Troubleshoot the K8SAPIServerDNSLookupFailVMExtensionError error code (52)
This article discusses how to identify and resolve the K8SAPIServerDNSLookupFailVMExtensionError error (also known as error code ERR_K8S_API_SERVER_DNS_LOOKUP_FAIL, error number 52) that occurs when you try to start or create and deploy a Microsoft Azure Kubernetes Service (AKS) cluster.
Prerequisites
The nslookup DNS lookup tool for Windows nodes or the dig tool for Linux nodes.
Azure CLI, version 2.0.59 or a later version. If Azure CLI is already installed, you can find the version number by running
az --version.
Symptoms
When you try to start or create an AKS cluster, you receive the following error message:
Agents are unable to resolve Kubernetes API server name. It's likely custom DNS server is not correctly configured, please see https://aka.ms/aks/private-cluster#hub-and-spoke-with-custom-dns for more information.
Details: Code="VMExtensionProvisioningError"
Message="VM has reported a failure when processing extension 'vmssCSE'.
Error message: "Enable failed: failed to execute command: command terminated with exit status=52\n[stdout]\n{
"ExitCode": "52",
"Output": "Fri Oct 15 10:06:00 UTC 2021,aks- nodepool1-36696444-vmss000000\nConnection to mcr.microsoft.com 443 port [tcp/https]
Cause
The cluster nodes can't resolve the cluster's fully qualified domain name (FQDN) in Azure DNS. Run the following DNS lookup command on the failed cluster node to find DNS resolutions that are valid.
| Node OS | Command |
|---|---|
| Linux | dig <cluster-fqdn> |
| Windows | nslookup <cluster-fqdn> |
Solution
On your DNS servers and firewall, make sure that nothing blocks the resolution to your cluster's FQDN. Your custom DNS server might be incorrectly configured if something is blocking even after you run the nslookup or dig command and apply any necessary fixes. For help to configure your custom DNS server, review the following articles:
- Create a private AKS cluster
- Private Azure Kubernetes service with custom DNS server
- What is IP address 168.63.129.16?
When you use a private cluster that has a custom DNS, a DNS zone is created. The DNS zone must be linked to the virtual network. This occurs after the cluster is created. Creating a private cluster that has a custom DNS fails during creation. However, you can restore the creation process to a "success" state by reconciling the cluster. To do this, run the az resource update command in Azure CLI, as follows:
az resource update --resource-group <resource-group-name> \
--name <cluster-name> \
--namespace Microsoft.ContainerService \
--resource-type ManagedClusters
Also verify that your DNS server is configured correctly for your private cluster, as described earlier.
Note
Conditional Forwarding doesn't support subdomains.
More information
Contact us for help
If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for