dynamic_forward_proxy: adding dns_resolvers to dns_cache used by the proxy filter

api/envoy/config/core/v3/resolver.proto

@@ -0,0 +1,23 @@
+syntax = "proto3";
+
+package envoy.config.core.v3;
+
+import "envoy/config/core/v3/address.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.config.core.v3";
+option java_outer_classname = "ResolverProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Resolver]
+
+// DNS resolver configuration which includes the underlying dns resolver addresses and options
+message DnsResolver {
+  // A list of dns resolver addresses
+  // Setting this value causes failure if the
+  // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during
+  // server startup. Apple's API only allows overriding DNS resolvers via system settings.
+  repeated Address resolvers = 1;
+}

api/envoy/extensions/common/dynamic_forward_proxy/v3/BUILD

@@ -8,6 +8,7 @@ api_proto_package(
     deps = [
         "//envoy/config/cluster/v3:pkg",
         "//envoy/config/common/dynamic_forward_proxy/v2alpha:pkg",
+        "//envoy/config/core/v3:pkg",
         "@com_github_cncf_udpa//udpa/annotations:pkg",
     ],
 )

api/envoy/extensions/common/dynamic_forward_proxy/v3/dns_cache.proto

@@ -3,6 +3,7 @@ syntax = "proto3";
 package envoy.extensions.common.dynamic_forward_proxy.v3;
 
 import "envoy/config/cluster/v3/cluster.proto";
+import "envoy/config/core/v3/resolver.proto";
 
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
@@ -27,7 +28,7 @@ message DnsCacheCircuitBreakers {
 
 // Configuration for the dynamic forward proxy DNS cache. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
-// [#next-free-field: 9]
+// [#next-free-field: 10]
 message DnsCacheConfig {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.common.dynamic_forward_proxy.v2alpha.DnsCacheConfig";
@@ -101,4 +102,9 @@ message DnsCacheConfig {
   // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during
   // server startup. Apple' API only uses UDP for DNS resolution.
   bool use_tcp_for_dns_lookups = 8;
+
+  // DNS resolver configuration
+  // If specified, DNS cache will perform resolution via the underlying DNS resolvers.
+  // Otherwise, default resolvers from /etc/resolv.conf will be used.
+  config.core.v3.DnsResolver dns_resolver = 9;
 }

docs/root/api-v3/common_messages/common_messages.rst

@@ -16,6 +16,7 @@ Common messages
   ../config/core/v3/grpc_service.proto
   ../config/core/v3/grpc_method_list.proto
   ../config/core/v3/http_uri.proto
+  ../config/core/v3/resolver.proto
   ../config/core/v3/socket_option.proto
   ../config/core/v3/udp_socket_config.proto
   ../config/core/v3/substitution_format_string.proto

docs/root/version_history/current.rst

@@ -60,7 +60,9 @@ Removed Config or Runtime
 
 New Features
 ------------
-* crash support: restore crash context when continuing to processing requests or responses as a result of an asynchronous callback that invokes a filter directly. This is unlike the call stacks that go through the various network layers, to eventually reach the filter. For  a concrete example see: ``Envoy::Extensions::HttpFilters::Cache::CacheFilter::getHeaders`` which posts a callback on the dispatcher that will invoke the filter directly.
+
+* crash support: restore crash context when continuing to processing requests or responses as a result of an asynchronous callback that invokes a filter directly. This is unlike the call stacks that go through the various network layers, to eventually reach the filter. For a concrete example see: ``Envoy::Extensions::HttpFilters::Cache::CacheFilter::getHeaders`` which posts a callback on the dispatcher that will invoke the filter directly.
+* dynamic_forward_proxy: added :ref:`dns_resolver<envoy_v3_api_field_extensions.common.dynamic_forward_proxy.v3.DnsCacheConfig.dns_resolver>` option to the DNS cache config in order use custom DNS resolvers instead of the system default resolvers.
 * http: a new field `is_optional` is added to `extensions.filters.network.http_connection_manager.v3.HttpFilter`. When
   value is `true`, the unsupported http filter will be ignored by envoy. This is also same with unsupported http filter
   in the typed per filter config. For more information, please reference

source/extensions/common/dynamic_forward_proxy/dns_cache_impl.cc

@@ -4,6 +4,7 @@
 
 #include "common/config/utility.h"
 #include "common/http/utility.h"
+#include "common/network/resolver_impl.h"
 #include "common/network/utility.h"
 
 // TODO(mattklein123): Move DNS family helpers to a smaller include.
@@ -20,8 +21,8 @@ DnsCacheImpl::DnsCacheImpl(
     const envoy::extensions::common::dynamic_forward_proxy::v3::DnsCacheConfig& config)
     : main_thread_dispatcher_(main_thread_dispatcher),
       dns_lookup_family_(Upstream::getDnsLookupFamilyFromEnum(config.dns_lookup_family())),
-      resolver_(main_thread_dispatcher.createDnsResolver({}, config.use_tcp_for_dns_lookups())),
-      tls_slot_(tls), scope_(root_scope.createScope(fmt::format("dns_cache.{}.", config.name()))),
+      resolver_(selectDnsResolver(config, main_thread_dispatcher)), tls_slot_(tls),
+      scope_(root_scope.createScope(fmt::format("dns_cache.{}.", config.name()))),
       stats_(generateDnsCacheStats(*scope_)),
       resource_manager_(*scope_, loader, config.name(), config.dns_cache_circuit_breaker()),
       refresh_interval_(PROTOBUF_GET_MS_OR_DEFAULT(config, dns_refresh_rate, 60000)),
@@ -46,6 +47,23 @@ DnsCacheImpl::~DnsCacheImpl() {
   }
 }
 
+Network::DnsResolverSharedPtr DnsCacheImpl::selectDnsResolver(
+    const envoy::extensions::common::dynamic_forward_proxy::v3::DnsCacheConfig& config,
+    Event::Dispatcher& main_thread_dispatcher) {
+  if (config.has_dns_resolver() && !config.dns_resolver().resolvers().empty()) {
+    const auto& resolver_addrs = config.dns_resolver().resolvers();
+    std::vector<Network::Address::InstanceConstSharedPtr> resolvers;
+    resolvers.reserve(resolver_addrs.size());
+    for (const auto& resolver_addr : resolver_addrs) {
+      resolvers.push_back(Network::Address::resolveProtoAddress(resolver_addr));
+    }
+    const bool use_tcp_for_dns_lookups = config.use_tcp_for_dns_lookups();
+    return main_thread_dispatcher.createDnsResolver(resolvers, use_tcp_for_dns_lookups);
+  }
+
+  return main_thread_dispatcher.createDnsResolver({}, config.use_tcp_for_dns_lookups());
+}
+
 DnsCacheStats DnsCacheImpl::generateDnsCacheStats(Stats::Scope& scope) {
   return {ALL_DNS_CACHE_STATS(POOL_COUNTER(scope), POOL_GAUGE(scope))};
 }

source/extensions/common/dynamic_forward_proxy/dns_cache_impl.h

@@ -46,6 +46,9 @@ class DnsCacheImpl : public DnsCache, Logger::Loggable<Logger::Id::forward_proxy
                const envoy::extensions::common::dynamic_forward_proxy::v3::DnsCacheConfig& config);
   ~DnsCacheImpl() override;
   static DnsCacheStats generateDnsCacheStats(Stats::Scope& scope);
+  static Network::DnsResolverSharedPtr selectDnsResolver(
+      const envoy::extensions::common::dynamic_forward_proxy::v3::DnsCacheConfig& config,
+      Event::Dispatcher& main_thread_dispatcher);
 
   // DnsCache
   LoadDnsCacheEntryResult loadDnsCacheEntry(absl::string_view host, uint16_t default_port,

test/extensions/common/dynamic_forward_proxy/BUILD

@@ -23,6 +23,7 @@ envoy_cc_test(
         "//test/test_common:simulated_time_system_lib",
         "//test/test_common:test_runtime_lib",
         "@envoy_api//envoy/config/cluster/v3:pkg_cc_proto",
+        "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
         "@envoy_api//envoy/extensions/common/dynamic_forward_proxy/v3:pkg_cc_proto",
     ],
 )