DNS Spoofing Attacks inside a Cluster

How can I protect myself against DNS spoofing attacks in a Kubernetes cluster?
For example, a customer creates a project on a node with a namespace called “com” and a service called “google”.

As far as I have tested this, every DNS request within the cluster to google.com should go to the namespace mentioned above. That would be fatal.
Is there a central place where I can specify that the internal DNS (CoreDNS) is only used for internal DNS queries? The external DNS lookups should always be forwarded to the upstream DNS server.

Is there a policy or a config for this that can be used to get the problem under control?

This is an unfortunate side-effect of aggressive use of search paths. There are 3 main options I see

  1. Don’t create a “com” namespace or allow your users to do so.
  2. Disable search paths via DNSPolicy = “None” + DNSConfig
  3. Always use fully qualified names, including a trailing period, which bypasses any search expansion
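To make the search-path problem concrete, here is an added example (not from the thread or from Kubernetes itself) that simulates how a glibc-style resolver expands a name using the resolv.conf a pod normally gets, and shows which candidate a Service `google` in Namespace `com` answers. The resolv.conf contents, the nameserver IP and the service list are constructed sample values; the search list and `ndots:5` are the usual kubelet defaults for the `cluster.local` cluster domain.

```python
# Constructed sample: the resolv.conf kubelet writes for a pod in the
# "default" namespace with cluster domain cluster.local (nameserver is made up).
RESOLV_CONF = """\
nameserver 10.96.0.10
search default.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
"""

def parse_resolv_conf(text):
    """Extract the search list and ndots value from resolv.conf text."""
    search, ndots = [], 1
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "search":
            search = parts[1:]
        elif parts[0] == "options":
            for opt in parts[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots

def candidate_names(name, search, ndots):
    """Return the FQDNs a glibc resolver tries, in order, for `name`."""
    if name.endswith("."):
        return [name]                      # absolute name: no search expansion
    expanded = [f"{name}.{domain}." for domain in search]
    absolute = [name + "."]
    # Fewer dots than ndots: try the search list first, then the literal name.
    if name.count(".") < ndots:
        return expanded + absolute
    return absolute + expanded

def service_fqdn(service, namespace, cluster_domain="cluster.local"):
    """Name CoreDNS serves for a ClusterIP Service (kube-dns schema)."""
    return f"{service}.{namespace}.svc.{cluster_domain}."

def first_internal_match(name, search, ndots, services):
    """Return the (service, namespace) that answers `name` first, or None."""
    internal = {service_fqdn(s, ns): (s, ns) for s, ns in services}
    for cand in candidate_names(name, search, ndots):
        if cand in internal:
            return internal[cand]
    return None

SERVICES = [("google", "com")]   # the Service/Namespace pair from the question

if __name__ == "__main__":
    search, ndots = parse_resolv_conf(RESOLV_CONF)
    for q in ("google.com", "google.com."):
        print(q, "->", candidate_names(q, search, ndots))
        print("   captured by:", first_internal_match(q, search, ndots, SERVICES))
    # Option 2 from the answer (dnsPolicy None, no search list): only the literal name.
    print("no search list ->", candidate_names("google.com", [], ndots))
```

Running it shows `google.com` expanding to `google.com.svc.cluster.local.` on the second try, which is exactly the internal Service, while `google.com.` and an empty search list go straight to the real domain.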