How to Fix CoreDNS Forward Proxy Configuration Error

DodaTech Updated 2026-06-24 2 min read

This tutorial shows how to fix CoreDNS forward plugin configuration errors. It covers key concepts, practical examples, and best practices.

CoreDNS forward plugin returns SERVFAIL or queries time out when forwarding to external DNS servers — the forward targets are unreachable or configured incorrectly.

The Problem

$ dig @localhost google.com
;; status: SERVFAIL

# CoreDNS logs
[ERROR] plugin/forward: Failed to connect to "8.8.8.8:53":
dial tcp 8.8.8.8:53: i/o timeout

Step-by-Step Fix

Step 1: Configure forward plugin correctly

data:
  Corefile: |
    .:53 {
        errors
        health
        kubernetes cluster.local
        forward . 8.8.8.8 1.1.1.1 {
            max_concurrent 1000
            policy random
            health_check 5s
        }
        cache 30
    }

Step 2: Configure conditional forwarding

data:
  Corefile: |
    .:53 {
        kubernetes cluster.local
        forward . 8.8.8.8
    }

    internal.example.com:53 {
        errors
        forward . 192.168.1.10:53 {
            health_check 5s
        }
    }

Step 3: Test upstream connectivity

kubectl run dns-test --image=busybox --rm -it --restart=Never -- \
  nslookup google.com 8.8.8.8

Step 4: Check forward policy

# Available policies (the forward plugin accepts random, round_robin and sequential)
forward . 8.8.8.8 1.1.1.1 {
    policy random          # Random selection (default)
    # policy round_robin   # Rotate through the upstreams in turn
    # policy sequential    # Try first, then second
}

Step 5: Add timeout settings

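forward . 8.8.8.8 {
    expire 30s                 # close cached upstream connections after 30s
    max_fails 3                # mark the upstream down after 3 consecutive failed health checks
    tls_servername dns.google  # only applies to tls:// upstreams; no effect on plain 8.8.8.8
}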

Prevention Tips

  • Use multiple forward targets for redundancy
  • Enable health checks on forward targets
  • Set max_concurrent to avoid resource exhaustion
  • Monitor forward plugin metrics for failure rates
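
As an added example (not from the original tutorial or the CoreDNS project), this Python script lints a Corefile for the forward mistakes covered in Steps 4 and 5 and in the tips above: an unknown policy, a single upstream, and tls_servername without a tls:// upstream. The function names and the sample Corefile are assumptions made for the illustration.

```python
VALID_POLICIES = {"random", "round_robin", "sequential"}  # policies forward accepts

# Constructed Corefile for this example; zones and addresses are sample values.
SAMPLE = """\
.:53 {
    forward . 8.8.8.8 {
        policy first
        tls_servername dns.google
    }
}
internal.example.com:53 {
    forward . 192.168.1.10:53 192.168.1.11:53
}
"""

def check_forward(zone, upstreams, opts):
    """Return (zone, message) findings for one forward stanza."""
    out = []
    policy = (opts.get("policy") or ["random"])[0]
    if policy not in VALID_POLICIES:
        out.append((zone, f"unknown policy '{policy}'"))
    if len(upstreams) < 2:
        out.append((zone, "single upstream, no redundancy"))
    if "tls_servername" in opts and not any(u.startswith("tls://") for u in upstreams):
        out.append((zone, "tls_servername set but no tls:// upstream"))
    return out

def lint_corefile(text):
    """Collect every forward stanza in the Corefile, then check each one."""
    stanzas, zone, opts, depth = [], None, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        tokens = line.rstrip("{").split()
        if line == "}":                          # closes a plugin or server block
            depth, opts = depth - 1, None
        elif not tokens:
            continue
        elif opts is not None:                   # option inside forward { ... }
            opts[tokens[0]] = tokens[1:]
        elif depth == 0 and line.endswith("{"):  # server block header
            zone = " ".join(tokens)
        elif tokens[0] == "forward":             # forward FROM TO... [{]
            stanzas.append((zone, tokens[2:], {}))
            opts = stanzas[-1][2] if line.endswith("{") else None
        depth += line.endswith("{")
    return [f for s in stanzas for f in check_forward(*s)]

if __name__ == "__main__":
    print(*lint_corefile(SAMPLE), sep="\n")
```

On the sample, all three findings are reported against the .:53 block; the internal.example.com block, with two upstreams and the default policy, passes.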

FAQ

Why does CoreDNS forward plugin fail with i/o timeout?

The upstream DNS server is not reachable from the CoreDNS pod. Check network policies, firewall rules, and whether the pod has egress access. Use kubectl exec to test connectivity:

kubectl exec -n kube-system pod/coredns-xxxx -- nslookup google.com 8.8.8.8

If the CoreDNS image does not include nslookup, run the same lookup from a temporary busybox pod as in Step 3.

What is the difference between the forward and proxy plugins in CoreDNS?

The forward plugin is the recommended replacement for the deprecated proxy plugin. forward supports health checking, out-of-order responses, and connection reuse. Always use forward in current CoreDNS deployments.

How do I configure CoreDNS to forward specific domains to different resolvers?

Use multiple server blocks in the Corefile. Each block specifies a domain zone and its forward targets. CoreDNS routes each query to the block with the most specific matching zone, so queries for internal.example.com are handled by that block and all others are handled by the default . block. This enables split DNS configurations.
