Istio 1.8 and later versions enable sidecar proxies to serve as Domain Name System (DNS) proxies. When an Alibaba Cloud Service Mesh (ASM) instance with the DNS proxy feature enabled receives DNS queries from applications, the specified sidecar proxy transparently intercepts the queries and resolves the DNS information in these queries. This topic describes how to enable the DNS proxy feature for an ASM instance.

Prerequisites

Background information

ASM uses Kubernetes services and defined service entries to configure hostname-to-IP-address mappings for all services that an application may access. The specified sidecar proxy transparently intercepts DNS queries that are sent from the application and resolves the DNS information in these queries.
  • If the application queries a service that is deployed in an ASM instance, the sidecar proxy directly responds to the application.
  • If the application queries a service that is not deployed in an ASM instance, the sidecar proxy forwards the query to the upstream name servers that are defined in /etc/resolv.conf.

Enable the DNS proxy feature for an ASM instance

Use the ASM console to enable the DNS proxy feature

  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column of the ASM instance.
  4. On the Instance Information page of the ASM instance, click Settings in the upper-right corner.
  5. In the Settings Update panel, select Enable DNS Proxy in the Traffic Management section. Then, click OK.
    Note: To disable the DNS proxy feature, clear Enable DNS Proxy in the Traffic Management section in the Settings Update panel.

Use Alibaba Cloud CLI to enable the DNS proxy feature

You can enable the DNS proxy feature for an ASM instance by using Alibaba Cloud CLI. Run the following command to enable the DNS proxy feature:

aliyun servicemesh UpdateMeshFeature --ServiceMeshId=xxxx --DNSProxyingEnabled=true

To disable the DNS proxy feature, run the following command:

aliyun servicemesh UpdateMeshFeature --ServiceMeshId=xxxx --DNSProxyingEnabled=false

Verify the DNS proxy feature

  1. Create a service entry in an ASM instance with the DNS proxy feature enabled.
    Use the service entry to add https://aliyun.com to the service registry that is internally maintained by the ASM instance.
    1. Log on to the ASM console.
    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
    3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column of the ASM instance.
    4. In the Create panel, select a namespace from the Namespace drop-down list, enter the following code in the code editor to configure the service entry, and then click OK.
      apiVersion: networking.istio.io/v1beta1
      kind: ServiceEntry
      metadata:
       name: mydnsproxying-sample
      spec:
       hosts:
       - aliyun.com
       location: MESH_EXTERNAL
       ports:
       - number: 443
         name: https
         protocol: TLS
       resolution: DNS
  2. Deploy a sleep service in a Container Service for Kubernetes (ACK) cluster that is added to the ASM instance.
    1. Create a sleep.yaml file that contains the following code:
      ##################################################################################################
      # Sleep service
      ##################################################################################################
      apiVersion: v1
      kind: Service
      metadata:
        name: sleep
        labels:
          app: sleep
      spec:
        ports:
        - port: 80
          name: http
        selector:
          app: sleep
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: sleep
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: sleep
        template:
          metadata:
            labels:
              app: sleep
          spec:
            containers:
            - name: sleep
              image: pstauffer/curl
              command: ["/bin/sleep", "3650d"]
              imagePullPolicy: IfNotPresent
      ---
    2. Run the following command to deploy the sleep service:
      kubectl apply -f sleep.yaml
  3. Run the following command to log on to the container of the sleep service and use curl to access https://aliyun.com:
    kubectl --kubeconfig=config.aliyun.worker.k8s -n mytest exec -it deploy/sleep -c sleep -- sh -c "curl -v https://aliyun.com"

    The following output is expected:

    * Rebuilt URL to: https://aliyun.com
    *   Trying 240.240.**.**...
    * TCP_NODELAY set
    * Connected to aliyun.com (240.240.**.**) port 443 (#0)

    The output indicates that the IP address 240.240.**.** is returned. This is not an actual public IP address. Instead, it is a virtual IP address that the ASM instance assigns automatically. The ASM instance uses iptables rules in the pod to intercept DNS requests that are sent to the kube-dns service and to redirect them to the sidecar proxy that runs in the pod of the sleep service. When the pod of the sleep service resolves aliyun.com to the virtual IP address and sends a request to it, the sidecar proxy translates the virtual IP address into the actual public IP address that it resolved.

    In this example, a service entry is created with the hostname aliyun.com. When the pod of the sleep service queries the Istio DNS proxy for aliyun.com, the virtual IP address of aliyun.com is returned. When the pod sends a request to the virtual IP address through the sidecar proxy, the virtual IP address is translated into the actual public IP address.
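The following script is an added example and is not part of the ASM documentation. It automates the check described above: it parses the `* Connected to host (ip) port N` line from `curl -v` output and reports whether the connection went to a virtual IP address handed out by the sidecar DNS proxy or to a real address returned by the upstream resolver. It assumes the 240.240.0.0/16 range that Istio uses for auto-allocated virtual IP addresses (the documentation only shows a masked 240.240.**.** address); the curl outputs embedded in the script are constructed samples, not real captures.

```shell
#!/usr/bin/env bash
# Added example (not from the ASM documentation): classify curl -v output by the
# address curl connected to. Assumption: the sidecar DNS proxy answers in-mesh
# hosts with virtual IPs from 240.240.0.0/16 (Istio's auto-allocation range);
# a routable address means the query went to the upstream resolver instead.

# Print the address from the first "* Connected to host (ip) port N" line.
connected_ip() {
  # $1: full curl -v output
  printf '%s\n' "$1" \
    | sed -n 's/^\* Connected to [^ ]* (\([0-9.]*\)) port .*/\1/p' \
    | head -n 1
}

# Return 0 if the address is a 240.240.x.y virtual IP, 1 otherwise.
is_virtual_ip() {
  case "$1" in
    240.240.*.*.*) return 1 ;;   # more than four octets: not an IPv4 address
    240.240.*.*)   return 0 ;;
    *)             return 1 ;;
  esac
}

# Print "dns-proxy", "upstream", or "unknown" (no Connected line found).
classify_curl_output() {
  ip=$(connected_ip "$1")
  if [ -z "$ip" ]; then
    echo unknown
    return
  fi
  if is_virtual_ip "$ip"; then
    echo dns-proxy
  else
    echo upstream
  fi
}

# Constructed sample outputs (not real captures).
SAMPLE_PROXIED='* Rebuilt URL to: https://aliyun.com
*   Trying 240.240.0.7...
* TCP_NODELAY set
* Connected to aliyun.com (240.240.0.7) port 443 (#0)'

SAMPLE_UPSTREAM='*   Trying 203.0.113.10...
* TCP_NODELAY set
* Connected to example.invalid (203.0.113.10) port 443 (#0)'

classify_curl_output "$SAMPLE_PROXIED"   # dns-proxy
classify_curl_output "$SAMPLE_UPSTREAM"  # upstream
```

In practice the input is the captured output of the kubectl exec command above, for example `classify_curl_output "$(kubectl -n mytest exec deploy/sleep -c sleep -- sh -c 'curl -sv https://aliyun.com' 2>&1)"`. A result of `upstream` for a host that has a service entry means the sidecar did not intercept the DNS query, which is the first thing to check when the DNS proxy feature appears not to work.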