
Question: clients-per-query log entries appearing in the messages file

火星人 @ 2014-03-04, reply:0


BIND 9.4.2
A large number of the following log entries appear in the messages file:
Jun 13 14:24:50 dns named: client 219.XX.XX.XX#33049: RFC 1918 response from Internet for 32.15.16.172.in-addr.arpa
Jun 13 14:26:46 dns named: client  219.XX.XX.XX#65334: RFC 1918 response from Internet for 11.16.16.172.in-addr.arpa
Jun 13 14:31:02 dns named: client  219.XX.XX.XX#8950: RFC 1918 response from Internet for 41.12.16.172.in-addr.arpa
Jun 13 14:33:46 dns named: client  219.XX.XX.XX#8316: RFC 1918 response from Internet for 40.13.16.172.in-addr.arpa
Jun 13 14:35:02 dns named: client  219.XX.XX.XX#43511: RFC 1918 response from Internet for 2.1.168.192.in-addr.arpa
Jun 14 10:28:29 dns named: clients-per-query decreased to 13
Jun 14 10:48:29 dns named: clients-per-query decreased to 12
Jun 14 11:08:29 dns named: clients-per-query decreased to 11
Jun 14 11:14:03 dns named: client  219.XX.XX.XX#49587: RFC 1918 response from Internet for 200.0.168.192.in-addr.arpa
Jun 14 11:28:29 dns named: clients-per-query decreased to 10
Jun 14 11:34:14 dns named: clients-per-query increased to 11

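The DNS server resolves normally most of the time, with occasional timeouts. I suspect some users are infected with a virus or there is an attack. As for the "RFC 1918 response from Internet for 2.1.168.192.in-addr.arpa" messages, my understanding is that some users are making large numbers of reverse lookups for names in private IP ranges such as 192, 10 and 172. But what do "clients-per-query decreased" and "clients-per-query increased" mean?
《Solution》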

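"Jun 14 10:28:29 dns named: clients-per-query decreased to 13
Jun 14 10:48:29 dns named: clients-per-query decreased to 12
Jun 14 11:08:29 dns named: clients-per-query decreased to 11

The DNS server resolves normally most of the time, with occasional timeouts."

I get this message too. What does it mean? Is it something bad? Is there a problem? Is it related to "the DNS server resolves normally most of the time, with occasional timeouts"?
《Solution》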

"clients-per-query, max-clients-per-query These set the initial value (minimum) and maximum number
of recursive simultaneous clients for any given query (<qname,qtype,qclass>) that the server will
accept before dropping additional clients. named will attempt to self tune this value and changes
will be logged. The default values are 10 and 100.
This value should reflect how many queries come in for a given name in the time it takes to resolve
that name. If the number of queries exceeds this value, named will assume that it is dealing with a
non-responsive zone and will drop additional queries. If it gets a response after dropping queries,
it will raise the estimate. The estimate will then be lowered in 20 minutes if it has remained
unchanged.
If clients-per-query is set to zero, then there is no limit on the number of clients per query and no
queries will be dropped.
If max-clients-per-query is set to zero, then there is no upper bound other than imposed by
recursive-clients."

Question: are clients-per-query and max-clients-per-query normally set? What values are generally appropriate?
《Solution》

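The defaults are generally fine and do not need changing. Judging from the symptoms, it looks like a machine on the network is infected.
《Solution》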

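Thanks, moderator. So it seems the defaults are generally used. When browsing, for example opening hao123.com and then clicking seven or eight of the sites on it at random, some of them time out on resolution and fail to open. I have to refresh repeatedly. I can't figure out whether this is a BIND configuration problem, infected machines on the network, or insufficient bandwidth. Heh.
This happens especially when many users are online. At night, when nobody is online, from what I have observed the problem does not seem to occur.
If it is caused by an infected machine, how do I locate that machine? Protocol analysis?

[ This post was last edited by forx86 on 2009-2-27 09:53 ]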
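
An added example, not part of the thread: one way to start on the question of which clients are behind these messages is to tally the "RFC 1918 response from Internet" lines per client address and list the clients-per-query adjustments in order. The sample log is constructed in the format shown above with placeholder client addresses, and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown in the thread; the client
# addresses are documentation-range placeholders, not values from the post.
SAMPLE_LOG = """\
Jun 13 14:24:50 dns named: client 192.0.2.10#33049: RFC 1918 response from Internet for 32.15.16.172.in-addr.arpa
Jun 13 14:26:46 dns named: client  192.0.2.10#65334: RFC 1918 response from Internet for 11.16.16.172.in-addr.arpa
Jun 13 14:35:02 dns named: client  198.51.100.7#43511: RFC 1918 response from Internet for 2.1.168.192.in-addr.arpa
Jun 14 10:28:29 dns named: clients-per-query decreased to 13
Jun 14 10:48:29 dns named: clients-per-query decreased to 12
Jun 14 11:14:03 dns named: client  192.0.2.10#49587: RFC 1918 response from Internet for 200.0.168.192.in-addr.arpa
Jun 14 11:34:14 dns named: clients-per-query increased to 13
"""

# named may log with or without a [pid] suffix; whitespace after "client" varies.
RFC1918_RE = re.compile(
    r"named(?:\[\d+\])?: client\s+(?P<ip>[^#\s]+)#\d+: "
    r"RFC 1918 response from Internet for (?P<name>\S+)"
)
CPQ_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) .*named(?:\[\d+\])?: "
    r"clients-per-query (?P<dir>increased|decreased) to (?P<val>\d+)"
)

def summarize(lines):
    """Return (RFC 1918 message count per client, names per client, tuning events)."""
    per_client = Counter()
    names = {}
    cpq_events = []
    for line in lines:
        m = RFC1918_RE.search(line)
        if m:
            per_client[m["ip"]] += 1
            names.setdefault(m["ip"], set()).add(m["name"])
            continue
        m = CPQ_RE.search(line)
        if m:
            cpq_events.append((m["ts"], m["dir"], int(m["val"])))
    return per_client, names, cpq_events

if __name__ == "__main__":
    counts, names, events = summarize(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip}: {n} RFC 1918 messages, {len(names[ip])} distinct names")
    for ts, direction, val in events:
        print(f"{ts}: clients-per-query {direction} to {val}")
```

Run against the real messages file, the clients at the top of the per-client count are the first ones to inspect, and the timestamps of the tuning events can be compared with the times users report timeouts.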


http://coctec.com/docs/service/show-post-24252.html