NetworkPolicy Blocking DNS Traffic
critical
Overly restrictive NetworkPolicies prevent pods from reaching the CoreDNS service, causing 'connection refused' or timeout errors that appear as application-level DNS failures rather than network issues.
Test network connectivity from application pods to CoreDNS service IP (10.96.0.10:53) using nc or telnet. Check for NetworkPolicies in application namespace and kube-system. Monitor for 'connection refused' errors in application logs while CoreDNS pods show no corresponding requests.
Create NetworkPolicy allowing DNS egress to kube-system namespace for all pods. Policy must allow UDP/TCP port 53 to podSelector k8s-app=kube-dns. Verify CoreDNS service endpoints match pod IPs. Test connectivity from affected namespaces after applying policy. Monitor coredns_request_count to confirm traffic is reaching CoreDNS.
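An added example, not taken from the original page, of a restrictive policy that produces this failure next to the DNS egress allowance described above. The namespace my-app and both policy names are hypothetical, and the kubernetes.io/metadata.name label assumes a cluster version that sets it on namespaces automatically.

```yaml
# Cause: a default-deny egress policy selects every pod in the namespace
# and lists no egress rules, so DNS to CoreDNS is dropped with everything else.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress      # hypothetical name
  namespace: my-app              # hypothetical namespace
spec:
  podSelector: {}
  policyTypes:
    - Egress
---
# Fix: NetworkPolicies are additive, so this second policy opens only DNS
# while the default-deny above keeps blocking all other egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress         # hypothetical name
  namespace: my-app
spec:
  podSelector: {}                # applies to all pods in the namespace
  policyTypes:
    - Egress
  egress:
    - to:
        # namespaceSelector and podSelector in the SAME list item are ANDed:
        # only kube-dns pods inside kube-system match. Written as two
        # separate list items they would be ORed and allow port 53 to every
        # pod in kube-system plus every k8s-app=kube-dns pod in my-app.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        # DNS falls back to TCP for large responses, so allow both protocols.
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Confirm the labels before applying: the policy only matches if the CoreDNS pods in kube-system actually carry k8s-app=kube-dns and the namespace carries the label used in namespaceSelector.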