Using rndc to Administer BIND

We will explore rndc, which is a new tool with BIND 9 that takes the place of ndc in BIND 8.

First we need to create a key using dnssec-keygen:

[root@srv-3 /root]# dnssec-keygen -a hmac-md5 -b 256 -n user rndc
Krndc.+157+34404
[root@srv-3 /root]# ls
Krndc.+157+34404.key  Krndc.+157+34404.private
[root@srv-3 /root]# cat *.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: I+sFqdOXbs4nUYHAuGqsuKa7VpXLdC6O1XxjGD+LmiM=
[root@srv-3 /root]#

We need to copy the base64 string after Key: into the configuration files. Here are our /etc/named.conf and /etc/rndc.conf with the unrelated sections snipped out:

[root@srv-3 /root]# cat /etc/named.conf
----  cut ----
key rndc {
algorithm hmac-md5 ;
secret "I+sFqdOXbs4nUYHAuGqsuKa7VpXLdC6O1XxjGD+LmiM=";
};
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc; };
};
----  cut ----
[root@srv-3 /root]# cat /etc/rndc.conf
key rndc {
algorithm "hmac-md5";
secret "I+sFqdOXbs4nUYHAuGqsuKa7VpXLdC6O1XxjGD+LmiM=";
};
options {
default-server localhost;
default-key    rndc;
};
[root@srv-3 /root]#  

Be careful about who can read these files: anyone who can read the secret can control named. You can use an include directive in named.conf so that the secret lives in a separate file, which gives you finer control over who can view it.

The above is a simple configuration that only allows you to control named with rndc from a console on the host itself (127.0.0.1). We could also tweak this so that particular workstations can remotely control named by adding their IP addresses to the allow list and changing the IP address that the controls statement listens on. Here is a modified controls section that allows 10.50.100.1 to control named, assuming that 10.50.100.1 has the same key defined in its /etc/rndc.conf:

controls {
inet 10.50.100.52 allow {  10.50.100.52; 10.50.100.1; } keys { rndc; };
};
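As an added example (not from the original post), here is a small Python checker for the setup described above. It resolves an include directive in named.conf, compares the key block that named sees (directly or via the included file) with the one in rndc.conf, checks that the controls statement references a defined key, and flags a key file that is world-readable. The sample configs, the /etc/rndc.key path and the placeholder secret are constructed for the example, and the parser assumes the key/controls syntax shown on this page.

```python
import os
import re
import stat
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration for this example. The secret is a
# placeholder, not a real rndc key; /etc/rndc.key is an assumed path.
FILES = {
    "/etc/named.conf": """
include "/etc/rndc.key";
controls {
    inet 10.50.100.52 allow { 10.50.100.52; 10.50.100.1; } keys { rndc; };
};
""",
    "/etc/rndc.key": """
key rndc {
    algorithm hmac-md5 ;
    secret "PLACEHOLDER-SECRET-NOT-A-REAL-KEY=";
};
""",
    "/etc/rndc.conf": """
key rndc {
    algorithm "hmac-md5";
    secret "PLACEHOLDER-SECRET-NOT-A-REAL-KEY=";
};
options {
    default-server localhost;
    default-key    rndc;
};
""",
}

INCLUDE_RE = re.compile(r'include\s+"([^"]+)"\s*;')
KEY_BLOCK_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{(.*?)\};', re.S)
ALGO_RE = re.compile(r'algorithm\s+"?([\w-]+)"?\s*;')
SECRET_RE = re.compile(r'secret\s+"([^"]+)"\s*;')
INET_RE = re.compile(
    r'inet\s+(\S+)(?:\s+port\s+\d+)?\s+allow\s*\{(.*?)\}\s*keys\s*\{(.*?)\}\s*;',
    re.S,
)


def resolve_includes(text: str, files: Dict[str, str]) -> str:
    """Inline every `include "path";` using the in-memory file map."""
    return INCLUDE_RE.sub(
        lambda m: resolve_includes(files.get(m.group(1), ""), files), text)


def parse_keys(text: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map key name -> (algorithm, secret) for every key block in the text."""
    keys = {}
    for name, body in KEY_BLOCK_RE.findall(text):
        algo = ALGO_RE.search(body)
        secret = SECRET_RE.search(body)
        keys[name] = (algo.group(1).lower() if algo else None,
                      secret.group(1) if secret else None)
    return keys


def parse_controls(text: str) -> List[dict]:
    """Extract each `inet <addr> allow {...} keys {...};` statement."""
    return [
        {"listen": addr,
         "allow": [a.strip() for a in allow.split(";") if a.strip()],
         "keys": [k.strip().strip('"') for k in keys.split(";") if k.strip()]}
        for addr, allow, keys in INET_RE.findall(text)
    ]


def world_readable(mode: int) -> bool:
    """True if the 'other' read bit is set on the given permission bits."""
    return bool(mode & stat.S_IROTH)


def real_file_mode(path: str) -> int:
    """Permission bits of a real file, for running the audit on a live host."""
    return stat.S_IMODE(os.stat(path).st_mode)


def audit(files: Dict[str, str], key_file_mode: int) -> List[str]:
    """Return a list of problems; an empty list means the setup is consistent."""
    named = resolve_includes(files["/etc/named.conf"], files)
    rndc = resolve_includes(files["/etc/rndc.conf"], files)
    server_keys, client_keys = parse_keys(named), parse_keys(rndc)
    findings = []
    controls = parse_controls(named)
    if not controls:
        findings.append("named.conf has no controls/inet statement; rndc cannot connect")
    for c in controls:
        for k in c["keys"]:
            if k not in server_keys:
                findings.append(f"controls references key '{k}' that named.conf never defines")
            elif k not in client_keys:
                findings.append(f"key '{k}' is missing from rndc.conf")
            elif server_keys[k] != client_keys[k]:
                findings.append(f"key '{k}' (algorithm or secret) differs between named.conf and rndc.conf")
    if world_readable(key_file_mode):
        findings.append("key file is world-readable; anyone on the host can read the rndc secret")
    return findings


if __name__ == "__main__":
    for f in audit(FILES, 0o640) or ["no problems found"]:
        print(f)
    # Same configs with a mismatched client secret and a 0644 key file.
    bad = {**FILES, "/etc/rndc.conf": FILES["/etc/rndc.conf"].replace("PLACEHOLDER", "OTHER")}
    for f in audit(bad, 0o644):
        print(f)
```

On a real host you would read the files into the map and pass `real_file_mode("/etc/rndc.key")` for the mode; a mode of 0640 with the file owned by root and the group named runs as is the usual target.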

The first thing this command is useful for is reloading named. Note that you do not have to be logged in as root; you just have to have the right key. Pretty cool. 🙂 Here we go:

[root@srv-3 /etc]# rndc -s srv-3 reload
rndc: reload command successful
[root@srv-3 /etc]# tail /var/log/messages
May 10 14:59:23 srv-3 /usr/local/sbin/named[1019]: loading configuration from '/etc/named.conf'
May 10 14:59:24 srv-3 /usr/local/sbin/named[1019]: the default for the 'auth-nxdomain' option is now 'no'
May 10 14:59:24 srv-3 /usr/local/sbin/named[1019]: no IPv6 interfaces found
[root@srv-3 /etc]#

We use the -s option so that rndc connects to srv-3, which resolves to 10.50.100.52 (the address the controls statement now listens on), not 127.0.0.1. Now let's do something a little more interesting. Let's turn on query logging, do a couple of queries, verify the queries in the logs, then turn logging back off and verify that it is off:

[root@srv-3 /etc]# rndc -s srv-3 querylog
rndc: querylog command successful
[root@srv-3 /etc]# ping www.yahoo.com
PING www.yahoo.akadns.net (64.58.76.176) from 10.50.100.52 : 56(84) bytes of data.
[root@srv-3 /etc]# tail /var/log/messages
May 10 15:06:07 srv-3 /usr/local/sbin/named[1019]: query logging is now on
May 10 15:07:02 srv-3 /usr/local/sbin/named[1019]: client 10.50.100.52#1027: query: www.yahoo.com IN A
May 10 15:07:02 srv-3 /usr/local/sbin/named[1019]: client 10.50.100.52#1027: query: 176.76.58.64.in-addr.arpa IN PTR
[root@srv-3 /etc]# rndc -s srv-3 querylog
rndc: querylog command successful
[root@srv-3 /etc]# ping www.yahoo.com
PING www.yahoo.akadns.net (64.58.76.179) from 10.50.100.52 : 56(84) bytes of data.
[root@srv-3 /etc]# tail /var/log/messages
May 10 14:59:11 srv-3 /usr/local/sbin/named[1019]: the default for the 'auth-nxdomain' option is now 'no'
May 10 14:59:11 srv-3 /usr/local/sbin/named[1019]: no IPv6 interfaces found
May 10 14:59:23 srv-3 /usr/local/sbin/named[1019]: loading configuration from '/etc/named.conf'
May 10 14:59:24 srv-3 /usr/local/sbin/named[1019]: the default for the 'auth-nxdomain' option is now 'no'
May 10 14:59:24 srv-3 /usr/local/sbin/named[1019]: no IPv6 interfaces found
May 10 15:06:07 srv-3 /usr/local/sbin/named[1019]: query logging is now on
May 10 15:07:02 srv-3 /usr/local/sbin/named[1019]: client 10.50.100.52#1027: query: www.yahoo.com IN A
May 10 15:07:02 srv-3 /usr/local/sbin/named[1019]: client 10.50.100.52#1027: query: 176.76.58.64.in-addr.arpa IN PTR
May 10 15:07:03 srv-3 /usr/local/sbin/named[1019]: client 10.50.100.52#1027: query: 176.76.58.64.in-addr.arpa IN PTR
May 10 15:07:37 srv-3 /usr/local/sbin/named[1019]: query logging is now off
[root@srv-3 /etc]#
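As an added example that is not part of the original post: once query logging is on, the lines named writes are worth turning into counts rather than reading with tail. This Python script parses the syslog-wrapped query lines shown in the session above (constructed here from that output) and tallies queries per client, per record type and per name, along with the on/off toggles, so you can see exactly what was logged between turning querylog on and off. The regex also tolerates the extra fields newer BIND releases add to query lines, which is an assumption beyond what this page shows.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample: the query-log lines from the session above, as they
# appear in /var/log/messages on the page's BIND 9 host.
SAMPLE_LOG = """\
May 10 15:06:07 srv-3 /usr/local/sbin/named[1019]: query logging is now on
May 10 15:07:02 srv-3 /usr/local/sbin/named[1019]: client 10.50.100.52#1027: query: www.yahoo.com IN A
May 10 15:07:02 srv-3 /usr/local/sbin/named[1019]: client 10.50.100.52#1027: query: 176.76.58.64.in-addr.arpa IN PTR
May 10 15:07:03 srv-3 /usr/local/sbin/named[1019]: client 10.50.100.52#1027: query: 176.76.58.64.in-addr.arpa IN PTR
May 10 15:07:37 srv-3 /usr/local/sbin/named[1019]: query logging is now off
"""

# Standard syslog prefix: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+(?P<prog>\S+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$')
# Query line as logged on this page; the optional "@0x..." and "(name)" pieces
# absorb the longer format newer BIND releases emit (assumption, kept lenient).
QUERY_RE = re.compile(
    r'client (?:@0x[0-9a-f]+ )?(?P<ip>[^\s#]+)#(?P<port>\d+)(?: \([^)]*\))?: '
    r'query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+)')
TOGGLE_RE = re.compile(r'query logging is now (?P<state>on|off)')


def parse_line(line: str) -> Optional[dict]:
    """Return a record for a query or querylog-toggle line, else None."""
    m = SYSLOG_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    q = QUERY_RE.search(rec["msg"])
    if q:
        rec.update(kind="query", **q.groupdict())
        return rec
    t = TOGGLE_RE.search(rec["msg"])
    if t:
        rec.update(kind="toggle", state=t.group("state"))
        return rec
    return None


def summarize(text: str) -> Dict[str, object]:
    """Count queries by client, type and name; collect the on/off toggles."""
    by_client, by_type, by_name = Counter(), Counter(), Counter()
    toggles = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "toggle":
            toggles.append((rec["ts"], rec["state"]))
        else:
            by_client[rec["ip"]] += 1
            by_type[rec["type"]] += 1
            by_name[rec["name"].rstrip(".").lower()] += 1
    return {"clients": by_client, "types": by_type, "names": by_name, "toggles": toggles}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for key in ("clients", "types", "names"):
        print(key, dict(s[key]))
    print("toggles", s["toggles"])
```

Feeding it the real file is `summarize(open("/var/log/messages").read())`; lines that are not query or toggle messages are skipped, so the rest of syslog does not get in the way.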

Rock!! Pretty cool tool.