feat(network-disruption): add DNS resolver control

Adds per-host DNS resolution strategy control to allow
users to specify whether hostnames should be resolved
using pod or node nameservers.

This addresses issues with service mesh proxies (like
Istio DNS proxy) that intercept DNS queries and return
VIP addresses (240.x.x.x) that don't work with tc
traffic control rules.

Users can now specify dnsResolver field on each host
with strategies: "pod", "node", "pod-fallback-node"
(default), or "node-fallback-pod". The default behavior
maintains backward compatibility by trying pod DNS first
with automatic fallback to node DNS.

Resolves: #882

Jira: CHAOSPLT-1359

Author: aymericDD

api/v1beta1/network_disruption.go

@@ -105,6 +105,8 @@ type NetworkDisruptionHostSpec struct {
 	Flow string `json:"flow,omitempty" chaos_validate:"omitempty,oneofci=ingress egress"`
 	// +kubebuilder:validation:Enum=new;est;""
 	ConnState string `json:"connState,omitempty" chaos_validate:"omitempty,oneofci=new est"`
+	// +kubebuilder:validation:Enum=pod;node;pod-fallback-node;node-fallback-pod;""
+	DNSResolver string `json:"dnsResolver,omitempty" chaos_validate:"omitempty,oneofci=pod node pod-fallback-node node-fallback-pod"`
 }
 
 type NetworkDisruptionServiceSpec struct {
@@ -356,12 +358,12 @@ func (s *NetworkDisruptionSpec) GenerateArgs() []string {
 
 	// append hosts
 	for _, host := range s.Hosts {
-		args = append(args, "--hosts", fmt.Sprintf("%s;%d;%s;%s;%s", host.Host, host.Port, host.Protocol, host.Flow, host.ConnState))
+		args = append(args, "--hosts", fmt.Sprintf("%s;%d;%s;%s;%s;%s", host.Host, host.Port, host.Protocol, host.Flow, host.ConnState, host.DNSResolver))
 	}
 
 	// append allowed hosts
 	for _, host := range s.AllowedHosts {
-		args = append(args, "--allowed-hosts", fmt.Sprintf("%s;%d;%s;%s;%s", host.Host, host.Port, host.Protocol, host.Flow, host.ConnState))
+		args = append(args, "--allowed-hosts", fmt.Sprintf("%s;%d;%s;%s;%s;%s", host.Host, host.Port, host.Protocol, host.Flow, host.ConnState, host.DNSResolver))
 	}
 
 	// append services
@@ -597,7 +599,7 @@ func (s *NetworkDisruptionCloudSpec) Explain() []string {
 }
 
 // NetworkDisruptionHostSpecFromString parses the given hosts to host specs
-// The expected format for hosts is <host>;<port>;<protocol>;<flow>;<connState>
+// The expected format for hosts is <host>;<port>;<protocol>;<flow>;<connState>;<dnsResolver>
 func NetworkDisruptionHostSpecFromString(hosts []string) ([]NetworkDisruptionHostSpec, error) {
 	var err error
 
@@ -609,9 +611,10 @@ func NetworkDisruptionHostSpecFromString(hosts []string) ([]NetworkDisruptionHos
 		protocol := ""
 		flow := ""
 		connState := ""
+		dnsResolver := ""
 
-		// parse host with format <host>;<port>;<protocol>;<flow>;<connState>
-		parsedHost := strings.SplitN(host, ";", 5)
+		// parse host with format <host>;<port>;<protocol>;<flow>;<connState>;<dnsResolver>
+		parsedHost := strings.SplitN(host, ";", 6)
 
 		// cast port to int if specified
 		if len(parsedHost) > 1 && parsedHost[1] != "" {
@@ -636,13 +639,19 @@ func NetworkDisruptionHostSpecFromString(hosts []string) ([]NetworkDisruptionHos
 			connState = parsedHost[4]
 		}
 
+		// get DNS resolver strategy if specified
+		if len(parsedHost) > 5 && parsedHost[5] != "" {
+			dnsResolver = parsedHost[5]
+		}
+
 		// generate host spec
 		parsedHosts = append(parsedHosts, NetworkDisruptionHostSpec{
-			Host:      parsedHost[0],
-			Port:      port,
-			Protocol:  protocol,
-			Flow:      flow,
-			ConnState: connState,
+			Host:        parsedHost[0],
+			Port:        port,
+			Protocol:    protocol,
+			Flow:        flow,
+			ConnState:   connState,
+			DNSResolver: dnsResolver,
 		})
 	}
 

chart/templates/generated/chaos.datadoghq.com_disruptioncrons.yaml

@@ -267,6 +267,14 @@ spec:
                                   - est
                                   - ""
                                 type: string
+                              dnsResolver:
+                                enum:
+                                  - pod
+                                  - node
+                                  - pod-fallback-node
+                                  - node-fallback-pod
+                                  - ""
+                                type: string
                               flow:
                                 enum:
                                   - ingress
@@ -407,6 +415,14 @@ spec:
                                   - est
                                   - ""
                                 type: string
+                              dnsResolver:
+                                enum:
+                                  - pod
+                                  - node
+                                  - pod-fallback-node
+                                  - node-fallback-pod
+                                  - ""
+                                type: string
                               flow:
                                 enum:
                                   - ingress

chart/templates/generated/chaos.datadoghq.com_disruptionrollouts.yaml

@@ -268,6 +268,14 @@ spec:
                                   - est
                                   - ""
                                 type: string
+                              dnsResolver:
+                                enum:
+                                  - pod
+                                  - node
+                                  - pod-fallback-node
+                                  - node-fallback-pod
+                                  - ""
+                                type: string
                               flow:
                                 enum:
                                   - ingress
@@ -408,6 +416,14 @@ spec:
                                   - est
                                   - ""
                                 type: string
+                              dnsResolver:
+                                enum:
+                                  - pod
+                                  - node
+                                  - pod-fallback-node
+                                  - node-fallback-pod
+                                  - ""
+                                type: string
                               flow:
                                 enum:
                                   - ingress

chart/templates/generated/chaos.datadoghq.com_disruptions.yaml

@@ -258,6 +258,14 @@ spec:
                               - est
                               - ""
                             type: string
+                          dnsResolver:
+                            enum:
+                              - pod
+                              - node
+                              - pod-fallback-node
+                              - node-fallback-pod
+                              - ""
+                            type: string
                           flow:
                             enum:
                               - ingress
@@ -398,6 +406,14 @@ spec:
                               - est
                               - ""
                             type: string
+                          dnsResolver:
+                            enum:
+                              - pod
+                              - node
+                              - pod-fallback-node
+                              - node-fallback-pod
+                              - ""
+                            type: string
                           flow:
                             enum:
                               - ingress

docs/network_disruption.md

@@ -33,6 +33,7 @@ If your team has specific disruption requirements around what `protocol` to disr
 
 * [How do I decide my traffic flow? (Ingress vs Egress)](/docs/network_disruption/flow.md)
 * [What should I specify in hosts vs services?](/docs/network_disruption/hosts-and-services.md)
+* [How do I control DNS resolution for hostnames (e.g., bypassing Istio DNS proxy)?](/docs/network_disruption/hosts-and-services.md#case-5-controlling-dns-resolution-with-dnsresolver)
 * [What are `prio` qdiscs and how does the chaos-controller use them?](/docs/network_disruption/prio.md)
 * [How are changes in destination pods and services filtered on handled by the chaos-controller?](/docs/changes_handling.md#network-disruption-dynamic-service-resolution)
 

docs/network_disruption/hosts-and-services.md

@@ -223,6 +223,73 @@ If the `hosts` field contains a CIDR, the routing table is consulted. If the lis
 Instead of a CIDR block, hostnames can be provided in the `hosts` field. If the `chaos-controller` fails to resolve the `hosts` field to an IP address or a CIDR block, it then tries to resolve the potential hostname on each resolver listed in `/etc/resolv.conf` in order.
 Remember, this hostname must _not_ be a kubernetes service's hostname.
 
+### Case 5: Controlling DNS Resolution with `dnsResolver`
+
+When specifying hostnames in the `hosts` field, you can control which DNS resolver is used to resolve the hostname to an IP address. This is particularly useful in environments with service mesh proxies (like Istio) that intercept DNS queries and return virtual IPs (VIPs) that may not work for traffic disruption.
+
+The `dnsResolver` field supports the following strategies:
+
+| Strategy            | Description                                                                        |
+|---------------------|------------------------------------------------------------------------------------|
+| `pod`               | Uses only the pod's DNS configuration (`/etc/resolv.conf`)                         |
+| `node`              | Uses only the node's DNS configuration (`/mnt/host/etc/resolv.conf`)               |
+| `pod-fallback-node` | Tries pod DNS first, falls back to node DNS if resolution fails (default behavior) |
+| `node-fallback-pod` | Tries node DNS first, falls back to pod DNS if resolution fails                    |
+
+**Example: Bypassing Istio DNS Proxy**
+
+When Istio DNS proxy is enabled, pod-level DNS lookups may return VIP addresses (Class E subnet: 240.0.0.0/4) that don't work for network disruptions. In this case, use `dnsResolver: node` to bypass the Istio proxy and get the actual service IPs:
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: network-disruption-istio
+spec:
+  level: pod
+  selector:
+    app: my-service
+  network:
+    drop: 50
+    hosts:
+      - host: external-api.example.com
+        port: 443
+        protocol: tcp
+        dnsResolver: node  # Bypasses Istio DNS proxy, gets real IPs
+```
+
+**Example: Multiple hosts with different DNS strategies**
+
+```yaml
+network:
+  drop: 50
+  hosts:
+    # External service - use node DNS to avoid service mesh VIPs
+    - host: external-service.example.com
+      port: 443
+      protocol: tcp
+      dnsResolver: node
+
+    # Internal cluster service - use pod DNS for cluster-internal resolution
+    - host: internal-service.cluster.local
+      port: 8080
+      protocol: tcp
+      dnsResolver: pod
+
+    # Public API - use default behavior (pod-fallback-node)
+    - host: api.public.com
+      port: 443
+      protocol: tcp
+      # dnsResolver not specified = uses default "pod-fallback-node"
+```
+
+**When to use each strategy:**
+
+- **`node`**: Use when working with service meshes (Istio, Linkerd) that proxy DNS, or when you need to resolve external hostnames using the node's DNS servers (e.g., corporate DNS servers)
+- **`pod`**: Use for cluster-internal services or when you specifically want to use the pod's DNS configuration
+- **`pod-fallback-node`** (default): Use when you want resilience - try pod DNS first but fall back to node DNS if it fails
+- **`node-fallback-pod`**: Use when node DNS is preferred but you want pod DNS as a backup
+
 ### Some special cases
 
 Cluster IPs can also be specified to target the relevant pods.

injector/ipresolver.go

@@ -15,7 +15,8 @@ import (
 // resolveHost tries to resolve the given host
 // it tries to resolve it as a CIDR, as a single IP, or as a hostname
 // it returns a list of IP or an error if it fails to resolve the hostname
-func resolveHost(client network.DNSClient, host string) ([]*net.IPNet, error) {
+// dnsStrategy specifies the DNS resolution strategy to use (empty string uses default)
+func resolveHost(client network.DNSClient, host string, dnsStrategy string) ([]*net.IPNet, error) {
 	var ips []*net.IPNet
 
 	// return the wildcard 0.0.0.0/0 CIDR if the given host is an empty string
@@ -33,7 +34,12 @@ func resolveHost(client network.DNSClient, host string) ([]*net.IPNet, error) {
 		if ip == nil {
 			// if no IP has been parsed, fallback on a hostname
 			// and try to resolve it by using the container resolv.conf file
-			resolvedIPs, err := client.Resolve(host)
+			var resolvedIPs []net.IP
+			if dnsStrategy != "" {
+				resolvedIPs, err = client.ResolveWithStrategy(host, dnsStrategy)
+			} else {
+				resolvedIPs, err = client.Resolve(host)
+			}
 			if err != nil {
 				return nil, fmt.Errorf("can't resolve the given host with the configured dns resolver: %w", err)
 			}

injector/network_disruption.go

@@ -1114,7 +1114,7 @@ func (i *networkDisruptionInjector) watchHostChanges(ctx context.Context, interf
 
 		perHost:
 			for host, currentTcFilters := range hosts.hostFilterMap {
-				newIps, err := resolveHost(i.config.DNSClient, host.Host)
+				newIps, err := resolveHost(i.config.DNSClient, host.Host, host.DNSResolver)
 				if err != nil {
 					hostWatcherLog.Errorw("error resolving Host", tags.ErrorKey, err, tags.HostKey, host.Host)
 
@@ -1204,7 +1204,7 @@ func (i *networkDisruptionInjector) addFiltersForHosts(interfaces []string, host
 		}
 
 		// resolve given hosts if needed
-		ips, err := resolveHost(i.config.DNSClient, host.Host)
+		ips, err := resolveHost(i.config.DNSClient, host.Host, host.DNSResolver)
 		if err != nil {
 			return nil, fmt.Errorf("error resolving given host %s: %w", host.Host, err)
 		}