dns_filter: Add TCP listener support for DNS resolution
#45,850 opened on Jun 26, 2026
Description
Title: dns_filter: Add TCP listener support for DNS resolution
Description:
Summary
The UDP DNS filter (envoy.filters.udp.dns_filter) currently only supports UDP. This proposal adds TCP DNS listener support to handle clients that use TCP for DNS resolution (e.g., via options use-vc in resolv.conf, or applications that explicitly configure TCP DNS).
Use Case
We're building a service mesh feature where Envoy acts as the authoritative DNS resolver for service discovery within a task/pod. The DNS filter resolves service names from an inline DNS table and forwards unknown queries to upstream resolvers.
While UDP covers ~99% of DNS traffic, some scenarios require TCP:
- Clients configured with options use-vc in /etc/resolv.conf
- Applications using DNS libraries with explicit TCP transport (Go's net.Resolver with TCP dial, Java's Netty DnsNameResolverBuilder)
- Fallback when UDP responses are truncated (TC bit set)
Without TCP support, these clients fail to resolve — the DNS filter can't fall back gracefully since it only binds a UDP listener.
Proposed Behavior
- Add a TCP listener filter equivalent to the existing UDP DNS filter
- Reuse the same DnsFilterConfig (server_config, client_config, access_log) for consistency
- Support the same inline DNS table and external upstream forwarding
- Handle DNS message framing over TCP (2-byte length prefix per RFC 1035 §4.2.2)
Related
- Existing UDP DNS filter: envoy.filters.udp.dns_filter
- PR for reference (if you want to link your existing PR): https://github.com/envoyproxy/envoy/pull/45615
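The 2-byte length framing named under Proposed Behavior, sketched as an added example; this is not code from Envoy or from the linked PR. `TcpDnsFramer` and its methods are hypothetical names, and rejecting frames shorter than the 12-byte DNS header is an assumption of this sketch. It shows the cases a TCP listener has to handle that UDP never presents: a length prefix split across reads, several messages in one read, and a declared length that cannot be a DNS message.

```cpp
// Added example: incremental decoder for DNS-over-TCP framing (RFC 1035 section 4.2.2).
// TcpDnsFramer is a hypothetical name, not an Envoy class.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

class TcpDnsFramer {
public:
  enum class Status { Ok, Malformed };
  static constexpr size_t kDnsHeaderSize = 12; // fixed DNS header size

  // Feed bytes exactly as read from the socket. Every complete DNS message
  // (without its length prefix) is appended to `out`.
  Status feed(const uint8_t* data, size_t len, std::vector<std::string>& out) {
    if (failed_) return Status::Malformed;
    buf_.append(reinterpret_cast<const char*>(data), len);
    size_t pos = 0;
    while (buf_.size() - pos >= 2) {
      // The prefix is two bytes, big-endian, and does not count itself.
      const size_t msg_len = (static_cast<uint8_t>(buf_[pos]) << 8) |
                             static_cast<uint8_t>(buf_[pos + 1]);
      if (msg_len < kDnsHeaderSize) {
        // Too short to hold a DNS header: stop parsing this connection
        // instead of handing a short buffer to the message parser.
        failed_ = true;
        return Status::Malformed;
      }
      if (buf_.size() - pos - 2 < msg_len) break; // body not fully received yet
      out.emplace_back(buf_, pos + 2, msg_len);
      pos += 2 + msg_len;
    }
    // Keep only the unfinished tail; the 16-bit prefix bounds it below 64 KiB + 2.
    buf_.erase(0, pos);
    return Status::Ok;
  }

  size_t pending() const { return buf_.size(); }

private:
  std::string buf_;
  bool failed_ = false;
};
```

Because the prefix is 16 bits, per-connection buffering is bounded by the framing itself; idle timeouts and per-connection query limits still have to be enforced by the listener.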