Curriculum Modulesmodule-04Lesson 03

DNS Architecture, CoreDNS & Service Discovery Fundamentals

Version: 2.0.0

Purpose: Canonical lesson structure for Platform Engineering & AI Infrastructure Curriculum.

Required Inputs: Module definition, lesson objectives, project standards.

Outputs: Standards-compliant lesson markdown.

Lesson Metadata

  • Lesson ID: MOD-NET-03
  • Module: Networking Fundamentals (MOD-NET)
  • Difficulty: Intermediate
  • Estimated Duration: 50 minutes
  • Learning Track: 🟢 Core
  • Version: 2.0.0
  • Last Updated: 2026-06-28

Lesson Overview

This lesson explores the legendary hierarchical naming engine of the internet, decrypting how Linux translates human-readable domain names into machine-routable IP addresses. By mastering DNS record types, the /etc/resolv.conf resolver file, terminal debugging utilities (dig, nslookup), and CoreDNS service discovery mechanics, you will firmly establish the deep diagnostic intuition supporting our module capability: “I can configure network connections, manage DNS, set up a secure web proxy, and analyze network traffic.”

Learning Objectives

  • Define the hierarchical architecture of the Domain Name System (DNS), explaining Root Servers (.), Top-Level Domains (TLDs), and Authoritative Nameservers.
  • Deconstruct essential DNS record types: A, AAAA, CNAME, PTR, NS, and TXT.
  • Explain the exact execution mechanics of the Linux DNS resolver file (/etc/resolv.conf) and the local hosts override file (/etc/hosts).
  • Execute deep DNS query inspection and trace delegation paths using dig.
  • Explain how CoreDNS provides automated Service Discovery within modern Kubernetes cluster environments.

Prerequisites

  • Completion of MOD-NET-01 and MOD-NET-02.
  • Foundational terminal networking inspection skills (ping, ip addr, cat).

Why This Exists

In Lesson 02, we explored how the Linux kernel uses IP addresses (192.168.1.50) and routing tables to navigate physical wires. However, human beings are terrible at memorizing 32-bit dotted-decimal numbers, and completely incapable of memorizing 128-bit IPv6 hexadecimal strings.

If you had to type 142.250.190.46 into your browser every time you wanted to search Google, the internet would never have achieved global adoption.

Furthermore, in modern cloud and Kubernetes environments, IP addresses are highly ephemeral! If you deploy an AI microservice that queries a database container, that database container might be destroyed and recreated ten times a day, receiving a brand-new, completely random IP address every single time. If your AI microservice hardcodes the database’s IP address, it will break within hours.

To solve the twin challenges of human readability and dynamic cloud endpoints, computer scientists invented the Domain Name System (DNS) and Service Discovery. DNS acts as the decentralized master phonebook of the internet. By mastering DNS debugging utilities (dig) and Kubernetes CoreDNS mechanics, Platform Engineers can diagnose complex domain propagation delays, prevent resolver timeouts, and architect robust, self-healing microservice communication meshes.

Core Concepts

1. The DNS Hierarchical Tree

DNS is not a single massive database sitting in one server room. It is a highly secure, decentralized hierarchical tree distributed across the entire globe:

  • Root Nameservers (.): The absolute top of the tree. There are 13 master root server clusters globally (named A through M). They maintain the master index of Top-Level Domains.
  • Top-Level Domain (TLD) Nameservers: Manage specific domain endings (e.g., .com, .org, .io, .ai).
  • Authoritative Nameservers: The ultimate source of truth for a specific domain (e.g., google.com). They hold the actual plain-text table mapping the domain name to its exact IP address!
[ Root Servers (.) ] ──► [ TLD Servers (.com) ] ──► [ Authoritative Servers (google.com) ] ──► [ IP Address ]

2. Master DNS Record Types

When you query a nameserver, you must specify exactly what type of record you are looking for:

  • A Record: Maps a domain name to an IPv4 address (192.168.1.50).
  • AAAA Record: Maps a domain name to an IPv6 address.
  • CNAME (Canonical Name): Maps a domain name to another domain name (an alias). (e.g., www.example.com ──► example.com).
  • PTR (Pointer Record): The inverse of an A record! Maps an IP address back to a hostname (Reverse DNS Lookup).
  • NS (Nameserver Record): Identifies which authoritative nameservers manage the domain.
  • TXT (Text Record): Stores arbitrary text strings. Used heavily by Platform Engineers to verify domain ownership and configure email security SPF/DKIM keys!

3. The Linux Resolver (/etc/resolv.conf and /etc/hosts)

When an application asks the Linux kernel to connect to api.cloud.internal, how does the kernel resolve the name? It follows a strict two-step verification sequence:

  • /etc/hosts (The Local Override): The kernel first checks the plain-text file /etc/hosts. If you manually type 127.0.0.1 api.cloud.internal into this file, the kernel instantly uses that IP address and completely bypasses external DNS servers!
  • /etc/resolv.conf (The Master Resolver): If the name is not in /etc/hosts, the kernel inspects /etc/resolv.conf. This plain-text file contains the nameserver IP addresses (e.g., nameserver 8.8.8.8) to which the kernel will fire its UDP Layer 4 DNS query packets!

4. Inspecting DNS Queries (dig)

When you need to perform deep, rigorous inspection of DNS records and nameserver responses, you use dig (Domain Information Groper).

  • dig example.com: Prints the complete DNS response header, query time, and answer section.
  • dig +trace example.com: Performs an elite Iterative Trace, showing the exact hop-by-hop delegation path from the Root servers (.) to the TLD servers to the Authoritative servers!

5. Kubernetes CoreDNS and Service Discovery

In Kubernetes, every time you create a new microservice (e.g., my-database), Kubernetes automatically registers a DNS record inside an internal cluster DNS server named CoreDNS.

  • Service Discovery: When your AI web app attempts to connect to http://my-database, the container’s /etc/resolv.conf points directly to CoreDNS. CoreDNS instantly returns the dynamic internal ClusterIP of the database! If the database pods are destroyed and recreated with new IPs, CoreDNS automatically updates its internal tables. Your web app never breaks!

Architecture

Real-World Example

Think of DNS resolution as a strict layered process. At Layer 4: Application Request (e.g., The App Trying to find the Database), a request is made to look up a name. If it’s not found locally, it queries Layer 3: Local Resolver (e.g., The Main Phonebook Pointer / Resolver Config). The resolver forwards the request down to Layer 2: Internal DNS (e.g., The Directory Service / Internal Server) which handles all the internal numbers. But if you ask for an outside number, it escalates to Layer 1: External DNS (e.g., The Global Operators / Root & TLD) to find the final authority!

Imagine you are managing a massive server cluster. One morning, developers report that their apps have suddenly stopped communicating with an external cloud payment system.

You log into the failing app and execute curl https://api.stripe.com. The terminal freezes for 10 seconds and aborts with Could not resolve host.

Because you understand how Layer 3: Local Resolver works, you execute a structured investigation. First, you inspect the pointer file. The file points perfectly to Layer 2: Internal DNS.

Second, you manually ask the directory service for the address. The output returns connection timed out; no servers could be reached!

You instantly realize what happened: Layer 2: Internal DNS has crashed or become unreachable! Because the apps cannot reach the operator, they cannot translate names into numbers. You restart the operator, verify reachability, and your payment systems recover instantly!

Hands-on Demonstration

Let’s look at how an engineer inspects the active DNS resolver configuration in /etc/resolv.conf, performs deep DNS query inspection using dig, and executes a reverse DNS lookup.

Input 1: Inspecting Resolver Configuration and Hosts File

We use cat to inspect our master DNS resolver configuration file /etc/resolv.conf, and inspect the local override file /etc/hosts.

Code 1

# Inspect the active Linux DNS resolver configuration file.
cat /etc/resolv.conf
 
# Inspect the local plain-text hosts override file.
cat /etc/hosts

Expected Output 1

nameserver 127.0.0.53
options edns0 trust-ad
search ec2.internal

127.0.0.1 localhost
127.0.1.1 ip-192-168-1-50.ec2.internal

Explanation 1

Look at how beautifully transparent Linux is! /etc/resolv.conf reports nameserver 127.0.0.53, which is the local systemd-resolved DNS stub resolver daemon. search ec2.internal is an elite feature: if you type ping my-server, Linux automatically appends the search domain, querying my-server.ec2.internal! Notice /etc/hosts: 127.0.0.1 localhost guarantees that typing localhost instantly resolves to the loopback IP without touching external DNS!

Input 2: Inspecting DNS Records with dig

We use dig to inspect the A record of an external domain name, viewing the complete response header, flags, and answer section.

Code 2

# Inspect the IPv4 'A' record of the public example domain using dig.
dig example.com +noall +answer +stats

Expected Output 2

example.com.		86400	IN	A	93.184.215.14

;; Query time: 4 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Jun 28 05:55:00 UTC 2026
;; MSG SIZE  rcvd: 56

Explanation 2

Notice how perfectly clean and professional dig output is! Let’s deconstruct the core values:

  • example.com. IN A 93.184.215.14: The answer! It confirms example.com maps to IPv4 address 93.184.215.14. 86400 is the TTL (Time-To-Live) in seconds (24 hours)—this tells our local resolver exactly how long it is allowed to cache this IP address before querying the authoritative server again!
  • Query time: 4 msec: Lightning-fast UDP Layer 4 lookup!
  • SERVER: 127.0.0.53#53: Confirms our query was successfully processed by our local resolver daemon on UDP Port 53!

Hands-on Lab

  • Objective: Inspect resolver files, perform deep DNS query inspections, verify record types, and simulate local hosts overrides.
  • Estimated Time: 15 minutes
  • Difficulty: Intermediate
  • Environment: Interactive Browser Terminal / Local Sandbox

Step-by-step Instructions

  1. Open your terminal sandbox.
  2. Type cat /etc/resolv.conf to identify your active DNS nameserver IP addresses.
  3. Type sudo apt update && sudo apt install -y dnsutils to ensure the dig utility is installed.
  4. Type dig google.com A +short to output only the clean IPv4 addresses of Google.
  5. Type dig google.com MX +noall +answer to inspect Google’s Mail Exchange (MX) DNS records.
  6. Type sudo sh -c "echo '127.0.0.1 fake-ai-service.com' >> /etc/hosts" to simulate a local DNS override.
  7. Type ping -c 2 fake-ai-service.com to verify that your local hosts file successfully intercepted the domain name!

Verification

dig example.com A +short

If your terminal successfully outputs the numeric IPv4 address (93.184.215.14), you have mastered Linux DNS inspection!

Troubleshooting

  • Issue: dig example.com returns ;; connection timed out; no servers could be reached.
  • Solution: Your local virtual machine or container sandbox has a broken outbound internet connection, or your cloud firewall is actively blocking UDP Port 53. Use ping 8.8.8.8 to verify outbound Layer 3 reachability.

Cleanup

# Safely remove the demonstration fake domain entry from your hosts file
sudo sed -i '/fake-ai-service.com/d' /etc/hosts

Production Notes

In enterprise Kubernetes engineering, Platform Engineers rely heavily on the search domain mechanics inside /etc/resolv.conf. When you deploy a Kubernetes pod, Kubelet automatically configures the pod’s resolv.conf with search my-namespace.svc.cluster.local svc.cluster.local cluster.local. This is why a microservice running inside the production namespace can simply connect to http://my-database. The Linux kernel automatically appends the search path, querying my-database.production.svc.cluster.local against CoreDNS!

Common Mistakes

  • Modifying /etc/resolv.conf Manually on Modern Linux: Beginners frequently open /etc/resolv.conf with a text editor and type nameserver 8.8.8.8. On modern Linux distributions (Ubuntu 20.04+, RHEL 8+), this file is automatically managed by a background daemon named systemd-resolved! The moment you reboot the server, systemd-resolved instantly overwrites your manual changes! You must configure DNS permanently using Netplan or NetworkManager!
  • Ignoring TTL During Migrations: Junior engineers frequently execute cloud server migrations by updating a DNS A record to point to a new server IP, completely baffled as to why 50% of customer traffic continues hitting the old server for 24 hours. If your old DNS record had a TTL (Time-To-Live) of 86400 (24 hours), global internet resolvers will cache the old IP address for a full day! Always lower your TTL to 300 (5 minutes) several days before executing a migration!

Failure-Driven Learning

Imagine a junior engineer attempts to connect to an external cloud API, but the connection fails because the system’s DNS resolver configuration file is corrupted or pointing to an invalid nameserver IP.

Simulated Failure

# Simulating a catastrophic DNS failure by pointing resolv.conf to a fake IP
sudo sh -c "echo 'nameserver 203.0.113.50' > /etc/resolv.conf"
 
# Attempt to resolve an external public domain name using curl
curl -I https://www.google.com

Output

curl: (6) Could not resolve host: www.google.com

Diagnosis & Recovery

Why did this fail? The fatal error Could not resolve host occurs because when curl asked the Linux kernel to resolve www.google.com, the kernel inspected /etc/resolv.conf, found nameserver 203.0.113.50, and fired UDP Port 53 DNS query packets to that IP. Because 203.0.113.50 is a dormant, non-existent IP address, the DNS queries timed out, leaving the kernel completely unable to discover Google’s IP address! To recover, the engineer must restore a valid nameserver IP (sudo sh -c "echo 'nameserver 8.8.8.8' > /etc/resolv.conf" or restart systemd-resolved), and domain resolution restores instantly!

Engineering Decisions

Hardcoded IP Endpoints vs. DNS Service Discovery

When architecting an enterprise microservice platform, engineering leaders must choose how applications locate their dependencies.

  • Hardcoded IP Endpoints: Microservices hardcode the exact static IP addresses of their database servers directly into configuration files. Simple and bypasses DNS lookup latency. However, if a server fails or scales horizontally, configuration files must be manually updated and applications restarted across the entire platform. Highly fragile.
  • DNS Service Discovery (CoreDNS / Consul): Microservices connect exclusively to logical domain names (http://payment-db.internal). Automated service discovery daemons continuously monitor container health, dynamically updating internal DNS tables with active IPs!
  • The Platform Decision: Platform Engineers strictly mandate DNS Service Discovery for all modern cloud-native architectures to ensure seamless horizontal scaling and automated failover reliability.

Best Practices

  • Master dig +trace: When debugging highly obscure domain propagation issues, execute dig +trace [domain]. It forces your machine to bypass local caches and query the global DNS tree hop-by-hop from the Root servers down!
  • Leverage /etc/hosts for Local Testing: When testing a brand-new cloud web server before updating public DNS records, manually paste the server’s public IP and domain name into your local workstation’s /etc/hosts file. This allows you to test the live server securely without impacting real customers!

Troubleshooting Guide

Issue 1: “dig returns NXDOMAIN” vs. “SERVFAIL”

  • Cause: You attempt to query a domain name using dig, but the query returns an error status in the header. Beginners view these errors as identical, but to a Platform Engineer, they indicate completely different failures!
  • Diagnosis & Solution:
    • NXDOMAIN (Non-Existent Domain): The DNS query successfully reached the authoritative nameserver for the domain, but the authoritative server proudly checked its internal tables and confirmed: “That specific subdomain name does not exist in my database!” Check for typos in your domain name!
    • SERVFAIL (Server Failure): The DNS query reached an intermediate resolver or authoritative server, but the server encountered a fatal internal software exception, database corruption, or DNSSEC validation failure! The server is physically failing to process the query. Inspect nameserver daemon health!

Summary

  • DNS is a decentralized hierarchical tree distributed across Root (.), TLD (.com), and Authoritative nameservers.
  • Master Record Types include A (IPv4), AAAA (IPv6), CNAME (Alias), PTR (Reverse Lookup), NS (Nameserver), and TXT (Text/Security).
  • /etc/hosts provides local domain overrides; /etc/resolv.conf defines the master nameserver IP addresses for external queries.
  • dig is the ultimate professional CLI utility for inspecting DNS response headers, TTLs, and execution traces.
  • CoreDNS provides automated Service Discovery in Kubernetes, allowing ephemeral microservices to locate each other via stable domain names.

Cheat Sheet

# Inspect the active Linux DNS resolver configuration file
cat /etc/resolv.conf
 
# Inspect the local plain-text hosts override file
cat /etc/hosts
 
# Inspect the IPv4 'A' record of a domain cleanly
dig [domain] +noall +answer
 
# Output only the raw IP address of a domain (Ultra-clean!)
dig [domain] +short
 
# Query a specific external DNS nameserver directly (e.g., Google 8.8.8.8)
dig @8.8.8.8 [domain]
 
# Perform an elite hop-by-hop iterative trace from the Root servers down
dig +trace [domain]
 
# Perform a reverse DNS lookup to find the hostname of an IP address
dig -x 8.8.8.8 +short
 
# Query specific record types (MX, CNAME, TXT, NS)
dig [domain] TXT +short

Knowledge Check

Multiple Choice Questions

  1. You are migrating a production database server to a new cloud virtual machine. You update the database’s DNS A record to point to the new IP address. However, for the next 4 hours, you notice that 50% of your microservices are still querying the old database server IP. What is the root cause of this split traffic?
    • A) The microservices are suffering from File Descriptor exhaustion.
    • B) The old DNS record had a high TTL (Time-To-Live) (e.g., 14400 seconds / 4 hours), causing local resolvers to cache the old IP address.
    • C) CoreDNS has completely run out of memory and triggered the OOM killer.
    • D) Private IP addresses cannot be updated in DNS tables.

Scenario Questions

You are investigating a Kubernetes pod that is throwing errors stating curl: (6) Could not resolve host: api.github.com. You want to verify exactly which DNS nameserver IP the pod is attempting to query. Based on what you learned in this lesson, what plain-text configuration file do you inspect inside the container, and what command would you run to test the nameserver?

Short Answer Questions

Explain the exact architectural difference between an A record and a CNAME record in DNS table management.

View Answers

Multiple Choice

  1. B - High TTLs cause downstream DNS resolvers and local caches to hold onto the old record until the TTL expires, leading to split traffic during migration.

Scenario

You would inspect /etc/resolv.conf to find the configured nameserver IP. To test the nameserver directly, you would run a command like dig @<nameserver_ip> api.github.com or nslookup api.github.com <nameserver_ip>.

Short Answer

An A record maps a domain name directly to an IPv4 address. A CNAME (Canonical Name) record maps a domain name (alias) to another domain name, forcing the resolver to do another lookup to find the ultimate IP address.

Interview Preparation

Beginner Questions

  • What is the Domain Name System (DNS)?
  • What is the purpose of the /etc/hosts file?
  • What does the dig command do?

Intermediate Questions

  • Explain the difference between an Authoritative nameserver and a Recursive resolver.
  • What is TTL (Time-To-Live) in DNS, and why is it critical during system migrations?

Advanced Questions

  • Explain how the Linux kernel handles DNS query packet serialization over UDP Port 53 versus TCP Port 53, and describe the specific conditions (e.g., response size > 512 bytes / EDNS0) that force a DNS resolver to fall back from UDP to TCP.

Scenario-Based Discussions

  • Discuss the operational trade-offs of implementing a centralized enterprise DNS architecture using internal bind servers versus deploying decentralized, cloud-native service discovery engines (e.g., Kubernetes CoreDNS / HashiCorp Consul) in a hybrid cloud environment.
View Answers

Beginner

  • DNS: The decentralized hierarchical naming system that translates human-readable domain names (like google.com) into machine-routable IP addresses.
  • /etc/hosts: A local plain-text override file that the kernel checks before making external DNS queries. It is highly useful for local testing and internal overrides.
  • dig command: A CLI utility for deep DNS query inspection, allowing engineers to view response headers, TTLs, and execute hop-by-hop delegation traces.

Intermediate

  • Authoritative nameserver vs Recursive resolver: An Authoritative nameserver holds the actual source-of-truth DNS records for a domain. A Recursive resolver (like 8.8.8.8) simply searches the DNS tree and asks the authoritative servers on your behalf, caching the result.
  • TTL (Time-To-Live): Specifies exactly how long downstream resolvers or local caches are allowed to hold onto a DNS record before re-querying. High TTLs during migrations cause old IP addresses to linger in global caches, resulting in split traffic.

Advanced

  • UDP vs TCP Port 53 fallback: DNS primarily uses lightning-fast UDP on Port 53. However, if a DNS response exceeds the legacy 512-byte limit of a UDP datagram (common with large TXT records or DNSSEC), the server sets the Truncated (TC) flag. The client resolver must then instantly reconnect over TCP Port 53 to securely receive the full payload. Modern EDNS0 extensions increase this UDP payload limit to 4096 bytes to reduce TCP fallback.

Scenario-Based Discussions

  • Centralized bind vs CoreDNS/Consul: Centralized internal BIND servers offer strict, single-pane-of-glass governance for enterprise domains but suffer from manual configuration bottlenecks and slow replication. Decentralized cloud-native engines (CoreDNS/Consul) provide dynamic, automated service discovery designed for ephemeral containers, automatically updating DNS records as pods scale or crash, at the cost of managing distributed state and split-brain resolution architectures across hybrid clouds.

Further Reading

  1. How DNS Works (Cloudflare Learning Center)
  2. Mastering the dig Command (Linux Handbook)
  3. Kubernetes DNS and CoreDNS Architecture (Official K8s Documentation)
  4. Understanding Linux /etc/resolv.conf and systemd-resolved
  5. Anatomy of the Domain Name System (Deep Technical Dive)
Lesson 02Lesson 04