marchopkins asked:
DNS Quota

We had a customer call and tell us that they could not reach certain websites. We noticed that they were using a local cache server as their primary and our DNS server as the secondary and authoritative.

We also discovered that we could not reach these websites. We then added 8.8.8.8 as the primary DNS server. Everything worked fine. We then re-established the normal working condition with the primary as our local and the secondary as our core DNS server. Everything worked fine once again. We then looked to the core DNS server to do an "nslookup".
The nslookup came back with a SERVFAIL. So it looks like our local DNS server learned the website address in question from 8.8.8.8, which makes sense to me. When checking the log files on the Red Hat core DNS server I found this in the messages file:


Nov 13 16:49:46 ns1 named[6499]: client 76.x.x.x#1673: no more TCP clients: quota reached


Any ideas on what this means and the action items to clear this? I'm assuming that the client coming from that address has reached its allowed quota of some sort, but I have no idea what to do about it.

Thanks
arnold
This means that you have a wrong system on the network that pounds your internal server such that it exhausts the available child processes.
Use tcpdump -n dst port 53 on the cache server to see where the majority of the requests are coming from. Then look at the system with the IP responsible.

Post your named.conf configuration file.
Check the dns_cache limit.
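As an added example (not code from the thread), a Python tally of the "quota reached" lines from the named log, complementing the live tcpdump view: it counts refused connections per client address and flags per-minute bursts, which points at the machine that is exhausting BIND's tcp-clients limit. The log lines below are constructed in the format the question quotes, using documentation-range addresses.

```python
import re
from collections import Counter

# Matches the named syslog line quoted in the question, e.g.
# "Nov 13 16:49:46 ns1 named[6499]: client 76.x.x.x#1673: no more TCP clients: quota reached"
# "no more recursive clients: quota reached" is the same kind of message for the recursive-clients limit.
QUOTA_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"no more (?P<kind>TCP|recursive) clients: quota reached$"
)

# Constructed sample log (TEST-NET addresses), not the thread's real data.
SAMPLE_LOG = """\
Nov 13 16:49:46 ns1 named[6499]: client 192.0.2.10#1673: no more TCP clients: quota reached
Nov 13 16:49:47 ns1 named[6499]: client 192.0.2.10#1674: no more TCP clients: quota reached
Nov 13 16:49:47 ns1 named[6499]: client 192.0.2.10#1675: no more TCP clients: quota reached
Nov 13 16:49:48 ns1 named[6499]: client 198.51.100.7#53011: no more recursive clients: quota reached
Nov 13 16:49:48 ns1 named[6499]: client 192.0.2.10#1676: no more TCP clients: quota reached
Nov 13 16:49:49 ns1 named[6499]: client 192.0.2.10#1677: no more TCP clients: quota reached
Nov 13 16:50:02 ns1 named[6499]: zone example.com/IN: loaded serial 2012111301
""".splitlines()

def parse_quota_events(lines):
    """Yield (timestamp, client_ip, kind) for every quota-reached line; other lines are skipped."""
    for line in lines:
        m = QUOTA_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("kind")

def top_clients(lines, n=3):
    """Count refused connections per client address; the busiest address is the one to inspect."""
    counts = Counter(ip for _, ip, _ in parse_quota_events(lines))
    return counts.most_common(n)

def bursts(lines, threshold=5):
    """Return {(ip, 'Mon DD HH:MM'): count} for client/minute pairs at or above threshold."""
    per_minute = Counter()
    for ts, ip, _ in parse_quota_events(lines):
        per_minute[(ip, ts[:-3])] += 1   # drop the seconds field to bucket by minute
    return {k: v for k, v in per_minute.items() if v >= threshold}

if __name__ == "__main__":
    for ip, count in top_clients(SAMPLE_LOG):
        print(f"{ip:16} {count} refusals")
    for (ip, minute), count in bursts(SAMPLE_LOG).items():
        print(f"burst: {ip} hit the quota {count} times during {minute}")
```

Run it against /var/log/messages (e.g. `top_clients(open("/var/log/messages"))`) to get the address to chase; the tcp-clients option in named.conf raises the ceiling, but the offending client still needs fixing.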
marchopkins (ASKER)
Sandeep, is that a command that I need to run, or? I tried running it and got "command not found".
Where do I look to see/change/edit my dns_cache?
It is in the named.conf configuration.
Are you using forwarders?
This might be what causes your issue, i.e. you forward requests and at times there are more requests. With forwarders the caching mechanism might be reduced. Make sure you have a hints file configured:
dig @a.root-servers.net . NS > hints.root
Then reference this file in the zone "." definition.
Removing/commenting out the forwarders.
You should also consider defining private IP space to exclude their lookups being sent out.
10.0.0.0/8
172.16.0.0/12
192.168.0.0/24

You can use rndc USR1 to raise the debug level of named so that you can see what is going on
//
// named.conf for Red Hat caching-nameserver
//

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         // query-source address * port 53;
};
No results for the dig on the hints file.
Wait, here is the content of my hints.root file. Is there something I need to adjust in here?


; <<>> DiG 9.2.4 <<>> @a.root-servers.net . NS
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34521
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13

;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.

;; ADDITIONAL SECTION:
l.root-servers.net.     3600000 IN      A       199.7.83.42
l.root-servers.net.     3600000 IN      AAAA    2001:500:3::42
f.root-servers.net.     3600000 IN      A       192.5.5.241
f.root-servers.net.     3600000 IN      AAAA    2001:500:2f::f
d.root-servers.net.     3600000 IN      A       128.8.10.90
d.root-servers.net.     3600000 IN      AAAA    2001:500:2d::d
k.root-servers.net.     3600000 IN      A       193.0.14.129
k.root-servers.net.     3600000 IN      AAAA    2001:7fd::1
h.root-servers.net.     3600000 IN      A       128.63.2.53
h.root-servers.net.     3600000 IN      AAAA    2001:500:1::803f:235
g.root-servers.net.     3600000 IN      A       192.112.36.4
a.root-servers.net.     3600000 IN      A       198.41.0.4
a.root-servers.net.     3600000 IN      AAAA    2001:503:ba3e::2:30

;; Query time: 224 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Fri Nov 16 15:35:06 2012
;; MSG SIZE  rcvd: 508
Your named file has no configuration entries.
Nothing here has the hints zone:

zone "." {
      type hint;
      file "root.hints";
};

Your named file then uses /etc/resolv.conf data to which it sends the requests.
Add the above to your named.conf file and see if you can look up stuff.
Restart/reload named.

dig +trace @localhost www.experts-exchange.com. A

And see where requests are being sent to get the answer
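As an added example (not code from the thread), a checker for the hints file arnold describes: it parses records in the format of the dig output shown above, counts the root NS entries, and flags any server that has no A/AAAA glue. In the thread's own hints.root the 508-byte UDP answer carries glue for only seven of the thirteen servers, so b, c, e, i, j and m would be reported as missing; `dig +tcp @a.root-servers.net . NS`, or the named.root file published by InterNIC, gives a complete set. The sample below is a constructed three-server excerpt.

```python
import re

# One resource record as dig prints it (and as a hints file stores it), e.g.
# ".                       518400  IN      NS      l.root-servers.net."
# "l.root-servers.net.     3600000 IN      A       199.7.83.42"
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>\S+)$")

# Constructed excerpt in the shape of the thread's dig output: three NS records,
# glue for only two of them (a hints file saved from a 512-byte UDP answer looks like this).
SAMPLE_HINTS = """\
;; ANSWER SECTION:
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.

;; ADDITIONAL SECTION:
l.root-servers.net.     3600000 IN      A       199.7.83.42
l.root-servers.net.     3600000 IN      AAAA    2001:500:3::42
a.root-servers.net.     3600000 IN      A       198.41.0.4
"""

def parse_hints(text):
    """Return (root_ns, glue): the root NS names and {server name: [addresses]}.
    Lines starting with ';' (dig comments and section headers) and blank lines are ignored."""
    root_ns, glue = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        name, rtype, rdata = m.group("name").lower(), m.group("type"), m.group("rdata")
        if name == "." and rtype == "NS":
            root_ns.append(rdata.lower())
        elif rtype in ("A", "AAAA"):
            glue.setdefault(name, []).append(rdata)
    return root_ns, glue

def check_hints(text, expected=13):
    """Report the NS count against the expected 13 root servers and any NS with no glue address."""
    root_ns, glue = parse_hints(text)
    missing = sorted(ns for ns in root_ns if ns not in glue)
    return {"ns_count": len(root_ns), "expected": expected, "missing_glue": missing}

if __name__ == "__main__":
    report = check_hints(SAMPLE_HINTS, expected=3)
    print(f"{report['ns_count']} of {report['expected']} root NS present")
    for ns in report["missing_glue"]:
        print(f"no glue for {ns}: named must first resolve it through another root server")
```

Point it at the real file with `check_hints(open("/var/named/named.ca").read())`; a server listed without glue is not unusable, but named has to learn its address through the servers that do have glue, so a hints file with little glue and an unreachable upstream fails exactly as the SERVFAIL in the question did.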
Here is the very top portion of my named.conf file.  For hints it looks like it looks to named.ca, which is where all of my nameservers in the past have looked to get to the Authoritative servers.

//
// named.conf for Red Hat caching-nameserver
//

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         // query-source address * port 53;
        allow-transfer {none;};
};

//
// a caching only nameserver config
//
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
};

zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
};
ASKER CERTIFIED SOLUTION
arnold
I'm unsure as to how to execute on some of these postings, but overall, it's good information.