Limiting Concurrent TCP Clients

5.18.1 Problem

You want to limit the number of concurrent TCP clients a name server handles.

5.18.2 Solution

Use the BIND 9 tcp-clients options substatement. For example:

options {
 directory "/var/named";
 tcp-clients 500;
};

The default limit is 100 TCP clients.

5.18.3 Discussion

The limit on TCP clients applies to both discrete TCP queries and TCP zone transfers. A name server probably won't receive many TCP-based queries from resolvers, since nearly all resolvers send UDP-based queries by default. Most zone transfer requests, however, are TCP-based so don't set the limit lower than transfers-out.

Remember that the operating system places a limit on the number of file descriptors available to the named process, and each TCP connection to the name server uses one of these. If you make the tcp-clients limit higher than the OS-imposed limit, it's possible the name server will run out of file descriptors, which it needs for reading and writing zone data files and listening for control messages.

If a name server reaches the limit on TCP clients, it will refuse those TCP-based queries and you'll see messages like this one in its syslog output:

named[579]: client 192.168.0.11#1567: no more TCP clients: quota reached

Check whether the TCP queries the name server is serving are legitimate (e.g., not part of some distributed denial of service attack). If they are, raise the limit to accommodate them.

There's no corresponding substatement in BIND 8.

5.18.4 See Also

Section 5.17, for limiting concurrent zone transfers.

Getting Started

Zone Data

BIND Name Server Configuration

Electronic Mail

BIND Name Server Operations

Delegation and Registration

Security

Interoperability and Upgrading

Resolvers and Programming

Logging and Troubleshooting

IPv6



DNS & BIND Cookbook
DNS & BIND Cookbook
ISBN: 0596004109
EAN: 2147483647
Year: 2005
Pages: 220
Authors: Cricket Liu

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net