forwarding dns query to envoy#1177
Conversation
Codecov ReportCaution This repository is currently using the Sentry GitHub App to receive Codecov PR comments. This integration will be deprecated on July 8, 2026. Please install the Codecov GitHub App to continue receiving coverage reports on your pull requests.
Additional details and impacted files@@ Coverage Diff @@
## main #1177 +/- ##
==========================================
- Coverage 68.19% 68.18% -0.01%
==========================================
Files 19 19
Lines 2182 2348 +166
==========================================
+ Hits 1488 1601 +113
- Misses 593 627 +34
- Partials 101 120 +19 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull request overview
This PR introduces DNS query “triage” in the dataplane DNS proxy so queries can be forwarded to Envoy’s inline/egress DNS listeners when appropriate, while retaining Consul gRPC DNS as the fallback path.
Changes:
- Adds domain classification + virtual FQDN expansion/rewriting and Envoy UDP forwarding with NXDOMAIN/health-backoff fallback to Consul.
- Extends DNS server parameters to include datacenter and Envoy inline/egress DNS listener addresses.
- Wires the new params from Consul Dataplane (including fixed inline/egress listener ports).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| pkg/dns/dns.go | Adds triage logic, Envoy UDP forwarding, virtual FQDN rewrite, and listener backoff state. |
| pkg/consuldp/consul_dataplane.go | Passes datacenter + Envoy inline/egress listener addresses into the DNS server. |
| pkg/consuldp/config.go | Introduces constants for Envoy virtual DNS listener ports (8653/8654). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| case domainClassExternal: | ||
| // Non-consul domain. | ||
| if !d.canTryEgressListener() { | ||
| return d.queryConsul(raw, proto) | ||
| } |
| case domainClassVirtual: | ||
| // Expand the short form to the full FQDN. | ||
| expandedName := expandVirtualFQDN(originalName, d.namespace, d.partition, d.datacenter) | ||
|
|
| // triageAndResolve is the main entry point for the virtual DNS triage logic. | ||
| // It classifies the domain, expands FQDNs, forwards to the right backend, and | ||
| // handles NXDOMAIN fallback. proto determines which protocol label is used for | ||
| // Consul gRPC queries. | ||
| func (d *DNSServer) triageAndResolve(raw []byte, proto pbdns.Protocol) ([]byte, error) { |
| logger.Debug("triaging dns request", "partition", d.partition, "namespace", d.namespace) | ||
| responseMsg, err := d.triageAndResolve(data, pbdns.Protocol_PROTOCOL_TCP) | ||
| if err != nil { |
| expanded := dnsmessage.MustNewName(canonicalName(expandedName)) | ||
| original := dnsmessage.MustNewName(canonicalName(originalName)) |
| // classifyDomain returns the class of the fully-qualified domain name. | ||
| // name must be in canonical (lower-case, trailing-dot-stripped) form. |
Summary
This PR updates the DNS proxy to triage queries before forwarding them, so virtual Consul DNS queries can be resolved by Envoy when possible. It adds support for forwarding .virtual.*.consul queries to Envoy’s inline DNS listener, forwarding external domains to Envoy’s egress DNS listener, and falling back to Consul when Envoy cannot answer or is unavailable.
Changes
virtual Consul domains
non-virtual Consul domains
external domains
Envoy returns NXDOMAIN for virtual queries
Envoy listeners are unavailable
request rewriting or forwarding fails
PCI review checklist
I have documented a clear reason for, and description of, the change I am making.
If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
If applicable, I've documented the impact of any changes to security controls.
Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.