求助：日志老报no more recursive clients : quota reached

titan1120

各位大哥，最近我的DNS服务器的日志内老报“(具体IP地址）no more recursive clients: quota reached"
不知作何解释！

titan1120

操作系统是solaris8
bind9.2

阿骁

Limitting the Number of clients

Bind 9 gives you the ability to restrict the number of clients your
nameserver will serve concurrently.  You can apply a limit to the number of
recursive clients ( resolvers plus name servers using your name server as a
forwarder) with the recurvsive-clients substatement:

options {
        recursive-clients 10;
};

The default limit is 1000.  If u find your nameserver refusing recursive
queries and logging as shown by the error you've posted, you may want to
increase the limit. Conversely, if you find your nameserver struggling to
keep up with the deluge of recursive queries, you could lower the limit.

You can also apply a limit to the number of TCP connections your name server
will process with the tcp-clients substatement. But TCP connections consume
considererable more resources than UDP because the host needs to track the
state of the TCP connection.

So just increase the recursive-clients substatement.

Is your nameserver a caching-nameserver?....if it is, maybe it is being used
by others as their DNS, thus making your nameserver reached it's maximum
limit. And is it for your local DNS only?

阿骁

上面的这段话是 《DNS and BIND》第四版中的一段话，希望对你有帮助！  ^_^     别告诉我看不懂 e 文啊！！！

fmccterry

都是同一个IP地址发起的，估计是攻击吧？如果是攻击的话，如何抵御呢？

阿骁

如果发现是攻击，可以将这个IP地址加入blackhole这个选项，那么 dns 就会拒绝对这个IP地址解析域名。

这个选项在 named.conf 文件中设置。

fmccterry

现在的黑客都是采用分布式的攻击方法，不可能每次都针对某个地址进行封堵吧。是否可以只开放DNS设备的某个端口呢？

阿骁

那你可以设置你的 dns 服务器只对自己的网内的用户服务，例如你的网内用户的IP网段是10.0.0.0的话，你可以用 allow-query { 10.0.0.0;} 来限制只有 10.0.0.0 网段的用户可以使用 dns 啊。

fmccterry

我的DNS是公网的，^_^！

yfhe

[quote]原帖由 "titan1120"]各位大哥，最近我的DNS服务器的日志内老报“(具体IP地址）no more recursive clients: quota reached" 不知作何解释！[/quote 发表：


偶今天也碰到了这个问题，差点要了偶的小命

你的DNS服务器是建在专网上的吧，有Internet出口吗？