diff --git a/middleware/kubernetes/kubernetes.go b/middleware/kubernetes/kubernetes.go
index 85e4940ac..b93358863 100644
--- a/middleware/kubernetes/kubernetes.go
+++ b/middleware/kubernetes/kubernetes.go
@@ -341,7 +341,7 @@ func ipFromPodName(podname string) string {
 
 func (k *Kubernetes) findPods(namespace, podname string) (pods []pod, err error) {
 	if k.PodMode == PodModeDisabled {
-		return pods, nil
+		return pods, errors.New("pod records disabled")
 	}
 
 	var ip string
diff --git a/test/kubernetes_test.go b/test/kubernetes_test.go
index 49d3834d8..824f8eadc 100644
--- a/test/kubernetes_test.go
+++ b/test/kubernetes_test.go
@@ -196,14 +196,7 @@ var dnsTestCases = []test.Case{
 	},
 	{
 		Qname: "10-20-0-101.test-1.pod.cluster.local.", Qtype: dns.TypeA,
-		Rcode: dns.RcodeSuccess,
-		Answer: []dns.RR{
-			test.A("10-20-0-101.test-1.pod.cluster.local. 0 IN A    10.20.0.101"),
-		},
-	},
-	{
-		Qname: "10-20-0-101.test-X.pod.cluster.local.", Qtype: dns.TypeA,
-		Rcode:  dns.RcodeNameError,
+		Rcode:  dns.RcodeServerFailure,
 		Answer: []dns.RR{},
 	},
 	{
@@ -227,6 +220,21 @@ var dnsTestCases = []test.Case{
 	},
 }
 
+var dnsTestCasesPodsInsecure = []test.Case{
+	{
+		Qname: "10-20-0-101.test-1.pod.cluster.local.", Qtype: dns.TypeA,
+		Rcode: dns.RcodeSuccess,
+		Answer: []dns.RR{
+			test.A("10-20-0-101.test-1.pod.cluster.local. 0 IN A    10.20.0.101"),
+		},
+	},
+	{
+		Qname: "10-20-0-101.test-X.pod.cluster.local.", Qtype: dns.TypeA,
+		Rcode:  dns.RcodeNameError,
+		Answer: []dns.RR{},
+	},
+}
+
 func createTestServer(t *testing.T, corefile string) (*caddy.Instance, string) {
 	server, err := CoreDNSServer(corefile)
 	if err != nil {
@@ -241,19 +249,7 @@ func createTestServer(t *testing.T, corefile string) (*caddy.Instance, string) {
 	return server, udp
 }
 
-func TestKubernetesIntegration(t *testing.T) {
-	t.Parallel()
-	corefile :=
-		`.:0 {
-    kubernetes cluster.local 0.0.10.in-addr.arpa {
-                endpoint http://localhost:8080
-		#endpoint https://kubernetes/ 
-		#tls admin.pem admin-key.pem ca.pem
-		#tls k8s_auth/client2.crt k8s_auth/client2.key k8s_auth/ca2.crt
-		namespaces test-1
-		pods insecure
-    }
-`
+func doIntegrationTests(t *testing.T, corefile string, testCases []test.Case) {
 	server, udp := createTestServer(t, corefile)
 	defer server.Stop()
 
@@ -261,7 +257,7 @@ func TestKubernetesIntegration(t *testing.T) {
 	// test environment.
 	time.Sleep(5 * time.Second)
 
-	for _, tc := range dnsTestCases {
+	for _, tc := range testCases {
 
 		dnsClient := new(dns.Client)
 		dnsMessage := new(dns.Msg)
@@ -285,3 +281,30 @@ func TestKubernetesIntegration(t *testing.T) {
 		//TODO: Check the actual RR values
 	}
 }
+
+func TestKubernetesIntegration(t *testing.T) {
+	corefile :=
+		`.:0 {
+    kubernetes cluster.local 0.0.10.in-addr.arpa {
+                endpoint http://localhost:8080
+		#endpoint https://kubernetes/ 
+		#tls admin.pem admin-key.pem ca.pem
+		#tls k8s_auth/client2.crt k8s_auth/client2.key k8s_auth/ca2.crt
+		namespaces test-1
+		pods disabled
+    }
+`
+	doIntegrationTests(t, corefile, dnsTestCases)
+}
+
+func TestKubernetesIntegrationPodsInsecure(t *testing.T) {
+	corefile :=
+		`.:0 {
+    kubernetes cluster.local 0.0.10.in-addr.arpa {
+                endpoint http://localhost:8080
+		namespaces test-1
+		pods insecure
+    }
+`
+	doIntegrationTests(t, corefile, dnsTestCasesPodsInsecure)
+}