Since my previous build of a DNS proxy server (DNS cache server) was too rough, I studied Unbound and tried again. The OS is Ubuntu 18.04.
I also checked how to specify this DNS cache server as the DNS server for P2S (point-to-site) connections through an Azure virtual network gateway.
Advance preparation
- Prepare an Azure Private DNS zone and link it to the virtual network (this time the zone was zeus.example)
- Set up a VM to act as the DNS cache server
Install unbound
sudo apt update && sudo apt install unbound
It fails to start, but that is because systemd-resolved is already running. You can ignore this for now.
Create unbound settings
The Ubuntu 18.04.4 LTS repository ships the libevent build of Unbound, so the settings below assume libevent. Memory sizing assumes that only Unbound runs on a 512 MB machine.
server:
    interface: 0.0.0.0
    access-control: 10.0.0.0/8 allow
    verbosity: 1
    rrset-roundrobin: yes
    minimal-responses: yes
    cache-max-ttl: 86400
    ###### Tuning
    num-threads: 1
    msg-cache-slabs: 2
    rrset-cache-slabs: 2
    infra-cache-slabs: 2
    key-cache-slabs: 2
    rrset-cache-size: 100m
    msg-cache-size: 50m
    so-rcvbuf: 4m
    so-sndbuf: 4m
    infra-cache-numhosts: 1000
    ###### use libevent
    outgoing-range: 4096
    num-queries-per-thread: 4096
    ###### security consideration
    hide-version: yes
    domain-insecure: "zeus.example"
# Forward everything to Azure internal DNS (178.23.159.16)
forward-zone:
    name: "."
    forward-addr: "178.23.159.16"
Although the title says "Use Azure Private DNS", once Azure Private DNS is linked to the virtual network the Azure internal DNS handles it, so I simply forward everything there.
rrset-roundrobin
I think it is worth enabling so that answers with multiple records are rotated and load is spread evenly.
access-control
Specify it explicitly, because if it is omitted only localhost is allowed. You can list more than one entry, so write several if your address range spans multiple blocks. I do not intend to leave security loose here; access is controlled by Azure's Network Security Group.
Kernel parameter adjustment
# Append the buffer settings (tee -a keeps the existing contents of sysctl.conf)
sudo tee -a /etc/sysctl.conf << EOF
# Secure a 4M receive buffer
net.core.rmem_max = 4194304
# Secure a 4M send buffer
net.core.wmem_max = 4194304
EOF
# Reload settings
sudo sysctl -p
If you do not adjust it, a log like this will appear.
warning: so-rcvbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.
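As an added example (not the author's code) covering both the access-control note above and this buffer warning: a small Python audit that parses an unbound.conf fragment, evaluates which clients the access-control lines admit using Unbound's most-specific-netblock rule, and derives the sysctl values that so-rcvbuf/so-sndbuf require. The sample configuration and the localhost defaults are modelled on this page and the Unbound manual; the config parser is a simplified one written for this example.

```python
import ipaddress
import re
# Constructed sample mirroring the unbound.conf shown on this page.
SAMPLE_CONF = """\
server:
    access-control: 10.0.0.0/8 allow
    so-rcvbuf: 4m
    so-sndbuf: 4m
forward-zone:
    name: "."
    forward-addr: "178.23.159.16"
"""

def parse_unbound(text):
    """Return {section: [(key, value), ...]}; keys may repeat (e.g. access-control)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not value:                            # "server:" / "forward-zone:" open a section
            current = key
            sections.setdefault(current, [])
        else:
            sections[current].append((key, value))
    return sections

def acl_action(conf, client_ip):
    """Most specific netblock wins; localhost is allowed by default, later explicit entries override."""
    rules = [("127.0.0.0/8", "allow"), ("::1/128", "allow")]
    for key, value in conf.get("server", []):
        if key == "access-control":
            rules.append(tuple(value.split()[:2]))
    ip, best = ipaddress.ip_address(client_ip), None
    for net, action in rules:
        network = ipaddress.ip_network(net, strict=False)
        if ip in network and (best is None or network.prefixlen >= best[0].prefixlen):
            best = (network, action)
    return best[1] if best else "refuse"         # unbound refuses unmatched clients

def required_sysctl(conf):
    """Translate so-rcvbuf/so-sndbuf into the net.core.*mem_max values the kernel must grant."""
    wanted, out = {"so-rcvbuf": "net.core.rmem_max", "so-sndbuf": "net.core.wmem_max"}, {}
    for key, value in conf.get("server", []):
        m = re.fullmatch(r"(\d+)([kmg]?)b?", value.lower())
        if key in wanted and m:                  # unbound sizes: 4194304, 4k, 4m, 4g (or 4mb)
            out[wanted[key]] = int(m.group(1)) << {"": 0, "k": 10, "m": 20, "g": 30}[m.group(2)]
    return out
```

Run `required_sysctl(parse_unbound(open("/etc/unbound/unbound.conf").read()))` on the real file and compare the result with `sysctl net.core.rmem_max net.core.wmem_max` to see whether the warning above will appear.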
Stop existing DNS service and start unbound
# Rewrite /etc/resolv.conf to point at the local Unbound
sudo sed -i 's/127\.0\.0\.53/127.0.0.1/g' /etc/resolv.conf
# Disable and stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
# Start unbound
sudo systemctl start unbound
Now it works as a DNS cache server that resolves via Unbound → Azure internal DNS. Check it with nslookup locally.