Add DYNAMIC_DNS resolution type for wildcard hosts

networking/v1alpha3/service_entry.proto

@@ -560,6 +560,23 @@ message ServiceEntry {
     // specified in the hosts field, if wildcards are not used. DNS resolution
     // cannot be used with Unix domain socket endpoints.
     DNS_ROUND_ROBIN = 3;
+
+    // DYNAMIC_DNS will attempt to resolve the host name specified in
+    // the Host header or SNI to an IP address when handling traffic. This
+    // allows multiple DNS addresses to be represented by a single wildcard
+    // `host` entry without having to explicitly enumerate all possible
+    // endpoints. During DNS proxying, ztunnel will resolve all subdomains
+    // matching the wildcard host name to a VIP which isn't used for routing
+    // outside the mesh. `DYNAMIC_DNS` will provide configuration to a
+    // waypoint proxy to recover the original host name using information
+    // from SNI or a Host header in an HTTP Request. This original host name
+    // will then be resolved so that traffic can be routed to the intended
+    // IP address. This method of handling wildcard traffic is not
+    // compatible with raw TCP traffic where the original host cannot
+    // be recovered. `DYNAMIC_DNS` is only supported for wildcard hosts,
+    // `MESH_EXTERNAL` location and in ambient mode. The ServiceEntry must
+    // be bound to a waypoint. Specified endpoints will be ignored.
+    DYNAMIC_DNS = 4;
   }
 
   // Service resolution mode for the hosts. Care must be taken

releasenotes/notes/dynamic-dns-resolution.yaml

@@ -0,0 +1,11 @@
+apiVersion: release-notes/v2
+kind: feature
+area: traffic-management
+issue:
+  - https://github.com/istio/istio/issues/54540
+
+releaseNotes:
+  - |
+    **Added** a new `DYNAMIC_DNS` resolution option for `ServiceEntry` to enable
+    dynamic DNS resolution based on the request's Host header or SNI when the
+    ServiceEntry has a wildcard host.