I finally figured it out this morning.
Turns out local.global is resolving to 46.19.209.188:
$ dig local.global
; <<>> DiG 9.10.6 <<>> local.global
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49407
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;local.global. IN A
;; ANSWER SECTION:
local.global. 3600 IN A 46.19.209.188
local.global. 3600 IN A 46.19.209.189
;; Query time: 241 msec
;; SERVER: 192.168.3.1#53(192.168.3.1)
;; WHEN: Fri May 01 10:13:33 CDT 2020
;; MSG SIZE rcvd: 73
I had global.multiCluster.enabled=true but I hadn’t added the .global section to CoreDNS yet. When global.multiCluster.enabled is set to true, /etc/resolv.conf has additional stuff added to it to search global as a suffix. This means all DNS queries were landing on *.local.global and resolving to the above addresses. Once I updated my Kubernetes CoreDNS to forward all *.global queries to the Istio CoreDNS instance, it started working as expected.