diff --git a/.gitignore b/.gitignore index 8050e35fa713..14086e2c90e8 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,4 @@ commercial_package .vale/styles/AsciiDocDITA .vale/styles/OpenShiftAsciiDoc .vale/styles/RedHat +migrating/JIRA-9894-dns-capture-documentation-plan.md diff --git a/migrating/checklists/ossm-migrating-read-me.adoc b/migrating/checklists/ossm-migrating-read-me.adoc index c11a6309f855..82384004b9f0 100644 --- a/migrating/checklists/ossm-migrating-read-me.adoc +++ b/migrating/checklists/ossm-migrating-read-me.adoc @@ -38,6 +38,8 @@ include::modules/ossm-migrating-read-me-kubernetes-network-policy-management.ado include::modules/ossm-migrating-read-me-tls-configuration-change.adoc[leveloffset=+1] +include::modules/ossm-migrating-read-me-dns-capture-configuration.adoc[leveloffset=+1] + [role="_additional-resources"] [id="additional-resources_{context}"] == Additional resources diff --git a/modules/ossm-migrating-2-and-3-differences.adoc b/modules/ossm-migrating-2-and-3-differences.adoc index 371f67ca2777..d163ddc1a762 100644 --- a/modules/ossm-migrating-2-and-3-differences.adoc +++ b/modules/ossm-migrating-2-and-3-differences.adoc @@ -23,5 +23,6 @@ If you are a current {SMProductName} user, there are several important differenc * Support for Istioctl * Change to Kubernetes network policy management * Transport layer security (TLS) configuration change +* DNS capture configuration for ServiceEntry resources You must be using {SMProduct} 2.6 to migrate to {SMProduct} 3. \ No newline at end of file diff --git a/modules/ossm-migrating-read-me-dns-capture-configuration.adoc b/modules/ossm-migrating-read-me-dns-capture-configuration.adoc new file mode 100644 index 000000000000..7bf6daf76fc9 --- /dev/null +++ b/modules/ossm-migrating-read-me-dns-capture-configuration.adoc 
@@ -0,0 +1,22 @@
+// Module included in the following assemblies:
+//
+// * service-mesh-docs-main/migrating/checklists/ossm-migrating-read-me.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="ossm-migrating-read-me-dns-capture-configuration_{context}"]
+= DNS capture configuration for ServiceEntry resources
+
+[role="_abstract"]
+
+To maintain access to external services when migrating to {SMProductName} 3.0, you must explicitly enable DNS capture in the proxy metadata settings.
+
+This is required for any `ServiceEntry` resources that rely on DNS resolution. Failure to enable this feature results in application errors such as `Name or service not known`.
+
+{SMProduct} 2.6 enabled DNS capture by default to support federation, which did not align with the upstream {istio} project. {SMProduct} 3.0 removes this default configuration and aligns with the upstream project's multicluster topologies.
+
+To configure DNS capture in {SMProduct} 3.0, set the `ISTIO_META_DNS_AUTO_ALLOCATE` and `ISTIO_META_DNS_CAPTURE` fields to `true` in the `spec.values.meshConfig.defaultConfig.proxyMetadata` path of your `{istio}` resource.
+
+[NOTE]
+====
+The equivalent of `spec.values.meshConfig.defaultConfig.proxyMetadata` in {SMProduct} 2.6 was `spec.proxy.runtime.container.env`.
+====