Set up DNS Proxy
================

Last updated (UTC): 2025-09-04.

**Note:** This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information, see [Cloud Service Mesh overview](/service-mesh/v1.25/docs/overview).

DNS Proxy is a feature that provides the following capabilities:

1. Propagating DNS entries of `Services` across clusters in a [multi-cluster setup](/service-mesh/v1.25/docs/gke-install-multi-cluster).
2. Populating DNS entries for `ServiceEntry`.

Kubernetes provides DNS resolution only for `Services` in the local cluster.
When you need to provide name resolution for `Services` in remote clusters, or
use an internal-only hostname with `ServiceEntry` without having an additional
internal-only DNS server, DNS Proxy provides a way to resolve DNS names for such
cases.

**Note:** This feature is available from the `1.21.5-asm.39` dataplane.

Configuring DNS Proxy
---------------------

### Cluster wide configuration

To configure DNS proxy in the cluster, add the `ISTIO_META_DNS_CAPTURE` proxy
metadata to the `ConfigMap` for `MeshConfig`. The name of the `ConfigMap` has the format
`istio-<revision_name>`. For details about revisions, refer to [the overview
of the revision](/service-mesh/v1.25/docs/revisions-overview).

    apiVersion: v1
    data:
      mesh: |-
        ...
        defaultConfig:
          proxyMetadata:
            # enable DNS proxy cluster-wide
            ISTIO_META_DNS_CAPTURE: "true"
        ...
    kind: ConfigMap
    metadata:
      name: istio-<revision_name>
      namespace: istio-system

### Per-proxy configuration

To configure DNS proxy for a single proxy, add the `ISTIO_META_DNS_CAPTURE` proxy metadata
annotation as follows:

    kind: Deployment
    metadata:
      name: app1
      namespace: ns1
    spec:
      ...
      template:
        metadata:
          annotations:
            # enable DNS proxy for this workload's proxy only
            proxy.istio.io/config: |
              proxyMetadata:
                ISTIO_META_DNS_CAPTURE: "true"
        ...

### Verifying

#### Name resolution for `Service` across clusters

After the [multi-cluster setup](/service-mesh/v1.25/docs/gke-install-multi-cluster),
deploy a `Service` in only one of the clusters to verify cross-cluster name
resolution.

When you have the following example `Service` `ns1/svc1`,
you can find the `ClusterIP` in the `Service`.

    $ kubectl get service svc1 -n ns1 -o yaml
    kind: Service
    metadata:
      name: svc1
      namespace: ns1
    spec:
      ...
      clusterIP: 210.200.1.1
      ...

Then, when using `curl` from the *other* cluster to reach the `Service`, it should show
the `ClusterIP` as follows.

    curl -sS -v svc1.ns1.svc.cluster.local
    *   Trying 210.200.1.1:80...

#### Name resolution for `ServiceEntry`

Add a `ServiceEntry` with a hostname that is not registered in your DNS.
To verify name resolution, the following example sets the explicit address `192.168.123.123`.

    $ kubectl apply -f - <<EOF
    apiVersion: networking.istio.io/v1beta1
    kind: ServiceEntry
    metadata:
      name: test-service-entry
    spec:
      addresses:
      - "192.168.123.123"
      hosts:
      - not-existing-hostname.internal
      ports:
      - name: http
        number: 80
        protocol: HTTP
    EOF

Then, try DNS resolution in a Pod where DNS Proxy is enabled. For example, if
you run `curl` in the Pod, it should display the IP address as follows:

    curl -sS -v not-existing-hostname.internal
    *   Trying 192.168.123.123:80...
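
The verification step above can be turned into a pass/fail check that compares the address `curl -v` tried with the address declared in the `ServiceEntry`. This is an added example, not part of the original documentation: the function names `tried_ips` and `check_resolution` are hypothetical, the sample `curl` output is constructed, and only IPv4 addresses are handled.

```shell
#!/bin/sh
# Added example (not from the Cloud Service Mesh docs): check that a hostname
# resolved to the address declared in the ServiceEntry, using `curl -v` output.

# Print the IPv4 address from every "* Trying <ip>:<port>..." line on stdin.
tried_ips() {
  sed -n 's/^\*[[:space:]]*Trying \([0-9][0-9.]*\):[0-9]*\.\.\..*$/\1/p'
}

# check_resolution <expected_ip>   (reads `curl -v` output on stdin)
# Returns 0 if every tried address equals <expected_ip>,
#         1 if another address was tried,
#         2 if no address was resolved at all.
check_resolution() {
  expected=$1
  ips=$(tried_ips)
  if [ -z "$ips" ]; then
    echo "FAIL: name did not resolve; check ISTIO_META_DNS_CAPTURE on this Pod"
    return 2
  fi
  for ip in $ips; do
    if [ "$ip" != "$expected" ]; then
      echo "FAIL: resolved to $ip, expected $expected"
      return 1
    fi
  done
  echo "OK: resolved to $expected"
}

# Constructed sample outputs (not captured from a real cluster).
SAMPLE_OK='*   Trying 192.168.123.123:80...
* Connected to not-existing-hostname.internal (192.168.123.123) port 80'
SAMPLE_UNRESOLVED='* Could not resolve host: not-existing-hostname.internal
curl: (6) Could not resolve host: not-existing-hostname.internal'
SAMPLE_OTHER='*   Trying 203.0.113.10:80...'

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OK" | check_resolution 192.168.123.123
printf '%s\n' "$SAMPLE_UNRESOLVED" | check_resolution 192.168.123.123 || true

# In a cluster (assumes curl exists in the app1 container from the page's example):
#   kubectl exec -n ns1 deploy/app1 -- curl -sS -v not-existing-hostname.internal 2>&1 \
#     | check_resolution 192.168.123.123
```

A return code of 2 on a Pod that should have DNS Proxy enabled points to the metadata not being applied to that proxy; a return code of 1 means some resolver answered with an address other than the one in the `ServiceEntry`.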