Enabling DNS Proxy on large Istio 1.10 installation

Hi there,

We’d like to understand more on the impact in enabling the DNS proxy feature.

We are planning to enable DNS proxy on an existing relatively large v1.10 cluster in order to simplify and stabilize our TCP egress configuration. Currently we have experienced problems with TCP service entries where we have seen clashes with other service entries resulting in services being routed to incorrect external services. We understand the limitations with TCP service entries being only able to route based on destination IP and port, however existing service entries have been created without understanding this limitation.

By enabling DNS proxy, in theory the existing problematic service entries would be fixed without any changes to existing applications and service entries.

We are using the standard istio-init system (vs the CNI) and I have seen that there are potential issues using CNI, so we should be okay there.

The statement below about certain applications being not compatible in the DNS proxy documentation makes us a hesitant to enable.

Is there any additional info as to which applications we should look for and will be problematic? We are running over a 100 services, so would be good to know if we are susceptible.

Is anyone using the DNS proxy feature in production?

Any info would be much appreciated…

Thank you!

Interested in the same. Do you have any new insights to share maybe?