diff --git a/README.md b/README.md
index ef42eca5dcfd13212e3244988912c0d13caa1ffc..db3799fba03997b195485d9ded899f3d901dca37 100644
--- a/README.md
+++ b/README.md
@@ -133,7 +133,7 @@ Note: Upstart/SysV init based OS types are not supported.
   - [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
   - [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
   - [cert-manager](https://github.com/jetstack/cert-manager) v0.11.1
-  - [coredns](https://github.com/coredns/coredns) v1.6.9
+  - [coredns](https://github.com/coredns/coredns) v1.6.5
   - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.30.0
 
 Note: The list of validated [docker versions](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.16.md) was updated to 1.13.1, 17.03, 17.06, 17.09, 18.06, 18.09. kubeadm now properly recognizes Docker 18.09.0 and newer, but still treats 18.06 as the default supported version. The kubelet might break on docker's non-standard version numbering (it no longer uses semantic versioning). To ensure auto-updates don't break your cluster look into e.g. yum versionlock plugin or apt pin).
diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index 1bbd1850e10da9dadef3a71b3c7d20b26468816e..09dead34777081b308071cf0fdd09ddf3b9f4629 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -511,7 +511,9 @@ nginx_image_tag: 1.17
 haproxy_image_repo: "{{ docker_image_repo }}/library/haproxy"
 haproxy_image_tag: 1.9
 
-coredns_version: "1.6.9"
+# Coredns version should be supported by corefile-migration (or at least work with)
+# bundle with kubeadm; if not 'basic' upgrade can sometimes fail
+coredns_version: "1.6.5"
 coredns_image_repo: "{{ docker_image_repo }}/coredns/coredns"
 coredns_image_tag: "{{ coredns_version }}"
 
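Review bot: The new comment above `coredns_version` does not say which kubeadm / corefile-migration release sets the ceiling, so a later reader cannot tell when the pin may move forward again. The default also moves back from 1.6.9 to 1.6.5, which gives up whatever fixes shipped in the intervening CoreDNS releases; it is worth confirming from their release notes that none are security-relevant for this deployment. I would reword the comment to `# CoreDNS must be a version supported by the corefile-migration library bundled with kubeadm;` followed by `# otherwise a 'basic' upgrade can fail. Re-check this pin on every Kubernetes version bump.`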
diff --git a/roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2 b/roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2
index d8f42865d314f3287a57e4714b0cc597950e579a..4a42327ce2f1922710e2065b57b1985d359dbcd3 100644
--- a/roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2
@@ -22,17 +22,14 @@ data:
 {% endif %}
     .:53 {
         errors
-        health
+        health {
+            lameduck 5s
+        }
         ready
         kubernetes {{ dns_domain }} in-addr.arpa ip6.arpa {
           pods insecure
 {% if enable_coredns_k8s_endpoint_pod_names %}
           endpoint_pod_names
-{% endif %}
-{% if resolvconf_mode == 'host_resolvconf' and upstream_dns_servers is defined and upstream_dns_servers|length > 0 %}
-          upstream {{ upstream_dns_servers|join(' ') }}
-{% else %}
-          upstream /etc/resolv.conf
 {% endif %}
           fallthrough in-addr.arpa ip6.arpa
         }
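Review bot: With the `upstream` branch removed from the `kubernetes` stanza, `upstream_dns_servers` under `resolvconf_mode == 'host_resolvconf'` no longer has any effect in this part of the Corefile, and the hunk does not show whether the forwarding configuration later in `.:53` still applies it. If it does not, external CNAME targets would silently stop going to the operator-chosen resolvers, which matters where those resolvers enforce filtering or query logging. Please confirm this against the rest of the template and, if it holds, record it with a Jinja comment such as `{# kubernetes 'upstream' option dropped; upstream_dns_servers is honoured only by the forwarder below #}`. Separately, `lameduck 5s` is hard-coded, so the pod's termination grace period (not in this diff) should be checked to exceed it. The `.:53 { … }` block starts and ends outside this hunk.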