diff --git a/docs/dns-stack.md b/docs/dns-stack.md
index bd9e00d7491a68ff223b34d6fe7b7f56066b54c1..7f30c3641755f5968bcef0809196dc2493a58075 100644
--- a/docs/dns-stack.md
+++ b/docs/dns-stack.md
@@ -137,6 +137,16 @@ The following dns options are added to the docker daemon
 * timeout:2
 * attempts:2
 
+These dns options can be overridden by setting a different list:
+
+```yaml
+docker_dns_options:
+- ndots:{{ ndots }}
+- timeout:2
+- attempts:2
+- rotate
+```
+
 For normal PODs, k8s will ignore these options and setup its own DNS settings for the PODs, taking
 the --cluster_dns (either coredns or coredns_dual, depending on dns_mode) kubelet option into account.
 For ``hostNetwork: true`` PODs however, k8s will let docker setup DNS settings. Docker containers which
diff --git a/roles/container-engine/docker/tasks/set_facts_dns.yml b/roles/container-engine/docker/tasks/set_facts_dns.yml
index b884c7cf060b3a9cf3aa60eae58e88bfe5afd68f..5af3d64d58db59023c069343d16027ba927a3f3d 100644
--- a/roles/container-engine/docker/tasks/set_facts_dns.yml
+++ b/roles/container-engine/docker/tasks/set_facts_dns.yml
@@ -8,17 +8,6 @@
   debug:
     msg: "{{ docker_dns_servers }}"
 
-- name: set base docker dns facts
-  set_fact:
-    docker_dns_search_domains:
-      - 'default.svc.{{ dns_domain }}'
-      - 'svc.{{ dns_domain }}'
-    docker_dns_options:
-      - ndots:{{ ndots }}
-      - timeout:2
-      - attempts:2
-
-
 - name: add upstream dns servers
   set_fact:
     docker_dns_servers: "{{ docker_dns_servers + upstream_dns_servers|default([]) }}"
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 2e41e9d8be6ec85f5e94e7d24723204bb3f899f1..5b7e5cd123c92dd0b97b5803fede9744bae848c2 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -75,6 +75,11 @@ epel_enabled: false
 cluster_name: cluster.local
 # Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods
 ndots: 2
+# Default resolv.conf options
+docker_dns_options:
+- ndots:{{ ndots }}
+- timeout:2
+- attempts:2
 # Can be coredns, coredns_dual, manual, or none
 dns_mode: coredns
 
@@ -94,6 +99,9 @@ deploy_netchecker: false
 skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}"
 skydns_server_secondary: "{{ kube_service_addresses|ipaddr('net')|ipaddr(4)|ipaddr('address') }}"
 dns_domain: "{{ cluster_name }}"
+docker_dns_search_domains:
+- 'default.svc.{{ dns_domain }}'
+- 'svc.{{ dns_domain }}'
 
 kube_dns_servers:
   coredns: ["{{skydns_server}}"]
@@ -367,9 +375,9 @@ external_openstack_lbaas_monitor_timeout: "30s"
 external_openstack_lbaas_monitor_max_retries: "3"
 external_openstack_network_ipv6_disabled: false
 external_openstack_network_internal_networks:
-  - ""
+- ""
 external_openstack_network_public_networks:
-  - ""
+- ""
 
 ## List of authorization modes that must be configured for
 ## the k8s cluster. Only 'AlwaysAllow', 'AlwaysDeny', 'Node' and