diff --git a/plugin/backend.go b/plugin/backend.go
index 7b5b2f467..fad61d418 100644
--- a/plugin/backend.go
+++ b/plugin/backend.go
@@ -9,8 +9,8 @@ import (
 
 // ServiceBackend defines a (dynamic) backend that returns a slice of service definitions.
 type ServiceBackend interface {
-	// Services communicates with the backend to retrieve the service definition. Exact indicates
-	// on exact much are that we are allowed to recurs.
+	// Services communicates with the backend to retrieve the service definitions. Exact indicates
+	// on exact match should be returned.
 	Services(state request.Request, exact bool, opt Options) ([]msg.Service, error)
 
 	// Reverse communicates with the backend to retrieve service definition based on a IP address
diff --git a/plugin/kubernetes/handler_pod_insecure_test.go b/plugin/kubernetes/handler_pod_insecure_test.go
index 6dcfd5629..b086f3fe6 100644
--- a/plugin/kubernetes/handler_pod_insecure_test.go
+++ b/plugin/kubernetes/handler_pod_insecure_test.go
@@ -25,6 +25,27 @@ var podModeInsecureCases = []test.Case{
 			test.A("172-0-0-2.podns.pod.cluster.local.	5	IN	A	172.0.0.2"),
 		},
 	},
+	{
+		Qname: "blah.podns.pod.cluster.local.", Qtype: dns.TypeA,
+		Rcode: dns.RcodeNameError,
+		Ns: []dns.RR{
+			test.SOA("cluster.local.	300	IN	SOA	ns.dns.cluster.local. hostmaster.cluster.local. 1515173576 7200 1800 86400 30"),
+		},
+	},
+	{
+		Qname: "blah.podns.pod.cluster.local.", Qtype: dns.TypeAAAA,
+		Rcode: dns.RcodeNameError,
+		Ns: []dns.RR{
+			test.SOA("cluster.local.	300	IN	SOA	ns.dns.cluster.local. hostmaster.cluster.local. 1515173576 7200 1800 86400 30"),
+		},
+	},
+	{
+		Qname: "blah.podns.pod.cluster.local.", Qtype: dns.TypeHINFO,
+		Rcode: dns.RcodeNameError,
+		Ns: []dns.RR{
+			test.SOA("cluster.local.	300	IN	SOA	ns.dns.cluster.local. hostmaster.cluster.local. 1515173576 7200 1800 86400 30"),
+		},
+	},
 	{
 		Qname: "blah.pod-nons.pod.cluster.local.", Qtype: dns.TypeA,
 		Rcode: dns.RcodeNameError,
@@ -32,6 +53,13 @@ var podModeInsecureCases = []test.Case{
 			test.SOA("cluster.local.	300	IN	SOA	ns.dns.cluster.local. hostmaster.cluster.local. 1515173576 7200 1800 86400 30"),
 		},
 	},
+	{
+		Qname: "podns.pod.cluster.local.", Qtype: dns.TypeA,
+		Rcode: dns.RcodeNameError,
+		Ns: []dns.RR{
+			test.SOA("cluster.local.	300	IN	SOA	ns.dns.cluster.local. hostmaster.cluster.local. 1515173576 7200 1800 86400 30"),
+		},
+	},
 }
 
 func TestServeDNSModeInsecure(t *testing.T) {
diff --git a/plugin/kubernetes/kubernetes.go b/plugin/kubernetes/kubernetes.go
index 4e79738e7..785a16ae3 100644
--- a/plugin/kubernetes/kubernetes.go
+++ b/plugin/kubernetes/kubernetes.go
@@ -321,6 +321,12 @@ func (k *Kubernetes) findPods(r recordRequest, zone string) (pods []msg.Service,
 		if !wildcard(namespace) && !k.namespace(namespace) { // no wildcard, but namespace does not exist
 			return nil, errNoItems
 		}
+
+		// If ip does not parse as an IP address, we return an error, otherwise we assume a CNAME and will try to resolve it in backend_lookup.go
+		if net.ParseIP(ip) == nil {
+			return nil, errNoItems
+		}
+
 		return []msg.Service{{Key: strings.Join([]string{zonePath, Pod, namespace, podname}, "/"), Host: ip, TTL: k.ttl}}, err
 	}