diff --git a/BUILD b/BUILD
index c8d845c6..b0f2c33b 100644
--- a/BUILD
+++ b/BUILD
@@ -81,6 +81,7 @@ proto_library(
 "//envoy/config/filter/network/zookeeper_proxy/v1alpha1:pkg",
 "//envoy/config/filter/thrift/rate_limit/v2alpha1:pkg",
 "//envoy/config/filter/thrift/router/v2alpha1:pkg",
+ "//envoy/config/filter/udp/dns_filter/v2alpha:pkg",
 "//envoy/config/filter/udp/udp_proxy/v2alpha:pkg",
 "//envoy/config/grpc_credential/v2alpha:pkg",
 "//envoy/config/health_checker/redis/v2:pkg",
@@ -104,6 +105,7 @@ proto_library(
 "//envoy/data/accesslog/v2:pkg",
 "//envoy/data/cluster/v2alpha:pkg",
 "//envoy/data/core/v2alpha:pkg",
+ "//envoy/data/dns/v2alpha:pkg",
 "//envoy/data/tap/v2alpha:pkg",
 "//envoy/service/accesslog/v2:pkg",
 "//envoy/service/auth/v2:pkg",
@@ -150,6 +152,7 @@ proto_library(
 "//envoy/data/accesslog/v3:pkg",
 "//envoy/data/cluster/v3:pkg",
 "//envoy/data/core/v3:pkg",
+ "//envoy/data/dns/v3:pkg",
 "//envoy/data/tap/v3:pkg",
 "//envoy/extensions/access_loggers/file/v3:pkg",
 "//envoy/extensions/access_loggers/grpc/v3:pkg",
@@ -159,6 +162,7 @@ proto_library(
 "//envoy/extensions/common/dynamic_forward_proxy/v3:pkg",
 "//envoy/extensions/common/ratelimit/v3:pkg",
 "//envoy/extensions/common/tap/v3:pkg",
+ "//envoy/extensions/filter/udp/dns_filter/v3alpha:pkg",
 "//envoy/extensions/filters/common/fault/v3:pkg",
 "//envoy/extensions/filters/http/adaptive_concurrency/v3:pkg",
 "//envoy/extensions/filters/http/aws_lambda/v3:pkg",
diff --git a/envoy/config/filter/udp/dns_filter/v2alpha/BUILD b/envoy/config/filter/udp/dns_filter/v2alpha/BUILD
new file mode 100644
index 00000000..c6f01577
--- /dev/null
+++ b/envoy/config/filter/udp/dns_filter/v2alpha/BUILD
@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+ deps = [
+ "//envoy/api/v2/core:pkg",
+ "//envoy/data/dns/v2alpha:pkg",
+ "@com_github_cncf_udpa//udpa/annotations:pkg",
+ ],
+)
diff --git a/envoy/config/filter/udp/dns_filter/v2alpha/dns_filter.proto b/envoy/config/filter/udp/dns_filter/v2alpha/dns_filter.proto
new file mode 100644
index 00000000..8c616624
--- /dev/null
+++ b/envoy/config/filter/udp/dns_filter/v2alpha/dns_filter.proto
@@ -0,0 +1,48 @@
+syntax = "proto3";
+
+package envoy.config.filter.udp.dns_filter.v2alpha;
+
+import "envoy/api/v2/core/base.proto";
+import "envoy/data/dns/v2alpha/dns_table.proto";
+
+import "udpa/annotations/migrate.proto";
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.filter.udp.dns_filter.v2alpha";
+option java_outer_classname = "DnsFilterProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package =
+ "envoy.extensions.filter.udp.dns_filter.v3alpha";
+option (udpa.annotations.file_status).work_in_progress = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: DNS Filter]
+// DNS Filter :ref:`configuration overview `.
+// [#extension: envoy.filters.udp_listener.dns_filter]
+
+// Configuration for the DNS filter.
+message DnsFilterConfig {
+ // This message contains the configuration for the Dns Filter operating
+ // in a server context. This message will contain the virtual hosts and
+ // associated addresses with which Envoy will respond to queries
+ message ServerContextConfig {
+ oneof config_source {
+ option (validate.required) = true;
+
+ // Load the configuration specified from the control plane
+ data.dns.v2alpha.DnsTable inline_dns_table = 1;
+
+ // Seed the filter configuration from an external path. This source
+ // is a yaml formatted file that contains the DnsTable driving Envoy's
+ // responses to DNS queries
+ api.v2.core.DataSource external_dns_table = 2;
+ }
+ }
+
+ // The stat prefix used when emitting DNS filter statistics
+ string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
+
+ // Server context configuration
+ ServerContextConfig server_config = 2;
+}
diff --git a/envoy/data/dns/v2alpha/BUILD b/envoy/data/dns/v2alpha/BUILD
new file mode 100644
index 00000000..702abad6
--- /dev/null
+++ b/envoy/data/dns/v2alpha/BUILD
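Review bot: The comment on `external_dns_table` only describes "an external path", but the field is typed as `DataSource`, which (if I recall the type from the imported `envoy/api/v2/core/base.proto` correctly) also carries inline string/bytes variants, so a reader cannot tell whether an inline YAML table is accepted, whether only the filename variant is honoured, or whether the file is read once at configuration time or re-read later. The comment should state which `DataSource` variants the filter accepts and when the file is read, since the answer determines what an operator who controls that path can change at runtime. The same wording appears on the v3alpha copy in the hunk ending on L11. Also, the `:ref:` targets on the page are empty (`:ref:`configuration overview ``); if that is not an extraction artefact the docs link will not resolve.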
@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+ deps = [
+ "//envoy/type/matcher:pkg",
+ "@com_github_cncf_udpa//udpa/annotations:pkg",
+ ],
+)
diff --git a/envoy/data/dns/v2alpha/dns_table.proto b/envoy/data/dns/v2alpha/dns_table.proto
new file mode 100644
index 00000000..b401a54b
--- /dev/null
+++ b/envoy/data/dns/v2alpha/dns_table.proto
@@ -0,0 +1,74 @@
+syntax = "proto3";
+
+package envoy.data.dns.v2alpha;
+
+import "envoy/type/matcher/string.proto";
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.data.dns.v2alpha";
+option java_outer_classname = "DnsTableProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).work_in_progress = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: DNS Filter Table Data]
+// :ref:`DNS Filter config overview `.
+
+// This message contains the configuration for the DNS Filter if populated
+// from the control plane
+message DnsTable {
+ // This message contains a list of IP addresses returned for a query for a known name
+ message AddressList {
+ // This field contains a well formed IP address that is returned
+ // in the answer for a name query. The address field can be an
+ // IPv4 or IPv6 address. Address family detection is done automatically
+ // when Envoy parses the string. Since this field is repeated,
+ // Envoy will return one randomly chosen entry from this list in the
+ // DNS response. The random index will vary per query so that we prevent
+ // clients pinning on a single address for a configured domain
+ repeated string address = 1 [(validate.rules).repeated = {
+ min_items: 1
+ items {string {min_len: 3}}
+ }];
+ }
+
+ // This message type is extensible and can contain a list of addresses
+ // or dictate some other method for resolving the addresses for an
+ // endpoint
+ message DnsEndpoint {
+ oneof endpoint_config {
+ option (validate.required) = true;
+
+ AddressList address_list = 1;
+ }
+ }
+
+ message DnsVirtualDomain {
+ // The domain name for which Envoy will respond to query requests
+ string name = 1 [(validate.rules).string = {min_len: 2 well_known_regex: HTTP_HEADER_NAME}];
+
+ // The configuration containing the method to determine the address
+ // of this endpoint
+ DnsEndpoint endpoint = 2;
+
+ // Sets the TTL in dns answers from Envoy returned to the client
+ google.protobuf.Duration answer_ttl = 3 [(validate.rules).duration = {gt {}}];
+ }
+
+ // Control how many times envoy makes an attempt to forward a query to
+ // an external server
+ uint32 external_retry_count = 1;
+
+ // Fully qualified domain names for which Envoy will respond to queries
+ repeated DnsVirtualDomain virtual_domains = 2 [(validate.rules).repeated = {min_items: 1}];
+
+ // This field serves to help Envoy determine whether it can authoritatively
+ // answer a query for a name matching a suffix in this list. If the query
+ // name does not match a suffix in this list, Envoy will forward
+ // the query to an upstream DNS server
+ repeated type.matcher.StringMatcher known_suffixes = 3;
+}
diff --git a/envoy/data/dns/v3/BUILD b/envoy/data/dns/v3/BUILD
new file mode 100644
index 00000000..d61d877f
--- /dev/null
+++ b/envoy/data/dns/v3/BUILD
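Review bot: The validation rules on `DnsVirtualDomain.name` and `AddressList.address` do not check what their comments promise: `well_known_regex: HTTP_HEADER_NAME` accepts the whole HTTP token alphabet (`!`, `#`, `$`, `%`, `*`, `|`, `~`, and so on), which is far wider than a DNS label, and `min_len: 3` does not reject a malformed IP address, so bad operator-supplied data is only caught when Envoy parses the string at runtime instead of at config validation. protoc-gen-validate has dedicated rules for both, i.e. `string name = 1 [(validate.rules).string = {hostname: true}];` and `items {string {ip: true}}`. Since the `virtual_domains` comment says these are fully qualified names, confirm that the hostname rule admits a trailing dot before switching; if it does not, a DNS-specific regex is the alternative. The v3 copy in the hunk ending on L9 carries the identical rules and needs the same change.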
@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+ deps = [
+ "//envoy/data/dns/v2alpha:pkg",
+ "//envoy/type/matcher/v3:pkg",
+ "@com_github_cncf_udpa//udpa/annotations:pkg",
+ ],
+)
diff --git a/envoy/data/dns/v3/dns_table.proto b/envoy/data/dns/v3/dns_table.proto
new file mode 100644
index 00000000..ebecebeb
--- /dev/null
+++ b/envoy/data/dns/v3/dns_table.proto
@@ -0,0 +1,85 @@
+syntax = "proto3";
+
+package envoy.data.dns.v3;
+
+import "envoy/type/matcher/v3/string.proto";
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.data.dns.v3";
+option java_outer_classname = "DnsTableProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
+
+// [#protodoc-title: DNS Filter Table Data]
+// :ref:`DNS Filter config overview `.
+
+// This message contains the configuration for the DNS Filter if populated
+// from the control plane
+message DnsTable {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.data.dns.v2alpha.DnsTable";
+
+ // This message contains a list of IP addresses returned for a query for a known name
+ message AddressList {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.data.dns.v2alpha.DnsTable.AddressList";
+
+ // This field contains a well formed IP address that is returned
+ // in the answer for a name query. The address field can be an
+ // IPv4 or IPv6 address. Address family detection is done automatically
+ // when Envoy parses the string. Since this field is repeated,
+ // Envoy will return one randomly chosen entry from this list in the
+ // DNS response. The random index will vary per query so that we prevent
+ // clients pinning on a single address for a configured domain
+ repeated string address = 1 [(validate.rules).repeated = {
+ min_items: 1
+ items {string {min_len: 3}}
+ }];
+ }
+
+ // This message type is extensible and can contain a list of addresses
+ // or dictate some other method for resolving the addresses for an
+ // endpoint
+ message DnsEndpoint {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.data.dns.v2alpha.DnsTable.DnsEndpoint";
+
+ oneof endpoint_config {
+ option (validate.required) = true;
+
+ AddressList address_list = 1;
+ }
+ }
+
+ message DnsVirtualDomain {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.data.dns.v2alpha.DnsTable.DnsVirtualDomain";
+
+ // The domain name for which Envoy will respond to query requests
+ string name = 1 [(validate.rules).string = {min_len: 2 well_known_regex: HTTP_HEADER_NAME}];
+
+ // The configuration containing the method to determine the address
+ // of this endpoint
+ DnsEndpoint endpoint = 2;
+
+ // Sets the TTL in dns answers from Envoy returned to the client
+ google.protobuf.Duration answer_ttl = 3 [(validate.rules).duration = {gt {}}];
+ }
+
+ // Control how many times envoy makes an attempt to forward a query to
+ // an external server
+ uint32 external_retry_count = 1;
+
+ // Fully qualified domain names for which Envoy will respond to queries
+ repeated DnsVirtualDomain virtual_domains = 2 [(validate.rules).repeated = {min_items: 1}];
+
+ // This field serves to help Envoy determine whether it can authoritatively
+ // answer a query for a name matching a suffix in this list. If the query
+ // name does not match a suffix in this list, Envoy will forward
+ // the query to an upstream DNS server
+ repeated type.matcher.v3.StringMatcher known_suffixes = 3;
+}
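Review bot: `external_retry_count` has no upper bound and no statement of what 0 means; with proto3 implicit presence 0 is indistinguishable from unset, and an unbounded value lets a single client query fan out into many upstream queries, which is an amplification risk for the upstream resolver the filter forwards to. Consider `uint32 external_retry_count = 1 [(validate.rules).uint32 = {lte: MAX_RETRIES_PLACEHOLDER}];` with a comment giving the default and saying whether 0 disables forwarding. `known_suffixes` is typed as `StringMatcher`, which offers exact/prefix/suffix/regex modes, yet the comment speaks only of suffix matching; document which modes the filter honours, since this list is the boundary between names Envoy answers authoritatively and names it forwards. `address_list` inside `DnsEndpoint` has no field comment at all; `// Resolve this endpoint's name to one of a static list of addresses.` would do. The v2alpha copy in the hunk ending on L6 has the same three gaps.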
diff --git a/envoy/extensions/filter/udp/dns_filter/v3alpha/BUILD b/envoy/extensions/filter/udp/dns_filter/v3alpha/BUILD
new file mode 100644
index 00000000..d011b4d8
--- /dev/null
+++ b/envoy/extensions/filter/udp/dns_filter/v3alpha/BUILD
@@ -0,0 +1,14 @@
+# DO NOT EDIT. This file is generated by tools/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+ deps = [
+ "//envoy/config/core/v3:pkg",
+ "//envoy/config/filter/udp/dns_filter/v2alpha:pkg",
+ "//envoy/data/dns/v3:pkg",
+ "@com_github_cncf_udpa//udpa/annotations:pkg",
+ ],
+)
diff --git a/envoy/extensions/filter/udp/dns_filter/v3alpha/dns_filter.proto b/envoy/extensions/filter/udp/dns_filter/v3alpha/dns_filter.proto
new file mode 100644
index 00000000..e06c7873
--- /dev/null
+++ b/envoy/extensions/filter/udp/dns_filter/v3alpha/dns_filter.proto
@@ -0,0 +1,52 @@
+syntax = "proto3";
+
+package envoy.extensions.filter.udp.dns_filter.v3alpha;
+
+import "envoy/config/core/v3/base.proto";
+import "envoy/data/dns/v3/dns_table.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filter.udp.dns_filter.v3alpha";
+option java_outer_classname = "DnsFilterProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).work_in_progress = true;
+option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
+
+// [#protodoc-title: DNS Filter]
+// DNS Filter :ref:`configuration overview `.
+// [#extension: envoy.filters.udp_listener.dns_filter]
+
+// Configuration for the DNS filter.
+message DnsFilterConfig {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.udp.dns_filter.v2alpha.DnsFilterConfig";
+
+ // This message contains the configuration for the Dns Filter operating
+ // in a server context. This message will contain the virtual hosts and
+ // associated addresses with which Envoy will respond to queries
+ message ServerContextConfig {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.udp.dns_filter.v2alpha.DnsFilterConfig.ServerContextConfig";
+
+ oneof config_source {
+ option (validate.required) = true;
+
+ // Load the configuration specified from the control plane
+ data.dns.v3.DnsTable inline_dns_table = 1;
+
+ // Seed the filter configuration from an external path. This source
+ // is a yaml formatted file that contains the DnsTable driving Envoy's
+ // responses to DNS queries
+ config.core.v3.DataSource external_dns_table = 2;
+ }
+ }
+
+ // The stat prefix used when emitting DNS filter statistics
+ string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
+
+ // Server context configuration
+ ServerContextConfig server_config = 2;
+}
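Review bot: The v3 package is declared as `envoy.extensions.filter.udp.dns_filter.v3alpha` (singular `filter`), while every neighbouring v3 extension in the root BUILD hunk on L1 lives under `envoy.extensions.filters.…` (`filters/common`, `filters/http`); a package name is part of the published API and renaming it later is a breaking change, so it should be settled while the file is still marked `work_in_progress`. The lines to change here are `package envoy.extensions.filters.udp.dns_filter.v3alpha;` and `option java_package = "io.envoyproxy.envoy.extensions.filters.udp.dns_filter.v3alpha";`, together with the `move_to_package` target in the v2alpha file (hunk ending on L3), the directory, and the BUILD deps on L1 and L10. The `previous_message_type` annotations are unaffected, since they name the v2alpha types.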
diff --git a/versioning/BUILD b/versioning/BUILD
index 9fb68272..697aee00 100644
--- a/versioning/BUILD
+++ b/versioning/BUILD
@@ -82,6 +82,7 @@ proto_library(
 "//envoy/config/filter/network/zookeeper_proxy/v1alpha1:pkg",
 "//envoy/config/filter/thrift/rate_limit/v2alpha1:pkg",
 "//envoy/config/filter/thrift/router/v2alpha1:pkg",
+ "//envoy/config/filter/udp/dns_filter/v2alpha:pkg",
 "//envoy/config/filter/udp/udp_proxy/v2alpha:pkg",
 "//envoy/config/grpc_credential/v2alpha:pkg",
 "//envoy/config/health_checker/redis/v2:pkg",
@@ -105,6 +106,7 @@ proto_library(
 "//envoy/data/accesslog/v2:pkg",
 "//envoy/data/cluster/v2alpha:pkg",
 "//envoy/data/core/v2alpha:pkg",
+ "//envoy/data/dns/v2alpha:pkg",
 "//envoy/data/tap/v2alpha:pkg",
 "//envoy/service/accesslog/v2:pkg",
 "//envoy/service/auth/v2:pkg",