diff --git a/docs/dns-stack.md b/docs/dns-stack.md
index 808b8aae46e9b0eb2171d556e534fc2bbb0648f3..09609f602a8a63b19add8f039e22076873a0c592 100644
--- a/docs/dns-stack.md
+++ b/docs/dns-stack.md
@@ -51,6 +51,13 @@ aforementioned vars:
 * Resolvconf's head/base files are disabled from populating anything into the
   `/etc/resolv.conf`.
 
+It is important to note that multiple search domains combined with high ``ndots``
+values lead to poor performance of DNS stack, so please choose it wisely.
+The dnsmasq DaemonSet can accept lower ``ndots`` values and return NXDOMAIN
+replies for [bogus internal FQDNS](https://github.com/kubernetes/kubernetes/issues/19634#issuecomment-253948954)
+before it even hits the kubedns app. This enables dnsmasq to serve as a
+protective, but still recursive resolver in front of kubedns.
+
 DNS configuration details
 -------------------------
 
@@ -106,8 +113,7 @@ Limitations
   [no way to specify a custom value](https://github.com/kubernetes/kubernetes/issues/33554)
   for the SkyDNS ``ndots`` param via an
   [option for KubeDNS](https://github.com/kubernetes/kubernetes/blob/master/cmd/kube-dns/app/options/options.go)
-  add-on, while SkyDNS supports it though. Thus, DNS SRV records may not work
-  as expected as they require the ``ndots:7``.
+  add-on, while SkyDNS supports it though.
 
 * the ``searchdomains`` have a limitation of a 6 names and 256 chars
   length. Due to default ``svc, default.svc`` subdomains, the actual
diff --git a/roles/dnsmasq/templates/01-kube-dns.conf.j2 b/roles/dnsmasq/templates/01-kube-dns.conf.j2
index 562b4bbcc485e17bb8c78105a1d72f71f6db00c8..9f25d96e7b7f115c5883038b27a0ea492bd18631 100644
--- a/roles/dnsmasq/templates/01-kube-dns.conf.j2
+++ b/roles/dnsmasq/templates/01-kube-dns.conf.j2
@@ -7,6 +7,8 @@ addn-hosts=/etc/hosts
 strict-order
 # Forward k8s domain to kube-dns
 server=/{{ dns_domain }}/{{ skydns_server }}
+# Reply NXDOMAIN to bogus domains requests like com.cluster.local.cluster.local
+local=/{{ bogus_domains }}
 
 #Set upstream dns servers
 {% if upstream_dns_servers is defined %}
@@ -17,7 +19,7 @@ server={{ srv }}
 server={{ default_resolver }}
 {% endif %}
 
-{% if kube_log_level == 4 %}
+{% if kube_log_level == '4' %}
 log-queries
 {% endif %}
 bogus-priv
diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-rc.yml b/roles/kubernetes-apps/ansible/templates/kubedns-rc.yml
index a7392cc87f76550a1a94870b3a08e6138d2472f7..13607c70579bdbcc032265e0950d9b5b36d4d164 100644
--- a/roles/kubernetes-apps/ansible/templates/kubedns-rc.yml
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-rc.yml
@@ -79,7 +79,7 @@ spec:
         - --cache-size=1000
         - --no-resolv
         - --server=127.0.0.1#10053
-{% if kube_log_level == 4 %}
+{% if kube_log_level == '4' %}
         - --log-queries
 {% endif %}
         ports:
diff --git a/roles/kubernetes/preinstall/tasks/set_resolv_facts.yml b/roles/kubernetes/preinstall/tasks/set_resolv_facts.yml
index 4c50854159e42033517bd2137f621a29adc17ee8..4d0e5fa3212aadc0ee36fde5fee455308f81d125 100644
--- a/roles/kubernetes/preinstall/tasks/set_resolv_facts.yml
+++ b/roles/kubernetes/preinstall/tasks/set_resolv_facts.yml
@@ -10,7 +10,7 @@
       {%- if resolvconf.rc == 0 -%}true{%- else -%}false{%- endif -%}
 
 - set_fact:
-    private_domains: |-
+    bogus_domains: |-
       {% for d in [ 'default.svc.' + dns_domain, 'svc.' + dns_domain ] + searchdomains|default([]) -%}
       {{dns_domain}}.{{d}}./{{d}}.{{d}}./com.{{d}}./
       {%- endfor %}