How Kubernetes Handles DNS: CoreDNS, iptables, and resolv.conf Explained
This article explores how Kubernetes resolves DNS queries by examining the Pod's resolv.conf configuration, the CoreDNS service implementation via iptables rules, and the impact of search and ndots options on query behavior, providing practical examples and optimization tips.
Pod DNS Overview
Kubernetes pods use the standard Linux DNS resolver configuration found in /etc/resolv.conf. A typical pod shows:
nameserver 10.96.0.10
search kube-system.svc.cluster.local svc.cluster.local cluster.local
options ndots:5Changing the nameserver on a host (e.g., to Google DNS) would look like:
nameserver 8.8.8.8
nameserver 8.8.4.4To test DNS resolution you can use the dig tool:
dig baidu.com @8.8.8.8DNS Server – nameserver
The address 10.96.0.10 is the ClusterIP of the kube-dns Service. Traffic to this IP on UDP/53 is redirected by iptables rules such as:
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNUThe service chain then distributes traffic to the CoreDNS pods:
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.5 -j KUBE-SEP-Q3HNNZPXUAYYDXW2
-A KUBE-SVC-TCOU7JCQXEZGVUNU -j KUBE-SEP-BBR3Z5NWFGXGVHEZ
-A KUBE-SEP-Q3HNNZPXUAYYDXW2 -p udp -j DNAT --to-destination 172.32.3.219:53
-A KUBE-SEP-BBR3Z5NWFGXGVHEZ -p udp -j DNAT --to-destination 172.32.6.239:53Listing the CoreDNS pods confirms the IPs used above:
kubectl -n kube-system get pods -o wide | grep dns
coredns-646bc69b8d-jd22w 1/1 Running 172.32.6.239
coredns-646bc69b8d-p8pqq 1/1 Running 172.32.3.219Service Implementation Details
The Service object for DNS is defined as:
kubectl -n kube-system get svc | grep dns
kube-dns ClusterIP 10.96.0.10 53/UDP,53/TCP,9153/TCPWhen more than two CoreDNS pods exist, iptables rules can be extended to split traffic proportionally, e.g. for four pods:
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.25 -j KUBE-SEP-HTZHQHQPOHVVNWZS
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.3333 -j KUBE-SEP-3VNFB2SPYQJRRPK6
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.5 -j KUBE-SEP-Q3HNNZPXUAYYDXW2
-A KUBE-SVC-TCOU7JCQXEZGVUNU -j KUBE-SEP-BBR3Z5NWFGXGVHEZThese rules sequentially allocate fractions of the traffic to each pod, ensuring even distribution even as the number of pods grows.
resolv.conf Parameters
The search line appends domain suffixes when a query lacks enough dots, while the options ndots setting controls how many dots a name must contain before the search list is bypassed. Example configuration:
search kube-system.svc.cluster.local svc.cluster.local cluster.local
options ndots:5Without the search entry, a simple ping kube-dns fails; with it, the resolver tries kube-dns.kube-system.svc.cluster.local and succeeds.
Log excerpts illustrate how the resolver attempts each suffix in order, and how the ndots value influences the number of attempts. A low ndots can cause many unnecessary queries, increasing load on the DNS server.
Summary
The article demonstrates how Kubernetes routes DNS queries through iptables to CoreDNS pods, explains the role of resolv.conf settings such as search and ndots, and provides practical examples for debugging and optimizing DNS behavior in a cluster.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.