Hello,
 
"07-Sep-2008 19:47:14.187 resolver: clients-per-query increased to 70"
 
70 clients per query seems pretty high to me.
I think slow, and bogus, lookups can contribute to this.
 
In our environment, we use:
 clients-per-query 10 ;
 max-clients-per-query 20 ;

I would also check that the network is clean: no interface errors on server or 
switch, etc.
 
There may also be bots, and such, driving up DNS traffic in attempts to 
propagate abuse.
Typically, hundreds of MX lookups from DHCP workstations indicate such malware 
infections.
Once upon a time, someone pointed me to a Surf net document on using DNS as IDS 
-- which has some other great ideas.
Anyway, the goal is inoculating infected hosts to stop bogus traffic.
 
I hope this helps.



----- Original Message ----
From: Jan Arild Lindstrøm <[EMAIL PROTECTED]>
To: bind-users@isc.org
Sent: Monday, September 8, 2008 6:38:58 AM
Subject: BIND 9.4.x and max-clients-per-query


Hi,

we got several recursive BIND 9.4.x servers running with the following option set
in named.conf:
    recursive-clients 50000;

From named.log yesterday @ 19:44 ->

--CUT--
07-Sep-2008 19:44:01.250 resolver: clients-per-query increased to 70
07-Sep-2008 19:44:03.124 resolver: clients-per-query increased to 75
07-Sep-2008 19:44:49.700 general: dispatch.c:2999: INSIST(n == 1) failed
07-Sep-2008 19:44:49.700 general: exiting (due to assertion failure)
07-Sep-2008 19:44:53.939 general: zone 0.0.127.in-addr.arpa/IN/internal: loaded serial 1
07-Sep-2008 19:44:53.948 general: zone localhost/IN/internal: loaded serial 1
07-Sep-2008 19:44:55.109 general: zone 0.0.127.in-addr.arpa/IN/external: loaded serial 1
07-Sep-2008 19:44:55.113 general: zone localhost/IN/external: loaded serial 1
07-Sep-2008 19:44:56.282 general: running
07-Sep-2008 19:44:56.961 resolver: clients-per-query increased to 15
07-Sep-2008 19:44:58.127 resolver: clients-per-query increased to 20
07-Sep-2008 19:45:00.168 resolver: clients-per-query increased to 25
07-Sep-2008 19:45:01.602 resolver: clients-per-query increased to 30
07-Sep-2008 19:45:04.079 resolver: clients-per-query increased to 35
07-Sep-2008 19:45:09.490 resolver: clients-per-query increased to 40
07-Sep-2008 19:45:11.826 resolver: clients-per-query increased to 45
07-Sep-2008 19:45:14.200 resolver: clients-per-query increased to 50
07-Sep-2008 19:45:21.336 resolver: clients-per-query increased to 55
07-Sep-2008 19:45:29.406 resolver: clients-per-query increased to 60
07-Sep-2008 19:46:05.896 resolver: clients-per-query increased to 65
07-Sep-2008 19:47:14.187 resolver: clients-per-query increased to 70
07-Sep-2008 19:49:28.621 client: client xx.xx.xx.xx#59739: view external: recursive-clients soft limit exceeded, aborting oldest query
07-Sep-2008 19:49:29.258 client: client xx.xx.xx.xx#1025: view external: recursive-clients soft limit exceeded, aborting oldest query
07-Sep-2008 19:49:30.043 client: client xx.xx.xx.xx#64760: view external: recursive-clients soft limit exceeded, aborting oldest query
07-Sep-2008 19:49:31.012 client: client xx.xx.xx.xx#38850: view external: recursive-clients soft limit exceeded, aborting oldest query
--CUT--

clients-per-query, max-clients-per-query
    These set the initial value (minimum) and maximum number of recursive simultaneous clients for
    any given query (<qname,qtype,qclass>) that the server will accept before dropping additional
    clients. named will attempt to self tune this value and changes will be logged. The default values
    are 10 and 100.

    This value should reflect how many queries come in for a given name in the time it takes to resolve
    that name. If the number of queries exceed this value, named will assume that it is dealing with a
    non-responsive zone and will drop additional queries. If it gets a response after dropping queries, it
    will raise the estimate. The estimate will then be lowered in 20 minutes if it has remained unchanged.

    If clients-per-query is set to zero, then there is no limit on the number of clients per query and no
    queries will be dropped.

    If max-clients-per-query is set to zero, then there is no upper bound other than imposed by recursive-clients.

While the recursive queue was filling, I checked the recursive queries:
    ns(root) named 536# rndc recursing ; cat named.recursing | awk '{print $6}' | sort | uniq -c | sort -n | tail -5
        809 'crl.verisign.net'
        826 'apps.facebook.com'
      2503 'ocsp.verisign.net'
      12850 'www.facebook.com'
      20064 'statistik-gallup.net'

    rndc status:
        recursive clients: 49662/49900/50000

Clients-per-query and max-clients-per-query are not set, so they are at default 
10 and 100.

How is it that these queries have so many simultaneous clients? Should not
max-clients-per-query keep
it to max 100 simultaneous clients for each query? All these numbers are way
bigger than 100.

Or have I not understood the purpose of clients-per-query and 
max-clients-per-query correctly?

Thanks
Jan Arild Lindstrom
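
An added example, not part of either message in this thread: one way to act on the reply's point that large numbers of MX lookups from DHCP workstations suggest infected hosts. It assumes query logging is enabled and that lines have the shape `client <ip>#<port>: view <name>: query: <qname> <class> <type>`; the function name, the DHCP range 10.20.0.0/16, the threshold and the sample log lines are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed query-log shape: "client <ip>#<port>: [view <name>: ]query: <qname> <class> <type> ..."
QUERY_RE = re.compile(
    r"client (?P<ip>[^\s#]+)#\d+: (?:view \S+: )?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def mx_heavy_clients(lines, dhcp_nets, threshold):
    """Return {client_ip: MX query count} for DHCP-pool clients at or above threshold."""
    nets = [ipaddress.ip_network(n) for n in dhcp_nets]
    counts = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or m.group("qtype").upper() != "MX":
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # masked or malformed address such as xx.xx.xx.xx
        if any(ip in net for net in nets):
            counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def _line(sec, ip, port, view, qname, qtype):
    return (f"07-Sep-2008 19:50:{sec:02d}.000 queries: client {ip}#{port}: "
            f"view {view}: query: {qname} IN {qtype} +")

# Constructed sample log (not taken from the thread).
SAMPLE = (
    # Workstation in the DHCP pool asking for MX records of many domains.
    [_line(i, "10.20.0.57", 2000 + i, "internal", f"domain{i}.example", "MX") for i in range(30)]
    # Mail relay outside the pool: MX lookups are its normal job.
    + [_line(i, "192.0.2.25", 3000 + i, "internal", f"rcpt{i}.example", "MX") for i in range(40)]
    # Ordinary workstation: mostly A lookups, a single MX.
    + [_line(i, "10.20.0.12", 4000 + i, "internal", "www.example.com", "A") for i in range(5)]
    + [_line(9, "10.20.0.12", 4009, "internal", "example.org", "MX")]
    # Masked client address, as in the log excerpt above.
    + [_line(10, "xx.xx.xx.xx", 59739, "external", "example.org", "MX")]
)

if __name__ == "__main__":
    # Threshold lowered to suit the small sample.
    for ip, n in mx_heavy_clients(SAMPLE, ["10.20.0.0/16"], threshold=25).items():
        print(f"{ip}: {n} MX queries")
```

Restricting the count to the workstation address range is what keeps legitimate mail relays, which issue MX lookups all day, out of the result.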
