πŸ“šBook Signing at KubeCon EU 2026Meet us at Booking.com HQ (Mon 18:30-21:00) & vCluster booth #521 (Tue 24 Mar, 12:30-1:30pm) β€” free book giveaway!RSVP Booking.com Event
KubernetesRecipes
Networking intermediate ⏱ 10 minutes K8s 1.21+

Kubernetes DNS Policy ClusterFirstWithHostNet

Configure Kubernetes DNS policies: ClusterFirst, ClusterFirstWithHostNet, Default, and None. Fix DNS resolution for hostNetwork pods and custom nameservers.

By Luca Berton β€’ β€’ πŸ“– 5 min read

πŸ’‘ Quick Answer: Use dnsPolicy: ClusterFirstWithHostNet when your pod uses hostNetwork: true but still needs to resolve cluster services (e.g., myservice.namespace.svc.cluster.local). Without it, hostNetwork pods use the node’s /etc/resolv.conf and can’t find cluster DNS.

The Problem

When a pod uses hostNetwork: true:

  • It gets the node’s /etc/resolv.conf instead of the cluster DNS
  • Service names like postgres.default.svc.cluster.local fail to resolve
  • The pod can reach external DNS but not internal Kubernetes services

This breaks DaemonSets (monitoring agents, log collectors) that need both host networking and cluster service access.

The Solution

DNS Policy Options

apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  # Choose one:
  dnsPolicy: ClusterFirst              # Default β€” uses cluster DNS (CoreDNS)
  dnsPolicy: ClusterFirstWithHostNet   # For hostNetwork pods needing cluster DNS
  dnsPolicy: Default                   # Uses node's /etc/resolv.conf
  dnsPolicy: None                      # Custom β€” must provide dnsConfig

ClusterFirstWithHostNet (The Fix)

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: monitoring-agent
spec:
  template:
    spec:
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet  # ← This is the fix
      containers:
        - name: agent
          image: monitoring-agent:1.0.0
          # Can now resolve both:
          # - external: google.com βœ“
          # - cluster: prometheus.monitoring.svc.cluster.local βœ“

How Each Policy Resolves DNS

graph TD
    A[Pod DNS Query] --> B{dnsPolicy}
    
    B -->|ClusterFirst| C[CoreDNS 10.43.0.10]
    C --> D{Cluster domain?}
    D -->|Yes .svc.cluster.local| E[Resolve internally]
    D -->|No| F[Forward to upstream]
    
    B -->|ClusterFirstWithHostNet| G[CoreDNS 10.43.0.10]
    G --> D
    
    B -->|Default| H[Node /etc/resolv.conf]
    H --> I[Node's configured DNS]
    
    B -->|None| J[Pod dnsConfig only]
    J --> K[Custom nameservers]

Check Current DNS Configuration

# See what resolv.conf the pod actually uses
kubectl exec myapp-pod -- cat /etc/resolv.conf

# For ClusterFirst:
# nameserver 10.43.0.10
# search default.svc.cluster.local svc.cluster.local cluster.local
# options ndots:5

# For Default (hostNetwork without fix):
# nameserver 8.8.8.8
# search hetzner.cloud
# (no cluster.local β€” can't resolve services!)

Custom DNS with dnsPolicy: None

apiVersion: v1
kind: Pod
metadata:
  name: custom-dns
spec:
  dnsPolicy: None
  dnsConfig:
    nameservers:
      - 10.43.0.10      # Cluster DNS
      - 1.1.1.1         # Cloudflare fallback
    searches:
      - default.svc.cluster.local
      - svc.cluster.local
      - cluster.local
      - example.com      # Custom search domain
    options:
      - name: ndots
        value: "3"       # Reduce DNS queries (default 5 is often too high)
      - name: timeout
        value: "2"
      - name: attempts
        value: "3"

ndots Optimization

# Default ndots:5 means any name with < 5 dots gets search domains appended
# "postgres" β†’ tries postgres.default.svc.cluster.local, postgres.svc.cluster.local, etc.
# Reducing ndots:2 means FQDNs (external.api.com) resolve faster

spec:
  dnsConfig:
    options:
      - name: ndots
        value: "2"

Common Issues

IssueCauseFix
hostNetwork pod can’t resolve servicesUsing dnsPolicy: Default implicitlySet dnsPolicy: ClusterFirstWithHostNet
Slow DNS resolutionndots:5 causes extra lookupsLower to ndots:2 or use FQDN with trailing dot
DNS timeoutCoreDNS pod not runningCheck kubectl get pods -n kube-system -l k8s-app=kube-dns
Wrong search domainIncorrect namespace in resolv.confVerify pod namespace matches expected searches
External DNS failsCoreDNS upstream not configuredCheck CoreDNS Corefile upstream block

Best Practices

  1. Always set ClusterFirstWithHostNet for hostNetwork pods β€” don’t rely on default
  2. Lower ndots to 2-3 for external-heavy workloads β€” reduces DNS query volume by 3-4Γ—
  3. Use FQDN with trailing dot for external names β€” api.example.com. skips search domains
  4. Monitor CoreDNS metrics β€” coredns_dns_requests_total and coredns_dns_responses_total
  5. Use dnsPolicy: None sparingly β€” only for split-horizon or multi-cluster DNS

Key Takeaways

  • ClusterFirst is the default β€” resolves cluster services via CoreDNS
  • ClusterFirstWithHostNet = ClusterFirst for hostNetwork: true pods (must be explicit)
  • Default uses node DNS β€” no cluster service resolution
  • None + dnsConfig gives full control β€” useful for custom DNS architectures
  • ndots:5 is the default and causes 4 extra DNS queries per external lookup β€” optimize for latency-sensitive apps
#dns #dnspolicy #hostnetwork #resolv-conf #coredns #networking
Luca Berton
Written by Luca Berton

Principal Solutions Architect specializing in Kubernetes, AI/GPU infrastructure, and cloud-native platforms. Author of Kubernetes Recipes and creator of CopyPasteLearn courses.

🌐 πŸ’Ό πŸ’»

πŸŽ“ Deepen Your Skills β€” Hands-on Courses

πŸ—οΈ
Terraform for Beginners

Provision the infrastructure behind your Kubernetes clusters with Terraform.

Start Learning β†’

Courses by CopyPasteLearn.com β€” Learn IT by Doing

Kubernetes Recipes book cover

Want More Kubernetes Recipes?

This recipe is from Kubernetes Recipes, our 750-page practical guide with hundreds of production-ready patterns.

Get the Book β†’ ← More Networking Recipes
← Back to All Recipes
Luca Berton Ansible Pilot Ansible by Example Open Empower K8s Recipes Terraform Pilot CopyPasteLearn ProteinLens