It Is Always DNS… Even at the Edge: Taming Proxy-Only Lookups Wi... Hector Monsalve & Thomas Gosteli

The session details Rush’s internal platform team tackling edge‑centric Kubernetes deployments, focusing on a stubborn DNS problem that emerged when customer firewalls restrict egress and provide DNS servers that cannot resolve public domains. By leveraging Selium’s service‑mesh capabilities, the team routes all outbound traffic through a controlled HTTP proxy, ensuring compliance with strict firewall rules while keeping applications oblivious to the underlying network complexities. Key insights include the use of Selium network policies to capture traffic, redirect it to Envoy configurations, and tunnel DNS queries over HTTPS (DoH) when CoreDNS returns NXDOMAIN responses. Because CoreDNS cannot forward DoH natively, a custom DNS‑over‑HTTPS proxy forwards queries to Cloudflare, then the response is sent back through the same proxy chain, preserving a single 443‑port allowance. During the live demo, the team showed a three‑container lab: a Kind cluster with CoreDNS pointing to a non‑resolving upstream, an HTTP proxy, and a DoH proxy. When a pod queried rush.com, the initial NXDOMAIN triggered the fallback to the DoH proxy, which resolved the name via Cloudflare and returned it to the application, illustrating the end‑to‑end flow. The approach eliminates per‑customer network tweaks, maintains security postures, and demonstrates how service‑mesh‑driven traffic redirection can solve edge DNS challenges. Caching at the proxy layer mitigates added latency, making the solution viable for regulated healthcare environments.