Allow DNS Network Policy
A NetworkPolicy that permits DNS resolution to CoreDNS in kube-system, required when using default-deny policies.
Overview
This template creates a NetworkPolicy allowing DNS egress to CoreDNS in the kube-system namespace. When you apply a default-deny policy, all DNS lookups fail because pods cannot reach the DNS service. This companion policy restores DNS resolution while maintaining zero-trust for all other traffic.
Security threat addressed: A default-deny policy without DNS access breaks all service discovery, making the application non-functional. This policy restores only the minimum required network access.
When to use: Apply this immediately after deploying a default-deny egress NetworkPolicy. Every namespace with deny-all egress needs this DNS allow rule.
Threat Model
- Minimal egress surface: Rather than allowing all egress just for DNS, this policy restricts DNS traffic to only the kube-system namespace on port 53 (UDP and TCP).
- DNS-only access: Pods cannot reach any other service — they can only resolve names. Actual connections still require additional allow rules.
- Defense-in-depth complement: Works in conjunction with default-deny to implement a whitelist-only egress model.
MITRE ATT&CK:
- T1046 — Network Service Scanning: DNS resolution alone does not enable service scanning; actual connections are still blocked by the deny policy.
- T1048 — Exfiltration Over Alternative Protocol: DNS tunneling is a risk; this policy restricts DNS to the internal CoreDNS only, not arbitrary external resolvers.
Real-world scenario: You deploy a default-deny policy and your application starts failing health checks because it cannot resolve the database hostname. Adding this DNS allow rule restores service discovery while keeping all other egress blocked.
YAML Source
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: default
  labels:
    app.kubernetes.io/name: k8s-security
    app.kubernetes.io/part-of: k8s-security-pro
    app.kubernetes.io/managed-by: k8s-security-pro
spec:
  podSelector: {} # Applies to ALL pods in this namespace
  policyTypes:
    - Egress
  egress:
    # ALLOW DNS LOOKUPS
    # When you apply a "Default Deny" policy, DNS lookups fail.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
    # ... truncated -- get full template at k8s-security.pro/pricing
Get the complete template with TCP DNS, custom DNS configurations, and NodeLocal DNSCache support in the Starter tier.
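A defender-side check for the policy set described in the Threat Model and YAML sections above, added here as an example (it is not code from the k8s-security-pro template): a small Python linter that takes the NetworkPolicy objects of one namespace (the `items` array of `kubectl get networkpolicy -n <namespace> -o json`), reports whether egress is restricted at all, which protocols may reach kube-system on port 53, and flags the common mistake of writing a `ports` entry with no `to`, which opens port 53 to any destination rather than to CoreDNS only. The sample policies embedded at the bottom are constructed for the example, and the function names are the example's own.

```python
"""Lint one namespace's NetworkPolicies for DNS egress coverage.

Added example, not part of the k8s-security-pro template. Input is the list
of NetworkPolicy objects from `kubectl get networkpolicy -n <ns> -o json`
(the `items` array); the sample policies at the bottom are constructed.
"""

DNS_PORT = 53
NS_NAME_LABEL = "kubernetes.io/metadata.name"  # set automatically on every namespace


def _restricts_egress(policy):
    """True if the policy applies to egress: Egress listed in policyTypes, or,
    when policyTypes is absent, an `egress` key present (the API default)."""
    spec = policy.get("spec", {})
    types = spec.get("policyTypes")
    return "egress" in spec if types is None else "Egress" in types


def _dns_protocols(rule):
    """Protocols for which this egress rule opens port 53. No `ports` list means
    every port and protocol; an entry without `port` means every port of that
    protocol; `protocol` defaults to TCP."""
    ports = rule.get("ports")
    if not ports:
        return {"TCP", "UDP"}
    protocols = set()
    for entry in ports:
        if entry.get("port") in (None, DNS_PORT):
            protocols.add(entry.get("protocol", "TCP"))
    return protocols


def _scoped_to_kube_system(rule):
    """True only if every peer in `to` selects the kube-system namespace.
    A rule with no `to` matches ANY destination (external resolvers included).
    ipBlock, podSelector-only and matchExpressions peers count as not scoped."""
    peers = rule.get("to")
    if not peers:
        return False
    for peer in peers:
        selector = peer.get("namespaceSelector")
        if "ipBlock" in peer or selector is None:
            return False
        if selector.get("matchLabels", {}).get(NS_NAME_LABEL) != "kube-system":
            return False
    return True


def dns_egress_status(policies):
    """Return egress_restricted, dns_protocols (allowed to kube-system on 53),
    broad_dns_policies (open 53 beyond kube-system) and a findings list."""
    restricted, scoped, broad = False, set(), []
    for policy in policies:
        restricted = restricted or _restricts_egress(policy)
        for rule in policy.get("spec", {}).get("egress") or []:
            protocols = _dns_protocols(rule)
            if not protocols:
                continue
            if _scoped_to_kube_system(rule):
                scoped |= protocols
            else:
                broad.append(policy["metadata"]["name"])
    findings = []
    if restricted:  # with no egress policy DNS is not blocked, so nothing to report
        findings += [f"no egress rule allows {p}/53 to kube-system"
                     for p in ("UDP", "TCP") if p not in scoped]
    findings += [f"policy {n!r} opens port 53 to destinations outside kube-system"
                 for n in broad]
    return {"egress_restricted": restricted, "dns_protocols": sorted(scoped),
            "broad_dns_policies": broad, "findings": findings}


# Constructed samples: default-deny egress plus the UDP-only rule shown on this page.
DEFAULT_DENY_EGRESS = {"metadata": {"name": "default-deny-egress"},
                       "spec": {"podSelector": {}, "policyTypes": ["Egress"]}}
KUBE_SYSTEM_PEER = {"namespaceSelector": {"matchLabels": {NS_NAME_LABEL: "kube-system"}}}
ALLOW_DNS_UDP_ONLY = {
    "metadata": {"name": "allow-dns"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"],
             "egress": [{"to": [KUBE_SYSTEM_PEER],
                         "ports": [{"protocol": "UDP", "port": 53}]}]}}
# Constructed anti-pattern: `ports` without `to`, so port 53 is open to any resolver.
ALLOW_DNS_ANYWHERE = {
    "metadata": {"name": "allow-dns-anywhere"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"],
             "egress": [{"ports": [{"protocol": "UDP", "port": 53},
                                   {"protocol": "TCP", "port": 53}]}]}}

if __name__ == "__main__":
    for label, items in (("udp-only", [DEFAULT_DENY_EGRESS, ALLOW_DNS_UDP_ONLY]),
                         ("broad", [DEFAULT_DENY_EGRESS, ALLOW_DNS_ANYWHERE])):
        print(label, dns_egress_status(items))
```

Run against a live namespace by passing `json.load(...)["items"]` from the kubectl command above. On the UDP-only policy shown on this page the linter reports that TCP/53 is missing, which matters because responses larger than the UDP limit (DNSSEC, large SRV answers) fall back to TCP. Two caveats worth knowing: a peer scoped only by `namespaceSelector` reaches every pod in kube-system, not just CoreDNS, and adding `podSelector: {matchLabels: {k8s-app: kube-dns}}` to the same peer narrows it; and CoreDNS still forwards lookups for external names to its upstream, so this policy stops pods from contacting outside resolvers directly but does not by itself stop DNS-based exfiltration, which is why CoreDNS query logging (the `log` plugin) is the place to watch for it.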
Installation
kubectl:
kubectl apply -f 08_allow_dns_netpol.yaml
Helm:
helm install k8s-security ./charts/k8s-security -f values-prod.yaml
Kustomize:
kubectl apply -k kustomize/overlays/prod
Verification
# Verify the policy exists
kubectl get networkpolicy allow-dns -n <namespace>
# Test DNS resolution works
kubectl exec -n <namespace> <pod-name> -- nslookup kubernetes.default.svc.cluster.local
# Test that non-DNS egress is still blocked
kubectl exec -n <namespace> <pod-name> -- wget -q -O- --timeout=2 http://google.com 2>&1
# Expected: timeout (blocked by default-deny)
CIS Benchmark References
- 5.3.2 — Ensure that all Namespaces have NetworkPolicies defined. This policy contributes to a complete network policy set.
- 5.3.1 — Ensure CNI supports NetworkPolicy and encryption. DNS policies require a compatible CNI.
MITRE ATT&CK References
- T1046 — Network Service Scanning: Allowing only DNS prevents full network scanning while maintaining name resolution.
- T1048 — Exfiltration Over Alternative Protocol: Restricting DNS to kube-system CoreDNS prevents DNS tunneling to external resolvers.
Further Reading
- Kubernetes Network Policies: The Complete Guide to Zero Trust Networking — Understand why DNS policies are essential alongside default deny and how to build a complete network policy set.
Get Full Access to This Template
This template is included in the Starter tier and above.
View Pricing Plans