Unable to route to external HTTP proxy when using a Kubernetes service for DNS resolution of proxy addresses

I have a use case where we want to route certain requests via a corporate HTTP proxy. Based on this guide I was able to configure the external access successfully. For context I’ve added an example ServiceEntry:

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: proxy
spec:
  addresses:
    - 10.1.1.1
    - 10.1.1.2
  exportTo:
  - .
  hosts:
  - foo.proxy # this is technically ignored when protocol is TCP
  location: MESH_EXTERNAL
  ports:
  - name: tcp
    number: 3128
    protocol: TCP

This works when we have the app automatically resolve to one of the proxy addresses above (i.e., a host file entry).

In an effort to provide automatic DNS resolution I set up a k8s Service without selectors as per the docs. In a non-Istio namespace, this allows me to resolve foo.proxy.default.cluster.local without the host file entries as expected, e.g.:

curl -v --proxy foo.default.svc.cluster.local:3128 https://blah.com

However, within an Istio namespace with the existing ServiceEntry (above) it fails with a 404 Not Found. The logs show:

2021-08-11T08:56:47.088919Z debug   envoy router    [C1114][S1115555414526221653] no cluster match for URL ''
2021-08-11T08:56:47.088928Z debug   envoy http  [C1114][S1115555414526221653] Sending local reply with details route_not_found

There are no further Istio configurations in this namespace besides the ServiceEntry detailed above.

The only noticeable difference to me now is that, instead of connecting directly to the external addresses (10.1.1.1/10.1.1.2), it would be making a connection to the Service ClusterIP, but given that this is within the mesh, I would have thought that no further configuration is required.

Can I get some pointers on why this might not be working?

See solution here:
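
For readers following the setup, this is what a selector-less Service with manually supplied Endpoints looks like. It is an added illustration, not the poster's manifest and not the fix: the name `foo`, namespace `default` and port 3128 are taken from the curl command, the addresses from the ServiceEntry, and the port name `tcp` is an assumption.

```yaml
# Added illustration; every value is an assumption derived from the question's
# curl command and ServiceEntry, not the poster's real manifest.
apiVersion: v1
kind: Service
metadata:
  name: foo              # resolves as foo.default.svc.cluster.local
  namespace: default
spec:
  # No selector: Kubernetes creates no Endpoints for this Service,
  # so the backing addresses are supplied by hand in the object below.
  ports:
  - name: tcp            # assumed; Istio selects the protocol from this name prefix or from appProtocol
    port: 3128
    targetPort: 3128
    protocol: TCP
---
apiVersion: v1
kind: Endpoints
metadata:
  name: foo              # must match the Service name
  namespace: default
subsets:
- addresses:
  - ip: 10.1.1.1         # proxy addresses from the ServiceEntry
  - ip: 10.1.1.2
  ports:
  - name: tcp            # must match the Service port name
    port: 3128
    protocol: TCP
```

With this in place, clients connect to the Service's ClusterIP on port 3128 rather than to 10.1.1.1 or 10.1.1.2 directly, which is the difference the question points to.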