From 6849c4614dc9b8f53710da16ea9a35f5f1d91150 Mon Sep 17 00:00:00 2001
From: David McCormick
Date: Thu, 20 Dec 2018 14:37:40 +0000
Subject: [PATCH 1/2] Do not leak unqualified dns requests to upstream dns servers
---
builtin/files/userdata/cloud-config-controller | 1 +
1 file changed, 1 insertion(+)
diff --git a/builtin/files/userdata/cloud-config-controller b/builtin/files/userdata/cloud-config-controller
index 2e7e6e438..d68c1ef39 100644
--- a/builtin/files/userdata/cloud-config-controller
+++ b/builtin/files/userdata/cloud-config-controller
@@ -3625,6 +3625,7 @@ write_files: - -k - --min-port=1024 - --cache-size=1000 + - --server=//{{.DNSServiceIP}} - --server=/cluster.local/{{.DNSServiceIP}} - --server=/in-addr.arpa/{{.DNSServiceIP}} - --server=/ip6.arpa/{{.DNSServiceIP}}
From 70123fdedb7272ea68369afa35f4e2b99686f0ca Mon Sep 17 00:00:00 2001
From: David McCormick
Date: Thu, 10 Jan 2019 17:26:42 +0000
Subject: [PATCH 2/2] Add OptionalNodeResolverOptions
---
builtin/files/cluster.yaml.tmpl | 4 ++++
builtin/files/userdata/cloud-config-controller | 5 +++++
pkg/api/types.go | 9 +++++----
3 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/builtin/files/cluster.yaml.tmpl b/builtin/files/cluster.yaml.tmpl
index da129fc19..0b295a286 100644
--- a/builtin/files/cluster.yaml.tmpl
+++ b/builtin/files/cluster.yaml.tmpl
@@ -1319,6 +1319,10 @@ kubeDns:
# When enabled, will enable a DNS-masq DaemonSet to make PODs to resolve DNS names via locally running dnsmasq
# It is disabled by default.
# nodeLocalResolver: false
+ # Extra DnsMasq options to use when running the nodeLocalResolver
+ # nodeLocalResolverOptions:
+ # - --neg-ttl=10
+ # - --no-ping
# When enabled, will deploy kube-dns to K8s controllers instead of workers.
# deployToControllers: false
diff --git a/builtin/files/userdata/cloud-config-controller b/builtin/files/userdata/cloud-config-controller
index d68c1ef39..0cfb502e0 100644
--- a/builtin/files/userdata/cloud-config-controller
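Review bot: The added `--server=//{{.DNSServiceIP}}` reads like a typo of the `/cluster.local/` line below it, and nothing in the args list says that `//` is dnsmasq's empty-domain match for unqualified names (names without a dot), so a later cleanup is likely to delete it; I'd put a comment on the line above it: `# "//" is dnsmasq's match for names without a dot: answer them from kube-dns instead of forwarding upstream`. It also narrows the leak rather than closing it: a partially-qualified name such as `svc.ns` that misses every search suffix is still retried bare by the resolver and goes to the upstream servers, which is worth stating in the commit message. The surrounding dnsmasq args list starts and ends outside the hunk.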
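Review bot: The new `nodeLocalResolverOptions` comment shows harmless examples but never says the entries are passed through as-is, while the companion cloud-config change in this patch appends them unvalidated to the dnsmasq argument list, where a `--server=`, `--no-resolv` or `--conf-file` entry overrides the in-cluster routing the controller configures and `--log-queries` would log every pod lookup. I'd add one line to the comment: `# Entries are appended verbatim to the dnsmasq command line; avoid --server/--no-resolv here, they override the cluster DNS routing.` The `kubeDns:` mapping this sits in starts outside the hunk.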
+++ b/builtin/files/userdata/cloud-config-controller
@@ -3630,6 +3630,11 @@ write_files: - --server=/in-addr.arpa/{{.DNSServiceIP}} - --server=/ip6.arpa/{{.DNSServiceIP}} - --log-facility=-
+ {{- if ne (len .KubeDns.NodeLocalResolverOptions) 0 }}
+ {{- range .KubeDns.NodeLocalResolverOptions }}
+ - {{.}}
+ {{- end }}
+ {{- end }}
ports: - containerPort: 53 name: dns
diff --git a/pkg/api/types.go b/pkg/api/types.go
index 2d9f172a1..c509edd8e 100644
--- a/pkg/api/types.go
+++ b/pkg/api/types.go
@@ -246,10 +246,11 @@ type KubeDnsAutoscaler struct {
}
type KubeDns struct {
- Provider string `yaml:"provider"`
- NodeLocalResolver bool `yaml:"nodeLocalResolver"`
- DeployToControllers bool `yaml:"deployToControllers"`
- Autoscaler KubeDnsAutoscaler `yaml:"autoscaler"`
+ Provider string `yaml:"provider"`
+ NodeLocalResolver bool `yaml:"nodeLocalResolver"`
+ NodeLocalResolverOptions []string `yaml:"nodeLocalResolverOptions"`
+ DeployToControllers bool `yaml:"deployToControllers"`
+ Autoscaler KubeDnsAutoscaler `yaml:"autoscaler"`
}
func (c *KubeDns) MergeIfEmpty(other KubeDns) {
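Review bot: `- {{.}}` writes each option into the rendered manifest unquoted, so an entry containing YAML-significant text (a `: `, a ` #`, or a leading `[`, `{` or `*`) is parsed as structure instead of as the literal argument and alters the container spec silently; rendering it as `- {{ printf "%q" . }}` keeps every entry a single string (Go's quoting is valid YAML for ordinary flag text — worth confirming for non-ASCII values). The `{{- if ne (len .KubeDns.NodeLocalResolverOptions) 0 }}` wrapper is redundant, since `range` over an empty slice emits nothing, and can go. The dnsmasq args list and the `ports:` block both extend outside the hunk.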
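Review bot: `MergeIfEmpty` opens on the hunk's last line and its body is outside it, so I cannot see whether the new `NodeLocalResolverOptions` field is merged alongside the others; if it is not, a KubeDns merged from defaults silently drops the options, and a clause such as `if len(c.NodeLocalResolverOptions) == 0 { c.NodeLocalResolverOptions = other.NodeLocalResolverOptions }` is needed if the other fields are handled that way. The field is also accepted without validation even though every entry ends up on the node-local dnsmasq command line; rejecting `--server`, `--no-resolv` and `--conf-file`-style entries in whatever validation KubeDns already goes through would stop a cluster.yaml from redirecting pod DNS away from kube-dns. A doc comment would help too: `// NodeLocalResolverOptions are extra dnsmasq flags appended verbatim to the node-local resolver's arguments.` The struct itself is fully inside the hunk; only MergeIfEmpty continues past it.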