Advance preparation

  • Prepare an Azure private DNS and link it to the virtual network (this time it was a zeus.examplezone.)
  • Set up a VM to be a DNS cache server

Introduce unbound

sudo apt update && sudo apt install unbound

Create unbound settings

access-control: allow
verbosity: 1
rrset-roundrobin: yes
minimal-responses: yes
cache-max-ttl: 86400

###### Tuning
num-threads: 1
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
rrset-cache-size: 100m
msg-cache-size: 50m
so-rcvbuf: 4m
so-sndbuf: 4m
infra-cache-numhosts: 1000

###### use libevent
outgoing-range: 4096
num-queries-per-thread: 4096

###### security consideration
hide-version: yes

domain-insecure: "zeus.example"

# Throw all to Azure internal DNS (
name: "."
forward-addr: ""

Kernel parameter adjustment

sudo tee /etc/sysctl.conf << EOF 

# Secure 4M receive buffer
net.core.rmem_max = 4194304
# Secure 4M send buffer
net.core.wmem_max = 4194304

# Reload settings
sudo sysctl -p
warning: so-rcvbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.

Stop existing DNS service and start unbound

# Rewrite /etc/reslov.conf 
sudo sed -i's /127\.0\.0\.53/' /etc/resolv.conf

Disable Systemd-resolved sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved

start unbound sudo systemctl start unbound

 by the author.




DevOps Consultant. I’m strongly focused on automation, security, and reliability.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Bulletproof Communication with Postel’s Law

GTM — Another piece in the puzzle of CX

AWS CLI Introduction

July 2018: Failure Premortems, Humility and Continuous Learning

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


DevOps Consultant. I’m strongly focused on automation, security, and reliability.

More from Medium

Integrate Azure Key Vault with AKS

Advance storage capabilities with Azure CSI driver & Azure Kubernetes Service — Volume Snapshot

Up and Running with Azure Kubernetes Service (AKS) and DevOps Pipelines — Deployment

Photo of a metal pipe against a wall

ExternalDNS and Host-Based TLS Ingress in AKS Cluster