{"id":3187,"date":"2020-06-16T13:41:15","date_gmt":"2020-06-16T08:11:15","guid":{"rendered":"https:\/\/opstree.com\/blog\/\/?p=3187"},"modified":"2020-06-16T20:34:28","modified_gmt":"2020-06-16T15:04:28","slug":"a-closer-look-at-coredns","status":"publish","type":"post","link":"https:\/\/opstree.com\/blog\/2020\/06\/16\/a-closer-look-at-coredns\/","title":{"rendered":"A Closer Look at coreDNS"},"content":{"rendered":"
\"\"
fig 1<\/figcaption><\/figure>\r\n
\r\n
\r\n
Introduction:<\/strong><\/figure>\r\n\r\n\r\n<\/div>\r\n<\/div>\r\n\r\n\r\n\r\n

The purpose of this blog is not to go deep into coreDNS rather explain how DNS works in kubernetes, what coreDNS contains and how the corefile uses plugins. So let’s get started.<\/p>\r\n

<\/p>\r\n\r\n\r\n\r\n

Pods communication<\/h2>\r\n\r\n\r\n\r\n

Before talking about coreDNS, I want everyone to know how kubernetes implements DNS in clusters. Let\u2019s say one pod i.e. test<\/em> wants to communicate with another pod, db<\/em>. So, we can do that by putting an entry in \/etc\/hosts file as shown in figure 1a.<\/em><\/p>\r\n\r\n\r\n\r\n

\r\n
\r\n
\r\n
\r\n
\r\n
\"\"
fig 1(a)<\/figcaption><\/figure>\r\n
<\/figcaption>\r\n<\/figure>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n

But, what if we are dealing with hundreds of pods that are being created and deleted every minute and need communication?\u00a0<\/p>\r\n\r\n\r\n\r\n

In this case, instead of making entries in \/etc\/hosts which<\/em> is not a suitable solution, we move these entries to a centralised DNS server i.e. 10.96.0.10 <\/em>as shown in figure 1b<\/em>. Now, we need to specify this IP in the pods at a certain location which happens to be inside the \/etc\/resolv.conf file as nameserver.<\/p>\r\n\r\n\r\n\r\n

\r\n
\r\n
\r\n
\r\n
\r\n
\r\n
\r\n
\"\"
fig 1(b)<\/figcaption><\/figure>\r\n
<\/figcaption>\r\n<\/figure>\r\n

Every time a new pod gets created, k8s do an entry of the new pod in the DNS server and a corresponding entry in \/etc\/resolv.conf file of the new pod as well, of course, pointing to the IP address of the DNS server as shown in figure 1c.<\/em><\/p>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n\r\n\r\n\r\n

\r\n
\"\"
fig 1(c)<\/figcaption><\/figure>\r\n
<\/figcaption>\r\n<\/figure>\r\n

Like I said above that we change the entry of \/etc\/hosts to centralised DNS server. Well, it is right but partially. DNS does not do the entry of pods as we do by editing \/etc\/hosts file in pods (Format: <pod_name> <IP>). Instead, it creates a new hostname by replacing dots into dashes in the IP address of pods like hostname<\/em>\u00a010-244-2-5 (Format: <hostname<\/em>> \u00a0 <IP>). Refer figure 1d<\/em> and look at the entry of DNS.<\/p>\r\n\r\n\r\n\r\n

\r\n
\r\n
\r\n
\"\"
fig 1(d)<\/figcaption><\/figure>\r\n
<\/figcaption>\r\n<\/figure>\r\n<\/div>\r\n<\/div>\r\n\r\n\r\n\r\n

Introducing coreDNS<\/h2>\r\n\r\n\r\n\r\n

Well, the above discussion was for understanding. Actually, pods communicate via services in a k8s cluster and coreDNS sets record for these services (by default, pods entries are disabled but you can enable them in corefile of coreDNS).<\/p>\r\n\r\n\r\n\r\n

Although CoreDNS and Kube-dns ultimately perform the same task, there are some key differences in implementation that affect resource consumption and performance. You can read about this thoroughly in coreDNS official docs.<\/a><\/p>\r\n\r\n\r\n\r\n

CoreDNS has been available in kubernetes since v1.9. It is a fast and flexible DNS server. The keyword flexible<\/em> here means you are given a lot of freedom with your DNS data which you can exercise using a range of plugins. If some functionality is not provided out of the box you can add it by writing a plugin<\/a>. It is written in the Go language.<\/em><\/p>\r\n\r\n\r\n\r\n

We deploy CoreDNS as a deployment object in the kube-system namespace in a cluster with a service named \u201ckube-dns\u201d. It requires a configuration file that we call corefile located at \/etc\/coredns\/Corefile.<\/p>\r\n\r\n\r\n\r\n

Corefile and plugins:<\/h4>\r\n\r\n\r\n\r\n

Corefile consists of a number of plugins, plugins are configured for error handling, reporting health, monitoring metrics, cache etc.<\/p>\r\n\r\n\r\n\r\n

The plugin that makes coreDNS to work with kubernetes is kubernetes plugin.<\/strong> In kubernetes plugin, top level domain of kubernetes cluster is set (cluster.local)<\/p>\r\n\r\n\r\n\r\n

Also, it watches for new services by default. For pods, you have to enable ‘pod mode’ in Corefile under kubernetes plugin by making an entry as \u2018pods POD MODE\u2019 in the cluster. If a new object gets created, it adds the record of service or pods in coreDNS server.<\/p>\r\n\r\n\r\n\r\n

The next step for the pods is to point to coreDNS IP address for DNS resolution by specifying nameserver in resolv.conf file. But, what address should it be?
Well, you don\u2019t need to care about this because DNS entries have been handled by the kubelet component.<\/p>\r\n\r\n\r\n\r\n

When we install coreDNS in a cluster, we expose it as a service, so the IP address of that service is configured as a nameserver in pods by kubelet.<\/p>\r\n\r\n\r\n\r\n

Again, my question is how does kubelet know this?<\/strong><\/p>\r\n\r\n\r\n\r\n

You can see the entry of coreDNS server in the kubelet configuration file as shown in figure 2a<\/p>\r\n\r\n\r\n\r\n

You can also configure kubelet and run as service and pass clusterDns IP in that service file.<\/p>\r\n\r\n\r\n\r\n

in minikube:\u00a0<\/strong><\/h4>\r\n\r\n\r\n\r\n
minikube ssh\r\ncat \/var\/lib\/kubelet\/config.yaml<\/pre>\r\n\r\n\r\n\r\n
\r\n
\r\n
\r\n
\r\n
\r\n
\"\"
fig 2(a)<\/figcaption><\/figure>\r\n
<\/figcaption>\r\n<\/figure>\r\n<\/div>\r\n<\/div>\r\n\r\n\r\n\r\n
Self hosted k8s:<\/span><\/p>\r\n<\/div>\r\n<\/div>\r\n\r\n\r\n\r\n
In our project we are not using managed kubernetes service, hence I’ll talk about self-hosted kubernetes cluster. You can check the clusterDns entry in kubelet service by doing ssh to any of the k8s node. Below is the service file we are using in our k8s cluster.<\/p>\r\n\r\n\r\n\r\n
\r\n
\r\n
[Unit]\r\nDescription=Kubernetes Kubelet\r\nDocumentation=https:\/\/github.com\/GoogleCloudPlatform\/kubernetes\r\nAfter=docker.service\r\nRequires=docker.service\r\n\r\n[Service]\r\nExecStart=\/usr\/bin\/kubelet \\\r\n\u00a0\u00a0--allow-privileged=true \\\r\n\u00a0\u00a0--cloud-provider= \\\r\n\u00a0\u00a0--cluster-dns=10.96.0.10\u00a0 \\\r\n\u00a0\u00a0--cluster-domain=cluster.local \\\r\n\u00a0\u00a0--container-runtime=docker \\\r\n\u00a0\u00a0--docker-endpoint=unix:\/\/\/var\/run\/docker.sock \\\r\n\u00a0\u00a0--network-plugin=cni \\\r\n\u00a0\u00a0--cni-bin-dir=\/opt\/cni\/bin \\\r\n\u00a0\u00a0--cni-conf-dir=\/etc\/cni\/net.d \\\r\n\u00a0\u00a0--kubeconfig=\/var\/lib\/kubelet\/kubeconfig \\\r\n\u00a0\u00a0--serialize-image-pulls=true \\\r\n\u00a0\u00a0--tls-cert-file=\/var\/lib\/kubernetes\/kubernetes.pem \\\r\n\u00a0\u00a0--tls-private-key-file=\/var\/lib\/kubernetes\/kubernetes-key.pem \\\r\n\u00a0\u00a0--system-reserved=memory=19227Mi \\\r\n\u00a0\u00a0--fail-swap-on=true \\\r\n\u00a0\u00a0--runtime-cgroups=\/systemd\/system.slice \\\r\n\u00a0\u00a0--kubelet-cgroups=\/systemd\/system.slice \\\r\n\u00a0\u00a0--pod-infra-container-image=<dockerregistry\/imagename:tag \\\r\n\u00a0\u00a0--log-dir=\/var\/log\/kubernetes \\\r\n\u00a0\u00a0--logtostderr=false \\\r\n\u00a0\u00a0--v=2\r\n\r\nRestart=always\r\nRestartSec=5\r\n\r\n[Install]\r\nWantedBy=multi-user.target\r\n<\/pre>\r\n<\/div>\r\n<\/div>\r\n\r\n\r\n\r\n\r\n\r\n
Kubernetes DNS Records<\/h2>\r\n\r\n\r\n\r\n
Format:\u00a0<\/strong><\/p>\r\n\r\n\r\n\r\n
For services: svcname.namespace.type.rootDomain
For pods: hostname.namespace.type.rootDomain<\/p>\r\n\r\n\r\n\r\n
Example:\u00a0\u00a0<\/strong><\/p>\r\n\r\n\r\n\r\n
For services: test-service.default.svc.cluster.local<\/p>\r\n\r\n\r\n\r\n
For pods: 10-244-2-5.default.pod.cluster.local<\/p>\r\n\r\n\r\n\r\n
Inside the Corefile:<\/h2>\r\n\r\n\r\n\r\n
We pass Corefile as a config map in the cluster so that it remains decoupled from the deployment object of coreDNS. It has the plugins already configured. You can get the list of plugin chains here<\/a>.<\/p>\r\n\r\n\r\n\r\n
\r\n
\r\n
.:53 {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0errors<\/strong>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0log<\/strong>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0health<\/strong> {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0lameduck 5s\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ready<\/strong>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0kubernetes<\/strong> cluster.local in-addr.arpa ip6.arpa {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0pods insecure\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0fallthrough in-addr.arpa ip6.arpa\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ttl 30\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0prometheus :9153\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0forward . \/etc\/resolv.conf\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0cache<\/strong> 30\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0loop<\/strong>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0reload<\/strong>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0loadbalance<\/strong>\r\n\u00a0\u00a0\u00a0\u00a0}\r\n<\/pre>\r\n<\/div>\r\n<\/div>\r\n\r\n\r\n\r\n
Let’s talk about kubernetes plugin, Using the kubernetes<\/em> plugin<\/strong>, CoreDNS will read zone data from a Kubernetes cluster. It implements the spec<\/a> defined for Kubernetes DNS-Based service discovery<\/p>\r\n\r\n\r\n\r\n
Format: <\/strong><\/p>\r\n\r\n\r\n\r\n
\r\n
\r\n
Kubernetes ZONE {\r\npods POD-MODE\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0fallthrough ZONE\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ttl time_in_sec\r\n<\/pre>\r\n<\/div>\r\n<\/div>\r\n\r\n\r\n\r\n
kubernetes plugin block:<\/strong><\/p>\r\n\r\n\r\n\r\n
\r\n
\r\n
kubernetes cluster.local in-addr.arpa ip6.arpa {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0pods insecure\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0fallthrough in-addr.arpa ip6.arpa\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ttl 30\r\n<\/pre>\r\n<\/div>\r\n<\/div>\r\n\r\n\r\n\r\n
Inside the kubernetes<\/em> plugin block:<\/h2>\r\n\r\n\r\n\r\n
Inside the kubernetes plugin, there are a lot of options that you can go through here<\/a>.<\/p>\r\n\r\n\r\n\r\n
Let\u2019s discuss the option we are using in the above Corefile.<\/p>\r\n\r\n\r\n\r\n
pods<\/strong> POD-MODE sets the mode for handling IP-based pod A records, e.g.10-244-2-5.default.pod.cluster.local. in A 10.244.2.5. This option is provided to facilitate the use of SSL certs when connecting directly to pods.<\/p>\r\n\r\n\r\n\r\n
Value for POD-MODE that we have used:<\/strong><\/p>\r\n\r\n\r\n\r\n
insecure<\/span><\/strong>: Always return an A record<\/em> of pods.<\/p>\r\n\r\n\r\n\r\n
fallthrough [ZONES\u2026] <\/strong>If a query in the zones for which the plugin is authoritative it either returns a result, or it returns NXDOMAIN for the query. NXDOMAIN responses are created when a DNS has no listing for the domain requested. When fallthrough<\/em>\u00a0is enabled, instead of returning NXDOMAIN when a record is not found, the plugin will pass the request down the plugin chain which can include another plugin to handle the query.<\/p>\r\n\r\n\r\n\r\n
ttl<\/strong> allows you to set a custom TTL for responses. The default is 5 seconds. The minimum TTL allowed is 0 seconds, and the maximum is capped at 3600 seconds. Setting TTL to 0 will prevent records from being cached.<\/p>\r\n\r\n\r\n\r\n
Conclusion:<\/h2>\r\n\r\n\r\n\r\n
In this blog, we got to know how DNS plays an important role in kubernetes. coreDNS works with kubernetes by utilizing kubernetes plugin. It consists of various plugins that you can customize as per your use case. We got to know the format of kubernetes DNS records for services and pods. We explored kubelet configuration through which we learned how the kubelet component configures resolv.conf file. I hope this blog gives you some exposure to coreDNS which might help you to start off with the topic.<\/p>\r\n\r\n\r\n\r\n
Happy learning!<\/p>\r\n
Image Sources –\u00a0fig 1<\/a>, fig 1(a), 1(b), 1(c), and<\/a>\u00a0fig 1(d)<\/a><\/p>\r\n
Opstree is an End to End DevOps solution provider<\/p>\r\n
\r\n\r\n<\/p>\r\n
\r\n
contact us<\/a><\/div>\r\n<\/div>\r\n","protected":false},"excerpt":{"rendered":"
Introduction: The purpose of this blog is not to go deep into coreDNS rather explain how DNS works in kubernetes, what coreDNS contains and how the corefile uses plugins. So let’s get started.<\/p>\n","protected":false},"author":175681501,"featured_media":29900,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[28070474],"tags":[670489941,17846,768739309,71753,30351],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/11\/DevSecOps-1.jpg","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pfDBOm-Pp","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/3187"}],"collection":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/users\/175681501"}],"replies":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/comments?post=3187"}],"version-history":[{"count":25,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/3187\/revisions"}],"predecessor-version":[{"id":3566,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/3187\/revisions\/3566"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media\/29900"}],"wp:attachment":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media?parent=3187"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/categories?post=3187"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/tags?post=3187"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}