Scaling DNS on AKS with Cilium: NodeLocal DNSCache, LRP, and FQDN Policies

Simone_Rodigari

Microsoft

Jan 23, 2026

Standard Kubernetes DNS forces every pod to traverse the network fabric to a centralized CoreDNS service, a design that becomes a scaling and latency bottleneck at cluster scale. By default, pods send DNS queries to the kube-dns Service IP, which kube-proxy translates to CoreDNS endpoints via iptables rules. NodeLocal DNSCache removes this network hop by resolving queries locally on each node.h node.

Why Adopt NodeLocal DNSCache? The primary drivers for adoption are usually: Eliminating Conntrack Pressure: In high-QPS UDP DNS scenarios, conntrack contention and UDP tracking can cause interm...

Updated Mar 10, 2026

Version 4.0

ebpf

Simone_Rodigari

Microsoft

Joined January 23, 2025

View Profile

Linux and Open Source Blog

Follow this blog board to get notified when there's new activity

e4567ujhfr5678iokjn

Copper Contributor

Mar 03, 2026

Just to add a comment about my case, in my setup, `dnsPolicy: ClusterFirst` prevents Node LocalDNS from running since it's reporting a loop.
For now I changed to `Default` and it's working.

Simone_Rodigari
Microsoft
Mar 10, 2026
Good catch, this is correct.

The node-local-dns pods should use dnsPolicy: Default. If ClusterFirst is used, the pod resolver may point to the kube-dns service, which in this setup is redirected by the Cilium Local Redirect Policy back to the local NodeLocal DNS instance, potentially causing a loop.

Both the upstream Kubernetes NodeLocal DNS manifest and Cilium guidance recommend dnsPolicy: Default so the cache pod does not resolve via cluster DNS.

I have updated the article accordingly. Thanks for pointing it out!

Blog Post

Scaling DNS on AKS with Cilium: NodeLocal DNSCache, LRP, and FQDN Policies