How does DNS resolution work?

We have istio configured to block traffic to things that aren’t known to the mesh, and we’ve got Sidecar objects defined with explicit services.

If kube-dns isn’t included in the egress.hosts list - somehow dns resolution still works.

The iptables rules created by istio intercept all traffic, including dns.

envoy’s config_dump doesn’t show any listeners for port 53

…but nslookup google.com 1.2.3.4 somehow works, so it looks like envoy is intercepting traffic for port 53 and resolving it for me, regardless of destination.

I’m just curious - where is that behaviour defined?

Envoy only intercepts TCP traffic, it doesn’t support UDP. So UDP traffic, like DNS, is handled normally as if Envoy isn’t there.
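To make the answer concrete, here is an added example (not code from this thread or from Istio) that walks a nat ruleset the way the kernel would and reports where a locally generated packet ends up. The ruleset is constructed for illustration and mirrors the shape of the sidecar's default OUTPUT rules (a tcp-only jump into ISTIO_OUTPUT, then ISTIO_REDIRECT to Envoy's 15001); the chain and port names are assumptions modeled on the sidecar, and on a real pod you would feed it the output of `iptables-save -t nat` instead.

```python
"""Trace which traffic an Istio-style sidecar's nat rules send to Envoy.

Added example for this thread; it is not Istio code. CONSTRUCTED_RULES is
made up for illustration and mirrors the shape of the sidecar's default
OUTPUT rules (chains ISTIO_OUTPUT and ISTIO_REDIRECT, Envoy on 15001).
"""
import ipaddress
import re

# Constructed sample; not captured from a real cluster.
CONSTRUCTED_RULES = """
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_OUTPUT -o lo -s 127.0.0.6/32 -j RETURN
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
COMMIT
"""

# iptables match flags -> the packet attribute they test
MATCH_FLAGS = {"-p": "proto", "--dport": "dport", "-d": "dst", "-s": "src",
               "-o": "oif", "-i": "iif"}
RULE_RE = re.compile(r"^-A (\S+)\s*(.*)$")


def parse_rules(text):
    """Return {chain: [rule, ...]}; a rule is (matches, target, to_ports)."""
    chains = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # table header, chain policy line, COMMIT
        chain, toks = m.group(1), m.group(2).split()
        matches, target, to_ports, i = [], None, None, 0
        while i < len(toks):
            neg = toks[i] == "!"
            if neg:
                i += 1
            flag = toks[i]
            if flag in MATCH_FLAGS:
                matches.append((MATCH_FLAGS[flag], toks[i + 1], neg))
                i += 2
            elif flag == "-j":
                target = toks[i + 1]
                i += 2
            elif flag == "--to-ports":
                to_ports = toks[i + 1]
                i += 2
            else:
                # Unhandled flags (e.g. "-m tcp") are assumed to take one argument.
                i += 2 if flag.startswith("-") else 1
        chains.setdefault(chain, []).append((matches, target, to_ports))
    return chains


def rule_matches(matches, pkt):
    """True if every match clause (honouring '!' negation) fits the packet."""
    for key, value, neg in matches:
        if key in ("dst", "src"):
            hit = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(value, strict=False)
        else:
            hit = str(pkt.get(key)) == value
        if hit == neg:  # a miss, or a negated clause that hit
            return False
    return True


def trace(chains, chain, pkt):
    """Walk one chain like the kernel would; None means 'fell off the end'."""
    for matches, target, to_ports in chains.get(chain, []):
        if not rule_matches(matches, pkt):
            continue
        if target == "RETURN":
            return None
        if target == "REDIRECT":
            return f"REDIRECT:{to_ports}"
        if target in chains:  # user-defined chain
            result = trace(chains, target, pkt)
            if result is not None:
                return result
            continue  # inner chain RETURNed: keep walking this one
        return target  # ACCEPT, DROP, ...
    return None


def verdict(rules_text, proto, dport, dst, src="10.244.1.7", oif="eth0"):
    """Final fate of a locally generated packet (src/oif defaults are constructed)."""
    pkt = {"proto": proto, "dport": dport, "dst": dst, "src": src, "oif": oif}
    result = trace(parse_rules(rules_text), "OUTPUT", pkt)
    return result if result is not None else "NOT_INTERCEPTED"


if __name__ == "__main__":
    for proto, port in (("tcp", 443), ("udp", 53), ("tcp", 53)):
        print(proto, port, "->", verdict(CONSTRUCTED_RULES, proto, port, "1.2.3.4"))
```

Run against the constructed rules, tcp/443 comes back as `REDIRECT:15001` while udp/53 never leaves the OUTPUT chain, which is exactly why `nslookup` to an arbitrary address still works with no port-53 listener in Envoy's config_dump. A DNS query that falls back to TCP (tcp/53) does get redirected, so it is the transport, not the port, that decides. Newer Istio releases offer an optional DNS-capture feature that adds a udp/53 redirect rule to the sidecar; the same tracer run on a pod's real `iptables-save -t nat` output will show whether that is in effect.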