To administer the DNS server (BIND) from the command line, the rndc utility must be configured correctly. The controls statement in /etc/named.conf governs the interaction between the running named process and rndc, the program a sysadmin uses to signal and control it. rndc can start and stop named, dump its state, put it in debug mode, and so on. rndc operates over the network, and with improper configuration it might let anyone on the Internet mess with your name server. rndc talks to named on port 953 unless you specify a different port. The general syntax of the controls statement is:
controls {
    inet addr port port allow { address-match-list } keys { key_list };
};
Allowing your name server to be controlled remotely is both handy and dangerous. Strong authentication through a key entry is required; key entries in the allow address-match-list are ignored, so the key must be explicitly named in the keys clause of the controls statement.
How To Generate A New Authentication Key?
You can use the rndc-confgen command to generate an authentication key for use between rndc and named. There are essentially two ways to set up use of the key:
1- You can have both named and rndc consult the same configuration file to learn the key (e.g., /etc/rndc.key). Here is how this is done. First, run the rndc-confgen command:
rndc-confgen
# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "BKMvaZzPs7T1jPMVTq77JA==";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#     algorithm hmac-md5;
#     secret "BKMvaZzPs7T1jPMVTq77JA==";
# };
#
# controls {
#     inet 127.0.0.1 port 953
#         allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
You can request a key of a different length by giving the number of bits after the -b option, like this:
rndc-confgen -b 256
Then insert the generated key stanza (the key "rndc-key" { ... }; block; your secret will differ) into the file /etc/rndc.key. Confirm the permissions and ownership of /etc/rndc.key; the correct values are:
ls -alhtr /etc/rndc.key
-rw-r----- 1 root named 100 Sep 17 20:28 /etc/rndc.key
Next, add the following lines to the existing /etc/named.conf file:
include "/etc/rndc.key";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
And finally, restart the BIND server using this command:
/scripts/restartsrv_named --restart
2- Alternatively, you can include the key in both the rndc’s and named’s configuration files (/etc/rndc.conf for rndc and /etc/named.conf for named).
This latter option is more complicated, but it is necessary when named and rndc run on different computers. rndc-confgen -a sets up a key for localhost access only. We will not go into that configuration in this article.
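As an added illustration (not part of this article or of BIND), a small Python audit that checks a controls statement against the points above: the listen address and allow list should be loopback-only, key entries inside the allow list are ignored by named, a keys clause must be present, and /etc/rndc.key should be 0640 root:named. The two named.conf fragments are constructed samples.

```python
import re

# Constructed named.conf fragments for this example (not from a live server).
SAFE_CONF = """controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};"""
UNSAFE_CONF = """controls {
    inet * port 953 allow { any; key "rndc-key"; };
};"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
INET_RE = re.compile(
    r"inet\s+(\S+)(?:\s+port\s+\d+)?\s+allow\s*\{([^}]*)\}(?:\s+keys\s*\{([^}]*)\})?"
)

def _block_body(text: str, open_at: int) -> str:
    """Return the text between the '{' at open_at and its matching '}' (braces nest)."""
    depth = 0
    for i in range(open_at, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_at + 1:i]
    raise ValueError("unbalanced braces in controls statement")

def audit_controls(conf: str) -> list[str]:
    """Flag control-channel settings that expose rndc beyond the local host."""
    m = re.search(r"\bcontrols\s*\{", conf)
    if not m:
        return ["no controls statement: check which defaults named applied"]
    findings = []
    for addr, allow, keys in INET_RE.findall(_block_body(conf, m.end() - 1)):
        if addr not in LOOPBACK:
            findings.append(f"listens on non-loopback address {addr}")
        for entry in (e.strip() for e in allow.split(";") if e.strip()):
            if entry.startswith("key "):
                findings.append(f"allow entry '{entry}' is ignored; use the keys clause")
            elif entry not in LOOPBACK:
                findings.append(f"allow list admits non-loopback source {entry}")
        if not keys.strip():
            findings.append("no keys clause: control channel is unauthenticated")
    return findings

def key_file_perms_ok(mode: int, owner: str, group: str) -> bool:
    """/etc/rndc.key should be 0640 root:named, matching the ls output above."""
    return (mode & 0o777) == 0o640 and owner == "root" and group == "named"
```

Feed audit_controls the contents of /etc/named.conf and key_file_perms_ok the st_mode plus owner and group names from os.stat on /etc/rndc.key.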