Istio 1.8 and later versions enable sidecar proxies to serve as Domain Name System
(DNS) proxies. When an Alibaba Cloud Service Mesh (ASM) instance with the DNS proxy
feature enabled receives DNS queries from applications, the specified sidecar proxy
transparently intercepts the queries and resolves the DNS information in these queries.
This topic describes how to enable the DNS proxy feature for an ASM instance.
Background information
ASM uses Kubernetes services and defined service entries to configure hostname-to-IP-address
mappings for all services that an application may access. The specified sidecar proxy
transparently intercepts DNS queries that are sent from the application and resolves
the DNS information in these queries.
- If the application queries a service that is deployed in an ASM instance, the sidecar
proxy directly responds to the application.
- If the application queries a service that is not deployed in an ASM instance, the
sidecar proxy forwards the query to the upstream name servers that are defined in
/etc/resolv.conf.
Enable the DNS proxy feature for an ASM instance
Use the ASM console to enable the DNS proxy feature
- Log on to the ASM console.
- In the left-side navigation pane, choose .
- On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM
instance or click Manage in the Actions column.
- On the details page of the ASM instance, choose in the left-side navigation pane.
- On the Sidecar Proxy Setting page, click the Namespace tab.
- Select a namespace, click the icon on the left of Enable DNS Proxy, select Enable DNS Proxy, and then click Update Settings.
- Restart the pod for which you want to make the DNS configuration take effect.
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, click Clusters.
- On the Clusters page, find the cluster that you want to manage and click the name of the cluster
or click Details in the Actions column. The details page of the cluster appears.
- In the left-side navigation pane of the details page, choose .
- On the Pods tab, find the pod that you want to restart and click Delete in the Actions column.
- In the Delete Pod message, click OK.
Wait until the pod restarts. The DNS configuration takes effect after the pod restarts.
Use Alibaba Cloud CLI to enable the DNS proxy feature
You can enable the DNS proxy feature for an ASM instance by using Alibaba Cloud CLI.
Run the following command to enable the DNS proxy feature:
aliyun servicemesh UpdateMeshFeature --ServiceMeshId=xxxx --DNSProxyingEnabled=true
To disable the DNS proxy feature, run the following command:
aliyun servicemesh UpdateMeshFeature --ServiceMeshId=xxxx --DNSProxyingEnabled=false
Verify the DNS proxy feature
- Create a service entry in the ASM instance.
Use the service entry to add https://aliyun.com to the service registry that is internally
maintained by the ASM instance.
- Log on to the ASM console.
- In the left-side navigation pane, choose .
- On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM
instance or click Manage in the Actions column.
- On the details page of the ASM instance, choose in the left-side navigation pane. On the ServiceEntry page, click Create from YAML.
- On the Create page, select a namespace from the Namespace drop-down list, enter code to configure a service entry in the code editor, and then
click Create.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: mydnsproxying-sample
spec:
  hosts:
  - aliyun.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS
- Deploy a sleep service in a Container Service for Kubernetes (ACK) cluster that is
added to the ASM instance.
- Create a sleep.yaml file that contains the following code:
##################################################################################################
# Sleep service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
  name: sleep
  labels:
    app: sleep
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: sleep
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      labels:
        app: sleep
    spec:
      containers:
      - name: sleep
        image: pstauffer/curl
        command: ["/bin/sleep", "3650d"]
        imagePullPolicy: IfNotPresent
---
- Run the following command to deploy the sleep service:
kubectl apply -f sleep.yaml
- Run the following command to log on to the container of the sleep service and use
a curl command to access the URL of https://aliyun.com:
kubectl --kubeconfig=config.aliyun.worker.k8s -n mytest exec -it deploy/sleep -c sleep -- sh -c "curl -v https://aliyun.com"
Expected output:
* Rebuilt URL to: https://aliyun.com/
* Trying 240.240.**.**...
* TCP_NODELAY set
* Connected to aliyun.com (240.240.**.**) port 443 (#0)
The output indicates that the IP address 240.240.**.** is returned. This IP address
is not the actual public IP address of aliyun.com. Instead, it is a virtual IP address that is
automatically assigned by the ASM instance. This is because the ASM instance uses iptables to
intercept DNS queries that are sent to the kube-dns service and redirects them to the sidecar
proxy that runs in the pod of the sleep service. When the pod of the sleep service
resolves aliyun.com to the virtual IP address and sends a request to it, the sidecar proxy
translates the virtual IP address into the actual public IP address that it has resolved.
In this example, a service entry is created and the hostname of aliyun.com is added
to the service entry. When the pod of the sleep service queries aliyun.com from the
Istio DNS, the virtual IP address of aliyun.com is returned. If the pod uses the virtual
IP address to send a request by using the sidecar proxy, the virtual IP address is
translated into the actual public IP address.
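The check above can be scripted so that it does not rely on reading the curl output by eye. The following shell functions are an added example (not part of the ASM documentation or the Istio project): they parse a curl -v transcript, pull out the address that curl connected to, and report whether it falls in 240.240.0.0/16, the range Istio auto-allocates for DNS-proxied service entry hosts. The namespace mytest and the deployment name sleep are taken from this topic; the kubectl context is assumed to point at the ACK cluster.

```shell
#!/bin/sh
# Added example, not from the ASM documentation.
# A resolved address in 240.240.0.0/16 is evidence that the sidecar DNS proxy
# (not the upstream name server) answered the query for a service entry host.

# Read "curl -v" output on stdin and print the IP from the
# "* Connected to <host> (<ip>) port <n>" line (first match only).
curl_connected_ip() {
  sed -n 's/^\* Connected to [^ ]* (\([0-9.]*\)) port .*/\1/p' | head -n 1
}

# Exit 0 when the address lies in Istio's auto-allocated VIP range 240.240.0.0/16.
is_mesh_vip() {
  case "$1" in
    240.240.*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify a curl -v transcript read from stdin.
# Prints "proxied" (exit 0), "direct" (exit 1) or "unresolved" (exit 2).
classify_curl_output() {
  ip=$(curl_connected_ip)
  if [ -z "$ip" ]; then
    echo unresolved
    return 2
  fi
  if is_mesh_vip "$ip"; then
    echo proxied
    return 0
  fi
  echo direct
  return 1
}

# Live check: run curl inside the sleep pod and classify what it connected to.
# Usage: check_pod_dns_proxy [namespace] [host]   (defaults: mytest, aliyun.com)
check_pod_dns_proxy() {
  ns=${1:-mytest}
  host=${2:-aliyun.com}
  # curl -v writes the connection trace to stderr, so merge it into stdout.
  kubectl -n "$ns" exec deploy/sleep -c sleep -- \
    sh -c "curl -sv https://$host -o /dev/null" 2>&1 | classify_curl_output
}
```

If the result is "direct", the pod resolved the host through the upstream name servers, which usually means the pod was not restarted after the DNS proxy was enabled or the namespace setting was not applied.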