On 08/11/2024 11.20, Pedro García Segura wrote:
I'm having a hard time understanding the default recursive max quota being set at 100 by default, since most modern servers now have RAM to spare, and it's a bit scary to think that another Internet outage may happen again and internal critical services may not be able to resolve internal authoritative zones. Can anyone give some insight into this issue? Can I just configure a huge number of maximum recursive clients (say 50k) to "absorb" the internet-bound queries that are timing out and be able to respond to client requests for internal authoritative zones?
Hi Pedro,

In general, limits like this help to protect the server against various kinds of attacks and abuse. That's the reason why we tend to be more conservative with our defaults. As an example, large recursive-clients and max-clients-per-query limits could be abused for the DNSBomb attack (see https://gitlab.isc.org/isc-projects/bind9/-/issues/4398#note_441860 for details).

With that said, if your server is used by trusted clients and/or you have other means of deflecting and handling abuse/attacks, it should be fine to raise these default limits significantly, depending on the number of clients you serve and the resources you have available.

--
Nicki Křížek (they/them)
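As an added example (not from either message, and not ISC's recommended settings), the following named.conf `options` fragment applies the caveat in the reply: it raises recursive-clients for a resolver that serves only trusted internal clients, while keeping the other controls that bound abuse. The ACL name, the address prefixes and every numeric value are assumptions to be sized to your own client count and memory.

```conf
// Added example: raising BIND recursion limits only for trusted clients,
// with abuse controls kept in place. ACL name, prefixes and numbers are
// assumptions, not values from the thread.

acl "internal-clients" { 10.0.0.0/8; 192.168.0.0/16; localhost; };

options {
    // Only the trusted networks may recurse; all other sources are refused,
    // so the larger limits below are not exposed to the open Internet.
    allow-recursion { "internal-clients"; };

    // Concurrent recursive lookups the server will hold open. Raised so a
    // burst of slow or timing-out Internet lookups does not consume every
    // slot needed for other queries. Each slot costs memory, so this is
    // bounded by the RAM and the number of clients actually served.
    recursive-clients 10000;

    // How many clients may wait on one outstanding fetch for the same
    // name/type. The reply names max-clients-per-query as a limit that is
    // abusable when set very high, so it is kept at a moderate value.
    clients-per-query 20;
    max-clients-per-query 100;

    // Fetch limits: once this many fetches are outstanding for one zone or
    // one authoritative server, further ones are dropped (SERVFAIL) rather
    // than queuing up and tying down recursive-clients slots while an
    // upstream is unreachable.
    fetches-per-zone 200;
    fetches-per-server 500;

    // Give up on a stuck resolution sooner (value in milliseconds) so the
    // slot is recycled instead of being held for the full default timeout.
    resolver-query-timeout 5000;
};
```

Check the effective limits with `rndc status`, whose "recursive clients" line reports current usage against the configured quota.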