Trouble understanding how to reach virtual service using istio DNS proxy

I’ve gone through all the istio docs I can find on the DNS proxy, but I think there must be something I’m not understanding. I enabled DNS proxy using during install:

        ISTIO_META_DNS_CAPTURE: "true"

and looking at the logs for the istio-proxy container on one of my pods it seems like it’s active:

2022-04-26T22:19:45.377530Z	info	Apply proxy config from env {"proxyMetadata":{"ISTIO_META_DNS_AUTO_ALLOCATE":"true","ISTIO_META_DNS_CAPTURE":"true"}}

2022-04-26T22:19:45.378523Z	info	Effective config: binaryPath: /usr/local/bin/envoy
concurrency: 2
configPath: ./etc/istio/proxy
controlPlaneAuthPolicy: MUTUAL_TLS
discoveryAddress: istiod.istio-system.svc:15012
drainDuration: 45s
parentShutdownDuration: 60s
proxyAdminPort: 15000
serviceCluster: istio-proxy
statNameLength: 189
statusPort: 15020
terminationDrainDuration: 5s
    address: zipkin.istio-system:9411

2022-04-26T22:19:45.378534Z	info	JWT policy is third-party-jwt
2022-04-26T22:19:48.526390Z	info	platform detected is AWS
2022-04-26T22:19:50.378945Z	info	timed out waiting for platform detection, treating it as Unknown
2022-04-26T22:19:50.379195Z	info	Opening status port 15020
2022-04-26T22:19:50.379258Z	info	dns	Starting local udp DNS server on
2022-04-26T22:19:50.379403Z	info	dns	Starting local tcp DNS server on
2022-04-26T22:19:50.379411Z	info	CA Endpoint istiod.istio-system.svc:15012, provider Citadel
2022-04-26T22:19:50.379433Z	info	Using CA istiod.istio-system.svc:15012 cert with certs: var/run/secrets/istio/root-cert.pem
2022-04-26T22:19:50.379518Z	info	citadelclient	Citadel client using custom root cert: var/run/secrets/istio/root-cert.pem
2022-04-26T22:19:50.393563Z	info	ads	All caches have been synced up in 5.019587655s, marking server ready
2022-04-26T22:19:50.393845Z	info	sds	SDS server for workload certificates started, listening on "etc/istio/proxy/SDS"
2022-04-26T22:19:50.393872Z	info	xdsproxy	Initializing with upstream address "istiod.istio-system.svc:15012" and cluster "Kubernetes"
2022-04-26T22:19:50.393922Z	info	sds	Starting SDS grpc server
2022-04-26T22:19:50.394297Z	info	starting Http service at
2022-04-26T22:19:50.395833Z	info	Pilot SAN: [istiod.istio-system.svc]
2022-04-26T22:19:50.397352Z	info	Starting proxy agent

I am under the impression that using the DNS proxy would automatically make my virtual services (defined with a gateway of mesh as well as an ingress gateway) resolvable. But my app containers get a message of

forward host lookup failed: Unknown host

if I try to curl, nslookup, etc a virtual service.

Can someone point me in the right direction? Do I need to create a service entry?