Cloud Native 12 min read

How Kubernetes Handles DNS: CoreDNS, iptables, and resolv.conf Explained

This article explores how Kubernetes resolves DNS queries by examining the Pod's resolv.conf configuration, the CoreDNS service implementation via iptables rules, and the impact of search and ndots options on query behavior, providing practical examples and optimization tips.


Pod DNS Overview

Kubernetes pods use the standard Linux DNS resolver configuration found in <code>/etc/resolv.conf</code>. A typical pod shows:

<code>nameserver 10.96.0.10
search kube-system.svc.cluster.local svc.cluster.local cluster.local
options ndots:5</code>

Changing the nameserver on a host (e.g., to Google DNS) would look like:

<code>nameserver 8.8.8.8
nameserver 8.8.4.4</code>

To test DNS resolution you can use the <code>dig</code> tool:

<code>dig baidu.com @8.8.8.8</code>

DNS Server – nameserver

The address <code>10.96.0.10</code> is the ClusterIP of the <code>kube-dns</code> Service. Traffic to this IP on UDP/53 is redirected by iptables rules such as:

<code>-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU</code>

The service chain then distributes traffic to the CoreDNS pods:

<code>-A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.5 -j KUBE-SEP-Q3HNNZPXUAYYDXW2
-A KUBE-SVC-TCOU7JCQXEZGVUNU -j KUBE-SEP-BBR3Z5NWFGXGVHEZ
-A KUBE-SEP-Q3HNNZPXUAYYDXW2 -p udp -j DNAT --to-destination 172.32.3.219:53
-A KUBE-SEP-BBR3Z5NWFGXGVHEZ -p udp -j DNAT --to-destination 172.32.6.239:53</code>

Listing the CoreDNS pods confirms the IPs used above:

<code>kubectl -n kube-system get pods -o wide | grep dns
coredns-646bc69b8d-jd22w   1/1 Running   172.32.6.239
coredns-646bc69b8d-p8pqq   1/1 Running   172.32.3.219</code>

Service Implementation Details

The Service object for DNS is defined as:

<code>kubectl -n kube-system get svc | grep dns
kube-dns   ClusterIP   10.96.0.10   53/UDP,53/TCP,9153/TCP</code>

When more than two CoreDNS pods exist, iptables rules can be extended to split traffic proportionally, e.g. for four pods:

<code>-A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.25 -j KUBE-SEP-HTZHQHQPOHVVNWZS
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.3333 -j KUBE-SEP-3VNFB2SPYQJRRPK6
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.5 -j KUBE-SEP-Q3HNNZPXUAYYDXW2
-A KUBE-SVC-TCOU7JCQXEZGVUNU -j KUBE-SEP-BBR3Z5NWFGXGVHEZ</code>

Because iptables evaluates the rules in order, each <code>--probability</code> applies only to the traffic that earlier rules did not already take: the first rule matches 1/4 of all packets, the second matches 1/3 of the remaining 3/4 (another 1/4 overall), the third matches 1/2 of the remaining 1/2, and the last rule takes everything that is left, so each of the four pods receives 25% of the queries. In general the k-th of N rules uses probability 1/(N-k+1), which keeps the distribution even as the number of pods grows.

resolv.conf Parameters

The <code>search</code> line appends domain suffixes when a query lacks enough dots, while the <code>options ndots</code> setting controls how many dots a name must contain before the search list is bypassed. Example configuration:

<code>search kube-system.svc.cluster.local svc.cluster.local cluster.local
options ndots:5</code>

Without the <code>search</code> entry, a simple <code>ping kube-dns</code> fails; with it, the resolver tries <code>kube-dns.kube-system.svc.cluster.local</code> and succeeds.

Log excerpts illustrate how the resolver attempts each suffix in order, and how the <code>ndots</code> value influences the number of attempts. A low <code>ndots</code> can cause many unnecessary queries, increasing load on the DNS server.
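To make both mechanisms above concrete, here is an added example (not code from the article) in Python: it models the glibc resolver's search/ndots expansion order for the <code>resolv.conf</code> quoted earlier, and the per-rule probabilities kube-proxy assigns to successive <code>KUBE-SEP</code> jumps so that N CoreDNS pods each receive 1/N of the traffic. The search list and <code>ndots:5</code> are taken from the article; glibc resolver semantics are assumed.

```python
"""Model the search/ndots expansion order and the iptables probability chain."""
from fractions import Fraction

# Constructed to match the pod resolv.conf quoted in the article.
SEARCH = ["kube-system.svc.cluster.local", "svc.cluster.local", "cluster.local"]
NDOTS = 5


def candidate_names(name, search=SEARCH, ndots=NDOTS):
    """Return the names the resolver queries, in order, for `name`.

    A trailing dot makes the name absolute: no search expansion at all.
    Otherwise, a name with fewer than `ndots` dots is tried with every
    search suffix before being tried as-is; a name with enough dots is
    tried as-is first and the search list is used only if that fails.
    """
    if name.endswith("."):
        return [name]
    expanded = [f"{name}.{suffix}" for suffix in search]
    if name.count(".") < ndots:
        return expanded + [name]
    return [name] + expanded


def sep_probabilities(n_endpoints):
    """--probability values on the first n-1 KUBE-SVC rules.

    Rule i (0-based) matches 1/(n-i) of the packets that reach it; the last
    rule carries no --probability match and takes whatever is left.
    """
    return [Fraction(1, n_endpoints - i) for i in range(n_endpoints - 1)]


def share_per_endpoint(n_endpoints):
    """Overall fraction of traffic each endpoint receives from that chain."""
    remaining = Fraction(1)
    shares = []
    for p in sep_probabilities(n_endpoints):
        shares.append(remaining * p)
        remaining -= remaining * p
    shares.append(remaining)  # unconditional final rule
    return shares


if __name__ == "__main__":
    for n in ("kube-dns", "baidu.com", "baidu.com."):
        print(n, "->", candidate_names(n))
    print([float(p) for p in sep_probabilities(4)], share_per_endpoint(4))
```

Running it shows that <code>baidu.com</code> costs three cluster-suffix lookups before the real one under <code>ndots:5</code>, while <code>baidu.com.</code> costs exactly one.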

Summary

The article demonstrates how Kubernetes routes DNS queries through iptables to CoreDNS pods, explains the role of <code>resolv.conf</code> settings such as <code>search</code> and <code>ndots</code>, and provides practical examples for debugging and optimizing DNS behavior in a cluster.

Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
