no more recursive clients: quota reached
Barry Finkel
b19141 at achilles.ctd.anl.gov
Wed Feb 5 15:24:21 UTC 2003
Greg Robinson wrote:
>> Hi,
>>
>> Our internet link is down at the moment (but it won't be if you can read
>> this). We are seeing these error messages on or internal DNS server:
>>
>> Feb 3 14:33:07 hostname syslog: client 172.16.2.42#25930: no more recursive clients: quota reached
>>
>> For a whole bunch of IP addresses. A few are DNS servers, most are
>> mail or proxy servers.
>>
>> I can't find any reference to this in the BIND book, but my guess
>> is that the DNS server has given up (quota reached) on trying to resolve
>> domains for this IP address. And I can safely ignore the message.
>>
>> Does this sound about right?
Kevin Darcy replied:
>No, the message means that the nameserver has reached its maximum number of
>*simultaneous* recursive-query requests. Any more recursive queries will have to wait to be processed.
>You should only ignore the message if you care nothing about performance or the service levels you're
>providing to your clients. If you care about such things, either bump up the quota, or find a way to
>reduce the load, e.g. spread the query load across more servers, eliminate searchlists, or whatever.
Another cause - a denial-of-service attack against your nameserver.
I had one recently. Using tcpdump or snoop or whatever packet sniffer
is handy, get a trace of the packets to see how many are incoming,
from where, and for what are they querying.
Look at the archives of this list and bind9-users for the past four
weeks; this topic has been discussed recently.
----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile:+1 (630) 252-4601
Building 222, Room D209 Internet: BSFinkel at anl.gov
Argonne, IL 60439-4828 IBMMAIL: I1004994
More information about the bind-users
mailing list