forwarding dns query to envoy #1177
Codecov Report

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main    #1177      +/-   ##
==========================================
- Coverage   68.19%   63.55%   -4.64%
==========================================
  Files          19       19
  Lines        2182     2346     +164
==========================================
+ Hits         1488     1491       +3
- Misses        593      754     +161
  Partials      101      101
```
Pull request overview
This PR introduces DNS query “triage” in the dataplane DNS proxy so queries can be forwarded to Envoy’s inline/egress DNS listeners when appropriate, while retaining Consul gRPC DNS as the fallback path.
Changes:
- Adds domain classification + virtual FQDN expansion/rewriting and Envoy UDP forwarding with NXDOMAIN/health-backoff fallback to Consul.
- Extends DNS server parameters to include datacenter and Envoy inline/egress DNS listener addresses.
- Wires the new params from Consul Dataplane (including fixed inline/egress listener ports).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| pkg/dns/dns.go | Adds triage logic, Envoy UDP forwarding, virtual FQDN rewrite, and listener backoff state. |
| pkg/consuldp/consul_dataplane.go | Passes datacenter + Envoy inline/egress listener addresses into the DNS server. |
| pkg/consuldp/config.go | Introduces constants for Envoy virtual DNS listener ports (8653/8654). |
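The following is an added, self-contained sketch of the triage the review above summarizes; it is not code from this PR or from consul-dataplane. It shows the three-way domain classification, short-form virtual FQDN expansion, Envoy-first forwarding with the per-listener health backoff, the NXDOMAIN fallback to Consul, and the step a practitioner most often forgets: putting the client's original question name back on the reply. The `.virtual.consul.` suffix rule, the expanded layout `<service>.virtual.<namespace>.<partition>.<datacenter>.consul.`, the 30-second backoff and the fake backends in `newDemoTriage` are assumptions of this example; Consul's real virtual-service naming and the project's own classifier may differ.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Domain classes as in the PR's triage; the suffix rules are this example's assumptions.
type domainClass int

const (
	domainClassExternal domainClass = iota // outside .consul.: Envoy egress listener, else Consul
	domainClassConsul                      // <name>.consul.: Consul gRPC DNS only
	domainClassVirtual                     // <service>.virtual.consul.: Envoy inline listener, else Consul
)
const rcodeNXDomain = 3 // DNS RCODE 3 (Name Error)

type answer struct { // minimal stand-in for a parsed DNS reply
	Name    string // must equal the client's question name when returned
	Rcode   int
	Backend string // which backend produced it (for the tests)
}
type backend func(name string) (answer, error) // a UDP send to Envoy, or a Consul gRPC DNS call

func classifyDomain(name string) domainClass { // names are assumed FQDNs with a trailing dot
	n := strings.ToLower(name)
	switch {
	case strings.HasSuffix(n, ".virtual.consul."):
		return domainClassVirtual
	case n == "consul." || strings.HasSuffix(n, ".consul."):
		return domainClassConsul
	}
	return domainClassExternal
}

// expandVirtualFQDN rewrites <service>.virtual.consul. into the assumed long form
// <service>.virtual.<namespace>.<partition>.<datacenter>.consul.; other shapes pass through.
func expandVirtualFQDN(name, namespace, partition, datacenter string) string {
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
	if len(labels) != 3 || labels[1] != "virtual" || labels[2] != "consul" {
		return name
	}
	return fmt.Sprintf("%s.virtual.%s.%s.%s.consul.", labels[0], namespace, partition, datacenter)
}

type triage struct {
	namespace, partition, datacenter string
	envoyInline, envoyEgress, consul backend
	now                              func() time.Time
	backoff                          time.Duration
	inlineDownUntil, egressDownUntil time.Time // per-listener health backoff state
}

// resolve classifies the question and routes it; Consul-class names never touch Envoy.
func (t *triage) resolve(name string) (answer, error) {
	switch classifyDomain(name) {
	case domainClassExternal:
		return t.forward(name, name, t.envoyEgress, &t.egressDownUntil)
	case domainClassVirtual:
		expanded := expandVirtualFQDN(name, t.namespace, t.partition, t.datacenter)
		return t.forward(name, expanded, t.envoyInline, &t.inlineDownUntil)
	}
	return t.consul(name)
}

// forward tries Envoy unless the listener is in backoff. A send error opens the backoff
// window; that error and an NXDOMAIN both fall back to Consul, so a name Envoy does not
// know is still resolved instead of being answered NXDOMAIN.
func (t *triage) forward(original, query string, envoy backend, downUntil *time.Time) (answer, error) {
	a, err := answer{Rcode: rcodeNXDomain}, error(nil) // in backoff: treat as "Envoy does not know"
	if !t.now().Before(*downUntil) {
		if a, err = envoy(query); err != nil {
			*downUntil = t.now().Add(t.backoff)
		}
	}
	if err != nil || a.Rcode == rcodeNXDomain {
		a, err = t.consul(query)
	}
	a.Name = original // a stub resolver drops a reply whose question name differs from its query
	return a, err
}

// newDemoTriage wires constructed fake backends (not real listeners) so the fallback paths
// run offline; *clock is the time source, so callers can step past the backoff window.
func newDemoTriage(clock *time.Time) *triage {
	return &triage{
		namespace: "default", partition: "default", datacenter: "dc1",
		now: func() time.Time { return *clock }, backoff: 30 * time.Second,
		consul: func(name string) (answer, error) { return answer{Name: name, Backend: "consul"}, nil },
		envoyEgress: func(name string) (answer, error) { return answer{Name: name, Backend: "envoy-egress"}, nil },
		envoyInline: func(name string) (answer, error) { // knows one service, NXDOMAIN for the rest
			if name == "api.virtual.default.default.dc1.consul." {
				return answer{Name: name, Backend: "envoy-inline"}, nil
			}
			return answer{Name: name, Rcode: rcodeNXDomain, Backend: "envoy-inline"}, nil
		},
	}
}
```

To exercise the failure paths, build a triage with `newDemoTriage(&clock)`, swap `envoyEgress` for a function that returns an error (a refused UDP send), and resolve `example.com.` three times: the first answer comes from Consul and opens the backoff, the second still comes from Consul even after the listener is restored, and only after `clock` is advanced past 30 seconds does Envoy's egress listener answer again. In the real proxy the same rename applies to the wire message's question section, and the response ID must also match the client's query.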
| case domainClassExternal: | ||
| // Non-consul domain. | ||
| if !d.canTryEgressListener() { | ||
| return d.queryConsul(raw, proto) | ||
| } |
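Review bot: the `domainClassExternal` branch only falls back to `d.queryConsul(raw, proto)` when `canTryEgressListener()` is false, and the visible lines do not say what happens when the egress listener is tried but the send fails or it answers NXDOMAIN; spell that out in the `// Non-consul domain.` comment (for example: try Envoy's egress listener first, a send error opens the backoff, an NXDOMAIN falls back to Consul), because a non-Consul name the egress listener does not know would otherwise be answered NXDOMAIN instead of being resolved through Consul.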
| case domainClassVirtual: | ||
| // Expand the short form to the full FQDN. | ||
| expandedName := expandVirtualFQDN(originalName, d.namespace, d.partition, d.datacenter) | ||
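Review bot: `expandVirtualFQDN(originalName, d.namespace, d.partition, d.datacenter)` fills in the proxy's own namespace, partition and datacenter, so a short-form name can never address a service in another namespace or partition; document that scoping decision at this `case domainClassVirtual:`, and keep `originalName` for the reply, since a stub resolver compares the response's question name with the one it sent and a reply that carries the expanded name will be discarded as a mismatch.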
|
|
| return nil, "", fmt.Errorf("build dns name %q: %w", fqdn, err) | ||
| } | ||
| msg.Questions[0].Name = name | ||
| // Also rewrite additional / answer names if present (re-use same target). |
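Review bot: `msg.Questions[0].Name = name` indexes the question section without a visible length check; reject a message with zero or more than one question before this point rather than panicking or silently rewriting only the first entry. The comment `// Also rewrite additional / answer names if present (re-use same target).` should also say which records are rewritten (only those whose owner name equals the original question name), otherwise CNAME targets or glue in the additional section would be rewritten to the wrong name.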
| // triageAndResolve is the main entry point for the virtual DNS triage logic. | ||
| // It classifies the domain, expands FQDNs, forwards to the right backend, and | ||
| // handles NXDOMAIN fallback. proto determines which protocol label is used for | ||
| // Consul gRPC queries. | ||
| func (d *DNSServer) triageAndResolve(raw []byte, proto pbdns.Protocol) ([]byte, error) { |
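Review bot: the doc comment on `triageAndResolve` covers the happy path and the NXDOMAIN fallback but not the error contract; since the function takes `raw []byte` and returns `[]byte`, state whether a parse failure of `raw`, or an error from every backend, yields a SERVFAIL/FORMERR response for the caller to send or a nil response plus a Go error that leaves the client waiting for its timeout. It should also state that the returned message carries the original query ID and question so the client accepts it.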
PCI review checklist

- I have documented a clear reason for, and description of, the change I am making.
- If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
- If applicable, I've documented the impact of any changes to security controls.
  Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.