Set up DNS Proxy
Note: This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information, see Cloud Service Mesh overview.
DNS Proxy is a feature for providing the following capabilities:
- Propagating DNS entries of Services across clusters in a multi-cluster setup.
- Populating DNS entries for ServiceEntry.
Kubernetes provides DNS resolution only for Services in the local cluster. When you need to provide name resolution for Services in remote clusters or use an internal-only hostname with ServiceEntry without having an additional internal-only DNS server, DNS Proxy provides a way to resolve DNS names for such cases.
1.21.5-asm.39 dataplane.
Configuring DNS Proxy
Cluster wide configuration
To configure DNS proxy in the cluster, add ISTIO_META_DNS_CAPTURE proxy metadata to the ConfigMap for MeshConfig. The name of the ConfigMap has a format of istio-<revision_name>. For the details of revision, refer to the overview of the revision.

    apiVersion: v1
    data:
      mesh: |-
        ...
        defaultConfig:
          proxyMetadata:
            ISTIO_META_DNS_CAPTURE: "true"
        ...
    kind: ConfigMap
    metadata:
      name: istio-<revision_name>
      namespace: istio-system

Per-proxy configuration
To configure DNS proxy for a proxy, add the ISTIO_META_DNS_CAPTURE proxy metadata annotation as follows:

    kind: Deployment
    metadata:
      name: app1
      namespace: ns1
    spec:
      ...
      template:
        metadata:
          annotations:
            proxy.istio.io/config: |
              proxyMetadata:
                ISTIO_META_DNS_CAPTURE: "true"
        ...

Verifying
Name resolution for Service across clusters
After the multi-cluster setup, deploy a Service only in one of the clusters to verify the cross-cluster name resolution.
When you have the following example Service ns1/svc1, you can find ClusterIP in Service.

    $ kubectl get service -n ns1 svc1 -o yaml
    kind: Service
    metadata:
      name: svc1
      namespace: ns1
    spec:
      ...
      ClusterIP: 210.200.1.1
      ...

Then, when using curl from the other cluster to the Service, it should show the ClusterIP as follows.

    curl -sS -v svc1.ns1.svc.cluster.local
    *   Trying 210.200.1.1:80...

Name resolution for ServiceEntry
Add a ServiceEntry with a hostname not registered in your DNS. To verify the name resolution, the following example has the explicit address 192.168.123.123.

    $ kubectl apply -f - <<EOF
    apiVersion: networking.istio.io/v1beta1
    kind: ServiceEntry
    metadata:
      name: test-service-entry
    spec:
      addresses:
      - "192.168.123.123"
      hosts:
      - not-existing-hostname.internal
      ports:
      - name: http
        number: 80
        protocol: HTTP
    EOF

Then, try DNS resolution in a Pod where DNS Proxy is enabled. For example, if you run a curl in the Pod, it should display the IP address as follows:

    curl -sS -v not-existing-hostname.internal
    *   Trying 192.168.123.123:80...

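The two curl checks in the Verifying section can be scripted so they run the same way on every cluster. The following is an added example, not part of the original page: the function names and the sample curl output are constructed, and it goes one step beyond the page by reporting an unresolved name separately from a name that resolved to the wrong address.

```bash
#!/bin/sh
# Added example; first_tried_ip and check_dns_proxy are hypothetical helper names.
# Feed them the verbose output of curl run inside the Pod. curl -v writes the
# "Trying" line to stderr, so merge the streams first:
#   curl -sS -v not-existing-hostname.internal 2>&1 | check_dns_proxy 192.168.123.123

# Print the first IPv4 address curl attempted, read from stdin.
# Accepts "Trying 1.2.3.4:80..." and the older "Trying 1.2.3.4..." form.
first_tried_ip() {
  sed -n 's/^\* *Trying \([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# Compare the attempted address with the ClusterIP or ServiceEntry address.
# Returns 0 = match, 1 = resolved to a different address, 2 = not resolved.
check_dns_proxy() {
  _expected="$1"
  _got="$(first_tried_ip)"
  if [ -z "$_got" ]; then
    echo "FAIL: no address resolved (is ISTIO_META_DNS_CAPTURE set on this proxy?)" >&2
    return 2
  fi
  if [ "$_got" != "$_expected" ]; then
    echo "FAIL: resolved $_got, expected $_expected" >&2
    return 1
  fi
  echo "OK: resolved $_got"
}

# Constructed sample output (not captured from a real cluster).
SAMPLE_OK='*   Trying 192.168.123.123:80...
* Connected to not-existing-hostname.internal (192.168.123.123) port 80'
SAMPLE_UNRESOLVED='* Could not resolve host: not-existing-hostname.internal'

# Demo: one passing check and one failing check on the constructed samples.
printf '%s\n' "$SAMPLE_OK" | check_dns_proxy 192.168.123.123
printf '%s\n' "$SAMPLE_UNRESOLVED" | check_dns_proxy 192.168.123.123 || echo "exit code $?"
```

A return code of 1 is worth treating differently from 2: the name resolved, but not to the address the Service or ServiceEntry declares.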
Last updated 2026-02-19 UTC.