How does DNS resolution work?

mikebryant · August 9, 2019, 9:38am

We have istio configured to block traffic to things that aren’t known to the mesh, and we’ve got Sidecar objects defined with explicit services.

If kube-dns isn’t included in the egress.hosts list - somehow dns resolution still works.

The iptables rules created by istio intercept all traffic, including dns.

envoy’s config_dump doesn’t show any listeners for port 53

…but nslookup google.com 1.2.3.4 somehow works, so it looks like envoy is intercepting traffic for port 53 and resolving it for me, regardless of destinaion.

I’m just curious - where is that behaviour defined?

spikecurtis · August 9, 2019, 4:28pm

Envoy only intercepts TCP traffic, it doesn’t support UDP. So UDP traffic, like DNS, is handled normally as if Envoy isn’t there.

mikebryant · August 20, 2019, 1:02pm

Ohh. That explains it, thanks for the heads up. I feel stupid for missing that.

Topic		Replies	Views
Is DNS Interception available? Security	2	411	October 8, 2020
Istio-proxy: dns-over-tcp Networking	0	478	November 30, 2022
Envoy's traffic hijacking(port forward) rule is stored at the pod level or host level? Networking	2	1963	April 9, 2019
Rewrite Authority in Envoy Filter	0	966	August 8, 2019
Istio proxy protocol does not work for tcp stream on EKS Networking	0	1193	July 19, 2020

How does DNS resolution work?

Related Topics