I recently installed Bind on a CentOS box. Everything appears to be working with only port 53 open. However, I noticed in the config file that there is a line in rndc.conf that says "default-port 953;" I don't have port 953 open and Bind appears to be working. Can I keep 953 closed? What is the point of RNDC listening on 953?
Centos – Bind and Open Ports
Best Answer
What does this print?
It should print something like:
or this if you have IPv6 enabled:
Because it uses only the loopback address, the port is only accessible to users logged on to the server itself, not from elsewhere on the network.
rndc is used to manage the name server; for example, "rndc reload" is the preferred way to tell BIND that you changed a zone file and it should reload it.
On my Debian server (not sure about CentOS) it is also required by /etc/init.d/bind9 to start and stop the service. I think CentOS calls that file /etc/init.d/named. I wouldn't disable it or block it without checking how that script works first.
The full list of commands you can run is in the BIND 9 Administrator's Reference Manual - Administrative Tools.
As to why it uses a TCP port, run "man rndc" for the details:
So if you're looking to secure it, look into details of the key and the key file. For example, /etc/bind/rndc.key (or /etc/named/rndc.key) should have restricted permissions.
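The two checks the answer describes, the control port being bound to loopback only and the key file having restricted permissions, as an added shell example that is not part of the original answer. The function names are hypothetical; port 953 and the CentOS key path come from the thread, and the netstat-style input is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original answer. Audits the two points the
# answer raises: is the rndc control port (953, from rndc.conf) bound only to
# loopback, and is the rndc key file readable only by its owner and group?
# Function names are hypothetical; the port and key path come from the thread.

RNDC_PORT=953

# Reads "netstat -lnt" or "ss -lnt" style output on stdin and prints every
# listening socket on the control port whose local address is NOT loopback.
# Exit status 0 = loopback-only (or not listening), 1 = exposed on a real NIC.
rndc_non_loopback_listeners() {
    awk -v port="$RNDC_PORT" '
        BEGIN { bad = 0 }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ (":" port "$") &&
                    $i !~ /^(127\.|::1:|\[::1\]:|localhost:)/) { print; bad = 1 }
        }
        END { exit bad }'
}

# Returns 0 when the key file has no "other" permission bits (e.g. 0640),
# 1 when world-readable, 2 when the file does not exist.
rndc_key_is_restricted() {
    key_file="${1:-/etc/named/rndc.key}"
    [ -e "$key_file" ] || return 2
    # GNU stat first, BSD stat as fallback; %a/%Lp print the octal mode.
    mode=$(stat -c '%a' "$key_file" 2>/dev/null || stat -f '%Lp' "$key_file")
    case "$mode" in
        *0) return 0 ;;   # last octal digit is "other": 0 means no access
        *)  return 1 ;;
    esac
}

# Constructed sample (not captured from a real host): a healthy layout where
# only 53 is exposed and 953 is loopback-only on IPv4 and IPv6.
SAMPLE_OK='tcp   0 0 127.0.0.1:953  0.0.0.0:* LISTEN
tcp   0 0 0.0.0.0:53     0.0.0.0:* LISTEN
tcp6  0 0 ::1:953        :::*      LISTEN'
# Constructed sample of the misconfiguration: 953 bound to every interface.
SAMPLE_BAD='tcp   0 0 0.0.0.0:953    0.0.0.0:* LISTEN'

if printf '%s\n' "$SAMPLE_OK" | rndc_non_loopback_listeners; then
    echo "sample OK: rndc control port is loopback-only"
fi
if ! printf '%s\n' "$SAMPLE_BAD" | rndc_non_loopback_listeners; then
    echo "sample BAD: rndc control port reachable from the network (above)"
fi
```

On a live host, pipe real output in with `netstat -lnt | rndc_non_loopback_listeners` (or `ss -lnt`) and run `rndc_key_is_restricted` against the key path named in your rndc.conf.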