tracking source of dns queries
Ladislav Vobr
lvobr at ies.etisalat.ae
Sat Jun 26 04:39:03 UTC 2004
dnstop is useful, also you can try to enable the logging and make a
report out of it, top talkers, top domains, and look at the sources of
these high numbers. You can script it, and put it in crontab if you have
cpu for it.

Usually bind has a very bad habit of retrying pointlessly to all name
servers when *all* name servers for that particular domain are down
(amplifying every request and flooding all unreachable servers forever
with the same frequency till they come up, or somebody human tells the
bind that this is nonsense logic and bogus these). Which might in the
virus/flood case be very very annoying, maybe we will see one day query
throttling in bind :-) 'how many binds have to get overloaded by its own
retry traffic to make isc realize this'?

Ladislav
Mikael wrote:
> Hello,
>
> I've posted earlier about a problem with recursive-clients. I got this sort
> of logs :
>
> Jun 14 09:23:30 hostname named[1045]: client: client 127.0.0.1#34559: no
> more recursive clients: quota reached
>
> After doubling the "recursive-clients" option to 2000, I got this problem
> again. It is really worrying because the dns server seems to stop accepting
> requests and thus making the whole system unreachable, which is not really
> appreciated as it's a mail server :(
>
> Not knowing why this happens, I wonder if there's a way to track which
> process sends dns queries on this host (many requests come from the host
> itself).
>
> Any idea ?
>
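
The report suggested in the reply above (top talkers and top domains from the query log, plus which clients hit the recursion quota), as an added example that is not part of the original thread. It assumes query logging is enabled and that lines have the shape `client <ip>#<port>: query: <name> <class> <type>`, which varies between BIND versions; the sample lines are constructed, and `zone_of` and `summarize` are hypothetical names.

```python
import re
from collections import Counter

# Common prefix of both messages; newer BIND releases insert "@0x..." and
# "(name)" fields, which are skipped when present (assumed log shape).
CLIENT = r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
QUERY_RE = re.compile(CLIENT + r"query: (?P<name>\S+) \S+ \S+")
QUOTA_RE = re.compile(CLIENT + r"no more recursive clients: quota reached")

def zone_of(name, labels=2):
    """Crude grouping key: the last `labels` labels, no public-suffix handling."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])

def summarize(lines, top=3):
    """Count queries per client and per zone, and quota errors per client."""
    clients, zones, quota = Counter(), Counter(), Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            clients[m["ip"]] += 1
            zones[zone_of(m["name"])] += 1
            continue
        m = QUOTA_RE.search(line)
        if m:
            quota[m["ip"]] += 1
    return {
        "top_clients": clients.most_common(top),
        "top_zones": zones.most_common(top),
        "quota_hits": dict(quota),
    }

# Constructed sample lines, modelled on the syslog line quoted in the thread.
SAMPLE = """\
Jun 14 09:23:28 hostname named[1045]: client 127.0.0.1#34551: query: mx1.example.net IN A
Jun 14 09:23:28 hostname named[1045]: client 127.0.0.1#34552: query: mx2.example.net IN A
Jun 14 09:23:29 hostname named[1045]: client 192.0.2.10#1044: query: www.example.org IN A
Jun 14 09:23:29 hostname named[1045]: client 127.0.0.1#34553: query: 5.2.0.192.in-addr.arpa IN PTR
Jun 14 09:23:30 hostname named[1045]: client 127.0.0.1#34554: query: MX1.example.net IN MX
Jun 14 09:23:30 hostname named[1045]: client: client 127.0.0.1#34559: no more recursive clients: quota reached
""".splitlines()

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

A zone that dominates the counts while its name servers are unreachable is the case the reply describes, and a single client dominating `top_clients` points at the host to inspect.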