Traffic Flows

The Neuwerk handles DNS, cluster, and client traffic through different paths on purpose.

Neuwerk treats four traffic classes differently because each has its own security and operational requirements, and each is handled by a different runtime.

1. DNS Queries Targeted At The Neuwerk

Shape:

  • client -> Neuwerk management IP:53
  • UDP or TCP

This is the hostname-policy path. The Neuwerk parses the query, decides whether the source is allowed to resolve the requested hostname, and either:

  • returns NXDOMAIN locally, or
  • forwards the query to an upstream resolver

This traffic is handled by the control-plane DNS proxy, not by the generic packet fast path.

2. Neuwerk-Originated Upstream DNS Traffic

Shape:

  • Neuwerk -> configured upstream resolver
  • usually port 53

Once a client query is allowed, the Neuwerk becomes the DNS client. It validates the upstream response and uses successful IPv4 answers to populate the dynamic allowlist used by later packet decisions.

3. Cluster Replication And Cluster Admin Traffic

Shape:

  • Neuwerk node -> Neuwerk node
  • main RPC path plus separate join path

This traffic exists only when clustering is enabled. It carries replicated control-plane state and other node-to-node control-plane operations. It is not part of the protected client data path.

4. Client Traffic Evaluated Under Policy

Shape:

  • protected client -> external or internal destination

This is the normal dataplane path. The packet engine evaluates the compiled policy, applies stateful handling such as NAT and flow tracking, and decides whether to drop, forward, or steer the traffic to a control-plane service.
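The decision chain across flows 1, 2 and 4 (hostname policy check, validation of the upstream answer, and the dataplane lookup against the learned IPv4 allowlist), as an added Python illustration that is not Neuwerk's own code. The policy format, the parsed-response shape and every function name here are assumptions; sample addresses are constructed from documentation ranges.

```python
import ipaddress
from fnmatch import fnmatch

# Hypothetical policy (names and format are assumptions, not Neuwerk's own):
# client source prefix -> hostname patterns that source may resolve.
POLICY = {"10.0.1.0/24": ["*.example.com", "updates.example.net"]}

# Dynamic allowlist learned from upstream answers:
# (client_ip, answer_ip) -> expiry time (seconds since epoch).
ALLOWLIST = {}

def hostname_allowed(client_ip, qname):
    """Flow 1: may this client resolve qname? Unknown sources get nothing."""
    name = qname.rstrip(".").lower()
    src = ipaddress.ip_address(client_ip)
    for cidr, patterns in POLICY.items():
        if src in ipaddress.ip_network(cidr):
            return any(fnmatch(name, p) for p in patterns)
    return False

def handle_query(client_ip, qname):
    """Flow 1: answer NXDOMAIN locally or forward the query upstream."""
    return "FORWARD" if hostname_allowed(client_ip, qname) else "NXDOMAIN"

def learn_from_upstream(client_ip, qname, response, now):
    """Flow 2: validate the upstream reply and learn its IPv4 answers.

    `response` is a constructed stand-in for a parsed DNS message:
    {"qname": str, "rcode": str, "answers": [(rrtype, rdata, ttl), ...]}.
    Only A records from a NOERROR reply whose question matches what we
    asked are accepted; AAAA records and mismatched replies are ignored.
    """
    if response["rcode"] != "NOERROR":
        return []
    if response["qname"].rstrip(".").lower() != qname.rstrip(".").lower():
        return []  # reply is not for the query we sent
    learned = []
    for rrtype, rdata, ttl in response["answers"]:
        if rrtype != "A":
            continue
        ip = ipaddress.ip_address(rdata)
        if ip.version != 4:
            continue  # rrtype and rdata disagree: do not trust it
        ALLOWLIST[(client_ip, str(ip))] = now + ttl
        learned.append(str(ip))
    return learned

def packet_allowed(client_ip, dst_ip, now):
    """Flow 4: dataplane lookup; entries past their TTL no longer match."""
    return ALLOWLIST.get((client_ip, dst_ip), 0) > now
```

An entry is keyed on the client that asked, so a second client cannot reach an address that only a different client resolved.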

Why These Categories Matter

  • DNS policy problems usually start in the DNS proxy flow.
  • Cluster problems usually affect management and policy replay before they affect packet mechanics.
  • Generic allow or deny issues usually belong to the dataplane policy path.

Treating those flows separately makes troubleshooting faster because you can start with the right runtime instead of assuming every issue begins in packet forwarding.