rndc: connect failed: 127.0.0.1#953: connection refused

rndc: connect failed: connection refused

Solution:
After a default installation of BIND9, the ndc or rndc commands cannot be used directly.

First, regenerate rndc.conf:
rndc-confgen > /etc/rndc.conf

Copy the commented-out section at the bottom of rndc.conf into /etc/rndc.key (the leading # must be removed).

For example:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "xbPNyGOcwJp8pEJDLo26cQ==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };


If /etc/named.conf already contains a controls section, comment it out first,

then add the line include "/etc/rndc.key"; after it.

This is done for security reasons; otherwise the content could simply be copied into named.conf.

inet / port means that an rndc listening port is opened on the local host, allowing ndc or rndc commands to be run from the local host.
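The copy-and-uncomment step above, as an added Python example that is not from the original post: it splits rndc-confgen output into the rndc.conf part and the trailer meant for named.conf, strips the leading # as the post instructs, and separates the key block (for /etc/rndc.key) from the controls block. The sample output and its secret are constructed, not real rndc-confgen output.

```python
import re

# Added example, not from the original post: automate the post's manual step of copying the
# commented-out trailer of rndc-confgen output into /etc/rndc.key with the leading '#' removed.
# SAMPLE_CONFGEN is constructed in rndc-confgen's output layout; the secret is a dummy value.
SAMPLE_CONFGEN = '''# Start of rndc.conf
key "rndc-key" {
\talgorithm hmac-md5;
\tsecret "AAAAAAAAAAAAAAAAAAAAAA==";
};

options {
\tdefault-key "rndc-key";
\tdefault-server 127.0.0.1;
\tdefault-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# \talgorithm hmac-md5;
# \tsecret "AAAAAAAAAAAAAAAAAAAAAA==";
# };
# 
# controls {
# \tinet 127.0.0.1 port 953
# \t\tallow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
'''

def split_confgen(output):
    """Return (rndc_conf, named_snippet): the rndc side verbatim, the trailer with '#' stripped."""
    conf, named, in_trailer = [], [], False
    for line in output.splitlines():
        if line.startswith('# Use with the following in named.conf'):
            in_trailer = True
        elif line.startswith('# End of named.conf'):
            break
        elif in_trailer:
            named.append(re.sub(r'^#\s?', '', line))   # the leading '#' the post says to remove
        elif not line.startswith('#'):                # drop the '# Start/End of rndc.conf' markers
            conf.append(line)
    return '\n'.join(conf).strip() + '\n', '\n'.join(named).strip() + '\n'

def key_and_controls(named_snippet):
    """Split the uncommented trailer into the key block (for /etc/rndc.key) and the controls block."""
    blocks = re.findall(r'(?:key|controls)\b.*?^\};', named_snippet, re.S | re.M)
    key = next(b for b in blocks if b.startswith('key'))
    controls = next(b for b in blocks if b.startswith('controls'))
    return key + '\n', controls + '\n'
```

The key part is what the post writes into /etc/rndc.key; the controls part replaces any existing controls section in named.conf.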

[root@example etc]# named -g
12-May-2010 11:15:03.197 starting BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5 -g
12-May-2010 11:15:03.211 adjusted limit on open files from 4096 to 1048576
12-May-2010 11:15:03.211 found 1 CPU, using 1 worker thread
12-May-2010 11:15:03.212 using up to 4096 sockets
12-May-2010 11:15:03.266 loading configuration from '/etc/named.conf'
12-May-2010 11:15:03.270 using default UDP/IPv4 port range: [1024, 65535]
12-May-2010 11:15:03.271 using default UDP/IPv6 port range: [1024, 65535]
12-May-2010 11:15:03.288 listening on IPv4 interface lo, 127.0.0.1#53
12-May-2010 11:15:03.311 listening on IPv4 interface eth1, 192.168.1.108#53
12-May-2010 11:15:03.312 listening on IPv4 interface vmnet1, 192.168.157.1#53
12-May-2010 11:15:03.313 listening on IPv4 interface vmnet8, 172.16.237.1#53
12-May-2010 11:15:03.336 listening on IPv4 interface virbr0, 192.168.122.1#53
12-May-2010 11:15:03.337 binding TCP socket: address in use
12-May-2010 11:15:03.395 command channel listening on 127.0.0.1#953
12-May-2010 11:15:03.396 ignoring config file logging statement due to -g option
12-May-2010 11:15:03.396 couldn't open pid file '/var/run/named/named.pid': Permission denied

[root@example etc]# chmod 777 /var/run/named/
[root@example etc]# named -g
12-May-2010 11:24:08.058 starting BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5 -g
12-May-2010 11:24:08.059 adjusted limit on open files from 4096 to 1048576
12-May-2010 11:24:08.059 found 1 CPU, using 1 worker thread
12-May-2010 11:24:08.060 using up to 4096 sockets
12-May-2010 11:24:08.119 loading configuration from '/etc/named.conf'
12-May-2010 11:24:08.146 using default UDP/IPv4 port range: [1024, 65535]
12-May-2010 11:24:08.189 using default UDP/IPv6 port range: [1024, 65535]
12-May-2010 11:24:08.196 listening on IPv4 interface lo, 127.0.0.1#53
12-May-2010 11:24:08.198 listening on IPv4 interface eth1, 192.168.1.108#53
12-May-2010 11:24:08.198 listening on IPv4 interface vmnet1, 192.168.157.1#53
12-May-2010 11:24:08.223 listening on IPv4 interface vmnet8, 172.16.237.1#53
12-May-2010 11:24:08.224 listening on IPv4 interface virbr0, 192.168.122.1#53
12-May-2010 11:24:08.224 binding TCP socket: address in use
12-May-2010 11:24:08.273 command channel listening on 127.0.0.1#953
12-May-2010 11:24:08.273 ignoring config file logging statement due to -g option
12-May-2010 11:24:08.277 running




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This section describes in detail how to configure rndc on a DNS server so that rndc can be used to turn on DNS query logging, flush the cache, reload the configuration file and shut down the DNS server. Once rndc is configured, all of these operations can be performed locally as well as from a remote server. DNS is currently considered a fairly secure service: not only is the process owner changed to the named user, it also runs in a chroot environment, and in future shutting down the DNS service may well require rndc, which is likely to become a trend in server design.

rndc stands for remote name daemon control, that is, remote control of the DNS server process. rndc relies on two configuration files, /etc/rndc.key and /etc/rndc.conf: rndc.key acts as the lock, despite its name, and rndc.conf is the key that opens that lock. Both files can be generated with the rndc-confgen command, which uses a symmetric-key (shared-secret) algorithm. The configuration is demonstrated below; in the demonstration, server controls the DNS server on client. The host running rndc does not itself have to be a DNS server...

1: Configure rndc on the client side (127.0.0.1)

[root@client ~]# rndc-confgen |grep -v '^#' // generate rndc.key and rndc.conf with rndc-confgen
key "rndckey" {
algorithm hmac-md5;
secret "q2yvOY2JiyUU2aV4qahzAw==";
};

options {
default-key "rndckey";
default-client 127.0.0.1;
default-port 953;
};

[root@client ~]# rm -rf /etc/rndc.key         // delete the default rndc.key file
[root@client ~]# cd /var/named/chroot/etc/
[root@client etc]# cat rndc.key         // write the "key" section generated by rndc-confgen above into rndc.key
key "rndckey" {
algorithm hmac-md5;
secret "q2yvOY2JiyUU2aV4qahzAw==";
};

[root@client etc]# chown named.named rndc.key                   // change the file owner and group to named
[root@client etc]# ln -s /var/named/chroot/etc/rndc.key /etc/   // symlink it into /etc
[root@client etc]# cat /etc/rndc.conf     // write the full output generated by rndc-confgen above into /etc/rndc.conf
key "rndckey" {
algorithm hmac-md5;
secret "q2yvOY2JiyUU2aV4qahzAw==";
};

options {
default-key "rndckey";
default-client 127.0.0.1;
default-port 953;
};

[root@client etc]# chown named.named /etc/rndc.conf   // change the file owner and group to named
[root@client etc]# cat /etc/named.conf 
options {
listen-on port 53 { 192.168.100.20; };
directory       "/var/named";

allow-query     { any; };
allow-transfer {192.168.100.254;};
};

include "/etc/named.rfc1912.zones";
include "/etc/rndc.key";    // include the lock file defined above

controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; }; // allow the local loopback interface to control port 953 using the rndckey key from /etc/rndc.conf
};
............ output omitted ............

[root@client etc]# service named restart     // restart the service
Stopping named: [ OK ]
Starting named: [ OK ]
[root@client etc]# netstat -ntpl |grep 953
tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN      3243/named          
[root@client etc]# service named status 
number of zones: 8
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
client is up and running
named (pid 3243) is running...
[root@client etc]# rndc stop            // test
[root@client etc]# service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named dead but subsys locked

2: Configure the server side to control client with rndc

[root@client etc]# rndc-confgen |grep -v '^#'   // generate a new rndc.key and rndc.conf as before
key "rndckey" {
algorithm hmac-md5;
secret "p3DukvXgufSpbZdavZy1YA==";
};

options {
default-key "rndckey";
default-client 127.0.0.1;
default-port 953;
};


[root@client etc]# cat /etc/rndc.key // append the "key" section of the newly generated output to the end of /etc/rndc.key and rename the key to rndckey-254
key "rndckey" {
algorithm hmac-md5;
secret "q2yvOY2JiyUU2aV4qahzAw==";
};

key "rndckey-254" {
algorithm hmac-md5;
secret "p3DukvXgufSpbZdavZy1YA==";
};

[root@client etc]# grep 'rndckey-254' /etc/named.conf   // add the following line to the main configuration file
inet 192.168.100.20 port 953 allow { 192.168.100.254; } keys { "rndckey-254"; };

// allow the host 192.168.100.254 to control port 953 through the 192.168.100.20 interface using the rndckey-254 key

[root@client etc]# service named restart // restart the service
Stopping named: [ OK ]
Starting named: [ OK ]
[root@client etc]# netstat -ntpl |grep 953
tcp        0      0 192.168.100.20:953          0.0.0.0:*                   LISTEN      3869/named          
tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN      3869/named       


[root@server ~]# cat /etc/rndc.conf // write the full output generated above into /etc/rndc.conf on server; the key name and the default-server IP need to be changed
key "rndckey-254" {
algorithm hmac-md5;
secret "p3DukvXgufSpbZdavZy1YA==";
};

options {
default-key "rndckey-254";
default-server 192.168.100.20;
default-port 953;
};
[root@server ~]# chown named.named /etc/rndc.conf   // change the file owner and group to named
[root@server ~]# rndc -h       // show rndc command help
rndc: illegal option -- h
Usage: rndc [-c config] [-s server] [-p port]
[-k key-file ] [-y key] [-V] command

command is one of the following:

reload        Reload configuration file and zones.
reload zone [class [view]]
Reload a single zone.
refresh zone [class [view]]
Schedule immediate maintenance for a zone.
retransfer zone [class [view]]
Retransfer a single zone without checking serial number.
freeze zone [class [view]]
Suspend updates to a dynamic zone.
thaw zone [class [view]]
Enable updates to a frozen dynamic zone and reload it.
reconfig      Reload configuration file and new zones only.
stats         Write server statistics to the statistics file.
querylog      Toggle query logging.
dumpdb [-all|-cache|-zones] [view ...]
Dump cache(s) to the dump file (named_dump.db).
stop          Save pending updates to master files and stop the server.
stop -p       Save pending updates to master files and stop the server
reporting process id.
halt          Stop the server without saving pending updates.
halt -p       Stop the server without saving pending updates reporting
process id.
trace         Increment debugging level by one.
trace level   Change the debugging level.
notrace       Set debugging level to 0.
flush         Flushes all of the server's caches.
flush [view] Flushes the server's cache for a view.
flushname name [view]
Flush the given name from the server's cache(s)
status        Display status of the server.
recursing     Dump the queries that are currently recursing (named.recursing)
*restart      Restart the server.

* == not yet implemented
Version: 9.3.6-P1-RedHat-9.3.6-4.P1.el5

Test:
[root@server ~]# rndc reload    // reload the DNS configuration file on client
server reload successful
[root@server ~]# rndc querylog on   // turn on query logging; once on, the query log goes to /var/log/messages on client by default; enabling it reduces server performance
[root@server ~]# dig www.dodo.666.com @192.168.100.20      // test resolution
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> www.dodo.666.com @192.168.100.20
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59157

[root@server ~]# rndc stop // remotely shut down the DNS service on client

[root@client ~]# tail -f /var/log/messages   // view the log on client
Mar 23 23:13:45 client named[3792]: loading configuration from '/etc/named.conf'
Mar 23 23:13:45 client named[3792]: using default UDP/IPv4 port range: [1024, 65535]
Mar 23 23:13:45 client named[3792]: using default UDP/IPv6 port range: [1024, 65535]
Mar 23 23:13:45 client named[3792]: the working directory is not writable
Mar 23 23:14:07 client named[3792]: query logging is now on         // query logging turned on
Mar 23 23:14:52 client named[3792]: client 192.168.100.254#45815: query: www.dodo.666.com IN A +    // the logged query
Mar 23 23:15:49 client named[3792]: shutting down: flushing changes 
Mar 23 23:15:49 client named[3792]: stopping command channel on 127.0.0.1#953
Mar 23 23:15:49 client named[3792]: stopping command channel on 192.168.100.20#953
Mar 23 23:15:49 client named[3792]: no longer listening on 192.168.100.20#53
Mar 23 23:15:50 client named[3792]: exiting     // DNS service shut down successfully
Tip: when configuring rndc, watch the server clocks. If the system times of the two servers differ significantly, rndc commands are bound to fail.
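Clock skew is one reason an rndc command fails; another is that the two sides disagree on the key, for example when the key block in rndc.conf is named differently from the default-key that references it, or when the secret on server no longer matches the one in the rndc.key included by named.conf on client. The following added Python example (not from the original post) cross-checks an rndc.conf against the named side; the configs it parses are constructed samples in the post's layout with dummy secrets.

```python
import re

# Added example, not from the original post: cross-check an rndc.conf against the named side
# (named.conf plus the rndc.key it includes) before running rndc. Samples are constructed in
# the post's layout with dummy secrets; the key-name typo below is a constructed failure case.
KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;')
INET_RE = re.compile(r'inet\s+(\S+)\s+port\s+(\d+)\s+allow\s*\{[^}]*\}\s*keys\s*\{([^}]*)\}\s*;')
OPT_RE = re.compile(r'default-(key|server|client|port)\s+"?([^";\s]+)"?\s*;')

def strip_comments(text):
    """Remove // and # comments so annotated configs still parse."""
    return re.sub(r'(//|#).*', '', text)

def parse_keys(text):
    """Map key name -> (algorithm, secret) for every key block in text."""
    return {n: (a, s) for n, a, s in KEY_RE.findall(strip_comments(text))}

def parse_controls(text):
    """Map (address, port) -> accepted key names for each controls inet entry."""
    return {(a, int(p)): re.findall(r'"([^"]+)"', k)
            for a, p, k in INET_RE.findall(strip_comments(text))}

def check_rndc(rndc_conf, named_side):
    """Return a list of problems; an empty list means rndc and named agree."""
    opts = dict(OPT_RE.findall(strip_comments(rndc_conf)))
    name = opts.get('key')
    server, port = opts.get('server', opts.get('client', '127.0.0.1')), int(opts.get('port', 953))
    client_keys, named_keys = parse_keys(rndc_conf), parse_keys(named_side)
    if name not in client_keys:
        return ['default-key "%s" is not defined in rndc.conf' % name]
    problems = []
    accepted = parse_controls(named_side).get((server, port))
    if accepted is None:
        problems.append('named has no controls inet entry on %s#%d' % (server, port))
    elif name not in accepted:
        problems.append('controls on %s#%d do not accept key "%s"' % (server, port, name))
    if named_keys.get(name) != client_keys[name]:
        problems.append('key "%s" is missing on the named side or its algorithm/secret differs' % name)
    return problems

NAMED_SIDE = '''controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; };
    inet 192.168.100.20 port 953 allow { 192.168.100.254; } keys { "rndckey-254"; };
};
key "rndckey-254" { algorithm hmac-md5; secret "BBBBBBBBBBBBBBBBBBBBBB=="; };  // via include "/etc/rndc.key"
'''
RNDC_CONF_OK = '''key "rndckey-254" { algorithm hmac-md5; secret "BBBBBBBBBBBBBBBBBBBBBB=="; };
options { default-key "rndckey-254"; default-server 192.168.100.20; default-port 953; };'''
# Constructed typo: the key block is named "rndckeyi-254" while default-key still says "rndckey-254".
RNDC_CONF_TYPO = RNDC_CONF_OK.replace('key "rndckey-254"', 'key "rndckeyi-254"', 1)
```

Run check_rndc() on the real files (reading /etc/rndc.conf on the controlling host and named.conf plus rndc.key on the DNS host) before restarting named; it reports the mismatch that rndc itself only surfaces as a failed command.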