rndc tools:
TCP/UDP port 53 carries the DNS service itself; TCP port 953 is the rndc control channel used to manage the DNS service. Main functions: check cache status, clear the cache, query details of the running state, and restart the service. Only the HMAC-MD5 authentication algorithm is supported, and a shared key is configured at both ends of the connection: every command sent over the rndc control channel must be authenticated (HMAC-signed) with a key that the server accepts.
Installation service
yum install bind          #The bind package contains the rndc tools
rpm -ql bind | grep rndc  #Check that the bind package provides the rndc tool (rpm -ql lists a package's files; yum has no -ql option)
Primary profile
/etc/rndc.conf  #Client (management side) key file
/etc/named.conf #DNS server configuration file; also the configuration file for the managed side of rndc
Configure rndc tool steps
#Generate the key and both configuration fragments
[root@Server10 ~]# rndc-confgen -r /dev/urandom
#The tool prints the following
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "Fc5bZH4Rt7LFw7mB2T4eTw=="; #Client secret key
};
options {
default-key "rndc-key"; #Secret key name
default-server 127.0.0.1; #Target IP address of the managed server
default-port 953; #Target port to connect to dns server
};
# End of rndc.conf
#--------------The block above is the client key file, stored on the management side as /etc/rndc.conf
#--------------The block below is the server side, stored on the managed side in /etc/named.conf
# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
algorithm hmac-md5;
secret "Fc5bZH4Rt7LFw7mB2T4eTw=="; #Server secret key
};
controls {
inet 127.0.0.1 port 953 #Address and port named listens on for rndc connections
allow { 127.0.0.1; } keys { "rndc-key"; }; #Which source IPs may manage this server, and which key they must use
};
# End of named.conf
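As an added example (not code from the original page or from BIND), the following Python script does by hand what the two blocks above describe: it splits the text printed by rndc-confgen into the rndc.conf half and the named.conf half, removes the "# " comment prefix that the real tool puts in front of the named.conf statements, confirms that both halves carry the same secret (and reports its size in bits), and writes the results without world-read access. The embedded sample output is constructed to match the layout shown above; the /tmp destinations in the main block are placeholders for /etc/rndc.conf and /etc/named.conf.

```python
import base64
import os
import re

# Constructed sample of rndc-confgen's stdout, laid out the way the tool
# prints it: the named.conf half is commented out with "# ". The secret is
# the one printed on this page, so it is already public and only for the demo.
SAMPLE_CONFGEN_OUTPUT = """\
# Start of rndc.conf
key "rndc-key" {
\talgorithm hmac-md5;
\tsecret "Fc5bZH4Rt7LFw7mB2T4eTw==";
};

options {
\tdefault-key "rndc-key";
\tdefault-server 127.0.0.1;
\tdefault-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# \talgorithm hmac-md5;
# \tsecret "Fc5bZH4Rt7LFw7mB2T4eTw==";
# };
#
# controls {
# \tinet 127.0.0.1 port 953
# \t\tallow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
"""

SECRET_RE = re.compile(r'secret\s+"([^"]+)"\s*;')


def split_confgen_output(text):
    """Split rndc-confgen output into (rndc.conf text, named.conf fragment).

    The first half is copied as-is. In the second half the "# " comment
    prefix is removed so the statements become live named.conf configuration;
    lines that are already uncommented (as shown on this page) pass through.
    """
    lines = text.splitlines()
    end_rndc = lines.index("# End of rndc.conf")
    rndc_conf = "\n".join(lines[: end_rndc + 1]) + "\n"
    named_lines = []
    for line in lines[end_rndc + 1:]:
        if line.startswith("# Use with") or line == "# End of named.conf":
            continue  # instruction line and trailer, not configuration
        if line.startswith("# "):
            line = line[2:]
        elif line == "#":
            line = ""
        named_lines.append(line)
    named_conf = "\n".join(named_lines).strip("\n") + "\n"
    return rndc_conf, named_conf


def check_shared_secret(rndc_conf, named_conf):
    """Confirm both halves carry the same secret; return its length in bits."""
    client = SECRET_RE.search(rndc_conf)
    server = SECRET_RE.search(named_conf)
    if not client or not server:
        raise ValueError("secret statement missing on one side")
    if client.group(1) != server.group(1):
        raise ValueError("client and server secrets differ")
    raw = base64.b64decode(client.group(1), validate=True)
    return len(raw) * 8


def write_private(path, content, mode=0o640):
    """Write a file that holds the shared secret without world-read access."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)


if __name__ == "__main__":
    rndc_conf, named_conf = split_confgen_output(SAMPLE_CONFGEN_OUTPUT)
    print(f"shared secret matches on both sides, {check_shared_secret(rndc_conf, named_conf)} bits")
    # Placeholder paths; in use these are /etc/rndc.conf and /etc/named.conf.
    write_private("/tmp/rndc.conf.example", rndc_conf)
    write_private("/tmp/named-controls.conf.example", named_conf)
```

The usual shell shortcut (`rndc-confgen | head` into rndc.conf, `tail | sed 's/^# //'` into named.conf) depends on fixed line counts; splitting on the "# End of rndc.conf" marker instead survives a differently sized output.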
Local rndc management
- Configure the local /etc/rndc.conf as follows:
key "rndc-key" {
algorithm hmac-md5;
secret "Fc5bZH4Rt7LFw7mB2T4eTw=="; #Client secret key
};
options {
default-key "rndc-key"; #Key name
default-server 127.0.0.1; #Target IP address of the managed server
default-port 953; #Target port on the DNS server
};
- Add the following to /etc/named.conf on the local server:
key "rndc-key" {
algorithm hmac-md5;
secret "Fc5bZH4Rt7LFw7mB2T4eTw=="; #Server secret key
};
controls {
inet 127.0.0.1 port 953 #Address and port named listens on for rndc connections
allow { 127.0.0.1; } keys { "rndc-key"; }; #Which source IPs may manage this server, and which key they must use
};
rndc local and remote management
- DNS server IP: 192.168.109.134
- Client IP: 192.168.109.136
Add the following to the server configuration /etc/named.conf:
key "rndc-key" {
algorithm hmac-md5;
secret "Fc5bZH4Rt7LFw7mB2T4eTw=="; #Server secret key
};
controls {
inet 192.168.109.134 port 953 #Address and port named listens on for rndc connections
allow { 192.168.109.134; 192.168.109.136; } keys { "rndc-key"; }; #Allow the local host and the remote client 192.168.109.136 to manage this server
};
Local client configuration /etc/rndc.conf:
key "rndc-key" {
algorithm hmac-md5;
secret "Fc5bZH4Rt7LFw7mB2T4eTw=="; #Client secret key
};
options {
default-key "rndc-key"; #Key name
default-server 192.168.109.134; #Target IP address of the managed server
default-port 953; #Target port on the DNS server
};
Remote client configuration /etc/rndc.conf:
key "rndc-key" {
algorithm hmac-md5;
secret "Fc5bZH4Rt7LFw7mB2T4eTw=="; #Client secret key
};
options {
default-key "rndc-key"; #Key name
default-server 192.168.109.134; #Target IP address of the managed server
default-port 953; #Target port on the DNS server
};
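Added example, written for this page and not part of it or of BIND: a Python helper that generates a fresh shared secret, renders the matching named.conf controls block and rndc.conf for the server and client addresses used above (192.168.109.134 and 192.168.109.136), and audits such a pair for the mistakes that make remote management fail or expose it more widely than intended: differing key names, algorithms or secrets, an rndc.conf default-key that names the wrong key, a client default-server that is not the address named listens on, a controls allow list that differs from the intended clients or contains the BIND ACL `any`, and a keys list that does not reference the key. The function names and the wording of the findings are my own.

```python
import base64
import re
import secrets

# Addresses used on this page: the DNS server and the remote management client.
SERVER_IP = "192.168.109.134"
CLIENT_IP = "192.168.109.136"

KEY_BLOCK_RE = re.compile(
    r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;', re.S)
CONTROLS_RE = re.compile(
    r'controls\s*\{\s*inet\s+(\S+)\s+port\s+(\d+)\s+'
    r'allow\s*\{([^}]*)\}\s*keys\s*\{([^}]*)\}\s*;\s*\}\s*;', re.S)
DEFAULT_RE = re.compile(r'default-(key|server|port)\s+"?([^";\s]+)"?\s*;')


def new_hmac_secret(nbytes=16):
    """Fresh random shared secret in the base64 form both files expect."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def render_named_controls(key_name, secret, listen_ip, allowed, port=953, algorithm="hmac-md5"):
    """Server side: key and controls statements for /etc/named.conf."""
    allow_list = " ".join(f"{entry};" for entry in allowed)
    return "\n".join([
        f'key "{key_name}" {{',
        f"\talgorithm {algorithm};",
        f'\tsecret "{secret}";',
        "};",
        "",
        "controls {",
        f"\tinet {listen_ip} port {port}",
        f'\t\tallow {{ {allow_list} }} keys {{ "{key_name}"; }};',
        "};",
        "",
    ])


def render_rndc_conf(key_name, secret, server_ip, port=953, algorithm="hmac-md5"):
    """Client side: key and options statements for /etc/rndc.conf."""
    return "\n".join([
        f'key "{key_name}" {{',
        f"\talgorithm {algorithm};",
        f'\tsecret "{secret}";',
        "};",
        "",
        "options {",
        f'\tdefault-key "{key_name}";',
        f"\tdefault-server {server_ip};",
        f"\tdefault-port {port};",
        "};",
        "",
    ])


def _entries(acl_text):
    """Split 'a; b; "c";' into ['a', 'b', 'c']."""
    return [e.strip().strip('"') for e in acl_text.split(";") if e.strip()]


def audit_pair(named_conf, rndc_conf, expected_clients):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    skey = KEY_BLOCK_RE.search(named_conf)
    ckey = KEY_BLOCK_RE.search(rndc_conf)
    ctl = CONTROLS_RE.search(named_conf)
    if not (skey and ckey and ctl):
        return ["could not parse the key or controls statements"]
    if skey.group(1) != ckey.group(1):
        findings.append(f"key name differs: server {skey.group(1)!r} vs client {ckey.group(1)!r}")
    if skey.group(2) != ckey.group(2):
        findings.append("algorithm differs between server and client")
    if skey.group(3) != ckey.group(3):
        findings.append("secret differs between server and client")
    defaults = dict(DEFAULT_RE.findall(rndc_conf))
    if defaults.get("key") != ckey.group(1):
        findings.append("rndc.conf default-key does not name the key defined in the file")
    listen_ip, port, allow_text, keys_text = ctl.groups()
    if listen_ip == "*":
        findings.append("controls inet * listens on every address, not only the management one")
    elif defaults.get("server") != listen_ip:
        findings.append(f"client default-server {defaults.get('server')} is not the controls address {listen_ip}")
    if defaults.get("port") != port:
        findings.append(f"client default-port {defaults.get('port')} is not the controls port {port}")
    allowed = set(_entries(allow_text))
    if "any" in allowed:
        findings.append("controls allow { any; }: every host that holds the key may manage named")
    if allowed != set(expected_clients):
        findings.append(f"allow list {sorted(allowed)} differs from intended clients {sorted(expected_clients)}")
    if skey.group(1) not in _entries(keys_text):
        findings.append("controls keys list does not reference the defined key")
    return findings


if __name__ == "__main__":
    secret = new_hmac_secret()
    named = render_named_controls("rndc-key", secret, SERVER_IP, [SERVER_IP, CLIENT_IP])
    rndc = render_rndc_conf("rndc-key", secret, SERVER_IP)
    print(named, rndc, sep="\n")
    print("findings:", audit_pair(named, rndc, [SERVER_IP, CLIENT_IP]) or "none")
```

Run the audit against the real /etc/named.conf and a copy of each client's /etc/rndc.conf before troubleshooting a "connection refused" or "permission denied" from a remote rndc: those two symptoms correspond to the listen-address and allow-list findings, and a secret mismatch reports as a signature failure in named's log.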
rndc common options and commands
Options
-b source-address  Bind the source address the rndc client connects from (a network card can have several addresses).
-c config-file  Use this configuration file for the connection instead of the default /etc/rndc.conf.
-s server  IP address of the server to connect to.
-p port  Port of the server to connect to.
-k key-file  Use this key file for the connection instead of the default /etc/rndc.key.
-y key-id  Key ID to use; it must match the key name configured on the server.
-v  Print verbose log output.
Commands
reload #Reload named.conf and newly added zones; zone files that are already loaded are not reloaded
reload zone_name #Reload the specified zone
[root@server-11 ~]# rndc -s 192.168.10.11 reload base07.com
reconfig #Reread the configuration file and load new zones
querylog #Turn query logging off or on. Queries are logged to /var/log/messages; on a busy server this log can grow very quickly
dumpdb #Dump the cache to the dump file (named_dump.db)
freeze #Suspend updates to all dynamic zones
freeze zone [class [view]] #Suspend updates to one dynamic zone
flush [view] #Flush the whole server cache (or the cache of one view)
flushname name #Flush the cache entries for the given name
stats #Write server statistics to the statistics file /var/named/data/named_stats.txt
status #Display the server status
stop #Save pending dynamic updates to the master files and stop the server
halt #Stop the server without saving pending updates
trace #Turn on debugging. Debugging has levels; each invocation raises the level by one
trace LEVEL #Set the debug level explicitly; trace 0 turns debugging off
notrace #Set the debug level to 0
restart #Restart the server (not implemented)
addzone zone [class [view]] { zone-options } #Add a zone
delzone zone [class [view]] #Delete a zone