Home / server / Questions / 214295
Accepted
smusumeche
Asked: 2010-12-20 20:33:38 +0800 CST

Bind and Open Ports

  • 772

I recently installed Bind on a CentOS box. Everything appears to be working with only port 53 open. However, I noticed in the config file that there is a line in rndc.conf that says "default-port 953;" I don't have port 953 open and Bind appears to be working. Can I keep 953 closed? What is the point of RNDC listening on 953?

centos bind

5 Answers

  1. RNDC is the remote administration port. Do not open it to the outside world. Unless you use the rndc utility, it's not necessary for this port to be open at all, you can safely firewall it off.

    Bind needs UDP 53 to service normal requests. You should also open TCP 53 if (and only if) this server is the master for a zone and a secondary server needs to transfer from it.

    • 4
  2. Best Answer

    What does this print?

    $ sudo netstat -ntlp | grep ':953\>'

    It should print something like:

    tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1234/named

    or this if you have IPv6 enabled:

    tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1234/named
tcp        0      0 ::1:953                 :::*                    LISTEN      1234/named

    Because it uses only the loopback address, the port is only accessible to users logged on to the server itself, not from elsewhere on the network.

    rndc is used to manage the name server, for example "rndc reload" is the preferred way to tell BIND that you changed a zone file and it should re-load them.

    On my Debian server (not sure about CentOS) it is also required by /etc/init.d/bind9 to start and stop the service. I think CentOS calls that file /etc/init.d/named. I wouldn't disable it or block it without checking how that script works first.

    The full list of commands you can run is in the BIND 9 Administrator's Reference Manual - Administrative Tools.

    As to why it uses a TCP port, run "man rndc" for the details:

       rndc communicates with the name server over a TCP connection, sending
   commands authenticated with digital signatures. In the current versions
   of rndc and named, the only supported authentication algorithm is
   HMAC-MD5, which uses a shared secret on each end of the connection.
   This provides TSIG-style authentication for the command request and the
   name server’s response. All commands sent over the channel must be
   signed by a key_id known to the server.

   rndc reads a configuration file to determine how to contact the name
   server and decide what algorithm and key it should use.

    So if you're looking to secure it, look into details of the key and the key file. For example, /etc/bind/rndc.key (or /etc/named/rndc.key) should have restricted permissions.

    • 4

  3. Usually there is no need to forward requests for 953 port on your border firewalls, but it is fruitful to keep it open on DNS server as a local service (of course if you have ssh access to this server). Properly configured rndc is a great tool to manage named.

    • 0

  4. Actually it's BIND that listens on TCP port 953 of the loopback interface. RNDC is a client utility that can be used to control BIND. RNDC talks to BIND over TCP port 953. It's totally safe to leave it open.

    • 0

  5. Add the following at the end of /etc/named.conf (RedHat compatible, Debian??)

    controls { };

    to disable it. I see no point having this open on a slave DNS server.

    Source: https://www.linuxquestions.org/questions/linux-server-73/bind-and-rndc-problems-how-do-i-remove-rndc-597478/#post2949852

    • 0