envoyproxy/envoy

dns_filter: Add TCP listener support for DNS resolution

Open

#45850 opened on Jun 26, 2026

Labels: area/dns, dns_filter, enhancement, help wanted

Description

Summary

The UDP DNS filter (envoy.filters.udp.dns_filter) currently only supports UDP. This proposal adds TCP DNS listener support to handle clients that use TCP for DNS resolution (e.g., via options use-vc in resolv.conf, or applications that explicitly configure TCP DNS).

Use Case

We're building a service mesh feature where Envoy acts as the authoritative DNS resolver for service discovery within a task/pod. The DNS filter resolves service names from an inline DNS table and forwards unknown queries to upstream resolvers.

While UDP covers ~99% of DNS traffic, some scenarios require TCP:

  • Clients configured with options use-vc in /etc/resolv.conf
  • Applications using DNS libraries with explicit TCP transport (Go's net.Resolver with TCP dial, Java's Netty DnsNameResolverBuilder)
  • Fallback when UDP responses are truncated (TC bit set)

Without TCP support, these clients fail to resolve — the DNS filter can't fall back gracefully since it only binds a UDP listener.

Proposed Behavior

  • Add a TCP listener filter equivalent to the existing UDP DNS filter
  • Reuse the same DnsFilterConfig (server_config, client_config, access_log) for consistency
  • Support the same inline DNS table and external upstream forwarding
  • Handle DNS message framing over TCP (2-byte length prefix per RFC 1035 §4.2.2)
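The framing in the last bullet and the TC-bit fallback listed under the use case, as an added illustration that is not Envoy code and not part of this issue: a small C++ decoder for length-prefixed DNS over TCP that copes with partial and coalesced reads, the matching encoder, and a TC-bit check. The names (TcpDnsDecoder, frameForTcp, isTruncated, sampleResponse) are hypothetical and the sample header is constructed.

```cpp
#include <cstdint>
#include <string>
#include <vector>
// DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035
// section 4.2.2). TCP is a byte stream, so one read may hold part of a message
// or several messages; the decoder buffers bytes until a frame is complete.
struct TcpDnsDecoder {
  std::string pending;  // bytes received that do not yet form a whole frame
  bool error = false;   // set when a frame is too short to hold a DNS header
  // Feed one chunk from the socket; returns every message it completes.
  std::vector<std::string> feed(const std::string& chunk) {
    std::vector<std::string> out;
    pending += chunk;
    std::string::size_type pos = 0;
    while (pending.size() - pos >= 2) {
      uint16_t len = (static_cast<uint8_t>(pending[pos]) << 8) |
                     static_cast<uint8_t>(pending[pos + 1]);
      if (len < 12) {  // shorter than the 12-byte DNS header: protocol error
        error = true;
        pending.clear();
        return out;
      }
      if (pending.size() - pos - 2 < len) break;  // wait for the rest
      out.emplace_back(pending, pos + 2, len);
      pos += 2 + len;
    }
    pending.erase(0, pos);
    return out;
  }
};

// Add the length prefix so a message built for UDP can be sent to a TCP peer.
std::string frameForTcp(const std::string& msg) {
  std::string out;
  out.push_back(static_cast<char>(msg.size() >> 8));
  out.push_back(static_cast<char>(msg.size() & 0xff));
  return out + msg;
}

// True when the TC bit (header byte 2, bit 0x02) is set: the client's cue to retry over TCP.
bool isTruncated(const std::string& msg) {
  return msg.size() >= 12 && (static_cast<uint8_t>(msg[2]) & 0x02) != 0;
}

// Constructed sample, not a capture: header-only response (id 0x1234, QR/RD/RA set, QDCOUNT=1).
std::string sampleResponse(bool truncated) {
  const unsigned char hdr[12] = {0x12, 0x34, static_cast<unsigned char>(truncated ? 0x83 : 0x81), 0x80, 0, 1};
  return std::string(reinterpret_cast<const char*>(hdr), 12);
}
```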
