How do I troubleshoot DNS failures with Amazon EKS?

Last updated: 2021-09-17

The applications or pods that are using CoreDNS in my Amazon Elastic Kubernetes Service (Amazon EKS) cluster are failing internal or external DNS name resolutions.

Short description

Pods running inside the Amazon EKS cluster use the CoreDNS service's cluster IP as the default name server for querying internal and external DNS records. Applications can fail DNS resolutions if there are issues with the CoreDNS pods, the service configuration, or connectivity.

The CoreDNS pods are abstracted by a service object called kube-dns. To troubleshoot issues with your CoreDNS pods, verify that all the components of the kube-dns service are working. These components include, but are not limited to, service endpoint options and iptables rules.


The following resolution applies to the CoreDNS ClusterIP

1.    To get the ClusterIP of your CoreDNS service, run the following command:

kubectl get service kube-dns -n kube-system

2.    To verify that DNS endpoints are exposed and pointing to CoreDNS pods, run the following command:

kubectl -n kube-system get endpoints kube-dns


NAME       ENDPOINTS                                                        AGE
kube-dns,, + 1 more...   90d

Note: If the endpoint list is empty, then check the pod status of the CoreDNS pods.

3.    Verify that the pods aren't blocked by a security group or network access control list (network ACL) when communicating with CoreDNS.

For more information, see Why won't my pods connect to other pods in Amazon EKS?

Verify that the kube-proxy pod is working

Verify that the kube-proxy pod has access to API servers for your cluster by checking your logs for timeout errors to the control plane. Also, check for 403 unauthorized errors.

To get the kube-proxy logs, run the following command:

kubectl logs -n kube-system --selector 'k8s-app=kube-proxy'

Note: The kube-proxy gets the endpoints from the control plane and creates the iptables rules on every node.

Connect to the application pod to troubleshoot the DNS issue

1.    To run commands inside your application pods, run the following command to access a shell inside the running pod:

$ kubectl exec -it your-pod-name -- sh

You receive an error similar to the following when application pod doesn't have a shell binary available:

OCI runtime exec failed: exec failed: container_linux.go:348: starting container process caused "exec: \"sh\": executable file not found in $PATH": unknown
command terminated with exit code 126

To debug, update the image used in your manifest file to use another image, such as the busybox image (from the Docker website).

2.    To verify that the cluster IP of the kube-dns service is in your pod's /etc/resolv.conf, run the following command in the shell inside of the pod:

cat /etc/resolv.conf

The following example resolv.conf shows a pod that's configured to point at for DNS requests. The IP must match the ClusterIP of your kube-dns service.

search default.svc.cluster.local svc.cluster.local cluster.local ec2.internal
options ndots:5

Note: You can manage your pod's DNS configuration with the dnsPolicy field in the pod specification. If this field isn't populated, then the ClusterFirst DNS policy is used by default.

3.    To verify that your pod can resolve an internal domain using the default ClusterIP, run the following command in the shell inside the pod:

nslookup kubernetes


Name:       kubernetes.default.svc.cluster.local

4.    To verify that your pod can resolve an external domain using the default ClusterIP, run the following command in the shell inside the pod:


You see output similar to the following:

Non-authoritative answer:

5.    To verify that your pod can resolve using the IP address of the CoreDNS pod directly, run the following commands in the shell inside the pod:

nslookup kubernetes COREDNS_POD_IP


Note: Replace the COREDNS_POD_IP with one of the endpoint IPs from the kubectl get endpoints that you used earlier.

Get more detailed logs from coreDNS pods for debugging

1.    To enable the debug log of CoreDNS pods and add the log plugin to the CoreDNS ConfigMap, run the following command:

kubectl -n kube-system edit configmap coredns

2.    In the editor screen that appears in the output, add the log string. For example:

kind: ConfigMap
apiVersion: v1
  Corefile: |
    .:53 {
        log    # Enabling CoreDNS Logging
        kubernetes cluster.local {
          pods insecure

Note: Reloading the configuration CoreDNS takes several minutes. You can restart the pods one by one to apply the changes immediately.

3.    To check if the CoreDNS logs are failing or getting any hits from the application pod, run the following command:

kubectl logs --follow -n kube-system --selector 'k8s-app=kube-dns'

Search and ndots combination

DNS uses nameserver for name resolutions (usually the cluster IP of a kube-dns service). DNS uses search for completing a query name to a fully qualified domain name. The ndots value is the number of dots that must appear in a name to resolve a query before an initial absolute query is made.

For example, you can set the ndots option to the default value 5 in a domain name that's not fully qualified. Then, all external domains that don't fall under the internal domain cluster.local are appended to the search domains before querying.

See the following example with the /etc/resolv.conf setting of the application pod:

search default.svc.cluster.local svc.cluster.local cluster.local ec2.internal
options ndots:5

CoreDNS looks for five dots in the domain being queried. If the pod makes a DNS resolution call for, then your logs look similar to the following:

[INFO] - 36534 "A IN udp 54 false 512" NXDOMAIN qr,aa,rd 147 0.000473434s
[INFO] - 43241 "A IN udp 46 false 512" NXDOMAIN qr,aa,rd 139 0.000066171s
[INFO] - 15588 "A IN udp 42 false 512" NXDOMAIN qr,aa,rd 135 0.000137489s
[INFO] - 14916 "A IN udp 41 false 512" NXDOMAIN qr,rd,ra 41 0.001248388s
[INFO] - 65181 "A IN udp 28 false 512" NOERROR qr,rd,ra 106 0.001711104s

Note: NXDOMAIN means that the domain record wasn't found, and NOERROR means that the domain record was found.

Every search domain is prepended with before making the final call on the absolute domain at the end. The final domain name is appended with a dot ( . ) at the end, which makes it a fully qualified domain name. This means that for every external domain name query there could be four to five additional calls, which can overwhelm the CoreDNS pod.

To resolve this issue, either change ndots to 1 (that looks only for single dot). Or, append a dot ( . ) at the end of the domain that's queried or used. For example:


Be aware of VPC resolver (AmazonProvidedDNS) limits

The Amazon Virtual Private Cloud (Amazon VPC) resolver can accept only a maximum hard limit of 1024 packets per second per network interface. If more than one CoreDNS pod is on the same node, then the chances of hitting this limit are higher for external domain queries.

To use PodAntiAffinity (from the Kubernetes website) rules to schedule CoreDNS pods on separate instances, add the following options to the CoreDNS deployment:

- podAffinityTerm:
- key: k8s-app
operator: In
- kube-dns
weight: 100

Did this article help?

Do you need billing or technical support?