Hi Greg,

Thanks so much, your last paragraph makes sense.

I guess what I would expect, and excuse me if this reasoning is flawed, is that BIND could use different queues/priorities for external/internal domains. E.g. if after parsing the necessary query fields I see that I'm authoritative for the requested zone, and I have its data stored locally, I can reply straight away without a timeout/SERVFAIL and keep my internal ".local" domains running OK, while other queries that have to go to the root servers would go straight to the recursive-clients quota.

Anyway, thanks a lot for your reply and for running the Internet for so many years :D

Thanks!
Pedro

On Fri, 8 Nov 2024 at 11:43, Greg Choules (<g...@isc.org>) wrote:

> Hello Pedro.
> Firstly, which version of BIND are you running?
> Generally, though, increasing `recursive-clients` on a box with a decent amount of power and RAM is not an issue: 50k, or even bigger, should be fine. But please test it first. We have discussed raising the default but we’re not quite ready to make that change in a major release just yet.
>
> Be aware, though, that if the resolver can’t get answers, it will probably SERVFAIL clients and the larger the backlog of clients the longer it will take to get around to responding to them, by which time they are likely to have timed out and be retrying anyway.
>
> I hope that helps.
> Greg
>
>
> On 8 Nov 2024, at 10:20, Pedro García Segura <pedr...@gmail.com> wrote:
> >
> > Hello,
> >
> > Recently we had an Internet outage that lasted for a few hours and quickly filled the recursive clients quota (set at 1000) since most Internet-bound recursive queries timed out, and our network is huge.
> >
> > This also affected recursive queries to internal authoritative domains, thus interrupting access to critical internal resources which don't have any Internet/SaaS dependencies.
> >
> > I'm having a hard time understanding the default recursive max quota being set at 100 by default, since most modern servers now have RAM to spare, and it's a bit scary to think that another Internet outage may happen again and internal critical services may not be able to resolve internal authoritative zones.
> >
> > Can anyone give some insight into this issue? Can I just configure a huge number of maximum recursive clients (say 50k) to "absorb" the Internet-bound queries that are timing out and be able to respond to client requests for internal authoritative zones?
> >
> > I'm probably missing something, so thanks a lot for your understanding!
> >
> > Cheers!
> > Pedro
> > --
> > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> >
> > ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> >
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> >