How to Implement Non‑Intrusive In‑Cluster DNS with PolarisMesh

PolarisMesh is an open‑source service discovery and governance platform from Tencent, supporting both virtual‑machine and container environments. It provides service addressing, traffic routing, fault tolerance, and access control.

Traditional internal addressing uses a Virtual IP (VIP) and a layer‑4 load balancer, which leads to load, performance, and cost problems:

Load problem : all traffic passes through the VIP, increasing the load on the load‑balancer.

Performance problem : the extra hop adds tail latency, especially for large data packets.

Cost problem : maintaining a high‑performance VIP incurs significant monthly expenses.

To eliminate the VIP‑induced issues, the traffic can be sent directly to the target service instance. Two solution patterns are available:

Intrusive solution : the caller obtains the target address via an SDK before making a request, requiring integration of the SDK into the business framework.

Non‑intrusive solution : the caller resolves the target address using DNS, requiring no SDK integration.

PolarisMesh supports both centralized and distributed DNS implementations for the non‑intrusive approach.

Centralized DNS

Polaris server implements the DNS protocol. By modifying /etc/resolv.conf to set the Polaris server IP as the first nameserver, all DNS queries are forwarded to Polaris, which resolves service names to instance IPs and returns DNS responses.

Distributed DNS

Run the polaris-sidecar process alongside each business process and set 127.0.0.1 as the first nameserver in /etc/resolv.conf. The sidecar caches service address lists, synchronizes periodically with the Polaris server, and replies to DNS queries locally.

Capability comparison:

Service discovery: supported by both modes.

Service registration: not supported.

Tag routing: only distributed DNS supports.

Proximity routing: only distributed DNS supports.

Circuit breaking: supported by both.

Rate limiting: only distributed DNS partially supports.

Authentication: only distributed DNS supports.

Polaris chose the distributed DNS model to leverage sidecar proximity for richer governance features in DNS responses.

Future plans include extending the DNS protocol (e.g., SRV records) and adding rate‑limit and authentication capabilities.

References:

https://github.com/polarismesh/polaris-sidecar/blob/main/README.md

https://github.com/polarismesh/polaris-sidecar

https://github.com/polarismesh/polaris-controller