This section describes in detail how to configure rndc on a DNS server and how to use rndc to enable DNS resolution logging, flush the cache, reload the configuration file, and stop the DNS server. Once rndc is configured, these operations can be performed on both local and remote servers. The DNS service is already a relatively secure service: it not only changes the owner of the process to the named user, but also runs in a chroot environment. In the future you may need rndc to stop the DNS service, and this may also be the trend in server design. rndc is short for remote DNS server process control. It works with two configuration files, /etc/rndc.key and /etc/rndc.conf: rndc.key is the lock (despite its name), and rndc.conf holds the matching key that opens that lock. Both files can be generated with the rndc-confgen command, which uses a symmetric (shared-secret) algorithm. The configuration is shown below; in the demo, "server" is the controlling side and "client" is the DNS server being controlled. The controlling side of rndc does not itself need to be a DNS server.
1. Configure rndc on client 127.0.0.1
[root@client ~]# rndc-confgen | grep -v '^#'   # generate the contents of rndc.key and rndc.conf with rndc-confgen
key "rndckey" {
    algorithm hmac-md5;
    secret "q2yvOY2JiyUU2aV4qahzAw==";
};
options {
    default-key "rndckey";
    default-server 127.0.0.1;
    default-port 953;
};
[root@client ~]# rm -rf /etc/rndc.key   # delete the default rndc.key file
[root@client ~]# cd /var/named/chroot/etc/
[root@client etc]# cat rndc.key   # rndc.key now holds the "key" section generated above by rndc-confgen
key "rndckey" {
    algorithm hmac-md5;
    secret "q2yvOY2JiyUU2aV4qahzAw==";
};
[root@client etc]# chown named:named rndc.key   # make named the owner of the file
[root@client etc]# ln -s /var/named/chroot/etc/rndc.key /etc   # link it into the /etc directory
[root@client etc]# cat /etc/rndc.conf   # /etc/rndc.conf holds everything generated above by rndc-confgen
key "rndckey" {
    algorithm hmac-md5;
    secret "q2yvOY2JiyUU2aV4qahzAw==";
};
options {
    default-key "rndckey";
    default-server 127.0.0.1;
    default-port 953;
};
[root@client etc]# chown named:named /etc/rndc.conf   # make named the owner of the file
[root@client etc]# cat /etc/named.conf
options {
    listen-on port 53 { 192.168.100.20; };
    directory "/var/named";
    allow-query { any; };
    allow-transfer { 192.168.100.254; };
};
include "/etc/named.rfc1912.zones";
include "/etc/rndc.key";   // pulls in the lock-header (key) file defined above
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; };   // allow only the local loopback interface, using the rndckey from the /etc/rndc.conf file
};
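As an added example that is not part of the original page, the following POSIX shell script checks that rndc.conf and rndc.key (paths passed as arguments) agree on the default key and its secret, that the secret is well-formed base64 (an odd-length secret, such as one missing its `=` padding, is rejected), and that rndc.key is not readable by other users, since anyone who can read the secret can issue control commands to the server. The `key_secret`, `secret_ok` and `check_rndc` functions, the sample file layout and the throwaway secret are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): a static check that rndc.conf
# and rndc.key agree on the control key and that the secret is not exposed.
# Only the two files are read; nothing is sent to named.

# Print the secret of key NAME from a BIND-style "key" block in FILE.
key_secret() {  # $1 = file, $2 = key name
    awk -v name="$2" '
        $1 == "key" && $2 == ("\"" name "\"") { inkey = 1 }
        inkey && $1 == "secret" { gsub(/[";]/, "", $2); print $2; exit }
        inkey && $1 == "};" { inkey = 0 }
    ' "$1"
}

# A well-formed base64 secret: base64 alphabet only, length a multiple of 4.
secret_ok() {  # $1 = secret
    case $1 in ""|*[!A-Za-z0-9+/=]*) return 1 ;; esac
    [ $(( ${#1} % 4 )) -eq 0 ]
}

# Returns 0 when rndc.conf names a default-key, both files carry the same
# well-formed secret for it, and rndc.key is not readable by "other".
# Prints the first problem found and returns 1 otherwise.
check_rndc() {  # $1 = rndc.conf, $2 = rndc.key
    conf=$1; keyfile=$2
    name=$(awk '$1 == "default-key" { gsub(/[";]/, "", $2); print $2; exit }' "$conf")
    [ -n "$name" ] || { echo "no default-key in $conf"; return 1; }
    s_key=$(key_secret "$keyfile" "$name")
    [ -n "$s_key" ] || { echo "key \"$name\" not defined in $keyfile"; return 1; }
    [ "$(key_secret "$conf" "$name")" = "$s_key" ] || { echo "secret for \"$name\" differs between files"; return 1; }
    secret_ok "$s_key" || { echo "secret for \"$name\" is not valid base64"; return 1; }
    [ "$(ls -ld "$keyfile" | cut -c8)" = "-" ] || { echo "$keyfile is readable by other users"; return 1; }
    echo "rndc configuration consistent"
}

# Constructed sample files in the layout shown above; the secret is a
# throwaway value made up for this example, not a real key.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/rndc.key" <<'EOF'
key "rndckey" {
    algorithm hmac-md5;
    secret "AAAAAAAAAAAAAAAAAAAAAA==";
};
EOF
{ cat "$SAMPLE_DIR/rndc.key"; printf 'options {\n    default-key "rndckey";\n    default-server 127.0.0.1;\n    default-port 953;\n};\n'; } > "$SAMPLE_DIR/rndc.conf"
chmod 640 "$SAMPLE_DIR/rndc.key"
check_rndc "$SAMPLE_DIR/rndc.conf" "$SAMPLE_DIR/rndc.key"
```

To check the layout built above, call `check_rndc /etc/rndc.conf /var/named/chroot/etc/rndc.key` as root on the DNS server.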