How Does DNS Work in Kubernetes?

TL;DR

Kubernetes runs a DNS server (CoreDNS) as a cluster add-on that provides DNS-based service discovery. Every Service gets a DNS record (<service>.<namespace>.svc.cluster.local), and every Pod's /etc/resolv.conf is configured to use CoreDNS. This enables Pods to find Services by name instead of IP.

Detailed Answer

DNS is the primary mechanism for service discovery in Kubernetes. Instead of hardcoding IP addresses, Pods resolve Service names through DNS, and the cluster's DNS server (CoreDNS) returns the correct IP.

How It Works End-to-End

  1. A Pod wants to reach api-service
  2. The Pod's resolver reads /etc/resolv.conf, which points to CoreDNS
  3. The search domains expand api-service to api-service.default.svc.cluster.local
  4. CoreDNS looks up the Service in the Kubernetes API
  5. CoreDNS returns the Service's ClusterIP
  6. The Pod connects to the ClusterIP, which kube-proxy routes to a backend Pod

Pod's resolv.conf

Every Pod gets a resolver configuration injected by the kubelet:

kubectl exec my-pod -- cat /etc/resolv.conf
nameserver 10.96.0.10
search default.svc.cluster.local svc.cluster.local cluster.local
options ndots:5

| Field | Value | Purpose |
|---|---|---|
| nameserver | 10.96.0.10 | CoreDNS ClusterIP |
| search | default.svc.cluster.local ... | Short name expansion |
| ndots | 5 | Names with fewer than 5 dots use search domains |

DNS Record Types

ClusterIP Service

api-service.default.svc.cluster.local → 10.96.45.12 (ClusterIP)

Headless Service (clusterIP: None)

db-headless.default.svc.cluster.local → 10.244.1.5, 10.244.2.8 (Pod IPs)
db-0.db-headless.default.svc.cluster.local → 10.244.1.5 (individual Pod)

ExternalName Service

external-api.default.svc.cluster.local → CNAME api.external.com

Search Domain Resolution

The ndots:5 setting means any name with fewer than 5 dots is tried with search domains first:

Lookup: api-service
Try 1: api-service.default.svc.cluster.local  ← Found!
Try 2: api-service.svc.cluster.local
Try 3: api-service.cluster.local
Try 4: api-service  (absolute lookup)

For external domains like google.com (1 dot, fewer than 5):

Try 1: google.com.default.svc.cluster.local  ← NXDOMAIN
Try 2: google.com.svc.cluster.local  ← NXDOMAIN
Try 3: google.com.cluster.local  ← NXDOMAIN
Try 4: google.com  ← Found!

This means external lookups generate extra DNS queries. For high-traffic external lookups, use a trailing dot (google.com.) or reduce ndots:

spec:
  dnsConfig:
    options:
      - name: ndots
        value: "2"

CoreDNS Architecture

CoreDNS runs as a Deployment with a Service in kube-system:

kubectl get deployment coredns -n kube-system
# NAME      READY   UP-TO-DATE   AVAILABLE   AGE
# coredns   2/2     2            2           30d

kubectl get service kube-dns -n kube-system
# NAME       TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)
# kube-dns   ClusterIP   10.96.0.10   <none>        53/UDP,53/TCP

The Service is named kube-dns for historical compatibility, but it routes to CoreDNS Pods.

DNS Policy

Pods can configure their DNS behavior with dnsPolicy:

spec:
  dnsPolicy: ClusterFirst    # Default: use CoreDNS for cluster names

| Policy | Behavior |
|---|---|
| ClusterFirst (default) | Use CoreDNS. Fall back to node DNS for external names. |
| Default | Use the node's resolv.conf directly (no cluster DNS) |
| None | No auto-configuration. Must provide dnsConfig manually. |
| ClusterFirstWithHostNet | Like ClusterFirst, but for Pods using hostNetwork |

DNS Lookup Example

# From inside a Pod
# Short name (same namespace)
nslookup api-service
# Server:    10.96.0.10
# Address:   10.96.0.10#53
# Name:      api-service.default.svc.cluster.local
# Address:   10.96.45.12

# Cross-namespace lookup
nslookup api-service.backend
# Name: api-service.backend.svc.cluster.local
# Address: 10.96.78.34

# Fully qualified name
nslookup api-service.backend.svc.cluster.local
# Name: api-service.backend.svc.cluster.local
# Address: 10.96.78.34

Why Interviewers Ask This

Interviewers ask this to verify you understand how service discovery works in Kubernetes, which is fundamental to how microservices communicate in a cluster.

Common Follow-Up Questions

What DNS records does Kubernetes create for a Service?
An A record mapping <service>.<namespace>.svc.cluster.local to the ClusterIP. For headless Services, it returns the individual Pod IPs.
How does the Pod's resolv.conf get configured?
The kubelet injects /etc/resolv.conf with the CoreDNS Service ClusterIP as the nameserver and search domains for the Pod's namespace.
What happens if CoreDNS is down?
Pods cannot resolve Service names and most inter-service communication fails. Existing connections using IPs continue to work, but new DNS lookups fail.

Key Takeaways

  • CoreDNS runs as a Deployment in kube-system and provides DNS for all cluster resources.
  • Services are accessible via <service>.<namespace>.svc.cluster.local DNS records.
  • Pod resolv.conf includes search domains that allow short names within the same namespace.
