CFP: Introduce HA mode for DNS proxy #30984

@hemanthmalla

Description

Cilium Feature Proposal

Is your proposed feature related to a problem?

Cilium agent uses a DNS proxy to intercept all DNS queries and obtain the information it needs to enforce toFQDN network policies. However, the lifecycle of this proxy is coupled with that of the cilium agent. This presents a few challenges when the cilium agent is down: new connections to domains that were already resolved still fail, even though the eBPF plumbing for the necessary CIDR-based policy is already in place. This happens because, for endpoints with an FQDN policy in place, all DNS requests are redirected to the DNS proxy, which is unavailable when the agent is down.

Related #14333 #13194
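To make the coupling concrete, here is an added example (not from the CFP or from the Cilium project) of the kind of CiliumNetworkPolicy that puts an endpoint into the situation described above: the dns L7 rule on port 53 is what causes the datapath to redirect the endpoint's DNS traffic through the agent's proxy, and the toFQDNs egress rule is only populated with CIDRs once that proxy has observed a response. The policy name, namespace, workload label and domain are assumptions.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-example-fqdn        # hypothetical name
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: client                 # hypothetical workload label
  egress:
  # 1. Let the endpoint reach kube-dns and inspect DNS at L7.
  #    This rule is what makes the datapath redirect port-53 traffic to the
  #    agent's DNS proxy; while the agent is down, these lookups have
  #    nowhere to go, so the client never gets an answer.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s:k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # 2. Allow egress to the IPs the proxy has seen resolve for this name.
  #    The CIDR entries derived from earlier answers stay in the eBPF maps,
  #    so a destination that was already resolved remains reachable only if
  #    the client does not need a fresh lookup.
  - toFQDNs:
    - matchName: "api.example.com"  # hypothetical domain
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

The name-to-IP entries the proxy has learned can be inspected on the node with the agent's own CLI (`cilium-dbg fqdn cache list`, called `cilium fqdn cache list` in older releases); that cache is the state an external component would have to be able to populate for the proxy to survive an agent restart.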

Describe the feature you'd like

This CFP proposes ways to remove this dependency and introduce a mechanism to allow components external to the cilium agent to populate the FQDN to IP mappings. This should allow for a high availability (HA) mode of DNS proxy.

Describe your proposed solution

We built proof of concepts for two approaches:

1. A standalone DNS proxy (SDP) running alongside cilium agent.
2. Node local DNS plugin that can update mappings in Cilium agent.

Currently we prefer the SDP method purely from an ease of maintenance perspective.

Previous solutions have been described here in detail. Will create an updated CFP in design-cfps to discuss next steps for SDP method.

Metadata

Labels

- area/fqdn: Affects the FQDN policies feature
- kind/cfp: Cilium Feature Proposal
- kind/feature: This introduces new functionality.
- sig/policy: Impacts whether traffic is allowed or denied based on user-defined policies.

Status

Done
