no more recursive clients: quota reached

Rich Goodson rgoodson at gronkulator.com
Wed Mar 24 16:22:41 UTC 2010


I have 6 resolvers doing recursion for just under a million residential users, and I rarely see the "recursive clients" value go above 1500.  We had issues a few months back with firewalls getting overloaded, and one of the symptoms was that recursive clients would climb into the thousands (it hit around 13,000 once), due to packet loss (I assume failed lookups that caused queries to be repeated).

Right now, I have one server that's resolving somewhere in the 15kqps range and it's hovering between 600-800 recursive clients.  That box is recently upgraded hardware (4 hex-core Opterons), and is directly connected to a Cisco 7609 that's on an OC-192.  It is running at about 5% CPU utilization. I have another box that is older hardware (8-core T1000 processor), that is resolving 10-12kqps and it hovers around 1000 recursive queries on the wire. It is running at about 60% CPU utilization.

Are your servers behind a firewall?  
If so, what's the CPU utilization look like on your packet filtering device? 
What is your link saturation like?  How about the link between any clients and your servers?
How about CPU utilization on your servers?  

Those are the items I'd look at, but it could be that I'm biased by recently being burned by networking :-)

--
Rich Goodson

On Mar 24, 2010, at 9:41 AM, Oliver Henriot wrote:

> Dear list users,
> 
> I'd like to understand a point about quotas on recursive clients, and reading books, manuals and this list's archives hasn't made it entirely clear to me.
> 
> I have the classical error logs:
> 
> 17-Mar-2010 12:14:44.026 client: warning: client 129.88.30.5#57960: no more recursive clients: quota reached
> 
> I have a lot of these... (two thousand unique clients blocked over the last two weeks on my main resolver)
> 
> Is this quota global for all clients? I.e. one rogue client sending massive amounts of recursive requests would blow the quota for everyone. Or is it per client? It seems unlikely to me but I'm not clear on that point.
> 
> Is increasing the quota limit the only solution?
> 
> It seems odd to me to hit the default BIND limit on my servers when they are not open recursive servers and only clients on my networks (a few thousand clients for three recursive resolvers) can interrogate them.
> 
> The problem is particularly crucial because one of the clients is a router behind which many of my clients are NATed, and each time the quota is reached on the servers they use, all the clients behind the router address are blocked and get network timeouts.
> 
> I'm going to increase the quota, but if you can tell me if this is the right thing to do or if I should be looking for something else, that would be great.
> 
> Best regards,
> 
> Oliver Henriot
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
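As an added illustration of the monitoring both posts describe (counting which clients hit the "quota reached" warning, spotting a single NAT address behind most of them, and watching the recursive-clients value that Rich mentions), here is a small Python script that is not from either poster. The log lines are constructed to match the shape quoted above; the `recursive clients: current/soft/hard` line is assumed to be the format `rndc status` prints on BIND 9, so check it against your own version.

```python
import re
from collections import Counter

# Warning line shape taken from the quoted post; the sample lines themselves are constructed.
QUOTA_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client: warning: client (?P<ip>[0-9a-fA-F.:]+)#\d+: "
    r"no more recursive clients: quota reached"
)

SAMPLE_LOG = """\
17-Mar-2010 12:14:44.026 client: warning: client 129.88.30.5#57960: no more recursive clients: quota reached
17-Mar-2010 12:14:44.031 client: warning: client 129.88.30.5#57961: no more recursive clients: quota reached
17-Mar-2010 12:14:45.100 client: warning: client 192.0.2.10#40001: no more recursive clients: quota reached
17-Mar-2010 12:14:45.200 client: info: client 192.0.2.11#40002: query: www.example.com IN A +
17-Mar-2010 12:14:46.005 client: warning: client 129.88.30.5#57962: no more recursive clients: quota reached
"""

def blocked_clients(log_text):
    """Return (number of unique blocked client IPs, Counter of quota events per IP)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUOTA_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return len(counts), counts

def heaviest_source(counts, share=0.5):
    """Return the IP behind at least `share` of all quota events (a NAT gateway
    in the thread's case), or None when no single source dominates."""
    total = sum(counts.values())
    if not total:
        return None
    ip, n = counts.most_common(1)[0]
    return ip if n / total >= share else None

# Assumed BIND 9 'rndc status' line: "recursive clients: current/soft/hard".
STATUS_RE = re.compile(r"recursive clients:\s*(\d+)/(\d+)/(\d+)")

def recursive_client_usage(status_text):
    """Return (current, soft, hard, current/hard) from rndc status output, or None."""
    m = STATUS_RE.search(status_text)
    if not m:
        return None
    cur, soft, hard = (int(x) for x in m.groups())
    return cur, soft, hard, cur / hard

if __name__ == "__main__":
    unique, per_ip = blocked_clients(SAMPLE_LOG)
    print(f"{unique} unique clients blocked; dominant source: {heaviest_source(per_ip)}")
```

Feed the real log through `blocked_clients` and poll `rndc status` with `recursive_client_usage`; a ratio near 1.0 alongside one dominant source is the NAT-router symptom from the quoted post, while a ratio that climbs across many sources points at the packet-loss pattern Rich describes.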
