diff --git a/roles/apps/k8s-kubedns b/roles/apps/k8s-kubedns
index b5015aed8..d6df09a89 160000
--- a/roles/apps/k8s-kubedns
+++ b/roles/apps/k8s-kubedns
@@ -1 +1 @@
-Subproject commit b5015aed8ff5eed9c325911205cfbb23ad0e57be
+Subproject commit d6df09a89721d98e2969a8abf29b4eb5e787fca6
diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml
index f8b9fa197..ccff170f9 100644
--- a/roles/dnsmasq/tasks/main.yml
+++ b/roles/dnsmasq/tasks/main.yml
@@ -32,7 +32,6 @@
 file:
 path: /etc/dnsmasq.d
 state: directory
- when: inventory_hostname in groups['kube-master']
 - name: Write dnsmasq configuration
 template:
@@ -40,17 +39,14 @@
 dest: /etc/dnsmasq.d/01-kube-dns.conf
 mode: 755
 backup: yes
- when: inventory_hostname in groups['kube-master']
 - name: Create dnsmasq pod manifest
 template: src=dnsmasq-pod.yml dest=/etc/kubernetes/manifests/dnsmasq-pod.manifest
- when: inventory_hostname in groups['kube-master']
 - name: Check for dnsmasq port (pulling image and running container)
 wait_for:
 port: 53
 delay: 5
- when: inventory_hostname in groups['kube-master']
 - name: check resolvconf
 stat: path=/etc/resolvconf/resolv.conf.d/head
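Review bot: `mode: 755` on the "Write dnsmasq configuration" task in the `@@ -40,17 +39,14 @@` hunk is an unquoted integer, and with the `when: inventory_hostname in groups['kube-master']` guard removed the task now applies it on every host rather than only the masters. Ansible documents that a mode given as a bare number without a leading zero is read as decimal, so the result is unlikely to be rwxr-xr-x and may leave /etc/dnsmasq.d/01-kube-dns.conf writable by other local users, which is the file that decides where the host's DNS queries are forwarded. A configuration file does not need the execute bit either, so I would write `mode: "0644"`. The task starts above the hunk, so its `src:` line is not visible here.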
@@ -63,22 +59,34 @@
 - name: Add search resolv.conf
 lineinfile:
- line: search {{ [ 'default.svc.' + dns_domain, 'svc.' + dns_domain, dns_domain ] | join(' ') }}
+ line: "search {{ [ 'default.svc.' + dns_domain, 'svc.' + dns_domain, dns_domain ] | join(' ') }}"
 dest: "{{resolvconffile}}"
 state: present
 insertbefore: BOF
 backup: yes
 follow: yes
-- name: Add all masters as nameserver
+- name: Add local dnsmasq to resolv.conf
 lineinfile:
- line: nameserver {{ hostvars[item]['ansible_default_ipv4']['address'] }}
+ line: "nameserver 127.0.0.1"
 dest: "{{resolvconffile}}"
 state: present
 insertafter: "^search.*$"
 backup: yes
 follow: yes
- with_items: groups['kube-master']
+
+- name: Add options to resolv.conf
+ lineinfile:
+ line: options {{ item }}
+ dest: "{{resolvconffile}}"
+ state: present
+ regexp: "^options.*{{ item }}$"
+ insertafter: EOF
+ backup: yes
+ follow: yes
+ with_items:
+ - timeout:2
+ - attempts:2
 - name: disable resolv.conf modification by dhclient
 copy: src=dhclient_nodnsupdate dest=/etc/dhcp/dhclient-enter-hooks.d/nodnsupdate mode=u+x backup=yes
diff --git a/roles/dnsmasq/templates/01-kube-dns.conf.j2 b/roles/dnsmasq/templates/01-kube-dns.conf.j2
index e9e8d62e0..7a46bee82 100644
--- a/roles/dnsmasq/templates/01-kube-dns.conf.j2
+++ b/roles/dnsmasq/templates/01-kube-dns.conf.j2
@@ -1,5 +1,6 @@
-#Listen on all interfaces
-interface=*
+#Listen on localhost
+bind-interfaces
+listen-address=127.0.0.1
 addn-hosts=/etc/hosts
diff --git a/roles/network_plugin/handlers/main.yml b/roles/network_plugin/handlers/main.yml
index a62817981..4a6e9e360 100644
--- a/roles/network_plugin/handlers/main.yml
+++ b/roles/network_plugin/handlers/main.yml
@@ -10,6 +10,7 @@
 notify:
 - reload systemd
 - restart docker
+ - restart kubelet
 - name: delete default docker bridge
 command: ip link delete docker0
@@ -28,3 +29,8 @@
 service:
 name: docker
 state: restarted
+
+- name: restart kubelet
+ service:
+ name: kubelet
+ state: restarted
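Review bot: The `nameserver <master ip>` lines written by the removed "Add all masters as nameserver" task are never cleaned up, because "Add local dnsmasq to resolv.conf" in the `@@ -63,22 +59,34 @@` hunk only adds `nameserver 127.0.0.1`. On a host that was already provisioned, the resolver keeps the master addresses as fallbacks, while the template change in this same commit makes dnsmasq on those masters listen on 127.0.0.1 only, so the fallbacks would time out instead of answering. A `lineinfile` task with `state: absent` over `groups['kube-master']` ahead of the new task would remove them. As a style point, the new `line: options {{ item }}` is unquoted although this hunk quotes the other two `line:` values; `line: "options {{ item }}"` with items `"timeout:2"` and `"attempts:2"` would be consistent and keeps the items as strings under any YAML parser. The task list continues past the end of the hunk.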
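Review bot: `listen-address=127.0.0.1` with `bind-interfaces` in 01-kube-dns.conf.j2 only serves the host if the dnsmasq container shares the host's network namespace, and this commit does not show dnsmasq-pod.yml. If that manifest does not set `hostNetwork: true`, the loopback address dnsmasq binds is the pod's own, and the `nameserver 127.0.0.1` entry written to the host's resolv.conf would reach nothing. Narrowing the listener from `interface=*` to loopback reduces exposure of the resolver, so it is worth recording the dependency in the header comment, for example `#Listen on localhost only; requires hostNetwork in dnsmasq-pod.yml`. The header comment would also read better with a space after the `#`.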