Centos – Bind and Open Ports

Tags: bind, centos

I recently installed Bind on a CentOS box. Everything appears to be working with only port 53 open. However, I noticed in the config file that there is a line in rndc.conf that says "default-port 953;" I don't have port 953 open and Bind appears to be working. Can I keep 953 closed? What is the point of RNDC listening on 953?

Best Answer

What does this print?

$ sudo netstat -ntlp | grep ':953\>'

It should print something like:

tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1234/named

or this if you have IPv6 enabled:

tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1234/named
tcp        0      0 ::1:953                 :::*                    LISTEN      1234/named

Because it uses only the loopback address, the port is only accessible to users logged on to the server itself, not from elsewhere on the network.

rndc is used to manage the name server; for example, "rndc reload" is the preferred way to tell BIND that you changed a zone file and it should reload it.

On my Debian server (not sure about CentOS) it is also required by /etc/init.d/bind9 to start and stop the service. I think CentOS calls that file /etc/init.d/named. I wouldn't disable it or block it without checking how that script works first.

The full list of commands you can run is in the BIND 9 Administrator's Reference Manual - Administrative Tools.

As to why it uses a TCP port, run "man rndc" for the details:

   rndc communicates with the name server over a TCP connection, sending
   commands authenticated with digital signatures. In the current versions
   of rndc and named, the only supported authentication algorithm is
   HMAC-MD5, which uses a shared secret on each end of the connection.
   This provides TSIG-style authentication for the command request and the
   name server’s response. All commands sent over the channel must be
   signed by a key_id known to the server.

   rndc reads a configuration file to determine how to contact the name
   server and decide what algorithm and key it should use.

So if you're looking to secure it, look into details of the key and the key file. For example, /etc/bind/rndc.key (or /etc/named/rndc.key) should have restricted permissions.
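The two checks the answer describes (is the rndc control channel bound only to loopback, and is the key file readable by anyone other than the owner and group) can be scripted. The following is an added example, not part of the original answer or of BIND; the netstat lines are constructed sample data so it runs offline, and the key file path /etc/named/rndc.key is assumed from the answer's own guess at the CentOS location.

```shell
#!/bin/sh
# Added example, not part of the original answer: two checks for the rndc control
# channel described above. Sample netstat lines are constructed here so the script
# runs offline; the key-file path is the one the answer mentions and is assumed.

# Constructed sample of "netstat -ntlp" output: rndc on loopback only, DNS on all interfaces.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1234/named
tcp        0      0 ::1:953                 :::*                    LISTEN      1234/named
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1234/named'

# Reads netstat -ntlp (or ss -ntlp) text on stdin. Prints every port-953 listener
# that is not bound to a loopback address and returns 1 if any was found, else 0.
check_rndc_binding() {
    awk '$4 ~ /:953$/ && $4 !~ /^(127\.0\.0\.1|::1|\[::1\]):953$/ { print $4; bad = 1 }
         END { exit (bad ? 1 : 0) }'
}

# Returns 0 if the file is not world-readable (other "r" bit clear), 1 if it is.
# Uses ls -ld so it works on any POSIX system; group access is left to site policy.
key_file_is_restricted() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) return 1 ;;  # 8th character is the other-read bit
        *)          return 0 ;;
    esac
}

# Stand-alone run against the constructed sample and the (assumed) CentOS key path.
if printf '%s\n' "$SAMPLE_NETSTAT" | check_rndc_binding; then
    echo "rndc control channel: loopback only"
else
    echo "rndc control channel: EXPOSED on a non-loopback address"
fi

KEY_FILE=${KEY_FILE:-/etc/named/rndc.key}   # assumed path; override via environment
if [ -f "$KEY_FILE" ]; then
    if key_file_is_restricted "$KEY_FILE"; then
        echo "$KEY_FILE: not world-readable"
    else
        echo "$KEY_FILE: WORLD-READABLE, tighten with chmod 640"
    fi
fi
```

On a live host, pipe the real listing in instead of the sample (`sudo netstat -ntlp | check_rndc_binding`, or `ss -ntlp`, whose bracketed `[::1]:953` form the pattern also accepts) and point KEY_FILE at the path your distribution uses, such as /etc/bind/rndc.key on Debian.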