KHV030 - Possible DNS Spoof

Issue description

Your Kubernetes DNS setup is vulnerable to spoofing attacks which impersonate your DNS for malicious purposes.
In this case the exploited vulnerability was ARP spoofing, but other methods could be used as well.

Remediation

Consider using DNS over TLS. CoreDNS (the common DNS server for Kubernetes) supports this out of the box, but your client applications might not.

References

• DNS Spoofing on Kubernetes Clusters
• KHV020 - Possible Arp Spoof
• CoreDNS DNS over TLS
• DNS over TLS spec