no more recursive clients: quota reached

Chris Thompson cet1 at cam.ac.uk
Wed Mar 24 17:08:01 UTC 2010


On Mar 24 2010, Oliver Henriot wrote:

>Dear list users,
>
>I'd like to understand a point about quotas on recursive clients, 
>and reading books, manuals and this list's archives hasn't made it 
>entirely clear to me.
>
>I have the classical error logs:
>
>17-Mar-2010 12:14:44.026 client: warning: client 129.88.30.5#57960: no 
>more recursive clients: quota reached
>
>I have a lot of these... (two thousand unique clients blocked over the 
>last two weeks on my main resolver)
>
>Is this quota global for all clients? I.e. one rogue client sending 
>massive amounts of recursive requests would blow the quota for everyone. 
>Or is it per client? It seems unlikely to me but I'm not clear on that 
>point.

It is the length of the queue of all outstanding recursive queries.
This depends not just on the RATE of queries coming in, but also the
time it takes to resolve them. (If the queue fills up, BIND gives up
on the ones that have been outstanding longest.)

Monitor the count with "rndc stats" to find out whether the outstanding
query queue is often close to the limit, or is spiking. In any case,
when the queue is large, take a look at it by using "rndc recursing"
(dumps the queue to "named.recursing" in BIND's current directory). You
may find that you have a lot of queries for some domain that is failing
to resolve in a timely fashion (we've had problems like that with people
trying to use RBLs from which we are blocked, for example).

You should also bear in mind the possibility of network problems, as
others have suggested. And firewall software might be mangling certain
outgoing queries, or the responses to them, making them appear to time
out.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
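
An added example, not part of the original post: one way to read the "rndc recursing" dump described above is to tally the outstanding queries per client address and per domain suffix, which shows whether one slow-resolving domain or one client dominates the queue. The line layout matched by the regex and the sample lines are assumptions constructed for illustration; the dump format differs between BIND versions.

```python
import re
import sys
from collections import Counter

# Assumed layout of a query line in named.recursing (it differs between BIND
# versions; adjust the regex to match your own dump):
#   ; client 192.0.2.10#53124: id 4711 'host.example.net/A/IN' requesttime 9
LINE_RE = re.compile(r"client\s+(?P<addr>[0-9A-Fa-f.:]+)#\d+.*?'(?P<qname>[^'/]*)/[^'/]+/")

# Constructed sample dump, not taken from a real server.
SAMPLE_DUMP = """\
;
; Recursing Queries
;
; client 192.0.2.10#53124: id 4711 '7.2.0.192.rbl.example.net/A/IN' requesttime 9
; client 192.0.2.10#53125: id 4712 '8.2.0.192.rbl.example.net/A/IN' requesttime 9
; client 192.0.2.11#40001: id 1201 '9.2.0.192.rbl.example.net/A/IN' requesttime 8
; client 192.0.2.12#40002: id 3377 'www.example.org/AAAA/IN' requesttime 1
; client 2001:db8::5#40003: id 9001 '1.2.0.192.rbl.example.net/TXT/IN' requesttime 7
; client 192.0.2.10#53126: id 4713 'mail.example.com/MX/IN' requesttime 0
"""


def summarize(dump_text, suffix_labels=2, top=5):
    """Return (top clients, top domain suffixes) among the outstanding queries."""
    clients, suffixes = Counter(), Counter()
    for line in dump_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # header, comment or a line in a layout we do not know
        clients[m.group("addr")] += 1
        labels = m.group("qname").rstrip(".").lower().split(".")
        suffixes[".".join(labels[-suffix_labels:])] += 1
    return clients.most_common(top), suffixes.most_common(top)


if __name__ == "__main__":
    # Pass the path of a real named.recursing file, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    top_clients, top_suffixes = summarize(text)
    print("outstanding queries per client:")
    for addr, n in top_clients:
        print(f"  {n:6d}  {addr}")
    print("outstanding queries per domain suffix:")
    for name, n in top_suffixes:
        print(f"  {n:6d}  {name}")
```

Raising suffix_labels to 3 separates a zone such as rbl.example.net from the rest of example.net.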


