>>>After a recent upgrade to our BIND server, I'm seeing this in the logs:
>>>
>>>Sep 5 15:11:29 nico named[32448]: client 216.220.96.18#40672: no more
>>>recursive clients: quota reached
>>>Sep 5 15:11:29 nico named[32449]: client 216.220.96.18#40672: no more
>>>recursive clients: quota reached
>>>
>>>And no more queries are done.
>>>

>>
>>bind doesn't really tell you why it's full, or what to do to clean it,

>
>
> Turn on query logging to see what queries you're receiving and where
> from. If they look legitimate, then you should just increase the quota.
> If it looks excessive, try to figure out where the excess queries are
> coming from and stop them.


The problem is that the query might be legitimate, but unfortunately the
domains are unreachable, and nobody knows which domains or which servers.
Most of the time it's not the clients' problem that the recursive query is
full: if google.com becomes unreachable, the whole recursive clients queue
will get full, and by looking at the query log you don't see anything wrong.

What's worse, even if you miraculously discover the domain, bind9
refuses, even for +norec requests, to show you the A RRs for the
nameservers it is flooding. So the next step is to miraculously discover
the A RRs. You can definitely forget about scripting this; you need to
call your magician to sort these things out manually for you. Shouldn't
this be a little bit more straightforward :-)?

Ladislav
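
The query-log triage suggested in the quoted reply can be scripted as below. This is an added example, not part of the thread: it counts queries per client and per zone and lists the clients that were refused with "quota reached". The query-log line layouts, the two-label zone grouping and all sample addresses and names are assumptions; the log alone cannot show whether a zone's servers are unreachable.

```python
import re
from collections import Counter

# Optional "@0x..." pointer and "(qname)" cover the newer BIND 9 log layout (assumed).
CLIENT = r"client (?:@0x[0-9a-fA-F]+ )?([0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?:"
QUERY = re.compile(CLIENT + r"(?: view \S+:)? query: (\S+) IN (\S+)")
QUOTA = re.compile(CLIENT + r" no more recursive clients: quota reached")


def zone_of(qname):
    """Heuristic grouping key: the last two labels of the query name."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def summarize(lines):
    """Count queries per client and per zone, and quota rejections per client."""
    clients, zones, rejected = Counter(), Counter(), Counter()
    for line in lines:
        m = QUERY.search(line)
        if m:
            clients[m.group(1)] += 1
            zones[zone_of(m.group(2))] += 1
            continue
        m = QUOTA.search(line)
        if m:
            rejected[m.group(1)] += 1
    return clients, zones, rejected


# Constructed sample: documentation addresses and made-up names, unwrapped lines.
SAMPLE = """\
Sep  5 15:11:27 nico named[32448]: client 192.0.2.10#5301: query: www.slow-zone.example IN A +
Sep  5 15:11:27 nico named[32448]: client 192.0.2.10#5302: query: mail.slow-zone.example IN MX +
Sep  5 15:11:28 nico named[32448]: client 192.0.2.11#5303: query: www.slow-zone.example IN A +
Sep  5 15:11:28 nico named[32448]: client @0x7f3c2c0a1000 192.0.2.12#5304 (ok.example): query: ok.example IN A +E(0)
Sep  5 15:11:29 nico named[32448]: client 192.0.2.11#5305: no more recursive clients: quota reached
""".splitlines()

if __name__ == "__main__":
    clients, zones, rejected = summarize(SAMPLE)
    print("busiest clients:", clients.most_common(3))
    print("busiest zones:  ", zones.most_common(3))
    print("refused clients:", rejected.most_common(3))
```

A zone that dominates the counts while clients are being refused is the first candidate to check by hand.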