
Question: Is Envoy capable of forwarding UDP traffic as TCP traffic?

Open livius-ungureanu opened this issue 3 years ago • 1 comments

Description:

The question: is Envoy capable of forwarding UDP traffic as TCP traffic?

My specific use case is that I'd need to implement DNS over TLS using Envoy. This means, for example, that the local 127.0.0.1:53 traffic needs to be reverse proxied to 8.8.8.8:853.

Whereas I've got an Envoy config that forwards DNS traffic from localhost:53 to some external DNS server like 8.8.8.8:53 (i.e. UDP to UDP forwarding), I could not configure Envoy to forward DNS traffic from localhost:53 to an external DNS over TLS (DoT) server like 8.8.8.8:853 in order to achieve DoT. Since DoT implies that a TCP-based TLS handshake happens first on 8.8.8.8:853 before falling back to UDP on port 53 (on the DoT server side), the issue should be narrowed to convincing Envoy to forward DNS/UDP traffic from local port 53 as TCP traffic to the remote 8.8.8.8:853 (i.e. UDP to TCP forwarding). The first question: is this really possible?

static_resources:
  listeners:
    - name: listener_0
      address:
        socket_address:
          protocol: UDP          # plain DNS datagrams arrive here on 127.0.0.53:53
          address: 127.0.0.53
          port_value: 53
      udp_listener_config:
        downstream_socket_config:
          max_rx_datagram_size: 9000
      filter_chains:
        - filters:
          # tcp_proxy is a network (stream) filter; a UDP listener only runs
          # listener_filters such as udp_proxy, so this chain never receives the
          # datagrams and nothing reaches the TLS cluster below
          - name: envoy.filters.network.tcp_proxy
            typed_config:
              '@type': "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy"
              stat_prefix: tcp_proxy
              cluster: allbackend_cluster
  clusters:
    - name: allbackend_cluster
      connect_timeout: 1s
      type: STATIC
      transport_socket:            # TLS towards the upstream DoT endpoint
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          common_tls_context:
            validation_context:
              trusted_ca:          # validate the upstream certificate against the system bundle
                filename: /etc/ssl/certs/ca-certificates.crt
      lb_policy: round_robin
      load_assignment:
        cluster_name: allbackend_cluster
        endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: 8.8.8.8   # Google Public DNS, DoT port
                    port_value: 853

livius-ungureanu avatar Aug 08 '22 11:08 livius-ungureanu

cc @yanjunxiang-google (as a dns_filter owner)

kyessenov avatar Aug 08 '22 18:08 kyessenov

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

github-actions[bot] avatar Sep 07 '22 20:09 github-actions[bot]

Sending UDP traffic upstream as TCP traffic does not sound like proxy behavior, but gateway behavior. I am not aware that Envoy can support this. CC @yanavlasov

yanjunxiang-google avatar Sep 07 '22 21:09 yanjunxiang-google
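The "gateway behavior" the maintainer refers to, and the UDP-to-DoT translation the question describes, as an added example in plain Python. This is not code from the issue or from Envoy. It takes one UDP DNS datagram, adds the two-byte length prefix that DNS over TCP and DNS over TLS (RFC 7858) require, sends it upstream over TLS with certificate and hostname validation, strips the prefix from the answer and hands the raw message back over UDP. The upstream in the `__main__` block is the issue's 8.8.8.8:853; the SNI/certificate name `dns.google` is an assumption. The loopback upstream used by `demo_roundtrip` is a constructed fake that speaks the same framing without TLS and answers with the TEST-NET address 192.0.2.1, so the framing logic can be exercised offline.

```python
# Added example (not from the issue or from Envoy): a UDP -> DNS-over-TLS gateway.
# Envoy's udp_proxy/tcp_proxy filters each stay within one transport; this does the
# re-framing between them that the thread asks for.
import socket
import ssl
import struct
import threading


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP/TLS prefixes every message with its big-endian 16-bit length."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def _read_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def read_framed(sock: socket.socket) -> bytes:
    """Inverse of frame_tcp: read one length-prefixed message from a stream socket."""
    (length,) = struct.unpack("!H", _read_exact(sock, 2))
    return _read_exact(sock, length)


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a minimal recursive A query (RD=1, no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def dot_context(cafile=None) -> ssl.SSLContext:
    """Upstream TLS policy: system (or given) CA bundle, hostname check on, TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def forward_query(query: bytes, upstream, tls_context=None, server_hostname=None,
                  timeout=5.0) -> bytes:
    """One datagram in, one framed TCP/TLS exchange upstream, one raw DNS message back."""
    raw = socket.create_connection(upstream, timeout=timeout)
    sock = tls_context.wrap_socket(raw, server_hostname=server_hostname) if tls_context else raw
    with sock:
        sock.sendall(frame_tcp(query))
        response = read_framed(sock)
    if response[:2] != query[:2]:  # the answer must carry the ID of the query we sent
        raise ValueError("transaction ID mismatch")
    return response


def serve_udp(bind, upstream, tls_context, server_hostname):
    """Listener side (127.0.0.53:53 in the issue); one upstream connection per datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as us:
        us.bind(bind)
        while True:
            datagram, client = us.recvfrom(4096)
            try:
                us.sendto(forward_query(datagram, upstream, tls_context, server_hostname), client)
            except (OSError, ValueError):
                pass  # drop it; the UDP client retries as it would on packet loss


def _fake_tcp_dns_server(ready: threading.Event, holder: list):
    """Constructed offline upstream: length-prefixed DNS over plain TCP on loopback."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        holder.append(srv.getsockname()[1])
        ready.set()
        conn, _ = srv.accept()
        with conn:
            q = read_framed(conn)
            question = q[12:]  # question section follows the 12-byte header
            hdr = q[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 answer
            rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
            conn.sendall(frame_tcp(hdr + question + rr))


def demo_roundtrip(qname="example.com") -> bytes:
    """Run one UDP-style query through the TCP framing against the fake upstream."""
    ready, holder = threading.Event(), []
    t = threading.Thread(target=_fake_tcp_dns_server, args=(ready, holder), daemon=True)
    t.start()
    ready.wait(2)
    resp = forward_query(build_query(qname), ("127.0.0.1", holder[0]))
    t.join(2)
    return resp


if __name__ == "__main__":
    # Real DoT exchange as in the issue: 8.8.8.8:853. "dns.google" is the assumed SNI name.
    answer = forward_query(build_query("example.com"), ("8.8.8.8", 853), dot_context(), "dns.google")
    print(f"{len(answer)} byte response, flags=0x{struct.unpack('!H', answer[2:4])[0]:04x}")
```

The part Envoy cannot do for you is the two lines around `frame_tcp`/`read_framed`: UDP delivers message boundaries, a TLS stream does not, so the gateway has to add and strip the length prefix itself. Opening a fresh TLS connection per datagram keeps the example short; a production gateway would reuse upstream connections, cap in-flight queries, and check the transaction ID as done here so a stray or injected answer on the stream is never handed back to the wrong UDP client.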

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

github-actions[bot] avatar Oct 08 '22 00:10 github-actions[bot]

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.

github-actions[bot] avatar Oct 15 '22 04:10 github-actions[bot]