Skip to content

forwarding dns query to envoy#1177

Draft
panman90 wants to merge 2 commits into
mainfrom
mansi/localized_dns
Draft

forwarding dns query to envoy#1177
panman90 wants to merge 2 commits into
mainfrom
mansi/localized_dns

Conversation

@panman90

@panman90 panman90 commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Summary
This PR updates the DNS proxy to triage queries before forwarding them, so virtual Consul DNS queries can be resolved by Envoy when possible. It adds support for forwarding .virtual.*.consul queries to Envoy’s inline DNS listener, forwarding external domains to Envoy’s egress DNS listener, and falling back to Consul when Envoy cannot answer or is unavailable.

Changes

  • introducing DNS query triage logic to classify requests as:
    virtual Consul domains
    non-virtual Consul domains
    external domains
  • expand short-form virtual DNS names into canonical fully qualified Consul names before forwarding to Envoy
  • rewrite successful Envoy responses back to the originally requested DNS name
  • fall back to Consul DNS resolution when:
    Envoy returns NXDOMAIN for virtual queries
    Envoy listeners are unavailable
    request rewriting or forwarding fails
  • add listener health backoff handling to avoid repeatedly forwarding to unhealthy Envoy listeners

PCI review checklist

  • I have documented a clear reason for, and description of, the change I am making.

  • If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.

  • If applicable, I've documented the impact of any changes to security controls.

    Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

@codecov-commenter

codecov-commenter commented Jun 26, 2026

Copy link
Copy Markdown

Codecov Report

Caution

This repository is currently using the Sentry GitHub App to receive Codecov PR comments. This integration will be deprecated on July 8, 2026. Please install the Codecov GitHub App to continue receiving coverage reports on your pull requests.
❌ Patch coverage is 69.11765% with 63 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.18%. Comparing base (7c99930) to head (2b067c1).
⚠️ Report is 5 commits behind head on main.

Files with missing lines Patch % Lines
pkg/dns/dns.go 76.21% 25 Missing and 19 partials ⚠️
pkg/consuldp/consul_dataplane.go 0.00% 19 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1177      +/-   ##
==========================================
- Coverage   68.19%   68.18%   -0.01%     
==========================================
  Files          19       19              
  Lines        2182     2348     +166     
==========================================
+ Hits         1488     1601     +113     
- Misses        593      627      +34     
- Partials      101      120      +19     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces DNS query “triage” in the dataplane DNS proxy so queries can be forwarded to Envoy’s inline/egress DNS listeners when appropriate, while retaining Consul gRPC DNS as the fallback path.

Changes:

  • Adds domain classification + virtual FQDN expansion/rewriting and Envoy UDP forwarding with NXDOMAIN/health-backoff fallback to Consul.
  • Extends DNS server parameters to include datacenter and Envoy inline/egress DNS listener addresses.
  • Wires the new params from Consul Dataplane (including fixed inline/egress listener ports).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File Description
pkg/dns/dns.go Adds triage logic, Envoy UDP forwarding, virtual FQDN rewrite, and listener backoff state.
pkg/consuldp/consul_dataplane.go Passes datacenter + Envoy inline/egress listener addresses into the DNS server.
pkg/consuldp/config.go Introduces constants for Envoy virtual DNS listener ports (8653/8654).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread pkg/dns/dns.go
Comment on lines +575 to +579
case domainClassExternal:
// Non-consul domain.
if !d.canTryEgressListener() {
return d.queryConsul(raw, proto)
}
Comment thread pkg/dns/dns.go
Comment on lines +590 to +593
case domainClassVirtual:
// Expand the short form to the full FQDN.
expandedName := expandVirtualFQDN(originalName, d.namespace, d.partition, d.datacenter)

Comment thread pkg/dns/dns.go Outdated
Comment thread pkg/dns/dns.go
Comment on lines +555 to +559
// triageAndResolve is the main entry point for the virtual DNS triage logic.
// It classifies the domain, expands FQDNs, forwards to the right backend, and
// handles NXDOMAIN fallback. proto determines which protocol label is used for
// Consul gRPC queries.
func (d *DNSServer) triageAndResolve(raw []byte, proto pbdns.Protocol) ([]byte, error) {

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

Comment thread pkg/dns/dns.go
Comment on lines +298 to 300
logger.Debug("triaging dns request", "partition", d.partition, "namespace", d.namespace)
responseMsg, err := d.triageAndResolve(data, pbdns.Protocol_PROTOCOL_TCP)
if err != nil {
Comment thread pkg/dns/dns.go
Comment on lines +448 to +449
expanded := dnsmessage.MustNewName(canonicalName(expandedName))
original := dnsmessage.MustNewName(canonicalName(originalName))
Comment thread pkg/dns/dns.go
Comment on lines +351 to +352
// classifyDomain returns the class of the fully-qualified domain name.
// name must be in canonical (lower-case, trailing-dot-stripped) form.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants