We have istio configured to block traffic to things that aren’t known to the mesh, and we’ve got Sidecar objects defined with explicit services.
If kube-dns isn’t included in the egress.hosts list - somehow dns resolution still works.
The iptables rules created by istio intercept all traffic, including dns.
envoy’s config_dump doesn’t show any listeners for port 53
nslookup google.com 22.214.171.124 somehow works, so it looks like envoy is intercepting traffic for port 53 and resolving it for me, regardless of destinaion.
I’m just curious - where is that behaviour defined?