diff --git a/pkg/kubelet/dockershim/docker_sandbox.go b/pkg/kubelet/dockershim/docker_sandbox.go
index e34b7ce3081..76a2057148b 100644
--- a/pkg/kubelet/dockershim/docker_sandbox.go
+++ b/pkg/kubelet/dockershim/docker_sandbox.go
@@ -92,6 +92,25 @@ func (ds *dockerService) RunPodSandbox(config *runtimeapi.PodSandboxConfig) (str
 if err != nil {
 return createResp.ID, fmt.Errorf("failed to start sandbox container for pod %q: %v", config.Metadata.Name, err)
 }
+
+ // Rewrite resolv.conf file generated by docker.
+ // NOTE: cluster dns settings aren't passed anymore to docker api in all cases,
+ // not only for pods with host network: the resolver conf will be overwritten
+ // after sandbox creation to override docker's behaviour. This resolv.conf
+ // file is shared by all containers of the same pod, and needs to be modified
+ // only once per pod.
+ if dnsConfig := config.GetDnsConfig(); dnsConfig != nil {
+ containerInfo, err := ds.client.InspectContainer(createResp.ID)
+ if err != nil {
+ return createResp.ID, fmt.Errorf("failed to inspect sandbox container for pod %q: %v", config.Metadata.Name, err)
+ }
+
+ if err := dockertools.RewriteResolvFile(containerInfo.ResolvConfPath, dnsConfig.Servers, dnsConfig.Searches, len(dnsConfig.Options) > 0); err != nil {
+ return createResp.ID, fmt.Errorf("rewrite resolf.conf faield for pod %q: %v", config.Metadata.Name, err)
+ }
+ }
+
+ // Do not invoke network plugins if in hostNetwork mode.
 if nsOptions := config.GetLinux().GetSecurityContext().GetNamespaceOptions(); nsOptions != nil && nsOptions.HostNetwork {
 return createResp.ID, nil
 }
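Review bot: An empty `containerInfo.ResolvConfPath` is treated as success at the new `dockertools.RewriteResolvFile` call, so the sandbox would silently keep docker's generated resolv.conf: the visible opening of `RewriteResolvFile` only logs and returns nil for an empty path, and this commit removes the `hc.DNS`/`hc.DNSSearch`/`hc.DNSOptions` assignments that previously carried the cluster resolvers. If that fallback is not intended, fail at the call site with something like `if containerInfo.ResolvConfPath == "" { return createResp.ID, fmt.Errorf("empty ResolvConfPath for sandbox of pod %q", config.Metadata.Name) }`. The new error string is also misspelled; `"failed to rewrite resolv.conf for pod %q: %v"` would match the neighbouring messages. Passing `len(dnsConfig.Options) > 0` as `useClusterFirstPolicy` means the option values themselves are no longer forwarded, which deserves a comment stating that this is deliberate. RunPodSandbox begins and ends outside the hunk.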
@@ -486,13 +505,6 @@ func (ds *dockerService) makeSandboxDockerConfig(c *runtimeapi.PodSandboxConfig,
 createConfig.Config.ExposedPorts = exposedPorts
 hc.PortBindings = portBindings
- // Set DNS options.
- if dnsConfig := c.GetDnsConfig(); dnsConfig != nil {
- hc.DNS = dnsConfig.Servers
- hc.DNSSearch = dnsConfig.Searches
- hc.DNSOptions = dnsConfig.Options
- }
-
 // Apply resource options.
 setSandboxResources(hc)
diff --git a/pkg/kubelet/dockertools/docker_manager.go b/pkg/kubelet/dockertools/docker_manager.go
index 3fa826b7c04..d89e14c12bc 100644
--- a/pkg/kubelet/dockertools/docker_manager.go
+++ b/pkg/kubelet/dockertools/docker_manager.go
@@ -1834,7 +1834,7 @@ func (dm *DockerManager) runContainerInPod(pod *v1.Pod, container *v1.Container,
 // we modify it when the pause container is created since it is the first container created in the pod since it holds
 // the networking namespace.
 if container.Name == PodInfraContainerName {
- if err := rewriteResolvFile(containerInfo.ResolvConfPath, opts.DNS, opts.DNSSearch, useClusterFirstPolicy); err != nil {
+ if err := RewriteResolvFile(containerInfo.ResolvConfPath, opts.DNS, opts.DNSSearch, useClusterFirstPolicy); err != nil {
 return kubecontainer.ContainerID{}, err
 }
 }
@@ -1900,7 +1900,9 @@ func (dm *DockerManager) checkDockerAPIVersion(expectedVersion string) (int, err
 return result, nil
 }
-func rewriteResolvFile(resolvFilePath string, dns []string, dnsSearch []string, useClusterFirstPolicy bool) error {
+// RewriteResolvFile rewrites resolv.conf file generated by docker.
+// Exported for reusing in dockershim.
+func RewriteResolvFile(resolvFilePath string, dns []string, dnsSearch []string, useClusterFirstPolicy bool) error {
 if len(resolvFilePath) == 0 {
 glog.Errorf("ResolvConfPath is empty.")
 return nil
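Review bot: The doc comment on the newly exported `RewriteResolvFile` leaves out two things a caller in another package needs to know: what `useClusterFirstPolicy` changes in the written file, and that an empty `resolvFilePath` is only logged and returns nil, as the first lines of the body show. I would add a sentence for each, for example `// An empty resolvFilePath is logged and treated as success; callers that require the rewrite must check the path themselves.` The function body continues past the end of the hunk, so the rest of its contract is not visible here.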