
Pod DNS Not Working - Part 2
Your pod can't reach CoreDNS. Is DNS broken — or is it a NetworkPolicy?
When cluster DNS is completely unreachable, there are only 2 real suspects:
1️⃣ CoreDNS itself is broken
2️⃣ A NetworkPolicy is silently blocking port 53
First, check if CoreDNS is even running. Pods in kube-system
CrashLoopBackOff? Read the logs. The Corefile is almost
always the villain.
The Corefile plugins you need to know:
→ kubernetes plugin: resolves service names like orders.default
→ forward plugin: sends external lookups to upstream DNS
→ cache plugin: remembers answers
→ loop plugin: kills CoreDNS on purpose if it detects a
forwarding loop (yes, on purpose — check the logs)
If CoreDNS is healthy but the pod still can't reach it, the
real culprit is usually a NetworkPolicy. Default-deny egress
+ no rule for port 53 = silent DNS death. Fix it with an
egress rule allowing UDP AND TCP on port 53.
⚠️ Gotcha: NetworkPolicy can't target a Service. You allow traffic
to CoreDNS pods by label, or to the cluster DNS IP via ipBlock.
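The default-deny policy and the DNS egress fix side by side, as an added example that is not from the video. Assumptions: the namespace "default" and both policy names are constructed, and the CoreDNS pods carry the common k8s-app=kube-dns label in kube-system (verify with kubectl get pods -n kube-system --show-labels).

```yaml
# Before: default-deny egress for every pod in the namespace.
# With only this policy applied, queries to port 53 never reach CoreDNS
# and lookups time out with no error from CoreDNS itself.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress        # constructed name
  namespace: default               # constructed namespace
spec:
  podSelector: {}                  # selects all pods in the namespace
  policyTypes:
    - Egress                       # no egress rules listed = deny all egress
---
# After: an additional policy. NetworkPolicies are additive, so this one
# opens DNS only and leaves all other egress denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress           # constructed name
  namespace: default
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        # One list item holding both selectors = pods with this label
        # AND in this namespace. Two separate items would mean OR.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns    # assumed CoreDNS pod label
        # Alternative to the selectors above, per the gotcha:
        # - ipBlock:
        #     cidr: <CLUSTER_DNS_IP>/32   # placeholder, not a real address
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP            # large answers fall back to TCP
          port: 53
```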
Save this for your next K8s outage. Or your next interview.
▶️ Part 1: https://youtube.com/shorts/J-zSd2lsMaI
▶️ Part 3: https://youtube.com/shorts/Tieokbq9jWg
Ever been burned by a Corefile typo? Drop the story below.
#kubernetes #k8s #coredns #devops #kubernetesdns #networkpolicy
#devopsinterview #sre #cka #ckad #kubectl #cloudnative
#kubernetestroubleshooting #kubernetestutorial #kubernetestips
KodeKloud