RNDC error resolution and remote configuration


ndc: connect failed: connection refused
rndc: connect failed: connection refused

Workaround:
After a default installation of BIND 9 the ndc/rndc commands cannot be used directly, because named has no control channel configured and no key with which to authenticate commands.

First regenerate rndc.conf:
rndc-confgen > /etc/rndc.conf

Then copy the commented block at the end of rndc.conf into a new file, /etc/rndc.key, removing the leading # from each line.

Such as:
# key "rndc-key" {
#     algorithm hmac-md5;
#     secret "xbpnygocwjp8pejdlo26cq==";
# };
#
# controls {
#     inet 127.0.0.1 port 953
#         allow { 127.0.0.1; } keys { "rndc-key"; };
# };

If /etc/named.conf already contains a controls statement, comment it out first.

Then add the line include "/etc/rndc.key"; at the end of named.conf.

Keeping the key in a separate, tightly permissioned file is done for security reasons; you can also paste the block straight into named.conf.

The inet/port line makes named open an rndc listener (the command channel) on that address and port, so that the local host can run ndc or rndc commands against it. The allow list and the keys clause together decide who may connect and which key their commands must be signed with.

[[email protected] etc]# named -g
12-May-2010 11:15:03.197 starting BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5 -g
12-May-2010 11:15:03.211 adjusted limit on open files from 4096 to 1048576
12-May-2010 11:15:03.211 found 1 CPU, using 1 worker thread
12-May-2010 11:15:03.212 using up to 4096 sockets
12-May-2010 11:15:03.266 loading configuration from '/etc/named.conf'
12-May-2010 11:15:03.270 using default UDP/IPv4 port range: [1024, 65535]
12-May-2010 11:15:03.271 using default UDP/IPv6 port range: [1024, 65535]
12-May-2010 11:15:03.288 listening on IPv4 interface lo, 127.0.0.1#53
12-May-2010 11:15:03.311 listening on IPv4 interface eth1, 192.168.1.108#53
12-May-2010 11:15:03.312 listening on IPv4 interface vmnet1, 192.168.157.1#53
12-May-2010 11:15:03.313 listening on IPv4 interface vmnet8, 172.16.237.1#53
12-May-2010 11:15:03.336 listening on IPv4 interface virbr0, 192.168.122.1#53
12-May-2010 11:15:03.337 binding TCP socket: address in use
12-May-2010 11:15:03.395 command channel listening on 127.0.0.1#953
12-May-2010 11:15:03.396 ignoring config file logging statement due to -g option
12-May-2010 11:15:03.396 couldn't open pid file '/var/run/named/named.pid': Permission denied

[[email protected] etc]# chmod 777 /var/run/named/
[[email protected] etc]# named -g
12-May-2010 11:24:08.058 starting BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5 -g
12-May-2010 11:24:08.059 adjusted limit on open files from 4096 to 1048576
12-May-2010 11:24:08.059 found 1 CPU, using 1 worker thread
12-May-2010 11:24:08.060 using up to 4096 sockets
12-May-2010 11:24:08.119 loading configuration from '/etc/named.conf'
12-May-2010 11:24:08.146 using default UDP/IPv4 port range: [1024, 65535]
12-May-2010 11:24:08.189 using default UDP/IPv6 port range: [1024, 65535]
12-May-2010 11:24:08.196 listening on IPv4 interface lo, 127.0.0.1#53
12-May-2010 11:24:08.198 listening on IPv4 interface eth1, 192.168.1.108#53
12-May-2010 11:24:08.198 listening on IPv4 interface vmnet1, 192.168.157.1#53
12-May-2010 11:24:08.223 listening on IPv4 interface vmnet8, 172.16.237.1#53
12-May-2010 11:24:08.224 listening on IPv4 interface virbr0, 192.168.122.1#53
12-May-2010 11:24:08.224 binding TCP socket: address in use
12-May-2010 11:24:08.273 command channel listening on 127.0.0.1#953
12-May-2010 11:24:08.273 ignoring config file logging statement due to -g option
12-May-2010 11:24:08.277 running

Note: chmod 777 makes the pid-file error go away, but a world-writable directory that named writes its pid file into is far too permissive. The correct fix is to give the directory to the user named runs as: chown named:named /var/run/named && chmod 755 /var/run/named. Also note the line "binding TCP socket: address in use" in both runs: another process, usually a named that is already running, already holds one of the listed TCP sockets.




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This section covers the rndc configuration of a DNS server: enabling query logging, flushing the cache, reloading the configuration file and shutting the server down with rndc, all of which work both locally and remotely once rndc is configured. named has become a more security-conscious service: the process runs as the unprivileged user named and usually inside a chroot, so stopping it is increasingly something done through rndc rather than by signalling the process, and that is likely to be the direction future server designs take. rndc stands for Remote Name Daemon Control. It works with two configuration files, /etc/rndc.key and /etc/rndc.conf: rndc.key is the "lock" (despite its name, it is the side that named holds) and rndc.conf holds the matching key that opens it. Both can be generated with rndc-confgen. Authentication is a shared secret used with an HMAC (HMAC-MD5 in this BIND version), not encryption: every rndc message is signed with the secret and named accepts only messages whose signature verifies under a key listed in its controls statement. The command channel is authenticated but not encrypted, so it should be restricted with the allow list and a firewall to loopback or a management network. What follows demonstrates a "server" host controlling the DNS daemon on a "client" host; the controlling side does not itself need to be a DNS server.

One: Configure rndc on the client side (the host that runs named, 192.168.100.20), starting with the loopback address 127.0.0.1

[[email protected] ~]# rndc-confgen | grep -v '^#'    // use rndc-confgen to generate the contents of rndc.key and rndc.conf
key "rndckey" {
    algorithm hmac-md5;
    secret "q2yvoy2jiyuu2av4qahzaw==";
};

options {
    default-key "rndckey";
    default-server 127.0.0.1;
    default-port 953;
};

[[email protected] ~]# rm -rf /etc/rndc.key    // remove the default rndc.key file
[[email protected] ~]# cd /var/named/chroot/etc/
[[email protected] etc]# cat rndc.key    // write the "key" section of the rndc-confgen output above into rndc.key
key "rndckey" {
    algorithm hmac-md5;
    secret "q2yvoy2jiyuu2av4qahzaw==";
};

[[email protected] etc]# chown named.named rndc.key    // owner and group named; the file holds the secret, so keep it at mode 640 or tighter
[[email protected] etc]# ln -s /var/named/chroot/etc/rndc.key /etc/    // symbolic link into /etc
[[email protected] etc]# cat /etc/rndc.conf    // write the entire rndc-confgen output above into /etc/rndc.conf
key "rndckey" {
    algorithm hmac-md5;
    secret "q2yvoy2jiyuu2av4qahzaw==";
};

options {
    default-key "rndckey";
    default-server 127.0.0.1;
    default-port 953;
};

[[email protected] etc]# chown named.named /etc/rndc.conf    // owner and group named
[[email protected] etc]# cat /etc/named.conf
options {
    listen-on port 53 { 192.168.100.20; };
    directory "/var/named";

    allow-query { any; };
    allow-transfer { 192.168.100.254; };
};

include "/etc/named.rfc1912.zones";
include "/etc/rndc.key";    // pulls in the "lock" file defined above

controls {
    // allow connections on the loopback interface from 127.0.0.1 only, signed with
    // the key rndckey from /etc/rndc.conf; this key controls port 953
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; };
};
.............................. the rest of the output is omitted ............

[[email protected] etc]# service named restart    // restart the service
Stopping named: [ OK ]
Starting named: [ OK ]
[[email protected] etc]# netstat -ntpl | grep 953
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 3243/named
[[email protected] etc]# service named status
number of zones: 8
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running
named (pid 3243) is running...
[[email protected] etc]# rndc stop    // test
[[email protected] etc]# service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named dead but subsys locked

The init script's status action itself runs rndc status (that is where the zone and client counters above come from), so the "connection refused" after rndc stop simply confirms that named has gone away; "subsys locked" means the lock file under /var/lock/subsys was left behind because the daemon was not stopped through the init script.

Two: Configure the server side (the controlling host, 192.168.100.254) to control the client's named with rndc

[[email protected] etc]# rndc-confgen | grep -v '^#'    // as before, generate a new key and rndc.conf contents
key "rndckey" {
    algorithm hmac-md5;
    secret "p3dukvxgufspbzdavzy1ya==";
};

options {
    default-key "rndckey";
    default-server 127.0.0.1;
    default-port 953;
};


[[email protected] etc]# cat /etc/rndc.key    // on the client, append the "key" section of the newly generated output to /etc/rndc.key and rename it rndckey-254
key "rndckey" {
    algorithm hmac-md5;
    secret "q2yvoy2jiyuu2av4qahzaw==";
};

key "rndckey-254" {
    algorithm hmac-md5;
    secret "p3dukvxgufspbzdavzy1ya==";
};

[[email protected] etc]# grep 'rndckey-254' /etc/named.conf    // add the following line inside the controls statement of the main configuration file
    inet 192.168.100.20 port 953 allow { 192.168.100.254; } keys { "rndckey-254"; };

This allows the host 192.168.100.254 to reach port 953 on the 192.168.100.20 interface and control named with the key rndckey-254. Giving each controlling host its own key means one key can be revoked without touching the local one, and the allow list restricts this listener to that single source address; since the command channel is authenticated but not encrypted, also keep port 953 off any untrusted network with a firewall rule.

[[email protected] etc]# service named restart    // restart the service
Stopping named: [ OK ]
Starting named: [ OK ]
[[email protected] etc]# netstat -ntpl | grep 953
tcp 0 0 192.168.100.20:953 0.0.0.0:* LISTEN 3869/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 3869/named


[[email protected] ~]# cat /etc/rndc.conf    // on the server, write the entire newly generated output into /etc/rndc.conf, then rename the key and set default-server to the client's IP
key "rndckey-254" {
    algorithm hmac-md5;
    secret "p3dukvxgufspbzdavzy1ya==";
};

options {
    default-key "rndckey-254";
    default-server 192.168.100.20;
    default-port 953;
};
[[email protected] ~]# chown named.named /etc/rndc.conf    // owner and group named; rndc is normally run as root here, so what matters is that the file is not world-readable

The name in the key block, the default-key option and the keys clause of the client's controls statement must be identical, and the secret must match the one in the client's /etc/rndc.key; a typo in any one of them makes every rndc command fail authentication.
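As an added example that is not part of the original article, the following shell script produces the matched trio of files the two parts above build by hand (rndc.key plus a controls statement for the host running named, rndc.conf for the controlling host) for one key name and one controlling address, and then checks that the key name and secret agree between the two sides. It assumes rndc-confgen is not used: the secret is 16 bytes from /dev/urandom encoded with base64, which is the same form rndc-confgen emits. The directory, key name and addresses are parameters; the values in the usage comment are the article's 192.168.100.20 and 192.168.100.254 and the path /tmp/rndc-demo is illustrative. The check is the kind of lint that catches a key block named differently from the default-key it is meant to back.

```shell
#!/bin/sh
# Added example (not from the original article): generate a matched set of
# rndc files for one controlling host and verify that key name and secret
# agree between the named side and the rndc side.
# Assumption: rndc-confgen is not used; the secret is 16 random bytes,
# base64-encoded, the same shape rndc-confgen produces.

rndc_secret() {
    head -c 16 /dev/urandom | base64 | tr -d '\n'
}

# key_secret FILE KEYNAME
# Print the secret of the key block named KEYNAME in FILE (empty if absent).
key_secret() {
    awk -v name="$2" '
        $1 == "key" && $2 == ("\"" name "\"") { inblock = 1 }
        inblock && $1 == "secret" { gsub(/[";]/, "", $2); print $2; exit }
        inblock && $1 == "};" { inblock = 0 }
    ' "$1"
}

# gen_rndc_files DIR KEYNAME NAMED_IP CONTROL_IP
# Writes three files into DIR:
#   rndc.key      - for the named host, pulled in with include "/etc/rndc.key";
#   controls.conf - the controls statement for that host's named.conf
#   rndc.conf     - for the controlling host
gen_rndc_files() (
    dir=$1 keyname=$2 named_ip=$3 control_ip=$4
    secret=$(rndc_secret)
    umask 077                      # files are born unreadable to group and others
    mkdir -p "$dir"
    cat > "$dir/rndc.key" <<EOF
key "$keyname" {
    algorithm hmac-md5;
    secret "$secret";
};
EOF
    cat > "$dir/controls.conf" <<EOF
controls {
    inet $named_ip port 953 allow { $control_ip; } keys { "$keyname"; };
};
EOF
    cat > "$dir/rndc.conf" <<EOF
key "$keyname" {
    algorithm hmac-md5;
    secret "$secret";
};

options {
    default-key "$keyname";
    default-server $named_ip;
    default-port 953;
};
EOF
    chmod 640 "$dir/rndc.key" "$dir/rndc.conf"   # owner and group only; never world-readable
)

# check_rndc_keys RNDC_CONF KEY_FILE
# Succeeds only when default-key in RNDC_CONF names a key that is defined in
# both files with the same secret; any mismatch is reported and returns 1.
check_rndc_keys() {
    conf=$1 keyfile=$2
    want=$(sed -n 's/^[[:space:]]*default-key[[:space:]]*"\([^"]*\)".*/\1/p' "$conf")
    [ -n "$want" ] || { echo "check: no default-key in $conf" >&2; return 1; }
    s_conf=$(key_secret "$conf" "$want")
    s_key=$(key_secret "$keyfile" "$want")
    [ -n "$s_conf" ] || { echo "check: key \"$want\" is not defined in $conf" >&2; return 1; }
    [ -n "$s_key" ]  || { echo "check: key \"$want\" is not defined in $keyfile" >&2; return 1; }
    [ "$s_conf" = "$s_key" ] || { echo "check: secret for \"$want\" differs between the two files" >&2; return 1; }
    echo "check: \"$want\" is consistent in $conf and $keyfile"
}

# Usage (illustrative path; addresses are the article's):
#   gen_rndc_files /tmp/rndc-demo rndckey-254 192.168.100.20 192.168.100.254
#   check_rndc_keys /tmp/rndc-demo/rndc.conf /tmp/rndc-demo/rndc.key
```

Copy rndc.key and the controls block to the host running named and rndc.conf to the controlling host; run the check against the two files as deployed before restarting named, since a mismatch only shows up later as a failed rndc command.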
[[email protected] ~]# rndc -h    // view the rndc command help
rndc: illegal option -- h
Usage: rndc [-c config] [-s server] [-p port]
        [-k key-file ] [-y key] [-V] command

command is one of the following:

  reload        Reload configuration file and zones.
  reload zone [class [view]]
                Reload a single zone.
  refresh zone [class [view]]
                Schedule immediate maintenance for a zone.
  retransfer zone [class [view]]
                Retransfer a single zone without checking serial number.
  freeze zone [class [view]]
                Suspend updates to a dynamic zone.
  thaw zone [class [view]]
                Enable updates to a frozen dynamic zone and reload it.
  reconfig      Reload configuration file and new zones only.
  stats         Write server statistics to the statistics file.
  querylog      Toggle query logging.
  dumpdb [-all|-cache|-zones] [view ...]
                Dump cache(s) to the dump file (named_dump.db).
  stop          Save pending updates to master files and stop the server.
  stop -p       Save pending updates to master files and stop the server
                reporting process id.
  halt          Stop the server without saving pending updates.
  halt -p       Stop the server without saving pending updates reporting
                process id.
  trace         Increment debugging level by one.
  trace level   Change the debugging level.
  notrace       Set debugging level to 0.
  flush         Flushes all of the server's caches.
  flush [view]  Flushes the server's cache for a view.
  flushname name [view]
                Flush the given name from the server's cache(s)
  status        Display status of the server.
  recursing     Dump the queries that are currently recursing (named.recursing)
  *restart      Restart the server.

* == not yet implemented
Version: 9.3.6-P1-RedHat-9.3.6-4.P1.el5

Test:
[[email protected] ~]# rndc reload    // reload the DNS configuration on the client
server reload successful
[[email protected] ~]# rndc querylog on    // turn on query logging; by default the queries go through syslog to /var/log/messages on the client, and logging every query costs performance (the help above lists querylog as a toggle, so running it a second time turns logging off again)
[[email protected] ~]# dig www.dodo.666.com @192.168.100.20    // test resolution
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> www.dodo.666.com @192.168.100.20
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59157

[[email protected] ~]# rndc stop    // remotely shut down the DNS service on the client

[[email protected] ~]# tail -f /var/log/messages    // view the log on the client
Mar 23:13:45 client named[3792]: loading configuration from '/etc/named.conf'
Mar 23:13:45 client named[3792]: using default UDP/IPv4 port range: [1024, 65535]
Mar 23:13:45 client named[3792]: using default UDP/IPv6 port range: [1024, 65535]
Mar 23:13:45 client named[3792]: the working directory is not writable
Mar 23:14:07 client named[3792]: query logging is now on    // query logging enabled
Mar 23:14:52 client named[3792]: client 192.168.100.254#45815: query: www.dodo.666.com IN A +    // a logged query
Mar 23:15:49 client named[3792]: shutting down: flushing changes
Mar 23:15:49 client named[3792]: stopping command channel on 127.0.0.1#953
Mar 23:15:49 client named[3792]: stopping command channel on 192.168.100.20#953
Mar 23:15:49 client named[3792]: no longer listening on 192.168.100.20#53
Mar 23:15:50 client named[3792]: exiting    // the DNS service was shut down successfully
Tip: when configuring rndc, watch the system time on both hosts. Each rndc message carries a timestamp that named checks against its own clock, so if the two clocks differ by more than a few minutes the command is rejected and rndc fails. Keep both hosts synchronised with NTP.
