DNS BIND: introduction to rndc and how to use it

rndc (Remote Name Daemon Control) is the tool for administering BIND remotely. With it you can check the running state of the current server, either on the same host or over the network, and you can also stop it, reload it, flush its cache, add and delete zones, and so on.

When rndc connects to the DNS server it authenticates with a pre-shared key (a TSIG-style HMAC), not with a username/password and not with a digital certificate. The earliest rndc/named releases supported only the HMAC-MD5 algorithm; current releases (including the 9.9.x shown below) also accept HMAC-SHA1/224/256/384/512, and HMAC-SHA256 should be preferred since HMAC-MD5 is no longer considered strong. The key provides TSIG-type authentication for the command requests and for the name server's responses: every command sent over the control channel must be signed with a key_id that the server knows. To produce a key both sides agree on, run rndc-confgen, which prints the key and the matching configuration; put the key and controls statements into named.conf and the rest into rndc's own configuration file, rndc.conf. Keep the file holding the secret readable only by root and the named user, and list only the management hosts in the controls allow clause, since anyone who can reach port 953 with the key can stop the server or change its zones.
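The key and config generation described above, written out as an added example (this is not code from the original post and not part of BIND; on a real host `rndc-confgen -a -A hmac-sha256` does the same job). The key name `rndc-key` and the output directory are assumptions; the secret is produced from /dev/urandom the way rndc-confgen does.

```shell
#!/bin/sh
# Added example: generate an rndc shared secret and write matching named.conf
# and rndc.conf fragments that keep the control channel on localhost.
# Key name "rndc-key" and the demo directory are assumptions for this demo.
set -eu

# 256-bit secret, base64-encoded as named expects.
# Real-host equivalent: rndc-confgen -a -A hmac-sha256 -b 256 -k rndc-key
gen_rndc_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# The key statement is identical on both sides of the channel.
key_stmt() {  # $1=keyname $2=secret
    printf 'key "%s" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' "$1" "$2"
}

# named.conf side: key + controls. Listening on 127.0.0.1 and allowing only
# localhost means a leaked key alone is not enough; the attacker also needs
# a shell on the box (or a firewall hole) to reach port 953.
write_named_controls() {  # $1=outfile $2=keyname $3=secret
    {
        key_stmt "$2" "$3"
        printf 'controls {\n\tinet 127.0.0.1 port 953 allow { localhost; } keys { "%s"; };\n};\n' "$2"
    } > "$1"
    chmod 0600 "$1"
}

# rndc.conf side: same key, plus the default server and port.
write_rndc_conf() {  # $1=outfile $2=keyname $3=secret
    {
        key_stmt "$2" "$3"
        printf 'options {\n\tdefault-key "%s";\n\tdefault-server 127.0.0.1;\n\tdefault-port 953;\n};\n' "$2"
    } > "$1"
    chmod 0600 "$1"
}

# Returns 0 if a fragment still uses the weak HMAC-MD5 that old tutorials
# (and old rndc-confgen defaults) produce.
uses_weak_hmac() {  # $1=file
    grep -qi 'algorithm[[:space:]]*hmac-md5' "$1"
}

demo_dir=${RNDC_DEMO_DIR:-$(mktemp -d)}
secret=$(gen_rndc_secret)
write_named_controls "$demo_dir/named-controls.conf" rndc-key "$secret"
write_rndc_conf "$demo_dir/rndc.conf" rndc-key "$secret"
echo "wrote $demo_dir/named-controls.conf and $demo_dir/rndc.conf"
```

Include the `named-controls.conf` fragment from named.conf (for example with `include`) and point rndc at the other file with `rndc -c rndc.conf`. If the server must be managed from another host, change the `inet` address and the `allow` list to that host, never to `any`.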


# /home/slim/bind/sbin/rndc -h
Usage: rndc [-b address] [-c config] [-s server] [-p port]
        [-k key-file ] [-y key] [-V] command

command is one of the following:

  addzone zone [class [view]] { zone-options }
                Add zone to given view. Requires new-zone-file option.
  delzone zone [class [view]]
                Removes zone from given view. Requires new-zone-file option.
  dumpdb [-all|-cache|-zones] [view ...]
                Dump cache(s) to the dump file (named_dump.db).
  flush         Flushes all of the server's caches.
  flush [view]  Flushes the server's cache for a view.
  flushname name [view]
                Flush the given name from the server's cache(s)
  flushtree name [view]
                Flush all names under the given name from the server's cache(s)
  freeze        Suspend updates to all dynamic zones.
  freeze zone [class [view]]
                Suspend updates to a dynamic zone.
  halt          Stop the server without saving pending updates.
  halt -p       Stop the server without saving pending updates reporting
                process id.
  loadkeys zone [class [view]]
                Update keys without signing immediately.
  notify zone [class [view]]
                Resend NOTIFY messages for the zone.
  notrace       Set debugging level to 0.
  querylog newstate
                Enable / disable query logging.
  reconfig      Reload configuration file and new zones only.
  recursing     Dump the queries that are currently recursing (named.recursing)
  refresh zone [class [view]]
                Schedule immediate maintenance for a zone.
  reload        Reload configuration file and zones.
  reload zone [class [view]]
                Reload a single zone.
  retransfer zone [class [view]]
                Retransfer a single zone without checking serial number.
  secroots [view ...]
                Write security roots to the secroots file.
  sign zone [class [view]]
                Update zone keys, and sign as needed.
  signing -clear all zone [class [view]]
                Remove the private records for all keys that have
                finished signing the given zone.
  signing -clear <keyid>/<algorithm> zone [class [view]]
                Remove the private record that indicating the given key
                has finished signing the given zone.
  signing -list zone [class [view]]
                List the private records showing the state of DNSSEC
                signing in the given zone.
  signing -nsec3param hash flags iterations salt zone [class [view]]
                Add NSEC3 chain to zone if already signed.
                Prime zone with NSEC3 chain if not yet signed.
  signing -nsec3param none zone [class [view]]
                Remove NSEC3 chains from zone.
  stats         Write server statistics to the statistics file.
  status        Display status of the server.
  stop          Save pending updates to master files and stop the server.
  stop -p       Save pending updates to master files and stop the server
                reporting process id.
  sync [-clean] Dump changes to all dynamic zones to disk, and optionally
                remove their journal files.
  sync [-clean] zone [class [view]]
                Dump a single zone's changes to disk, and optionally
                remove its journal file.
  thaw          Enable updates to all dynamic zones and reload them.
  thaw zone [class [view]]
                Enable updates to a frozen dynamic zone and reload it.
  trace         Increment debugging level by one.
  trace level   Change the debugging level.
  tsig-delete keyname [view]
                Delete a TKEY-negotiated TSIG key.
  tsig-list     List all currently active TSIG keys, including both statically
                configured and TKEY-negotiated keys.
  validation newstate [view]
                Enable / disable DNSSEC validation.
status                      # show the BIND server's working state
reload                      # reload the configuration file and all zone files
reload zone_name            # reload the specified zone only
reconfig                    # re-read the configuration file and load newly added zones only
querylog                    # toggle query logging on or off
dumpdb                      # dump the cache to the dump file (named_dump.db)
freeze                      # suspend updates to all dynamic zones
freeze zone [class [view]]  # suspend updates to one dynamic zone
flush                       # flush all of the server's caches
flush view                  # flush the cache of one view
flushname name [view]       # flush a single name from the server's cache(s)
stats                       # write server statistics to the statistics file
stop                        # save pending updates to the master files and stop the server
halt                        # stop the server without saving pending updates
trace                       # turn on debugging; debugging has levels, and each call raises the level by one
trace LEVEL                 # set the debug level; trace 0 turns debugging off
notrace                     # set the debug level to 0
restart                     # restart the server (not yet implemented)

addzone zone [class [view]] { zone-options }   # add a zone at run time (needs allow-new-zones yes; in named.conf)

delzone zone [class [view]]                    # delete a zone that was added with addzone

tsig-delete keyname [view]                     # delete a TKEY-negotiated TSIG key

validation newstate [view]                     # enable or disable DNSSEC validation

2. Viewing the DNS cache

In BIND 9 the `rndc dumpdb` command is used to view the DNS cache. The main points:
1. First configure rndc.conf and named.conf correctly and make sure the named service starts; `netstat -an` should show ports 53 and 953 listening.
2. Next, know where rndc is installed; without the full path you may get "command not found". Mine is at /home/slim/bind/sbin/rndc, so after `ln -s /home/slim/bind/sbin/rndc /usr/local/sbin/rndc` it can be run as `rndc dumpdb` from any directory. Also check the firewall: if port 953 is not reachable the command cannot work at all. Open 953 only to the hosts you manage from, not to the whole network.
3. Set where the cache file is written: `dump-file "/var/named/data/cache_dump.db";` in named.conf names the file that receives the dump. With these settings in place, running `rndc dumpdb` exports the cache contents into /var/named/data/, and you can read them with `more cache_dump.db`.
Example (the server address after -s is omitted here): /home/slim/bind/sbin/rndc -c /home/slim/chroot/etc/rndc.conf -s -p 953 dumpdb
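Reading the whole dump with `more` does not scale once the cache holds a few hundred thousand records. The script below is an added example, not part of the original post: it triggers a cache-only dump and extracts the records for one owner name. The sample dump written by `write_sample_dump` is constructed for the demo; it follows the layout named produces (";"-prefixed comment lines, a "$DATE" line, then one record per line), but the names and the 192.0.2.x addresses are assumptions.

```shell
#!/bin/sh
# Added example: dump only the cache and look up one name in the dump.
# The dump layout is named's, the sample contents below are constructed.
set -eu

# Ask named to dump only the cache (not the authoritative zones). rndc
# returns before named finishes writing, so wait for the file to fill.
dump_cache() {  # $1=rndc.conf $2=dump file (named's dump-file setting)
    rndc -c "$1" dumpdb -cache
    i=0
    while [ ! -s "$2" ] && [ "$i" -lt 10 ]; do sleep 1; i=$((i + 1)); done
}

# Constructed sample of a cache dump, used so the lookup runs offline.
write_sample_dump() {  # $1=outfile
    cat > "$1" <<'EOF'
;
; Start view _default
;
;
; Cache dump of view '_default' (cache _default)
;
$DATE 20150418211244
; authanswer
www.abc.com.        86400   IN A    192.0.2.10
; glue
dns.abc.com.        86400   IN A    192.0.2.1
; authauthority
abc.com.            86400   IN NS   dns.abc.com.
; answer
www.example.net.    299     IN A    192.0.2.20
www.example.net.    299     IN A    192.0.2.21
EOF
}

# Print the records whose owner is $1 (case-insensitive, trailing dot
# optional). Comment lines start with ";", "$DATE" is the dump timestamp,
# everything else is: owner TTL [class] type rdata.
cache_records() {  # $1=name $2=dump file
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')." '
        /^;/ || /^\$DATE/ || NF < 4 { next }
        tolower($1) == want { print }
    ' "$2"
}

# How many records of type $2 the cache holds for name $1.
cache_count() {  # $1=name $2=type $3=dump file
    cache_records "$1" "$3" | awk -v t="$2" '$3 == t || $4 == t { n++ } END { print n + 0 }'
}

# Usage against a live server (rndc.conf and dump path are assumptions):
#   dump_cache /home/slim/chroot/etc/rndc.conf /var/named/data/cache_dump.db
#   cache_records www.abc.com /var/named/data/cache_dump.db
```

A quick check such as `cache_count www.example.net A cache_dump.db` is also a cheap way to confirm that `rndc flushname` really removed a name, or to spot a record in cache that does not match what the authoritative server returns.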



$ /home/slim/bind/sbin/rndc -c /home/slim/chroot/etc/rndc.conf -s -p 953 status
version: 9.9.7 (vdns3.0) <id:e87fa9ae>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 101
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
Next we show how to add a zone dynamically with rndc. First add `allow-new-zones yes;` to the global `options` block of the main configuration file named.conf (and `rndc reconfig` so it takes effect); zones added this way are recorded in a .nzf file in named's working directory so they survive a restart.


vi /var/named/zone/abc.com.zone

$TTL      86400
@            IN SOA  abc.com.  admin.abc.com. (
                                          60                ; serial (d. adams)
                                          3H                ; refresh
                                          15M                ; retry
                                          1W                ; expiry
                                          1D )              ; minimum
                IN              NS     dns.abc.com.
dns     IN      A
www     IN      A

/home/slim/bind/sbin/rndc -c /home/slim/chroot/etc/rndc.conf -s -p 953  addzone abc.com '{ type master; file  "zone/abc.com.zone";};'


When named is configured with views, the class and the view name come before the options, and the options are whatever zone statements that zone needs:

addzone abc.com IN view_name '{type master; file "zone/abc.com.zone";keys{key;};};'


# dig @ www.abc.com A

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> @ www.abc.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2952
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;www.abc.com.                   IN      A

www.abc.com.            86400   IN      A

abc.com.                86400   IN      NS      dns.abc.com.

dns.abc.com.            86400   IN      A

;; Query time: 1 msec
;; WHEN: Sat Apr 18 21:12:44 2015
;; MSG SIZE  rcvd: 79
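The addzone procedure above, from zone file to verification, as an added example that is not part of the original post. Two steps are added that the text skips: the zone file is checked with `named-checkzone` before named is asked to load it, and the zone count from `rndc status` is compared before and after so a silently rejected addzone is caught. The 192.0.2.x addresses, the SOA contents and the rndc.conf path are assumptions.

```shell
#!/bin/sh
# Added example: add a zone at run time with a check before and after.
# Addresses, SOA values and the config path are assumptions for the demo.
set -eu

RNDC_CONF=${RNDC_CONF:-/home/slim/chroot/etc/rndc.conf}

# Write a minimal master zone file; the serial is a parameter so it can be bumped.
write_zone_file() {  # $1=zone $2=outfile $3=serial
    cat > "$2" <<EOF
\$TTL 86400
@       IN SOA  dns.$1. admin.$1. (
                $3         ; serial
                3H         ; refresh
                15M        ; retry
                1W         ; expire
                1D )       ; minimum
        IN NS   dns.$1.
dns     IN A    192.0.2.1
www     IN A    192.0.2.10
EOF
}

# Read the serial back (first bare number after the SOA line).
zone_serial() {  # $1=zone file
    awk '/SOA/ { insoa = 1; next } insoa && $1 ~ /^[0-9]+$/ { print $1; exit }' "$1"
}

# Extract "number of zones: N" from `rndc status` output on stdin.
zone_count() {
    awk -F': ' '/^number of zones:/ { print $2 + 0 }'
}

# Build the option string addzone expects. Keeping it in one place avoids the
# shell-quoting mistakes (lost braces or semicolons) that make addzone fail.
addzone_opts() {  # $1=zone file path relative to named's directory
    printf '{ type master; file "%s"; };' "$1"
}

# Validate, add, verify. Needs allow-new-zones yes; in named.conf options.
add_zone() {  # $1=zone $2=absolute zone file path $3=path relative to named's directory
    named-checkzone "$1" "$2" >/dev/null      # refuse to hand named a broken zone
    before=$(rndc -c "$RNDC_CONF" status | zone_count)
    rndc -c "$RNDC_CONF" addzone "$1" "$(addzone_opts "$3")"
    after=$(rndc -c "$RNDC_CONF" status | zone_count)
    [ "$after" -eq $((before + 1)) ] || { echo "addzone $1: zone count did not grow" >&2; return 1; }
}

# Usage on the server (paths are assumptions):
#   write_zone_file abc.com /var/named/zone/abc.com.zone 60
#   add_zone abc.com /var/named/zone/abc.com.zone zone/abc.com.zone
#   dig @127.0.0.1 www.abc.com A      # should answer with flags qr aa
```

The relative path passed to `addzone_opts` is interpreted against named's `directory` option (and inside the chroot, if one is used), which is why the absolute path used for `named-checkzone` and the relative one handed to named differ. Removing the zone again is `rndc delzone abc.com`; the zone file itself is not deleted.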
