dns: Add AppleDnsResolverConfig.include_unroutable_families config#20527
dns: Add AppleDnsResolverConfig.include_unroutable_families config#20527mattklein123 merged 9 commits intoenvoyproxy:mainfrom jpsim:jp-apple-dns-include-unroutable-families
AppleDnsResolverConfig.include_unroutable_families config#20527Conversation
If set, the resolver will avoid the system's heuristics to only return IPv4 or IPv6 addresses that it considers to be "routable", instead returning all possible IPv4 or IPv6 addresses. This setting is ignored if the DNS lookup family is set to v4-only or v6-only. This may be a useful setting to specify if the addresses considered unroutable by the system's heuristics may in practice be routable. Signed-off-by: JP Simard <jp@jpsim.com>
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
|
This mostly exposing a way to configure the behavior we had prior to #18418. |
Can you elaborate on this? Would be curious to understand if the issue is the heuristics or that we probably should fundamentally have the escape hatch because heuristics are heuristics. CC @mattklein123 @yanavlasov |
Sure, for starters the heuristics are described here: envoy/source/extensions/network/dns_resolver/apple/apple_dns_impl.cc Lines 267 to 273 in d2df902 It's probably better to rely on the heuristic most of the time, vs listing all available interfaces, but specifically in the case of Happy Eyeballs, we want to take the process of determining the best interface into our own hands, in which case we think we might do a better job than the system heuristic. We're not sure though, which is why this is configurable and disabled by default. We intend to experiment with this in concert with Happy Eyeballs in Envoy Mobile in the near future. cc @goaway |
mattklein123
left a comment
There was a problem hiding this comment.
Thanks makes sense to me at a high level.
/wait
| // The resolver will avoid the system's heuristics to only return | ||
| // IPv4 or IPv6 addresses that it considers to be "routable", instead | ||
| // returning all possible IPv4 or IPv6 addresses. This setting is | ||
| // ignored if the DNS lookup family is set to v4-only or v6-only. | ||
| bool include_unroutable_families = 1; |
There was a problem hiding this comment.
This makes sense to me, but potentially mention that is useful with happy eyeballs and for parity with the c-ares implementation? I think it will make it more clear why someone would want to do this and answer @htuch concerns.
There was a problem hiding this comment.
Yes, definitely, this totally makes sense with the mention of Happy Eyeballs.
* main: (150 commits) examples: Cleanups for docker compose (#20777) adaptive concurrency / admission control: mark non-alpha (#20775) listeners: add unified matcher for filter chains (#20110) xds: don't allow multiple instances of a locality in the same priority (#20574) Update QUICHE from bac04054b to 8864d08f6 (#20747) http_connection_manager: support multiple SAN URIs for XFCC (#20724) contrib-sipproxy: Fix the coredump when teardown (#20580) bazel: Update to 5.1.1 thrift: Explicitly express no cluster header for weighted clusters (#20679) conn_pool_grid: try TCP immediately with h3 state FailedRecently (#20722) build: Pin distroless base image with sha (#20759) ci: Pin macos-latest VM version (#20758) compression: add zstd compressor and decompressor (#20434) ratelimit add support for custom http response code (#20520) delta-xds: fix wildcard resource versions (#20726) ci: remove no-op bazel option ci: add contrib target (#20732) Disable test for failing filters in filter_fuzz_test (#20742) build(deps): bump github/codeql-action from 2.1.7 to 2.1.8 (#20739) deps: Bump `com_github_bufbuild_buf` -> v1.3.1 (#20692) ... Signed-off-by: JP Simard <jp@jpsim.com>
* main: (52 commits) stats: change Stats::ScopePtr references to Stats::ScopeSharedPtr (#20871) stats: Repro & fix admin stats crash (#20855) Add async_files library to support filesystem buffering and filesystem caching (#20332) api: Add validate to required member. (#20881) docs: fix release notes (#20879) ext_proc: Support per-route GrpcService configuration. (#20757) matchers: extend network inputs to HTTP requests (#20796) listener: remove the peek from the listener filters (#20728) docs: fix doc link for composite filter (#20865) bazel: move shared action_env above enable_platform_specific_config build(deps): bump pyparsing from 3.0.7 to 3.0.8 in /tools/dependency (#20769) build(deps): bump setuptools from 62.0.0 to 62.1.0 in /tools/base (#20771) build(deps): bump actions/setup-python from 3.1.0 to 3.1.2 (#20770) dist: Add debian packaging (#17979) Add bazel option for enabling Universal Header Validator (#20845) tls: remove SHA-1 cipher suites from the defaults on the server-side (#20643) build(deps): bump actions/checkout from 3.0.0 to 3.0.1 (#20848) test: allow dispatcher test cases running on ipv6 only env (#20854) release: kick off 1.23 (#20849) release: 1.22 (#20847) ... Signed-off-by: JP Simard <jp@jpsim.com>
Signed-off-by: JP Simard <jp@jpsim.com>
Signed-off-by: JP Simard <jp@jpsim.com>
|
Just to drop a clarifying comment on here - we generally believe that having this heuristic in place on iOS should be an improvement, at least based on its description, but nonetheless, we have observed cases in practice where the Apple DNS API returns a single non-functional IP when we know that we've advertised both versions and the other version is the one that actually works. Being able to quantify its impact would be useful, and also being able to run an experiment where we let Happy Eyeballs take precedence in selecting the preferred IP seems worth trying. And since Apple left the value configurable, it also seems reasonable to allow it to be configured through EM's interface as well. |
Signed-off-by: JP Simard <jp@jpsim.com>
Signed-off-by: JP Simard <jp@jpsim.com>
htuch
left a comment
There was a problem hiding this comment.
LGTM, will defer to @mattklein123 to merge.
|
Thanks for the reviews and the discussion. I'll try to include more context up front in the future. |
Diff: envoyproxy/envoy@c96f711...60a13f3 Mostly pulling in for envoyproxy/envoy#20527 Signed-off-by: JP Simard <jp@jpsim.com>
Diff: envoyproxy/envoy@c96f711...60a13f3 Mostly pulling in for envoyproxy/envoy#20527 Signed-off-by: JP Simard <jp@jpsim.com>
…nvoyproxy#20527) If set, the resolver will avoid the system's heuristics to only return IPv4 or IPv6 addresses that it considers to be "routable", instead returning all possible IPv4 or IPv6 addresses. This setting is ignored if the DNS lookup family is set to v4-only or v6-only. This may be a useful setting to specify if the addresses considered unroutable by the system's heuristics may in practice be routable. Signed-off-by: JP Simard <jp@jpsim.com>
Diff: c96f711...60a13f3 Mostly pulling in for #20527 Signed-off-by: JP Simard <jp@jpsim.com>
Commit Message: dns: Add
AppleDnsResolverConfig.include_unroutable_familiesconfigAdditional Description: If set, the resolver will avoid the system's heuristics to only return IPv4 or IPv6 addresses that it considers to be "routable", instead returning all possible IPv4 or IPv6 addresses. This setting is ignored if the DNS lookup family is set to v4-only or v6-only. This may be a useful setting to specify if the addresses considered unroutable by the system's heuristics may in practice be routable.
Risk Level: Low, off by default, only impacts Apple platforms.
Testing: Added unit tests. I've confirmed both branches of the code paths are hit when the flag is on and off via Envoy Mobile on a physical iPhone.
Docs Changes: Proto docs added
Release Notes: Added
Platform Specific Features: Apple-platforms only