Bind: named stops serving recursive queries

Solution Unverified - Updated -

Environment

  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 5

Issue

named stops serving recursive queries.
After a while, the following message appears in the logs:

recursive-clients soft limit exceeded, aborting oldest query

Resolution

There are several possible causes for this log message to appear:

  1. When the limit is reached due to a DoS attack.

    Check how many queries requiring recursive resolution are arriving per unit of time, and verify whether the clients sending them are trusted sources.

    If something like a DoS attack is occurring, log lines such as the following may appear (depending on the environment); from them it can be confirmed that numerous queries are arriving from one specific sender within a single second.

    10-Oct-2024 10:06:39.211 security: warning: client @0x123g456ab789 xx.12.34.111#34766 (xxx.11.100.in-addr.arpa): RFC 1918 response from Internet for xxx.11.100.in-addr.arpa
    10-Oct-2024 10:06:39.215 security: warning: client @0x123g456ab789 xx.12.34.111#34766 (xxx.12.24.101.in-addr.arpa): RFC 1918 response from Internet for xxx.12.24.101.in-addr.arpa
    10-Oct-2024 10:06:39.215 security: warning: client @0x123g456ab789 xx.12.34.111#34766 (xxx.13.24.102.in-addr.arpa): RFC 1918 response from Internet for xxx.13.24.102.in-addr.arpa
    10-Oct-2024 10:06:39.234 security: warning: client @0x123g456ab7890 xx.12.34.111#34766 (xxx.14.26.103.in-addr.arpa): RFC 1918 response from Internet for xxx.14.26.103.in-addr.arpa
    10-Oct-2024 10:06:39.257 security: warning: client @0x123g456ab789 xx.12.34.111#34766 (xxx.15.24.104.in-addr.arpa): RFC 1918 response from Internet for xxx.15.24.104.in-addr.arpa
    10-Oct-2024 10:06:39.266 security: warning: client @0x123g456ab789 xx.12.34.111#34766 (xxx.16.24.105.in-addr.arpa): RFC 1918 response from Internet for xxx.16.24.105.in-addr.arpa
    10-Oct-2024 10:06:39.271 security: warning: client @0x123g456ab789 xx.12.34.111#34766 (xxx.17.26.106.in-addr.arpa): RFC 1918 response from Internet for xxx.17.26.106.in-addr.arpa
    10-Oct-2024 10:06:39.308 security: warning: client @0x123g456ab789 xx.12.34.111#34766 (xxx.18.24.107.in-addr.arpa): RFC 1918 response from Internet for xxx.18.24.107.in-addr.arpa
    10-Oct-2024 10:06:39.409 security: warning: client @0x123g456ab789 xx.12.34.111#34766 (xx.19.26.108.in-addr.arpa): RFC 1918 response from Internet for xx.19.26.108.in-addr.arpa
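
The check described above (queries per sender per second) can be automated. The following script is an added example, not part of this solution: it parses named security log lines of the format shown, counts events per client address per wall-clock second, and reports clients at or above a threshold. The log lines, addresses (from the RFC 5737 documentation ranges) and the threshold are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the client portion of a named log line such as
#   "10-Oct-2024 10:06:39.211 security: warning: client @0x... 192.0.2.10#34766 (qname): ..."
# The "@0x..." client handle is optional because older BIND versions omit it.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"(?P<category>[\w-]+): (?P<severity>\w+): client (?:@\S+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname>[^)]*)\)"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname) for a client event, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("ip"), m.group("qname")


def queries_per_second(lines):
    """Count client log events per (client IP, wall-clock second)."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, _ = parsed
            counts[(ip, ts)] += 1
    return counts


def flooding_clients(lines, threshold):
    """Return [(ip, second, count)] for client/second pairs at or above threshold, busiest first."""
    hits = [(ip, ts, n) for (ip, ts), n in queries_per_second(lines).items() if n >= threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


# Constructed sample: one client sends eight reverse lookups inside one second,
# a second client sends two, and one non-client line is present to show it is ignored.
SAMPLE_LINES = """\
10-Oct-2024 10:06:39.211 security: warning: client @0x7f3a1c002b80 192.0.2.10#34766 (100.11.10.10.in-addr.arpa): RFC 1918 response from Internet for 100.11.10.10.in-addr.arpa
10-Oct-2024 10:06:39.215 security: warning: client @0x7f3a1c002b80 192.0.2.10#34766 (101.11.10.10.in-addr.arpa): RFC 1918 response from Internet for 101.11.10.10.in-addr.arpa
10-Oct-2024 10:06:39.218 security: warning: client @0x7f3a1c002b80 192.0.2.10#34766 (102.11.10.10.in-addr.arpa): RFC 1918 response from Internet for 102.11.10.10.in-addr.arpa
10-Oct-2024 10:06:39.234 security: warning: client @0x7f3a1c002b80 192.0.2.10#34766 (103.11.10.10.in-addr.arpa): RFC 1918 response from Internet for 103.11.10.10.in-addr.arpa
10-Oct-2024 10:06:39.257 security: warning: client @0x7f3a1c002b80 192.0.2.10#34766 (104.11.10.10.in-addr.arpa): RFC 1918 response from Internet for 104.11.10.10.in-addr.arpa
10-Oct-2024 10:06:39.266 security: warning: client @0x7f3a1c002b80 192.0.2.10#34766 (105.11.10.10.in-addr.arpa): RFC 1918 response from Internet for 105.11.10.10.in-addr.arpa
10-Oct-2024 10:06:39.271 security: warning: client @0x7f3a1c002b80 192.0.2.10#34766 (106.11.10.10.in-addr.arpa): RFC 1918 response from Internet for 106.11.10.10.in-addr.arpa
10-Oct-2024 10:06:39.308 security: warning: client @0x7f3a1c002b80 192.0.2.10#34766 (107.11.10.10.in-addr.arpa): RFC 1918 response from Internet for 107.11.10.10.in-addr.arpa
10-Oct-2024 10:06:39.300 security: warning: client @0x7f3a1c00a110 198.51.100.7#51234 (1.1.168.192.in-addr.arpa): RFC 1918 response from Internet for 1.1.168.192.in-addr.arpa
10-Oct-2024 10:06:39.450 security: warning: client @0x7f3a1c00a110 198.51.100.7#51234 (2.1.168.192.in-addr.arpa): RFC 1918 response from Internet for 2.1.168.192.in-addr.arpa
10-Oct-2024 10:06:40.010 security: warning: client @0x7f3a1c002b80 192.0.2.10#34766 (108.11.10.10.in-addr.arpa): RFC 1918 response from Internet for 108.11.10.10.in-addr.arpa
10-Oct-2024 10:06:40.100 general: info: received control channel command 'status'
""".splitlines()

if __name__ == "__main__":
    # Threshold of 5 events per client per second is an assumed value; tune it to the baseline of the server.
    for ip, second, count in flooding_clients(SAMPLE_LINES, threshold=5):
        print(f"{second:%Y-%m-%d %H:%M:%S}  {ip:<16} {count} queries in one second")
```

Run it against a real log with `flooding_clients(open("/var/log/named/security.log"), 50)` or similar; a client that appears in the report repeatedly over consecutive seconds is the one whose traffic should be examined and, if untrusted, rate-limited or blocked at the firewall rather than by raising recursive-clients.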
    
  2. The limit values need tuning for the normal load.

    If the limit is being reached under normal load, raise recursive-clients in /etc/named.conf, for example:

    options {
    <existing lines>
    recursive-clients 2000;
    };
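
Before raising the limit, it helps to know how close the server actually runs to its quota. The following script is an added example, not part of this solution: it reads the `recursive clients: current/soft/hard` line that `rndc status` prints, classifies the headroom, and works out a recursive-clients value whose soft quota leaves a margin above an observed peak. The rule used for the soft quota (100 below the hard limit when the limit exceeds 1000, otherwise 10% below it) is taken from the BIND 9 source and is an assumption to verify against the version in use; the status text and the peak value are constructed.

```python
import re

# Line printed by `rndc status`, e.g. "recursive clients: 870/900/1000" (current/soft/hard).
STATUS_RE = re.compile(r"^recursive clients:\s*(\d+)/(\d+)/(\d+)\s*$", re.M)


def soft_quota(recursive_clients):
    """Soft quota BIND 9 derives from the recursive-clients hard limit.
    Assumption from the BIND 9 source: limit - 100 above 1000 clients, otherwise limit - 10%."""
    if recursive_clients > 1000:
        return recursive_clients - 100
    return recursive_clients - recursive_clients // 10


def parse_recursive_clients(status_text):
    """Return (current, soft, hard) from rndc status output, or None if the line is absent."""
    m = STATUS_RE.search(status_text)
    return tuple(int(x) for x in m.groups()) if m else None


def headroom(status_text, warn_ratio=0.9):
    """Classify usage: CRITICAL at or above the soft quota (the 'soft limit exceeded'
    message is being logged), WARNING above warn_ratio of it, OK otherwise."""
    parsed = parse_recursive_clients(status_text)
    if parsed is None:
        return "UNKNOWN"
    current, soft, _hard = parsed
    if current >= soft:
        return "CRITICAL"
    if current >= warn_ratio * soft:
        return "WARNING"
    return "OK"


def hard_limit_for(peak, margin=0.5, step=100):
    """Smallest multiple of `step` whose soft quota covers peak * (1 + margin).
    The 50% margin is an assumed sizing choice, not a BIND recommendation."""
    target = peak * (1 + margin)
    limit = step
    while soft_quota(limit) < target:
        limit += step
    return limit


# Constructed sample of `rndc status` output (only the lines relevant here).
SAMPLE_STATUS = """\
version: BIND 9.x (constructed sample)
number of zones: 105 (97 automatic)
debug level: 0
recursive clients: 870/900/1000
tcp clients: 3/150
server is up and running
"""

if __name__ == "__main__":
    current, soft, hard = parse_recursive_clients(SAMPLE_STATUS)
    print(f"recursive clients {current}/{soft}/{hard}: {headroom(SAMPLE_STATUS)}")
    print(f"suggested recursive-clients for a peak of {current}: {hard_limit_for(current)}")
```

On a live server, feed it the real output with `parse_recursive_clients(subprocess.run(["rndc", "status"], capture_output=True, text=True).stdout)`, and after editing /etc/named.conf run `named-checkconf` before `rndc reload`; if `rndc status` shows the current count sitting at the soft quota for long periods while the query rate is legitimate, the limit is too low, whereas a count that spikes only when one client floods points back to cause 1.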
    
  3. There is a bug in the bind package.

    If this log message appears because of a temporary load, and the logging stops but named itself remains unresponsive and requires a restart, a bug should be suspected.

    For example, when using RHEL5.8 with version 9.3.6-20.P1.el5_8.1, it was necessary to update to bind97-9.7.0-10.P2.el5_8.5 or later due to a bug.

Root Cause

About a bug in RHEL5.8

* When authoritative servers did not return a Start of Authority (SOA) record,
the "named" daemon failed to cache and return answers. A patch has been
provided to address this issue and "named" is now able to handle such
under-performing servers correctly. (BZ#883402)

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
