CNCFKubernetesContainer OrchestrationIntermediate20 min read

What Is CoreDNS in Networking?

Also known as: CoreDNS, Kubernetes DNS, service discovery, CKA exam, Corefile

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

CoreDNS translates human-readable names, like "my-app.svc.cluster.local", into IP addresses that computers understand. This is essential for services inside a Kubernetes cluster to find and communicate with each other. It is built with a plugin system, meaning you can add features like logging, caching, or custom name resolution easily. CoreDNS replaced an older tool called kube-dns and is now the default DNS server for Kubernetes.

Must Know for Exams

CoreDNS is a core topic in the CNCF Certified Kubernetes Administrator (CKA) exam. The exam objectives explicitly include "Troubleshoot cluster and node failures" and "Configure networking plugins and CNI plugins", both of which require understanding how CoreDNS works. The CKA exam tests whether a candidate can verify that CoreDNS is running, debug DNS resolution failures, and modify the Corefile to change cluster DNS behavior.

Questions may ask candidates to install CoreDNS manually, check the status of the CoreDNS pods, or forward unknown queries to an external DNS server. The CKA also covers service discovery, which is directly tied to CoreDNS. For the CKAD (Certified Kubernetes Application Developer) exam, while less focused on infrastructure, candidates still need to know that Services create DNS records and how to use those records in applications.

The CKS (Certified Kubernetes Security Specialist) exam touches on CoreDNS from a security perspective, such as limiting DNS queries, using network policies with DNS, and encrypting DNS traffic with DoT or DoH. In all these exams, common traps involve confusing CoreDNS with other networking components like kube-proxy or CNI plugins. Candidates must remember that CoreDNS is a DNS server, not a network proxy or firewall.

Another common exam objective is troubleshooting Pod-to-Pod communication. If a Pod cannot resolve a service name, the first step is often to check the CoreDNS Pod logs using `kubectl logs`. Understanding the structure of the Corefile and how plugins are chained is also tested.

The exam may present a broken Corefile and ask you to identify the missing plugin. Mastering CoreDNS is therefore not optional for anyone aiming for Kubernetes certification.

Simple Meaning

Imagine you live in a large apartment building with hundreds of units, but none of them have visible numbers. To send a package to your friend in apartment 5B, you would need a directory that maps "Sarah in 5B" to the exact location. CoreDNS is that directory for a Kubernetes cluster.

A Kubernetes cluster is like a city of containers, where each container is a tiny computer running a piece of an application. These containers constantly need to talk to each other, but they do not have fixed addresses because they can be moved or restarted automatically. CoreDNS solves this problem by keeping a constantly updated phone book.

When one container wants to talk to another service called "frontend", it asks CoreDNS for the current IP address. CoreDNS looks up the name, finds the correct container, and returns its current IP. This allows applications to use stable names instead of fragile, changing numbers.

CoreDNS is not just a simple phone book, however. It is highly customizable through plugins. You can teach it to look up names from other systems, like a corporate directory, a cloud provider, or even the public internet.

It can cache answers to speed things up, log queries for troubleshooting, and rewrite names if needed. Because CoreDNS is built by the Cloud Native Computing Foundation and is designed to be lightweight and secure, it is perfectly suited for the fast-moving world of containers and Kubernetes. Without CoreDNS, every service would need to hardcode IP addresses, breaking whenever a container restarts or scales up.

CoreDNS makes the cluster dynamic, resilient, and easy to manage.

Full Technical Definition

CoreDNS is an open-source, extensible DNS server written in Go, originally derived from Caddy, a web server. It operates on port 53 (the standard DNS port) and uses the DNS protocol as defined by RFC 1035. Its primary role in Kubernetes is as the cluster DNS, providing service discovery by resolving Service and Pod names to IP addresses.

In a standard Kubernetes deployment, CoreDNS runs as a Deployment with a single or multiple Pods, fronted by a ClusterIP Service. Each Pod in the cluster is configured via kubelet to use the CoreDNS Service IP as its nameserver. CoreDNS then reads cluster state from the Kubernetes API server using the Kubernetes plugin.

This plugin watches for changes in Services, Endpoints, and Pods, and automatically populates DNS records. For example, a Service named "api" in namespace "production" will get an A record for "api.production.

svc.cluster.local". Pods get their own A records and PTR records under the cluster domain. CoreDNS also supports forwarding queries it cannot resolve to external DNS servers, such as public nameservers or on-premise Active Directory.

The server is built around a plugin architecture. Each plugin is a middleware component that handles a specific function. Common plugins include the cache plugin for performance, the rewrite plugin for modifying queries, the log and errors plugins for debugging, and the health plugin for providing a health check endpoint.

Configuration is done through a Corefile, which is a simple text file that defines server blocks, zones, and plugin chains. Administrators can customize the Corefile to add or remove plugins, change behavior, or integrate with external systems. CoreDNS is a graduated project of the Cloud Native Computing Foundation (CNCF), meaning it has reached a high level of maturity and adoption.

Its modular design and low resource footprint make it suitable for both small edge clusters and large-scale production environments. It supports DNS over TLS (DoT) and DNS over HTTPS (DoH) for secure name resolution. CoreDNS also implements the NodeLocal DNSCache pattern, where a cache instance runs on each node to reduce latency and API server load.

Real-Life Example

Think of a large corporate office building with many departments: Engineering, Sales, HR, and Finance. Each department occupies a different floor, and each employee has a desk with a specific number. When someone from HR wants to send a document to the Finance manager, they do not walk around looking for a specific desk number.

Instead, they look at the company directory posted near the elevator. That directory lists "Finance Manager" and gives the floor and desk number. CoreDNS works exactly like that company directory.

In a Kubernetes cluster, every container is like an employee. Their individual IP addresses are like desk numbers, which change when they move (restart). The service names, like "finance-service", are like job titles.

CoreDNS is the directory board. When a container asks "Where is the finance-service?", CoreDNS looks up the current desk number and gives the answer. But CoreDNS is smarter than a static paper directory.

It updates automatically when employees move to a new desk (containers restart or scale up). It can also handle special cases. For example, if the company also has a subsidiary with their own directory, CoreDNS can check that as well.

This is like having a directory that can call another building to find information. CoreDNS does this through its forwarding plugin, sending queries to other DNS servers when needed. Additionally, if someone in Sales types a wrong name, such as "finanse-service", a normal directory would say "not found".

But CoreDNS with the rewrite plugin could automatically correct the spelling and return the right desk number. This makes the entire cluster more robust and user-friendly, just as a smart directory makes a large office building easier to navigate.

Why This Term Matters

In real IT work, especially in cloud-native environments, service discovery is not a luxury but a necessity. Without a system like CoreDNS, every piece of software would need hardcoded network addresses, which break the moment a container updates, scales, or moves. This makes deployments brittle, increases downtime, and requires manual intervention.

CoreDNS solves this by providing a dynamic, automated naming service that always returns the current IP address for a given service name. This directly impacts availability, scalability, and operational efficiency. For system administrators and DevOps engineers, CoreDNS reduces the cognitive load of tracking IP addresses manually.

They can design applications to use simple names like "database" or "redis-cache", and the underlying infrastructure handles the rest. CoreDNS also plays a critical role in security. By controlling which queries are allowed and how they are answered, administrators can prevent internal name leakage and enforce policies.

The plugin architecture allows teams to add logging, which helps in auditing and troubleshooting network issues. In multi-cluster or hybrid cloud setups, CoreDNS can be configured to federate with other DNS systems, enabling seamless name resolution across different environments. This is crucial for enterprises managing hundreds of microservices.

CoreDNS also supports DNS-based service mesh integration, where sidecar proxies use its records to route traffic. From a performance perspective, CoreDNS is lightweight and highly efficient, handling thousands of queries per second with minimal CPU and memory overhead. Its caching plugin reduces latency and offloads external DNS servers.

The health plugin allows monitoring tools to check if CoreDNS is alive, which is essential for maintaining cluster stability. In short, CoreDNS is the silent backbone that makes container orchestration practical and reliable. Without it, Kubernetes would be far less usable in production.

How It Appears in Exam Questions

CoreDNS appears in certification exam questions in several distinct patterns. The first category is command-based questions. For example, a question might ask you to list all DNS records for a given service.

The expected answer involves using `kubectl run` with a temporary Pod to perform a DNS lookup, such as `kubectl run busybox --image=busybox --restart=Never -- nslookup my-service`. Or it may ask you to verify that CoreDNS is running by checking the pods in the kube-system namespace: `kubectl get pods -n kube-system | grep coredns`. The second pattern is configuration questions.

These present a scenario where DNS resolution is failing for external names, and you must edit the CoreDNS ConfigMap to add a forward plugin pointing to an external DNS server like 8.8.8.

8. You would need to understand the Corefile syntax and which plugins handle forwarding. The third pattern is troubleshooting questions. A classic scenario: a new Pod cannot reach a database service by its name.

The question might show the service definition and the Pod's DNS configuration, then ask you to identify if the issue is with the service name, the namespace, or CoreDNS itself. You would need to check the Pod's /etc/resolv.conf, the service's DNS record, and the CoreDNS logs.

The fourth pattern is architecture questions. These ask about the role of CoreDNS in the cluster, such as "Which component is responsible for service discovery in Kubernetes?" or "What protocol does CoreDNS use?"

The fifth pattern is upgrade and scaling questions. The exam might ask you to increase the number of CoreDNS replicas for high availability using `kubectl scale deployment/coredns -n kube-system --replicas=3`. Understanding that CoreDNS uses a Deployment ensures you know how to scale it.

The final pattern is security questions. For example, you might be asked to enable TLS for CoreDNS to encrypt DNS queries. You would need to modify the Corefile to include the `tls` plugin and provide certificate paths.

These question types require both theoretical knowledge and practical hands-on experience with CoreDNS.

Study cncf-cka

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a junior administrator managing a Kubernetes cluster for an e-commerce company. The cluster runs several microservices: a frontend web app, a product catalog service, a payment service, and a user authentication service. The product catalog service needs to query the authentication service every time a user logs in to verify their credentials.

Instead of hardcoding the IP address of the authentication service, the product catalog uses the name "auth-service" to find it. One day, you notice error logs showing that the product catalog cannot connect to "auth-service". You check the services and find that the authentication service is running but its Pods have been restarted due to a rolling update, so their IP addresses changed.

The product catalog still has old DNS entries. This is where CoreDNS comes in. CoreDNS is responsible for updating the DNS records every time a Pod or Service changes. You run a quick diagnostic by launching a temporary Pod and running `nslookup auth-service.

default.svc.cluster.local`. The lookup fails, indicating that CoreDNS does not have an entry for that service. You then check the CoreDNS Pod logs and find that the Kubernetes plugin is failing to connect to the API server due to a network policy blocking traffic.

After adjusting the network policy to allow traffic from CoreDNS to the API server, the DNS record becomes available, and the product catalog can authenticate users again. In this scenario, CoreDNS was the missing link that, once fixed, restored the entire application communication.

Common Mistakes

Thinking CoreDNS is a network proxy like kube-proxy.

kube-proxy handles network traffic forwarding and load balancing at the network layer, while CoreDNS is a DNS server that provides name resolution. They serve entirely different purposes.

Remember that CoreDNS answers the question 'What is the IP of this service?' while kube-proxy answers 'How do I send a packet to that IP?'.

Believing CoreDNS is only for Kubernetes and has no other uses.

CoreDNS is a general-purpose DNS server that can run standalone, in Docker, or in any environment. Its Kubernetes plugin is just one of many plugins. It can be used for local development, edge computing, or even as a public DNS server.

CoreDNS is a flexible DNS server that happens to be the default for Kubernetes, but it is not limited to Kubernetes.

Assuming DNS resolution automatically works for external domains like google.com without configuration.

By default, CoreDNS in Kubernetes only resolves names within the cluster domain. Without a forward plugin, it will fail for external domains.

To resolve external names, you must explicitly configure the forward plugin in the Corefile to point to an external DNS server, such as 8.8.8.8 or a corporate nameserver.

Using kubectl delete on the CoreDNS Deployment to fix a DNS issue.

Deleting the CoreDNS pods without a proper restart or update will cause a temporary DNS outage, making the entire cluster unable to resolve service names.

Instead of deleting, use kubectl scale to restart or use kubectl rollout restart deployment/coredns to gracefully restart the pods without downtime if multiple replicas exist.

Confusing the Corefile with a YAML configuration file.

The Corefile uses a unique syntax that is not YAML. Using YAML formatting will cause CoreDNS to fail to parse the configuration.

Learn the Corefile syntax, which uses brackets and indentation similar to a simple config file. Always validate your Corefile using `coredns -plugins` or a syntax checker before applying it.

Exam Trap — Don't Get Fooled

A question presents a scenario where Pods can communicate by IP but not by service name, and asks you to identify the faulty component. Many learners choose 'kube-proxy' because they associate networking with it. Always test DNS separately.

If Pods can ping each other's IPs, the network is working. The problem must then be with CoreDNS, its configuration, or the DNS records. In the exam, use a DNS tool like nslookup or dig from within a Pod to isolate the issue.

Commonly Confused With

CoreDNSvskube-proxy

kube-proxy is a network component that manages traffic routing and load balancing for Services using iptables or IPVS. CoreDNS is a DNS server that resolves service names to IPs. kube-proxy does not resolve names; CoreDNS does not route traffic.

A Pod sends a request to 'my-service'. CoreDNS resolves that name to an IP (e.g., 10.96.0.1). Then kube-proxy forwards the packet from the Pod to that IP.

CoreDNSvsCNI plugin (e.g., Calico, Flannel)

CNI plugins are responsible for setting up the network interfaces and IP addresses for Pods. CoreDNS uses those IP addresses to create DNS records, but it does not assign them. CNI works at layer 2/3; CoreDNS works at layer 7 (application).

Calico gives each Pod an IP like 10.1.1.5. CoreDNS then creates a DNS record mapping 'pod-name.namespace.pod.cluster.local' to 10.1.1.5.

CoreDNSvsService Mesh sidecar (e.g., Envoy, Istio)

A service mesh sidecar intercepts application traffic to add features like mTLS, retries, and observability. CoreDNS is only about name resolution. The sidecar may use CoreDNS results but does not replace it.

When a service calls another, it first queries CoreDNS for the IP. Then the sidecar proxy intercepts that connection to enforce security policies. CoreDNS gives the address; the sidecar manages the conversation.

CoreDNSvsetcd

etcd is a distributed key-value store that holds all cluster data, including service definitions. CoreDNS reads from etcd indirectly through the API server to build its DNS records, but CoreDNS does not store data itself.

When you create a Service, etcd stores that information. CoreDNS queries the API server, which reads from etcd, to get the service IP and create a DNS record.

Step-by-Step Breakdown

1

Configuration and Startup

CoreDNS is deployed as a set of Pods controlled by a Deployment. It loads its configuration from a Corefile, typically stored in a ConfigMap in the kube-system namespace. The Corefile defines which zones the server handles, which plugins to use, and how they are chained.

2

Initialization of the Kubernetes Plugin

When CoreDNS starts, the kubernetes plugin connects to the Kubernetes API server using the service account credentials mounted inside the Pod. It then begins watching for changes to Services, Endpoints, and Pods in the cluster.

3

Populating the DNS Database

As the kubernetes plugin receives events from the API server, it builds an in-memory DNS database. For each Service, it creates an A record mapping the service name (e.g., myservice.namespace.svc.cluster.local) to the Service's ClusterIP. Similarly, it creates records for headless services and Pods.

4

Handling DNS Queries

When a Pod’s application tries to resolve a name, its c library sends a DNS query to the nameserver listed in /etc/resolv.conf, which is the CoreDNS ClusterIP. CoreDNS receives the query on port 53, identifies the zone (e.g., cluster.local), and passes it through the configured plugin chain.

5

Plugin Processing and Response

Each plugin in the chain performs its function. For example, the cache plugin checks if it has a recent answer. The rewrite plugin may modify the query. Finally, the kubernetes plugin looks up the name in its database. If found, it returns the IP address. If not, the forward plugin passes the query to an external DNS server.

6

Caching and Return

The answer is cached by the cache plugin for the duration specified in the DNS record's TTL. CoreDNS then sends the DNS response packet back to the requesting Pod. The application now has the IP address and can initiate a connection.

7

Continuous Synchronization

Throughout its operation, CoreDNS continuously watches the API server. If a Service is deleted, its DNS record is removed. If a Pod is added, a new record is created. This ensures that the DNS database always reflects the current state of the cluster, enabling dynamic service discovery.

Practical Mini-Lesson

CoreDNS is not just a black box you deploy and forget. As a professional, you need to understand how to configure it, troubleshoot it, and optimize it. Start by examining your current CoreDNS configuration. Use `kubectl describe configmap coredns -n kube-system` to see the Corefile. A typical Corefile looks like this:

. { kubernetes cluster.local in-addr.arpa ip6.arpa { pods insecure fallthrough in-addr.arpa ip6.arpa } forward . /etc/resolv.conf cache 30 log errors }

This configuration tells CoreDNS to handle the cluster.local zone for internal names, forward all other queries to the system resolver, cache results for 30 seconds, and log all queries. You can modify this to add custom zones, restrict queries, or change the forward destination. For troubleshooting, always check CoreDNS's health. Use `kubectl get pods -n kube-system -l k8s-app=kube-dns` to ensure pods are running. Then inspect logs with `kubectl logs -n kube-system <coredns-pod>`. Common log entries include timeouts or connection refused messages. If external DNS fails, check that the forward plugin is correctly configured. You can also test DNS from within the cluster by launching a debug Pod: `kubectl run -it --rm debug --image=busybox -- sh` and then using `nslookup kubernetes.default`. This verifies that CoreDNS is working for internal names. For performance, consider increasing the number of CoreDNS replicas and enabling NodeLocal DNSCache to reduce latency. Security practices include enabling the `reload` plugin to load configuration changes without restarting, setting the `errors` plugin to capture failures, and using network policies to restrict which pods can query CoreDNS. In production, always monitor CoreDNS with Prometheus, as it exposes metrics like request count, error rate, and latency. These metrics help you spot issues before they cause outages. Remember that CoreDNS configuration changes require updating the ConfigMap and then restarting the pods or triggering a reload. To apply a new Corefile, edit the ConfigMap with `kubectl edit configmap coredns -n kube-system` and then run `kubectl rollout restart deployment/coredns -n kube-system` to apply changes without manual deletion. This knowledge is critical for maintaining a healthy Kubernetes cluster.

Memory Tip

Think of CoreDNS as the 'DNS directory' for your cluster. If you cannot reach a service by its name, check the directory first: look at CoreDNS logs and its Corefile.

Covered in These Exams

Related Glossary Terms

Frequently Asked Questions

What port does CoreDNS use?

CoreDNS uses port 53 for DNS queries and port 9153 for Prometheus metrics. It also uses port 8080 for health checks if the health plugin is configured.

How do I check if CoreDNS is running?

Use `kubectl get pods -n kube-system | grep coredns` to see the pods. Ensure they are in the Running state. You can also check the service with `kubectl get svc -n kube-system -l k8s-app=kube-dns`.

Can I use CoreDNS outside of Kubernetes?

Yes. CoreDNS is a general-purpose DNS server. You can run it on any Linux server, in Docker, or in a custom environment entirely independent of Kubernetes.

Why does my Pod timeout when trying to resolve external hostnames?

This usually means the forward plugin is not configured or is pointing to a DNS server that is unreachable. Check the Corefile in the coredns ConfigMap and ensure forward is set to a valid DNS resolver, such as 8.8.8.8.

What is a Corefile?

A Corefile is the configuration file for CoreDNS. It defines server blocks, zones, and plugin chains. It uses a simple text syntax, not YAML or JSON.

How do I modify CoreDNS configuration?

Edit the ConfigMap named coredns in the kube-system namespace. After making changes, restart the CoreDNS pods by running `kubectl rollout restart deployment/coredns -n kube-system` to apply the new configuration.

Does CoreDNS support DNS over HTTPS?

Yes, CoreDNS has a plugin called `forward` that supports DNS over HTTPS (DoH) and DNS over TLS (DoT) for secure name resolution.

What is the difference between CoreDNS and kube-dns?

kube-dns is the older DNS server for Kubernetes, consisting of three containers. CoreDNS is a single binary with a plugin architecture, more flexible, and is the current default. CoreDNS also has better performance and is easier to extend.

Summary

CoreDNS is an essential component in the Kubernetes ecosystem, acting as the cluster's DNS server for service discovery. It translates human-readable service names into IP addresses, enabling dynamic communication between containers. Its plugin-based architecture makes it highly customizable, allowing administrators to add features like caching, logging, forwarding, and security enhancements.

For certification exams like the CKA, CKAD, and CKS, understanding how to configure, troubleshoot, and secure CoreDNS is critical. Common exam scenarios include debugging DNS resolution failures, modifying the Corefile, and verifying service records. Mistakes often arise from confusing CoreDNS with other networking components like kube-proxy or CNI plugins.

To succeed, practice using kubectl commands to inspect CoreDNS pods, logs, and configuration, and learn the Corefile syntax. In real-world IT, CoreDNS ensures that applications remain resilient to changes in the underlying infrastructure, making it a cornerstone of cloud-native operations. Remember that CoreDNS is not just a Kubernetes tool but a versatile DNS server with broad applications beyond container orchestration.