and identify DNS service health. DNS message fields now include the response time, query ID, query class ID, query EDNS options, and response EDNS options.
  • For sites that contain multiple namespaces, you can now configure a set of response codes within a namespace. If any of the configured DNS query response codes are returned to this namespace, the next namespace within a site will attempt to resolve the DNS queries. By default, NXDOMAIN is configured.

3.3.3

  • Addressed the truncating of responses at 512 bytes when using UDP without EDNS.

3.3.2

  • Addressed NXDOMAIN response behavior for Block Policy evaluation.

3.3.1

  • Introduced support for utilizing the Source IP and CIDR as an operational matching criteria within a Namespace.
  • Introduced the ability to resolve expired queries from cache when the upstream server is unavailable.
  • Provided support for DNS/DHCP Server upgrades.

3.2.3

  • Introduced updates to address multiple CVE vulnerabilities.
  • Improved memory utilization to enhance resilience and restart conditions.

3.2.2

  • Improved QPS performance with full query logging using a VM with current specifications. QPS guidance for various configurations will be published separately in a follow up communication.
  • Vertical scalability: allocating additional memory and vCPUs will increase QPS performance within limits.
  • DNS resolver services will now by default load balance queries to the forwarders defined within a namespace. The DNS resolver service will select a forwarder within a namespace using the following algorithm:
    • Pick the server with least number of “in flight” queries.
    • In case of a tie, pick the one with the lowest measured latency (over an average on the last 128 queries answered by that server).
  • Default health check of upstream DNS servers (For example, forwarders configured within a namespace configuration). The DNS resolver service sends a health check query (a query for “a.root-servers.net.”) every second to determine the availability of a DNS server configured as a forwarder within a namespace. This record does not need to be resolved successfully for a positive health check, however the forwarder must return a status.
  • DNS resolver services will now, by default, provide added resiliency by serving expired records from cache when the upstream DNS server defined in the namespace is unavailable. Expired records will be served when available in cache, for a duration of 1 hour after expiry.
  • Configure the DNS resolver service to enable Custom Logging — securely store your data in BlueCat Edge Cloud to conduct advanced analysis, and/or send data in a standard JSON format to any HTTP/HTTPS endpoint on your network. For more information on how to configure this functionality, refer to Custom Logging.

3.0.7

  • Introduce fix for the upgrade to 3.0.6.

3.0.6

  • Introduce support to deploy DNS resolver services on a BlueCat DNS/DHCP Server.

3.0.4

  • Initial introduction of support that enables customers to manage the DNS resolver service updates independently.