CoreDNS do not respect local DNS
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
When people say CoreDNS does not respect local DNS, they usually mean that names resolvable on the node itself stop resolving inside Kubernetes pods. That behavior is usually not CoreDNS ignoring you at random. It is a consequence of how pod DNS is generated, which upstream resolvers CoreDNS is told to use, and whether the node-local resolver is reachable from inside the cluster.
Understand the DNS Path in Kubernetes
Inside a Kubernetes cluster, a pod does not usually query the node resolver directly. The pod sends DNS queries to the cluster DNS service, often CoreDNS, and CoreDNS decides what to do next based on the Corefile.
A common configuration looks like this:
The key line is forward . /etc/resolv.conf. That does not mean "use whatever the pod sees in /etc/resolv.conf". It means CoreDNS reads its own resolver file inside the CoreDNS container. Depending on how the deployment is set up, that file may not contain the same servers or search domains as the host machine.
Why Node-Local DNS Often Fails
Many machines use a stub resolver on 127.0.0.1 or 127.0.0.53. That works on the host because the service is bound to the host loopback interface. But from inside a CoreDNS container, that address points to the container itself, not to the host resolver.
That leads to a confusing situation:
- the node can resolve internal company names
- the pod cannot resolve them
- CoreDNS forwarding to the node loopback address fails or times out
In other words, CoreDNS is following its upstream configuration exactly, but the upstream target is unreachable from that network namespace.
Fix the Upstream Resolver Explicitly
The safest approach is to point CoreDNS at reachable upstream DNS servers instead of relying on an implicit local stub. For example:
If your organization has internal DNS servers for private zones, forward directly to those addresses. That removes ambiguity and avoids dependence on the node's loopback resolver.
If you want pods to inherit a specific resolver file from the node, check the kubelet configuration. The resolvConf setting determines which resolver file kubelet uses when generating pod DNS settings.
That is relevant when the default node file points at a stub resolver but another file contains the real upstream nameservers.
Verify What CoreDNS Actually Sees
Before changing anything, inspect the environment from inside the cluster rather than assuming it matches the host.
Those checks answer three different questions:
- what CoreDNS is configured to do
- what resolver file exists inside the CoreDNS container
- what a regular pod can actually resolve
You need all three when debugging.
Common Pitfalls
The most common mistake is forwarding to 127.0.0.1 or 127.0.0.53. Those addresses only make sense on the host where the stub resolver is running. Inside a container they usually point nowhere useful.
Another issue is assuming that host DNS search domains automatically appear in pods. Pod DNS settings are generated by kubelet and may be different from the host machine, especially when dnsPolicy or custom pod DNS options are involved.
It is also easy to focus only on CoreDNS and miss split-horizon DNS. An internal zone may resolve correctly only when queries go to a specific enterprise resolver. If CoreDNS forwards to a public DNS server, private records will never appear.
Finally, remember that CoreDNS handles both cluster service discovery and external forwarding. Changing the Corefile carelessly can break cluster name resolution even if you were only trying to fix an upstream DNS problem.
Summary
- CoreDNS usually serves as the pod DNS entry point, not the host resolver.
- '
forward . /etc/resolv.confuses the resolver file visible to CoreDNS, not necessarily the node's local stub.' - Loopback resolvers such as
127.0.0.53often fail inside containers. - Prefer explicit, reachable upstream DNS servers for private and public zones.
- Debug from inside the cluster by checking the
Corefile, CoreDNS container resolver settings, and a real pod lookup.

