coredns - beginner guide

To get started with coredns, we can edit config map in kube-system. 

kubectl edit cm/coredns -n kube-system

And then we are going to add the following 


apiVersion: v1
data:
  Corefile: |2

    hello.test:53 {
      errors
      log
      hosts {
        10.0.0.42 hello.test
      }
      reload
    }

    .:53 {
        errors
        health {
           lameduck 5s
        }
        ready
        kubernetes cluster.local in-addr.arpa ip6.arpa {
           pods insecure
           fallthrough in-addr.arpa ip6.arpa
           ttl 30
        }
        prometheus :9153
        forward . /etc/resolv.conf {
           max_concurrent 1000
        }
        cache 30 {
           disable success cluster.local
           disable denial cluster.local
        }
        loop
        reload
        loadbalance
    }
kind: ConfigMap
metadata:
  creationTimestamp: "2026-01-31T02:17:17Z"
  name: coredns
  namespace: kube-system
  resourceVersion: "1535"
  uid: d4726017-e1b2-47a3-abca-47b0c9196d14

 Let's pay attention to this part 

hello.test:53 {

      errors
      log
      hosts {
        10.0.0.42 hello.test
      }
      reload
    }


We are listening to port 53 for dns query. 

"errors" - logs error 

"log" - log query logs 

And listen for hello.test query and return 10.0.0.42 ip address (as shown below). The dns lookup must match exactly. 

hosts {
        10.0.0.42 hello.test
      }


if you do

dnslookup hello.test  -> returns OK 

dnslookup hello1.test -> return NXDOMAIN 

dnslookup my.hello.test -> return NXDOMAIN 

Here is an example where I do a dnslookup hello.test


You can see it is returning the configure ip address.

The example above is returning a static ip based on a query.  Let's do a more realistic example for dns server where request for abc.example.com will get redirected to a legit service in your kubenetes cluster. 

Let's start with this configuration

apiVersion: v1
data:
  Corefile: |
    .:53 {
        errors
        health {
           lameduck 5s
        }
        ready
       
        # Custom rewrite BEFORE kubernetes plugin
        rewrite stop {
          name regex ^(.*)\.example\.com\.$ {1}.default.svc.cluster.local.
          answer name (.*)\.default\.svc\.cluster\.local\. {1}.example.com.
        }
       
        kubernetes cluster.local in-addr.arpa ip6.arpa {
           pods insecure
           fallthrough in-addr.arpa ip6.arpa
           ttl 30
        }
        prometheus :9153
        forward . /etc/resolv.conf {
           max_concurrent 1000
        }
        cache 30
        loop
        reload
        loadbalance
    }
kind: ConfigMap
metadata:
  creationTimestamp: '2026-01-31T03:03:54Z'
  name: coredns
  namespace: kube-system
  resourceVersion: '4243'

We have a httpbin service here and it is deploy with a ip of "10.97.48.2". 


After we have configure our config map and do a restart 

kubectl rollout restart deployment/coredns -n kube-system

we will do this 

nslookup httpbin.example.com

As you can see, it returns 10.97.48.2, which matches the service ip for httpbin service. 


To do conditional fowarding 

A scenario where you forward dns query for corp.example.com to 10.0.0.53 custom dns server

.:53 {
    errors
    health
   
    # ===== EXAMPLE 3 START =====
    forward corp.example.com 10.0.0.53 {
      max_concurrent 50
      policy sequential  # Try first server, then fallback
    }
    # ===== EXAMPLE 3 END =====
   
    forward . /etc/resolv.conf  # Default forwarder for everything else
   
    kubernetes cluster.local in-addr.arpa ip6.arpa {
      pods insecure
      fallthrough in-addr.arpa ip6.arpa
    }
    cache 30
    loop
    reload
    loadbalance
}


  • nslookup api.corp.example.com → goes to 10.0.0.53
  • nslookup google.com → goes to public DNS via /etc/resolv.conf


Multi env resolution 

Here we use different dns server to resolve dns query. 

.:53 {
    errors
    health

    # Dev environment
    rewrite name regex ^(.*)\.dev\.example\.com\.$ {1}.dev.svc.cluster.local.
   
    # Prod environment
    rewrite name regex ^(.*)\.prod\.example\.com\.$ {1}.prod.svc.cluster.local.
   
    # Response rewrites (preserve original domain)
    rewrite stop {
      answer name (.*)\.dev\.svc\.cluster\.local\. {1}.dev.example.com.
      answer name (.*)\.prod\.svc\.cluster\.local\. {1}.prod.example.com.
    }

    kubernetes cluster.local in-addr.arpa ip6.arpa {
      pods insecure
      fallthrough in-addr.arpa ip6.arpa
    }
    forward . /etc/resolv.conf
    cache 30
    loop
    reload
    loadbalance
}


nslookup nginx.dev.example.com    # → dev namespace IP

nslookup nginx.prod.example.com   # → prod namespace IP


Multi dns server forwarding failover

In this setup, we will try corp.example.com against 2 internal dns server 10.0.0.53 and 10.0.0.54 before trying the public dns servers.


.:53 {
    errors
    health
   
    forward corp.example.com 10.0.0.53 10.0.0.54 {
      policy sequential   # Try 10.0.0.53 → if timeout, try 10.0.0.54
      max_fails 2         # Mark server dead after 2 failures
      health_check 1s     # Check every second
    }
   
    forward . 8.8.8.8 1.1.1.1 {
      policy random       # Load balance between public DNS
    }
   
    cache 30
    loop
    reload
}


Understanding core dns logs 

In a typical log you would see 

[INFO] 10.244.1.5:53321 - 45678 "A IN api.corp.example.com. udp 42 false 512"

Here is a breakdown of what it means 


Field
Meaning
Example Value
A
Query type (record type)
A = IPv4 address
IN
Query class
IN = Internet (standard)
api.corp.example.com.
Query name (FQDN)
Note trailing dot = fully qualified
udp
Transport protocol
udp vs tcp
42
Message size (bytes)
DNS query payload size
false
DNSSEC OK (DO) bit
❌ Client did NOT request DNSSEC
512
EDNS0 buffer size
Max UDP payload client can receive







Comments

Post a Comment

Popular posts from this blog

vllm : Failed to infer device type

Trying to run vllm without gpu will typicaly lands you into this issue. To resolve this issue: we can use set these both. Setting one does not work for me. So i had to configure both settings below:- 1.  environment variable CUDA_VISIBLE_DEVICES = "" 2. in the command line, change to use device cpu and remove  tensor-parallel-size. For example, python3 -m vllm.entrypoints.openai.api_server --port 8080 --model deepseek-ai/DeepSeek-R1 --device cpu --trust-remote-code --max-model-len 4096" References https://docs.vllm.ai/en/latest/getting_started/troubleshooting.html#failed-to-infer-device-type
Read more

android studio kotlin source is null error

Image
This org.jetbrains.kotlin.util.FileAnalysisException with a java.lang.IllegalArgumentException: source must not be null is a known issue that can sometimes occur with the Kotlin compiler. It seems to be related to how the compiler analyzes certain source code structures. When this happens, you need to go clean your project and do another rebuild.  For my case, I was trying to test out the databinding = true feature. 
Read more

gemini cli getting file not defined error

Image
 While trying to run gemini cli on my windows linux subsystem, i bump into this error here - "/Roaming/npm/node_modules/@google/gemini-cli/node_modules/undici/lib/web/webidl/index.js:512 webidl.is.File = webidl.util.MakeTypeAssertion(File)"  "ReferenceError: File is not defined" In Node.js, there’s no built-in File (until very recent Node 20+ with experimental WHATWG APIs). So, unless polyfilled, File is undefined, leading to the ReferenceError. And to resolve this, I had to upgrade to node 22 (might work for node 20) and then I was able to run it.
Read more