RNDC

Postby chandranjoy » Fri Jul 02, 2010 11:24 am

What is RNDC?
BIND includes a utility called rndc that allows you to administer the named daemon, locally or remotely, with command line statements. The rndc program uses the /etc/rndc.conf file for its configuration options, which can be overridden with command line options.

In order to prevent unauthorized users on other systems from controlling BIND on your server, a shared secret key method is used to explicitly grant privileges to particular hosts. In order for rndc to issue commands to any named, even on a local machine, the keys used in /etc/named.conf and /etc/rndc.conf must match.

We will explore rndc, which is a new tool with BIND 9 that takes the place of ndc in BIND 8.

First we need to create a key using dnssec-keygen:

[root@srv-3 /root]# dnssec-keygen -a hmac-md5 -b 256 -n user rndc
Krndc.+157+34404
[root@srv-3 /root]# ls
Krndc.+157+34404.key Krndc.+157+34404.private
[root@srv-3 /root]# cat *.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: I+sFqdOXbs4nUYHAuGqsuKa7VpXLdC6O1XxjGD+LmiM=
[root@srv-3 /root]#


We need to copy the stuff after KEY:. Here are our /etc/named.conf and /etc/rndc.conf w/ appropriate sections snipped out:

[root@srv-3 /root]# cat /etc/named.conf
---- cut ----
key rndc {
algorithm hmac-md5 ;
secret "I+sFqdOXbs4nUYHAuGqsuKa7VpXLdC6O1XxjGD+LmiM=";
};
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc; };
};
---- cut ----
[root@srv-3 /root]# cat /etc/rndc.conf
key rndc {
algorithm "hmac-md5";
secret "I+sFqdOXbs4nUYHAuGqsuKa7VpXLdC6O1XxjGD+LmiM=";
};
options {
default-server localhost;
default-key rndc;
};
[root@srv-3 /root]#


Be careful about who can read these files. You can use an include directive in named.conf so that the secret is actually listed in some other file for more control over who can view this.

The above is a simple configuration that just allows you to control named from a console on the host (127.0.0.1). We could also tweak this so that particular workstations can remotely control named by adding IP addresses to the allow section and changing the IP address that the controls statement listens on. Here is a modified controls section that will allow 10.50.100.1 to control named, assuming that 10.50.100.1 has the correct key defined in /etc/rndc.conf:

controls {
inet 10.50.100.52 allow { 10.50.100.52; 10.50.100.1; } keys { rndc; };
};


The first thing that this command is useful for is restarting named. Note that you do not have to be logged in as root, you just have to have the right key. Pretty cool. :) Here we go:

[root@srv-3 /etc]# rndc -s srv-3 reload
rndc: reload command successful
[root@srv-3 /etc]# tail /var/log/messages
May 10 14:59:23 srv-3 /usr/local/sbin/named[1019]: loading configuration from '/etc/named.conf'
May 10 14:59:24 srv-3 /usr/local/sbin/named[1019]: the default for the 'auth-nxdomain' option is now 'no'
May 10 14:59:24 srv-3 /usr/local/sbin/named[1019]: no IPv6 interfaces found
[root@srv-3 /etc]#


We use the -s option so that we resolve to 10.50.100.52, not 127.0.0.1. Now let's do something a little more interesting. Let's turn on query logging, do a couple of queries, verify the queries in the logs, then turn logging back off and verify that it is off:

[root@srv-3 /etc]# rndc -s srv-3 querylog
rndc: querylog command successful
[root@srv-3 /etc]# ping www.yahoo.com
PING www.yahoo.akadns.net (64.58.76.176) from 10.50.100.52 : 56(84) bytes of data.
[root@srv-3 /etc]# tail /var/log/messages
May 10 15:06:07 srv-3 /usr/local/sbin/named[1019]: query logging is now on
May 10 15:07:02 srv-3 /usr/local/sbin/named[1019]: client 10.50.100.52#1027: query: www.yahoo.com IN A
May 10 15:07:02 srv-3 /usr/local/sbin/named[1019]: client 10.50.100.52#1027: query: 176.76.58.64.in-addr.arpa IN PTR

[root@srv-3 /etc]# rndc -s srv-3 querylog
rndc: querylog command successful

[root@srv-3 /etc]# ping www.yahoo.com
PING www.yahoo.akadns.net (64.58.76.179) from 10.50.100.52 : 56(84) bytes of data.

[root@srv-3 /etc]# tail /var/log/messages
May 10 14:59:11 srv-3 /usr/local/sbin/named[1019]: the default for the 'auth-nxdomain' option is now 'no'
May 10 14:59:11 srv-3 /usr/local/sbin/named[1019]: no IPv6 interfaces found
May 10 14:59:23 srv-3 /usr/local/sbin/named[1019]: loading configuration from '/etc/named.conf'
May 10 14:59:24 srv-3 /usr/local/sbin/named[1019]: the default for the 'auth-nxdomain' option is now 'no'
May 10 14:59:24 srv-3 /usr/local/sbin/named[1019]: no IPv6 interfaces found
May 10 15:06:07 srv-3 /usr/local/sbin/named[1019]: query logging is now on
May 10 15:07:02 srv-3 /usr/local/sbin/named[1019]: client 10.50.100.52#1027: query: www.yahoo.com IN A
May 10 15:07:02 srv-3 /usr/local/sbin/named[1019]: client 10.50.100.52#1027: query: 176.76.58.64.in-addr.arpa IN PTR
May 10 15:07:03 srv-3 /usr/local/sbin/named[1019]: client 10.50.100.52#1027: query: 176.76.58.64.in-addr.arpa IN PTR
May 10 15:07:37 srv-3 /usr/local/sbin/named[1019]: query logging is now off
[root@srv-3 /etc]#


Rock!! Pretty cool tool.

Reference:

http://centos.org/docs/2/rhl-rg-en-7.2/ ... -rndc.html
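The post's procedure (generate a secret, paste the same key statement into named.conf and rndc.conf, restrict the controls statement) is something you want to check mechanically, because a typo in either secret or a stray allow { any; } fails silently until rndc is tried. The script below is an added example written for this page; it is not part of the post, of BIND or of rndc-confgen. It generates a key in the same shape as the post's files and lints a named.conf/rndc.conf pair for the mistakes the post warns about. Assumptions: BIND 9 syntax for the key and controls statements; hmac-sha256 in place of the post's hmac-md5 (the default of current rndc-confgen); the key name rndc-key and the 256-bit minimum are the example's own conventions; the rndc.key fallback and port 953 are taken from the BIND documentation. The two POST_* strings are the post's own files, reproduced as sample input.

```python
"""Generate a matching rndc key for named.conf and rndc.conf and lint the pair.

Added example, not part of the post or of BIND.  Assumes BIND 9 syntax and uses
hmac-sha256 rather than the post's hmac-md5 (current rndc-confgen default).
"""
import base64
import re
import secrets

# Quotes around key name and algorithm are optional; the post mixes both forms.
KEY_RE = re.compile(
    r'key\s+"?(?P<name>[\w.-]+)"?\s*\{\s*algorithm\s+"?(?P<alg>[\w-]+)"?\s*;\s*'
    r'secret\s+"(?P<secret>[^"]+)"\s*;\s*\}\s*;')
INET_RE = re.compile(
    r'inet\s+(?P<addr>\S+)\s+(?:port\s+\S+\s+)?allow\s*\{(?P<allow>[^}]*)\}\s*'
    r'(?:keys\s*\{(?P<keys>[^}]*)\}\s*)?;')
LOOPBACK = {"127.0.0.1", "::1"}

def new_secret(nbytes=32):
    """Fresh base64 secret with nbytes of entropy (32 bytes = 256 bits)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()

def key_stanza(name, secret, algorithm="hmac-sha256"):
    """key statement; the same secret must appear in both files."""
    return f'key "{name}" {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'

def named_controls(name, listen="127.0.0.1", allow=("localhost",)):
    """controls statement for named.conf: listen address, allowed peers, key."""
    peers = " ".join(f"{a};" for a in allow)
    return f'controls {{\n\tinet {listen} allow {{ {peers} }} keys {{ "{name}"; }};\n}};\n'

def rndc_options(name, server="127.0.0.1"):
    """options statement for rndc.conf: default server and key."""
    return f'options {{\n\tdefault-server {server};\n\tdefault-key "{name}";\n}};\n'

def _items(blob):
    """Split a `{ a; b; }` body into bare items, dropping quotes."""
    return [w.strip().strip('"') for w in blob.split(";") if w.strip()]

def lint(named_conf, rndc_conf):
    """Return a list of findings; empty means the two files are consistent."""
    findings = []
    named_keys = {m["name"]: m for m in KEY_RE.finditer(named_conf)}
    rndc_keys = {m["name"]: m for m in KEY_RE.finditer(rndc_conf)}
    if not named_keys or not rndc_keys:
        findings.append("a key statement is missing from one of the files")
    for name, rk in rndc_keys.items():
        nk = named_keys.get(name)
        if nk is None:
            findings.append(f"key {name}: defined in rndc.conf only")
            continue
        if nk["alg"].lower() != rk["alg"].lower():
            findings.append(f"key {name}: algorithm differs ({nk['alg']} vs {rk['alg']})")
        if nk["secret"] != rk["secret"]:
            findings.append(f"key {name}: secret differs between the two files")
        if rk["alg"].lower() == "hmac-md5":
            findings.append(f"key {name}: hmac-md5; regenerate with hmac-sha256")
        try:
            bits = len(base64.b64decode(rk["secret"], validate=True)) * 8
        except ValueError:
            findings.append(f"key {name}: secret is not valid base64")
            continue
        if bits < 256:  # example's own floor: what rndc-confgen generates by default
            findings.append(f"key {name}: only {bits} bits of secret")
    for m in INET_RE.finditer(named_conf):
        addr, allow = m["addr"], _items(m["allow"])
        keys = _items(m["keys"] or "")
        if "any" in allow:
            findings.append(f"inet {addr}: allow {{ any; }} opens the channel to every host")
        if not keys:
            findings.append(f"inet {addr}: no keys clause (named then looks for rndc.key)")
        for k in keys:
            if k not in named_keys:
                findings.append(f"inet {addr}: keys clause names undefined key {k}")
        if addr not in LOOPBACK:
            findings.append(f"inet {addr}: off-host listener; keep allow explicit, filter port 953")
    return findings

# The post's two files, reproduced here as sample input for lint().
POST_NAMED = '''key rndc {
algorithm hmac-md5 ;
secret "I+sFqdOXbs4nUYHAuGqsuKa7VpXLdC6O1XxjGD+LmiM=";
};
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc; };
};
'''
POST_RNDC = '''key rndc {
algorithm "hmac-md5";
secret "I+sFqdOXbs4nUYHAuGqsuKa7VpXLdC6O1XxjGD+LmiM=";
};
options {
default-server localhost;
default-key rndc;
};
'''

if __name__ == "__main__":
    print("\n".join(lint(POST_NAMED, POST_RNDC)))
    s = new_secret()
    print(key_stanza("rndc-key", s) + named_controls("rndc-key"))
    print(key_stanza("rndc-key", s) + rndc_options("rndc-key"))
```

Run against the post's files it reports only the hmac-md5 point; change one character of either secret and it reports the mismatch the post warns about. In practice rndc-confgen does the generation (rndc-confgen -a writes the key to rndc.key for the default control channel); the lint part is what you run after editing by hand. Whatever produces the files, apply the post's advice on readability: the secret belongs in a file owned by root and readable by the named service account only (the group name is distribution-specific).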