请教：messages文件中出现clients-per-query日志的问题

binzi

BIND 9.4.2   
在messages文件中出现大量的以下日志信息：
Jun 13 14:24:50 dns named[5370]: [ID 873579 daemon.warning] client 219.XX.XX.XX#33049: RFC 1918 response from Internet for 32.15.16.172.in-addr.arpa
Jun 13 14:26:46 dns named[5370]: [ID 873579 daemon.warning] client  219.XX.XX.XX#65334: RFC 1918 response from Internet for 11.16.16.172.in-addr.arpa
Jun 13 14:31:02 dns named[5370]: [ID 873579 daemon.warning] client  219.XX.XX.XX#8950: RFC 1918 response from Internet for 41.12.16.172.in-addr.arpa
Jun 13 14:33:46 dns named[5370]: [ID 873579 daemon.warning] client  219.XX.XX.XX#8316: RFC 1918 response from Internet for 40.13.16.172.in-addr.arpa
Jun 13 14:35:02 dns named[5370]: [ID 873579 daemon.warning] client  219.XX.XX.XX#43511: RFC 1918 response from Internet for 2.1.168.192.in-addr.arpa
Jun 14 10:28:29 dns named[5370]: [ID 873579 daemon.notice] clients-per-query decreased to 13
Jun 14 10:48:29 dns named[5370]: [ID 873579 daemon.notice] clients-per-query decreased to 12
Jun 14 11:08:29 dns named[5370]: [ID 873579 daemon.notice] clients-per-query decreased to 11
Jun 14 11:14:03 dns named[5370]: [ID 873579 daemon.warning] client  219.XX.XX.XX#49587: RFC 1918 response from Internet for 200.0.168.192.in-addr.arpa
Jun 14 11:28:29 dns named[5370]: [ID 873579 daemon.notice] clients-per-query decreased to 10
Jun 14 11:34:14 dns named[5370]: [ID 873579 daemon.notice] clients-per-query increased to 11

DNS服务器大部分时间解析正常，偶尔出现超时现象，估计有用户中毒或攻击，对于RFC 1918 response from Internet for 2.1.168.192.in-addr.arpa信息，我的理解是有用户大量反向查询192、10、172等私有IP网段的域名，clients-per-query decreased、clients-per-query increased又是何意呢？

forx86

“Jun 14 10:28:29 dns named[5370]: [ID 873579 daemon.notice] clients-per-query decreased to 13
Jun 14 10:48:29 dns named[5370]: [ID 873579 daemon.notice] clients-per-query decreased to 12
Jun 14 11:08:29 dns named[5370]: [ID 873579 daemon.notice] clients-per-query decreased to 11
”
DNS服务器大部分时间解析正常，偶尔出现超时现象。

我的也有这个提示，是什么意思呢？不好的意思？存在问题？与“DNS服务器大部分时间解析正常，偶尔出现超时现象”有关系吗？

forx86

"clients-per-query, max-clients-per-query These set the initial value (minimum) and maximum number
of recursive simultanious clients for any given query (<qname,qtype,qclass>) that the server will
accept before dropping additional clients. named will attempt to self tune this value and changes
will be logged. The default values are 10 and 100.
This value should reflect how many queries come in for a given name in the time it takes to resolve
that name. If the number of queries exceed this value, named will assume that it is dealing with a
non-responsive zone and will drop additional queries. If it gets a response after dropping queries,
it will raise the estimate. The estimate will then be lowered in 20 minutes if it has remained
unchanged.
If clients-per-query is set to zero, then there is no limit on the number of clients per query and no
queries will be dropped.
62
CHAPTER 6. BIND 9 CONFIGURATION REFERENCE 6.2. CONFIGURATION FILE GRAMMAR
If max-clients-per-query is set to zero, then there is no upper bound other than imposed by
recursive-clients."

请教：clients-per-query, max-clients-per-query 一般设置吗？一般设置为多少合适？

llzqq

一般默认即可无需改动，从现象看好像是网络中有机器中毒导致。

forx86

谢谢版主。看来一般用默认值啊。上网浏览时，比如打开hao123.com，然后随意点击其中的7、8个网站，有的解析超时，导致打不开。需反复刷新。搞不明白是bind设置问题还是网中有中毒机器还是带宽不够啊？呵呵。
尤其上网用户多的时候。晚上没人上网的时候据观察应该不存在这个问题。
如果是中毒机器造成，如何定位中毒机器呢？协议分析？

[ 本帖最后由 forx86 于 2009-2-27 09:53 编辑 ]