Understanding DNS Resolution in Kubernetes and CoreDNS Behavior

Overview

Some notes on how DNS works inside Kubernetes, how it differs from local development, and a few lessons learned about CoreDNS (especially during outages)

How DNS Resolution Works in Kubernetes

When a pod makes a DNS query like example.com, it doesn’t immediately hit the internet. Instead, the container’s /etc/resolv.conf points to the CoreDNS service IP inside the cluster. That’s where DNS queries go first.

Kubernetes injects search domains into the pod’s DNS config. So something like:

1curl my-service

might try resolving:

1my-service.my-namespace.svc.cluster.local

before even trying my-service as a full domain.

That’s where ndots matters.

What is "ndots"?

This is a setting in /etc/resolv.conf that controls when a domain is considered “fully qualified”.

If ndots=5, something like foo.bar will try resolving:

1foo.bar.my-namespace.svc.cluster.local
2foo.bar.svc.cluster.local
3foo.bar.cluster.local
4foo.bar.ap-northeast-1.compute.internal
5foo.bar

first, before trying foo.bar directly.

Why "ndots:1" Helped

At one point, I noticed a huge load on CoreDNS, with tons of lookups piling up even for domains that were already fully qualified.

Setting ndots:1 reduced the number of search paths DNS had to try. It made CoreDNS stop wasting effort trying to resolve things that didn’t need the cluster domain suffix.

Unless the app is intentionally resolving short, partial names (which is rare), ndots:1 seems like a solid default.

Also noticed some container images and Helm charts override this, so it’s good to confirm it explicitly.

Setting ndots:1 was as simple as adding this to the deployment.yaml to each microservice pods:

1dnsConfig:
2  options:
3    - name: ndots
4      value: '1'

What is CoreDNS?

It’s the default DNS server for Kubernetes clusters.

It listens for pod DNS queries and resolves them based on:

Service names inside the cluster
External domains via upstream resolvers (like 8.8.8.8)
Configured rewrite/forward rules in the CoreDNS configmap

Why It Matters During Outages

When something like CoreDNS goes down:

All internal service name resolution fails
Apps can’t talk to each other even if they’re healthy
Metrics might still show the pods are fine, which can be misleading

It’s one of those pieces that quietly does a lot — until it doesn’t.

Final Notes

Always check /etc/resolv.conf inside the pod
Watch CoreDNS metrics (e.g. query load, errors)
Consider ndots:1 unless there’s a reason not to

Might come back and add visual diagrams later if needed.

Understanding DNS Resolution in Kubernetes and CoreDNS Behavior

Table of Contents

Overview

How DNS Resolution Works in Kubernetes

What is "ndots"?

Why "ndots:1" Helped

What is CoreDNS?

Why It Matters During Outages

Final Notes

Related Articles

My Infrastructure Tools Setup Checklist: AWS, kubectl, Terraform & More

Optimizing Next.js on EKS: Tips I’ve learned as an SRE

Kubernetes Secrets Rotation: Versioned Pattern with Instant Rollback

Related Articles

My Infrastructure Tools Setup Checklist: AWS, kubectl, Terraform & More
8 min read
Complete kubectl, AWS CLI, and Terraform setup guide for Mac. Install and configure Kubernetes tools (k9s, kubectx, Istio, Flux) using Aqua for version management. Includes shell aliases and productivity tips for DevOps engineers.
KubernetesAWSTerraform

Optimizing Next.js on EKS: Tips I’ve learned as an SRE
4 min read
Lessons learnt by managing Next.js apps on EKS, covering health checks, scaling, caching, and logging.
Node.jsKubernetesNext.js

Kubernetes Secrets Rotation: Versioned Pattern with Instant Rollback
7 min read
How to rotate Kubernetes secrets safely in production using versioned naming, progressive rollout, and instant rollback strategies. No downtime, no incidents.
KubernetesAWSSecrets Manager