diff --git a/nodeup/pkg/model/kube_apiserver.go b/nodeup/pkg/model/kube_apiserver.go
index 3f9ddff374..52ee7fdc3d 100644
--- a/nodeup/pkg/model/kube_apiserver.go
+++ b/nodeup/pkg/model/kube_apiserver.go
@@ -394,7 +394,7 @@ func (b *KubeAPIServerBuilder) writeServerCertificate(c *fi.NodeupModelBuilderCo
 			"kubernetes",
 			"kubernetes.default",
 			"kubernetes.default.svc",
-			"kubernetes.default.svc." + b.Cluster.Spec.ClusterDNSDomain,
+			"kubernetes.default.svc." + b.NodeupConfig.APIServerConfig.ClusterDNSDomain,
 		}
 
 		// Names specified in the cluster spec
@@ -741,7 +741,7 @@ func (b *KubeAPIServerBuilder) buildAnnotations() map[string]string {
 	annotations := make(map[string]string)
 	annotations["kubectl.kubernetes.io/default-container"] = "kube-apiserver"
 
-	if b.Cluster.UsesNoneDNS() {
+	if b.NodeupConfig.UsesNoneDNS {
 		return annotations
 	}
 
diff --git a/nodeup/pkg/model/kube_controller_manager.go b/nodeup/pkg/model/kube_controller_manager.go
index cef4ebccf6..d40995dcdb 100644
--- a/nodeup/pkg/model/kube_controller_manager.go
+++ b/nodeup/pkg/model/kube_controller_manager.go
@@ -117,7 +117,7 @@ func (b *KubeControllerManagerBuilder) writeServerCertificate(c *fi.NodeupModelB
 
 	if kcm.TLSCertFile == nil {
 		alternateNames := []string{
-			"kube-controller-manager.kube-system.svc." + b.Cluster.Spec.ClusterDNSDomain,
+			"kube-controller-manager.kube-system.svc." + b.NodeupConfig.APIServerConfig.ClusterDNSDomain,
 		}
 
 		issueCert := &nodetasks.IssueCert{
diff --git a/nodeup/pkg/model/kube_scheduler.go b/nodeup/pkg/model/kube_scheduler.go
index c6b5b237fc..b033268240 100644
--- a/nodeup/pkg/model/kube_scheduler.go
+++ b/nodeup/pkg/model/kube_scheduler.go
@@ -155,7 +155,7 @@ func (b *KubeSchedulerBuilder) writeServerCertificate(c *fi.NodeupModelBuilderCo
 
 	if kubeScheduler.TLSCertFile == nil {
 		alternateNames := []string{
-			"kube-scheduler.kube-system.svc." + b.Cluster.Spec.ClusterDNSDomain,
+			"kube-scheduler.kube-system.svc." + b.NodeupConfig.APIServerConfig.ClusterDNSDomain,
 		}
 
 		issueCert := &nodetasks.IssueCert{
diff --git a/pkg/apis/nodeup/config.go b/pkg/apis/nodeup/config.go
index ff1e6b9de3..30617139c3 100644
--- a/pkg/apis/nodeup/config.go
+++ b/pkg/apis/nodeup/config.go
@@ -168,6 +168,8 @@ type StaticManifest struct {
 
 // APIServerConfig is additional configuration for nodes running an APIServer.
 type APIServerConfig struct {
+	// ClusterDNSDomain is the suffix we use for internal DNS names (normally cluster.local).
+	ClusterDNSDomain string
 	// KubeAPIServer is a copy of the KubeAPIServerConfig from the cluster spec.
 	KubeAPIServer *kops.KubeAPIServerConfig
 	// API controls how the Kubernetes API is exposed.
@@ -299,7 +301,8 @@ func NewConfig(cluster *kops.Cluster, instanceGroup *kops.InstanceGroup) (*Confi
 
 	if instanceGroup.HasAPIServer() {
 		config.APIServerConfig = &APIServerConfig{
-			KubeAPIServer: cluster.Spec.KubeAPIServer,
+			ClusterDNSDomain: cluster.Spec.ClusterDNSDomain,
+			KubeAPIServer:    cluster.Spec.KubeAPIServer,
 			API: kops.APISpec{
 				PublicName:     cluster.Spec.API.PublicName,
 				AdditionalSANs: cluster.Spec.API.AdditionalSANs,