Add dns_gateway dynamic module example #56
Open
ovadiagal wants to merge 4 commits into envoyproxy:main from
d787c4a to 0442f1d
5401d45 to ba39360
dns_gateway dynamic module example
4f2574e to a07a5ad
Signed-off-by: Gal Ovadia <ggalovadia@gmail.com> . Signed-off-by: Gal Ovadia <ggalovadia@gmail.com> rename Signed-off-by: Gal Ovadia <ggalovadia@gmail.com> , Signed-off-by: Gal Ovadia <ggalovadia@gmail.com> work Signed-off-by: Gal Ovadia <govadia@palantir.com> Signed-off-by: Gal Ovadia <ggalovadia@gmail.com> clean Signed-off-by: Gal Ovadia <govadia@palantir.com> Signed-off-by: Gal Ovadia <ggalovadia@gmail.com> cleanuP Signed-off-by: Gal Ovadia <ggalovadia@gmail.com> update to latest sdk Signed-off-by: Gal Ovadia <ggalovadia@gmail.com> cleanup Signed-off-by: Gal Ovadia <ggalovadia@gmail.com> cleanup Signed-off-by: Gal Ovadia <ggalovadia@gmail.com> style match lib.rs Signed-off-by: Gal Ovadia <ggalovadia@gmail.com> add tests, readme, Signed-off-by: Gal Ovadia <ggalovadia@gmail.com> clean Signed-off-by: Gal Ovadia <ggalovadia@gmail.com> Update lib.rs Signed-off-by: Gal Ovadia <ggalovadia@gmail.com> Update README.md Signed-off-by: Gal Ovadia <ggalovadia@gmail.com>
4a7b236 to 898d8d8
Signed-off-by: Gal Ovadia <ggalovadia@gmail.com>
Signed-off-by: Gal Ovadia <ggalovadia@gmail.com>
Dynamic module approach to solving this issue: Retrieve DNS resolution results at runtime #41605

This dynamic module can be used to implement egress policies by hostname (see this blog by Cloudflare which has some good context).

In this dynamic module, you'll find:

- `dns_gateway/mod.rs`: DNS gateway UDP listener filter. Intercepts DNS queries and returns synthetic responses for domains matching configured egress policies (exact or `*.` wildcard).
- `virtual_ip_cache.rs`: Maintains a mapping between FQDN and virtual IPs.
  - `virtual_ip_cache::allocate()` to get a virtual IP for a domain (reuses existing IP if the domain was seen before)
  - `virtual_ip_cache::lookup()` to resolve a virtual IP back to its domain and metadata
- `cache_lookup.rs`: Network filter that runs on new TCP connections. Looks up the destination virtual IP in the shared cache and writes the resolved domain and policy metadata into Envoy filter state, making them available to downstream filters via:
  - `%FILTER_STATE(envoy.dns_gateway.domain:PLAIN)%`
  - `%FILTER_STATE(envoy.dns_gateway.metadata.<key>:PLAIN)%`

Additional details can be found in the README file in this PR.
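
A minimal sketch of the allocate/lookup behaviour and the exact or `*.` wildcard policy match described above. It is an added example, not code from this PR: the `VirtualIpCache` layout, the `policy_matches` helper, the address pool and the wildcard semantics are all assumptions.

```rust
use std::collections::HashMap;
use std::net::Ipv4Addr;
// Hypothetical sketch: names, pool and wildcard semantics are assumptions, not the PR's code.
pub struct VirtualIpCache {
    base: u32, // first address of the virtual pool
    size: u32, // number of addresses in the pool
    by_domain: HashMap<String, Ipv4Addr>,
    by_ip: HashMap<Ipv4Addr, String>,
}

// Lowercase and drop the root dot so "API.Example.com." and "api.example.com" share one entry.
fn normalize(fqdn: &str) -> String {
    fqdn.trim_end_matches('.').to_ascii_lowercase()
}

// Exact match, or "*.suffix" on a label boundary only (assumed: the bare suffix does not match).
pub fn policy_matches(pattern: &str, fqdn: &str) -> bool {
    let (p, d) = (normalize(pattern), normalize(fqdn));
    match p.strip_prefix("*.") {
        Some(suffix) => d.strip_suffix(suffix).map_or(false, |h| h.len() > 1 && h.ends_with('.')),
        None => p == d,
    }
}

impl VirtualIpCache {
    pub fn new(base: Ipv4Addr, size: u32) -> Self {
        Self { base: u32::from(base), size, by_domain: HashMap::new(), by_ip: HashMap::new() }
    }
    // Reuses the IP of a known domain; None when the pool is exhausted (caller fails closed).
    pub fn allocate(&mut self, fqdn: &str) -> Option<Ipv4Addr> {
        let key = normalize(fqdn);
        if let Some(ip) = self.by_domain.get(&key) { return Some(*ip); }
        let next = self.by_ip.len() as u32;
        if next >= self.size { return None; }
        let ip = Ipv4Addr::from(self.base.checked_add(next)?);
        self.by_domain.insert(key.clone(), ip);
        self.by_ip.insert(ip, key);
        Some(ip)
    }
    // Reverse mapping consulted when a TCP connection arrives at a virtual IP.
    pub fn lookup(&self, ip: Ipv4Addr) -> Option<&str> {
        self.by_ip.get(&ip).map(String::as_str)
    }
}

fn main() {
    let mut cache = VirtualIpCache::new(Ipv4Addr::new(198, 18, 0, 0), 2); // constructed pool
    let ip = cache.allocate("api.example.com").unwrap();
    println!("{} -> {:?}, allowed: {}", ip, cache.lookup(ip), policy_matches("*.example.com", "api.example.com"));
}
```

Matching on the label boundary is what keeps a name such as `evilexample.com` from satisfying a `*.example.com` policy, and returning `None` on pool exhaustion lets the DNS side refuse to answer instead of reusing an address that already maps to another domain.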