diff --git a/docs/vars.md b/docs/vars.md
index 38d66bcd317e0bfda8ebe4eefbaf50fa8012eb88..e158ee8826588de5f901fa12c587f66d7348e2b6 100644
--- a/docs/vars.md
+++ b/docs/vars.md
@@ -61,6 +61,10 @@ following default cluster parameters:
   bits in kube_pods_subnet dictates how many kube-nodes can be in cluster.
 * *skydns_server* - Cluster IP for DNS (default is 10.233.0.3)
 * *skydns_server_secondary* - Secondary Cluster IP for CoreDNS used with coredns_dual deployment (default is 10.233.0.4)
+* *enable_coredns_k8s_external* - If enabled, it configures the [k8s_external plugin](https://coredns.io/plugins/k8s_external/)
+  on the CoreDNS service.
+* *coredns_k8s_external_zone* - Zone that will be used when CoreDNS k8s_external plugin is enabled
+  (default is k8s_external.local)
 * *cloud_provider* - Enable extra Kubelet option if operating inside GCE or
   OpenStack (default is unset)
 * *kube_hostpath_dynamic_provisioner* - Required for use of PetSets type in
diff --git a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
index 92605b32d032eae4afd80c670dadef7159149807..ce66342a7e3e377e3466cbfd208382fa58fc2d20 100644
--- a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
@@ -135,6 +135,9 @@ dns_mode: coredns
 enable_nodelocaldns: true
 nodelocaldns_ip: 169.254.25.10
 nodelocaldns_health_port: 9254
+# Enable k8s_external plugin for CoreDNS
+enable_coredns_k8s_external: false
+coredns_k8s_external_zone: k8s_external.local
 
 # Can be docker_dns, host_resolvconf or none
 resolvconf_mode: docker_dns
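Review bot: The default zone `k8s_external.local` in the added lines sits under `.local`, which RFC 6762 reserves for multicast DNS, so resolvers outside the cluster that treat `.local` as mDNS may never send these queries to CoreDNS. The underscore label may also be rejected by software that enforces hostname syntax. The same default is repeated in the roles/kubespray-defaults/defaults/main.yaml hunk, so both would need changing together, ideally to a zone under a domain the operator controls. The comment should also say what enabling the option publishes, for example `# Enable k8s_external plugin for CoreDNS: serves Service external IPs (LoadBalancer/externalIPs) under the zone below to any client that can query CoreDNS`.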
diff --git a/roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2 b/roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2
index 9a1e628ff06e9abcec9f5696cd8b7a54fe6741d0..ad8be89584fcbc6d41319fee392772485bc63d3f 100644
--- a/roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2
@@ -30,6 +30,9 @@ data:
         forward . /etc/resolv.conf {
           prefer_udp
         }
+{% endif %}
+{% if enable_coredns_k8s_external %}
+        k8s_external {{ coredns_k8s_external_zone }}
 {% endif %}
         cache 30
         loop
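Review bot: The added `{% if enable_coredns_k8s_external %}` tests the raw variable, so a value passed as a string (for example `-e enable_coredns_k8s_external=false`) is a non-empty string and evaluates true, enabling the plugin when the operator asked for it off. `{% if enable_coredns_k8s_external | bool %}` avoids that. The zone is also written into the Corefile unvalidated, so whitespace, a newline or a brace in `coredns_k8s_external_zone` would change the structure of the server block; an assert on the variable before rendering would catch this. The enclosing Corefile block starts and ends outside the hunk, so it cannot be confirmed from here that the `kubernetes` plugin, which k8s_external depends on, is in the same server block.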
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 13cdce8bf800bd502d39e057d6433e3e118873d2..2a5a0202a040cbab75e7e08b441a69b67d2ed544 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -89,6 +89,8 @@ kube_dns_servers:
 
 dns_servers: "{{kube_dns_servers[dns_mode]}}"
 
+enable_coredns_k8s_external: false
+coredns_k8s_external_zone: k8s_external.local
 
 # Kubernetes configuration dirs and system namespace.
 # Those are where all the additional config stuff goes