Limiting Concurrent TCP Clients
5.18.1 Problem
You want to limit the number of concurrent TCP clients a name server handles.
5.18.2 Solution
Use the BIND 9 tcp-clients options substatement. For example:
options {
    directory "/var/named";
    tcp-clients 500;
};
The default limit is 100 TCP clients.
5.18.3 Discussion
The limit on TCP clients applies to both discrete TCP queries and TCP zone transfers. A name server probably won't receive many TCP-based queries from resolvers, since nearly all resolvers send UDP-based queries by default. Most zone transfer requests, however, are TCP-based, so don't set the limit lower than transfers-out.
Remember that the operating system places a limit on the number of file descriptors available to the named process, and each TCP connection to the name server uses one of these. If you make the tcp-clients limit higher than the OS-imposed limit, it's possible the name server will run out of file descriptors, which it needs for reading and writing zone data files and listening for control messages.
If a name server reaches the limit on TCP clients, it will refuse any further TCP-based queries until a connection closes, and you'll see messages like this one in its syslog output:
named[579]: client 192.168.0.11#1567: no more TCP clients: quota reached
Check whether the TCP queries the name server is serving are legitimate (e.g., not part of some distributed denial of service attack). If they are, raise the limit to accommodate them.
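Added example (not from the cookbook or from BIND itself): a small Python helper that pulls the "quota reached" refusals out of syslog, counts them per client so you can see whether the TCP load comes from a few sources or is spread across many, and applies the recipe's rule that tcp-clients must not be set below transfers-out. The log lines are constructed to match the message format shown above; the hypothetical top_talkers threshold and the transfers_out value are assumptions, not BIND defaults.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format BIND 9 uses for the refusal
# message shown above (not captured from a real server).
SAMPLE_LOG = """\
Mar  3 10:01:12 ns1 named[579]: client 192.168.0.11#1567: no more TCP clients: quota reached
Mar  3 10:01:13 ns1 named[579]: client 192.168.0.11#1570: no more TCP clients: quota reached
Mar  3 10:01:14 ns1 named[579]: client 10.0.0.7#41022: no more TCP clients: quota reached
Mar  3 10:01:15 ns1 named[579]: zone example.com/IN: sending notifies (serial 2003030301)
Mar  3 10:01:16 ns1 named[579]: client 192.168.0.11#1580: no more TCP clients: quota reached
"""

# Matches "client <ip>#<port>: no more TCP clients: quota reached".
QUOTA_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[0-9A-Fa-f.:]+)#\d+: no more TCP clients: quota reached"
)

BIND9_TCP_CLIENTS_DEFAULT = 100  # default stated in the recipe


def quota_hits(log_text):
    """Count, per client IP, how many TCP connections were refused because
    the tcp-clients quota was reached. Unrelated lines are ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        m = QUOTA_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def top_talkers(log_text, share=0.5):
    """Clients responsible for at least `share` of all refusals (hypothetical
    threshold). One dominant source points to abuse rather than legitimate
    load, which is the check the recipe asks you to make before raising the limit."""
    hits = quota_hits(log_text)
    total = sum(hits.values())
    return sorted(ip for ip, n in hits.items() if total and n / total >= share)


def check_tcp_quota(tcp_clients, transfers_out):
    """Apply the recipe's rule: tcp-clients must not be lower than transfers-out.
    tcp_clients=None means the option is unset, i.e. the BIND 9 default of 100.
    Returns (ok, effective_tcp_clients)."""
    effective = BIND9_TCP_CLIENTS_DEFAULT if tcp_clients is None else tcp_clients
    return effective >= transfers_out, effective
```

Feed it the output of something like `grep 'quota reached' /var/log/messages`; if top_talkers returns one address, look at that client before touching tcp-clients.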
There's no corresponding substatement in BIND 8.
5.18.4 See Also
Section 5.17, for limiting concurrent zone transfers.