rndc (Remote Name Daemon Control) is a tool for managing BIND remotely. With it you can check the running state of the server locally or from another host, and you can shut the server down, reload it, flush its cache, add or delete zones, and so on.
With rndc you can update data and make a modified configuration file take effect without stopping the DNS server. In practice a DNS server is very busy, and even a short pause affects users, so rndc lets the server keep serving users while it is managed. Before managing BIND with rndc you must generate a key with rndc, one copy of which is kept in rndc's configuration file and the other in BIND's main configuration file. rndc's configuration file is /etc/rndc.conf; on CentOS or RHEL the rndc key is stored in /etc/rndc.key. rndc listens on port 953 (TCP) by default, and in BIND 9 rndc is in fact usable by default without a hand-configured key file. When rndc connects to the DNS server it authenticates with a cryptographic key rather than the traditional username/password. In the current versions of rndc and named the only supported authentication algorithm is HMAC-MD5, with a pre-shared secret at both ends of the connection; it provides TSIG-style authentication for command requests and for the name server's responses. Every command sent over the channel must be signed with a key_id the server knows. To produce a key that both sides accept, use the rndc-confgen command to generate the key and the matching configuration, then place the respective pieces in named.conf and in rndc's configuration file rndc.conf.
I. Syntax
```
# /home/slim/bind/sbin/rndc -h
Usage: rndc [-b address] [-c config] [-s server] [-p port]
        [-k key-file ] [-y key] [-V] command

command is one of the following:

  addzone zone [class [view]] { zone-options }
                Add zone to given view. Requires new-zone-file option.
  delzone zone [class [view]]
                Removes zone from given view. Requires new-zone-file option.
  dumpdb [-all|-cache|-zones] [view ...]
                Dump cache(s) to the dump file (named_dump.db).
  flush         Flushes all of the server's caches.
  flush [view]  Flushes the server's cache for a view.
  flushname name [view]
                Flush the given name from the server's cache(s)
  flushtree name [view]
                Flush all names under the given name from the server's cache(s)
  freeze        Suspend updates to all dynamic zones.
  freeze zone [class [view]]
                Suspend updates to a dynamic zone.
  halt          Stop the server without saving pending updates.
  halt -p       Stop the server without saving pending updates reporting
                process id.
  loadkeys zone [class [view]]
                Update keys without signing immediately.
  notify zone [class [view]]
                Resend NOTIFY messages for the zone.
  notrace       Set debugging level to 0.
  querylog newstate
                Enable / disable query logging.
  reconfig      Reload configuration file and new zones only.
  recursing     Dump the queries that are currently recursing (named.recursing)
  refresh zone [class [view]]
                Schedule immediate maintenance for a zone.
  reload        Reload configuration file and zones.
  reload zone [class [view]]
                Reload a single zone.
  retransfer zone [class [view]]
                Retransfer a single zone without checking serial number.
  secroots [view ...]
                Write security roots to the secroots file.
  sign zone [class [view]]
                Update zone keys, and sign as needed.
  signing -clear all zone [class [view]]
                Remove the private records for all keys that have
                finished signing the given zone.
  signing -clear <keyid>/<algorithm> zone [class [view]]
                Remove the private record that indicating the given key
                has finished signing the given zone.
  signing -list zone [class [view]]
                List the private records showing the state of DNSSEC
                signing in the given zone.
  signing -nsec3param hash flags iterations salt zone [class [view]]
                Add NSEC3 chain to zone if already signed.
                Prime zone with NSEC3 chain if not yet signed.
  signing -nsec3param none zone [class [view]]
                Remove NSEC3 chains from zone.
  stats         Write server statistics to the statistics file.
  status        Display status of the server.
  stop          Save pending updates to master files and stop the server.
  stop -p       Save pending updates to master files and stop the server
                reporting process id.
  sync [-clean] Dump changes to all dynamic zones to disk, and optionally
                remove their journal files.
  sync [-clean] zone [class [view]]
                Dump a single zone's changes to disk, and optionally
                remove its journal file.
  thaw          Enable updates to all dynamic zones and reload them.
  thaw zone [class [view]]
                Enable updates to a frozen dynamic zone and reload it.
  trace         Increment debugging level by one.
  trace level   Change the debugging level.
  tsig-delete keyname [view]
                Delete a TKEY-negotiated TSIG key.
  tsig-list     List all currently active TSIG keys, including both statically
                configured and TKEY-negotiated keys.
  validation newstate [view]
                Enable / disable DNSSEC validation.
```
Commonly used rndc commands:
```
status                       # show the working state of the BIND server
reload                       # reload the configuration file and zone files
reload zone_name             # reload the given zone only
reconfig                     # re-read the configuration file and load newly added zones
querylog                     # turn query logging off or on
dumpdb                       # dump the cache to the dump file (named_dump.db)
freeze                       # suspend updates to all dynamic zones
freeze zone [class [view]]   # suspend updates to one dynamic zone
flush [view]                 # flush all of the server's caches (or one view's cache)
flushname name               # flush the given name from the server's cache(s)
stats                        # write server statistics to the statistics file
stop                         # save pending updates to the master files and stop the server
halt                         # stop the server without saving pending updates
trace                        # turn on debugging; debugging has levels, and each call raises the level by one
trace LEVEL                  # set the debug level; trace 0 turns debugging off
notrace                      # set the debug level to 0
restart                      # restart the server (not yet implemented)
addzone zone [class [view]] { zone-options }   # add a zone
delzone zone [class [view]]  # delete a zone
tsig-delete keyname [view]   # delete a TSIG key
tsig-list                    # list the currently active TSIG keys
validation newstate [view]   # enable/disable DNSSEC validation
```
Note: rndc accepts the "-s" and "-p" options to connect to a remote DNS server and manage it, but the keys on both sides must match or the connection will fail. When writing rndc.conf, make sure the key name and the pre-shared secret are identical to those in named.conf; otherwise rndc will not work.
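A check for exactly the pairing the note above insists on, added here as an example (it is not the post's own code, nor ISC's): it parses the simple key/controls stanzas that rndc-confgen emits and lists anything that would make named reject rndc. The two configuration samples and the secret in them are constructed.

```python
import re

# Constructed sample of what rndc-confgen emits for rndc.conf.
RNDC_CONF = '''key "rndc-key" {
    algorithm hmac-md5;
    secret "c2VjcmV0LWZvci1kZW1vLW9ubHk=";
};
options { default-key "rndc-key"; default-server 127.0.0.1; default-port 953; };
'''
# Constructed sample of the matching stanzas pasted into named.conf.
NAMED_CONF = '''key "rndc-key" {
    algorithm hmac-md5;
    secret "c2VjcmV0LWZvci1kZW1vLW9ubHk=";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
'''
KEY_RE = re.compile(r'key\s+"?([\w.-]+)"?\s*\{(.*?)\};', re.S)

def parse_keys(text):
    """Map each key stanza's name to (algorithm, secret)."""
    keys = {}
    for name, body in KEY_RE.findall(text):
        alg = re.search(r'algorithm\s+([\w-]+)\s*;', body)
        sec = re.search(r'secret\s+"([^"]+)"\s*;', body)
        if alg and sec:
            keys[name] = (alg.group(1).lower(), sec.group(1))
    return keys

def check_rndc_pair(rndc_conf, named_conf):
    """Return problems that would make named reject rndc; [] means consistent."""
    problems = []
    rndc_keys, named_keys = parse_keys(rndc_conf), parse_keys(named_conf)
    m = re.search(r'default-key\s+"?([\w.-]+)"?\s*;', rndc_conf)
    key_name = m.group(1) if m else next(iter(rndc_keys), None)
    if key_name not in rndc_keys:
        return ["rndc.conf defines no usable key"]
    if key_name not in named_keys:
        problems.append(f'named.conf has no key "{key_name}"')
    elif rndc_keys[key_name] != named_keys[key_name]:
        problems.append(f'algorithm or secret for "{key_name}" differs')
    # the controls stanza must list the key, or the command is refused
    ctl = re.search(r'controls\s*\{.*?keys\s*\{([^}]*)\}', named_conf, re.S)
    listed = {n.strip().strip('"') for n in ctl.group(1).split(';')} if ctl else set()
    if key_name not in listed:
        problems.append(f'controls stanza does not list key "{key_name}"')
    if re.search(r'allow\s*\{[^}]*\bany\b', named_conf):
        problems.append('controls allow { any; } exposes port 953 to every host')
    return problems
```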
1. rndc debugging and logging
Debugging shows detailed information about what the program is doing (it generates I/O, so under normal conditions it is recommended to keep it off). Debug levels: 0, 1, 2, 3, ...
Raising the debug level:
```
rndc trace
rndc trace LEVEL
rndc notrace
```
Turning on the query log records every query (which increases disk I/O):
```
rndc querylog
```
2. Viewing the DNS cache
In BIND 9 the rndc dumpdb command can be used to view the DNS cache. The main points are:
1. First configure rndc.conf and named.conf so that the named service starts successfully; `netstat -an` should show ports 53 and 953 open.
2. Know the directory rndc lives in; without the full path you may get "command not found". I installed it at /home/slim/bind/sbin/rndc, and after `ln -s /home/slim/bind/sbin/rndc /usr/local/sbin/rndc` the `rndc dumpdb` command can be run from any directory. Also pay attention to the firewall: if port 953 is not open, the command cannot run either.
3. Set the output location of the cache file: `dump-file "/var/named/data/cache_dump.db";` in named.conf is the file the DNS cache is written to.
With these settings in place, running `rndc dumpdb` exports the DNS cache into /var/named/data/, where it can be read with `more cache_dump.db`. Example:
```
/home/slim/bind/sbin/rndc -c /home/slim/chroot/etc/rndc.conf -s 127.0.0.1 -p 953 dumpdb
```
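To inspect the dump file programmatically instead of paging through it with more, here is an added example (not from the post or from ISC BIND) that parses the record lines of a cache dump, carrying the owner name forward for continued rdatasets and keeping the one-word trust-level comment (`; glue`, `; authanswer`, ...) that precedes each rdataset. The sample dump is constructed, and the parser assumes the line layout shown in it.

```python
import re

# Constructed sample laid out like a BIND 9 cache dump (the file named by
# dump-file); the names, TTLs and addresses are made up.
SAMPLE_DUMP = """;
; Start view _default
;
; Cache dump of view '_default' (cache _default)
;
$DATE 20150418211244
; authanswer
www.example.com.\t86399\tIN A\t93.184.216.34
; authauthority
example.com.\t172799\tIN NS\ta.iana-servers.net.
\t\t172799\tIN NS\tb.iana-servers.net.
; glue
a.iana-servers.net.\t3599\tIN A\t199.43.135.53
; additional
mail.example.com.\t60\tIN A\t198.51.100.7
"""

# owner (blank when the rdataset continues), remaining TTL, type, rdata
RR_RE = re.compile(r'^(\S*)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$')

def parse_cache_dump(text):
    """Return (owner, ttl, type, rdata, trust) for every cached record."""
    records, owner, trust = [], None, None
    for line in text.splitlines():
        if not line.strip() or line.startswith('$'):
            continue                     # blank lines and $DATE
        if line.startswith(';'):
            tag = line[1:].strip()
            if tag and ' ' not in tag:   # '; glue', '; authanswer', ...
                trust = tag              # trust level of the rdatasets that follow
            continue
        m = RR_RE.match(line)
        if not m:
            continue                     # not a record line
        name, ttl, rtype, rdata = m.groups()
        if name:
            owner = name                 # blank owner: same rdataset as the line above
        records.append((owner, int(ttl), rtype, rdata.strip(), trust))
    return records

def cached(records, owner, rtype):
    """Rdata the cache holds for owner/rtype, in dump order."""
    return [r[3] for r in records if r[0] == owner and r[2] == rtype]
```

Records whose trust level is only `glue` or `additional` are the ones worth a second look when a cached answer seems wrong, since they did not come from an authoritative answer section.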
II. Usage
We have already tried commands such as reload and status above.
```
$ /home/slim/bind/sbin/rndc -c /home/slim/chroot/etc/rndc.conf -s 127.0.0.1 -p 953 status
version: 9.9.7 (vdns3.0) <id:e87fa9ae>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 101
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
```
Next we show how to add a zone dynamically with rndc. This requires `allow-new-zones yes;` in the global options section of the main configuration file named.conf.
1. Create the zone file
vi /var/named/zone/abc.com.zone
```
$TTL 86400
@       IN SOA  abc.com. admin.abc.com. (
                60      ; serial (d. adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        IN NS   dns.abc.com.
dns     IN A    192.168.36.54
www     IN A    1.1.1.1
```
2. Add the zone
```
/home/slim/bind/sbin/rndc -c /home/slim/chroot/etc/rndc.conf -s 127.0.0.1 -p 953 addzone abc.com '{ type master; file "zone/abc.com.zone";};'
```
A view can be specified as follows:
```
addzone abc.com IN view_name '{type master; file "zone/abc.com.zone";keys{key;};};'
```
3. Check
```
# dig @192.168.36.54 www.abc.com A
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> @192.168.36.54 www.abc.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2952
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.abc.com.                   IN      A
;; ANSWER SECTION:
www.abc.com.            86400   IN      A       1.1.1.1
;; AUTHORITY SECTION:
abc.com.                86400   IN      NS      dns.abc.com.
;; ADDITIONAL SECTION:
dns.abc.com.            86400   IN      A       192.168.36.54
;; Query time: 1 msec
;; SERVER: 192.168.36.54#53(192.168.36.54)
;; WHEN: Sat Apr 18 21:12:44 2015
;; MSG SIZE  rcvd: 79
```