The following section outlines changes that have been made between DNS resolver service versions:
Attention: When you upgrade to DNS Resolver Service v3.3.1, you cannot downgrade to v3.0.7 or lower.
- Introduces source port randomization when forwarding DNS queries.
- Introduces support for Trust policies. Trust policies let you trust
certain domains that might be blocked and allow them to be resolved. For
example, you can create a trust policy that allows domains that might have
been incorrectly blocked by policies using threat detection. BlueCat
recommends configuring a global trust policy that includes internal domains
that can be characterized as tunneling or DGA.
Trust policies override block, redirect, and monitor policies.
- When a query comes in for a namespace where all the configured forwarders
are unreachable, it temporarily marks all forwarders as down and skips them
for any queries in that namespace until they become available. Health checks
are performed on the forwarders every second and after 5 failed attempts to
resolve a query, it marks the forwarder as down until a single successful
response is received. This accelerates the DNS response time to the client
and logs the timed-out queries as a SERVFAIL.
If SERVFAIL is added as a condition to the Response Code, the DRS will try to resolve the query in the next available namespace configured on the site.
- Previously, the service point network probe would log external connectivity tests once per hour. Starting in DRS v3.7.0, the network probe log frequency has been updated to once every 5 minutes.
- Previously, the service point controller would log excessive and repetitive event messages. DRS v3.7.0 introduces log rate limiting that drops events when a threshold has been reached.
- Introduced the ability to decommission Service Point v3 instances.
- Introduced the ability to log timed out queries in the query logs page of the Edge Cloud.
- Introduced support for SERVFAIL response codes.
- Introduced support for HINFO query types.
- Introduced improvements to the resiliency of service points in networks with
low bandwidth and high latency by increasing the following timeouts:
- Global DNS query timeout
- Timeout per Namespace
- Forwarder health check timeout threshold before a forwarder is marked as down
- Timeout when pulling a service point image
- Introduced an Anycast fix for the upgrade to 3.5.2.
- You can now use the service point diagnostics UI to retrieve a summary of
services running on the service point. The service point diagnostics can be
accessed through your browser through the following URL:
- Introduced updates to address CVE-2021-44228: A vulnerability in the Log4J Logging library can under some circumstances be exploited to run malicious code in the Java Virtual Machine.
- Addressed an issue where the routing-controller-service status within the response of the service point /v1/status/spDiagnostics API would return a status of BAD.
- Addressed an issue where the DNS resolver service /v1/status/health API would return a 500 internal server error.
- You can now configure EDNS Client Subnet (ECS) options when configuring namespaces. The EDNS Client Subnet option allows the namespace to forward the subnet information in DNS queries to downstream servers for geographical evaluation. You can configure an IPv4 and IPv6 prefix to forward. The namespace applies the specified IPv4 or IPv6 prefix as the ECS value, overriding any existing ECS value of incoming DNS queries. You can also disable overriding to ensure that the namespace forwards DNS queries with the existing ECS value.
- When configuring a namespace to use the Cisco Umbrella integration, you can now select the Encrypt queries using DNS over HTTPS option within a namespace to ensure that queries routed to Cisco Umbrella are encrypted using DNS over HTTPS (DoH).
- BlueCat Edge now exposes additional DNS message fields to examine security events and identify DNS service health. DNS message fields now include the response time, query ID, query class ID, query EDNS options, and response EDNS options.
- For sites that contain multiple namespaces, you can now configure a set of response codes within a namespace. If any of the configured DNS query response codes are returned to this namespace, the next namespace within a site will attempt to resolve the DNS queries. By default, NXDOMAIN is configured.
- Addressed the truncating of responses at 512 bytes when using UDP without EDNS.
- Addressed NXDOMAIN response behavior for Block Policy evaluation.
- Introduced support for utilizing the Source IP and CIDR as an operational matching criteria within a Namespace.
- Introduced the ability to resolve expired queries from cache when the upstream server is unavailable.
- Provided support for DNS/DHCP Server upgrades.
- Introduced updates to address multiple CVE vulnerabilities.
- Improved memory utilization to enhance resilience and restart conditions.
- Improved QPS performance with full query logging using a VM with current specifications. QPS guidance for various configurations will be published separately in a follow up communication.
- Vertical scalability: allocating additional memory and vCPUs will increase QPS performance within limits.
- DNS resolver services will now by default load balance queries to the
forwarders defined within a namespace. The DNS resolver service will select a
forwarder within a namespace using the following algorithm:
- Pick the server with least number of “in flight” queries.
- In case of a tie, pick the one with the lowest measured latency (over an average on the last 128 queries answered by that server).
- Default health check of upstream DNS servers (For example, forwarders configured within a namespace configuration). The DNS resolver service sends a health check query (a query for “a.root-servers.net.”) every second to determine the availability of a DNS server configured as a forwarder within a namespace. This record does not need to be resolved successfully for a positive health check, however the forwarder must return a status.
- DNS resolver services will now, by default, provide added resiliency by serving expired records from cache when the upstream DNS server defined in the namespace is unavailable. Expired records will be served when available in cache, for a duration of 1 hour after expiry.
- Configure the DNS resolver service to enable Custom Logging — securely store your data in DNS Edge Cloud to conduct advanced analysis, and/or send data in a standard JSON format to any HTTP/HTTPS endpoint on your network. For more information on how to configure this functionality, refer to Custom Logging.
- Introduce fix for the upgrade to 3.0.6.
- Introduce support to deploy DNS resolver services on a BlueCat DNS/DHCP Server.
- Initial introduction of support that enables customers to manage the DNS resolver service updates independently.