How-To Remote NDC

This is one of those things I learned from the 1-week DNS training in Cebu. 🙂

1. On the primary DNS server, generate the control key and sample configuration:
$ rndc-confgen

2. Cut the first part of the output into rndc.conf and the second part, which is commented out (hash), into named.conf. Make sure to remove the comment markers starting from the "key" statement before using it.


# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "Va09oAxfsx45hgo4Q=="; # sample only
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf


# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
    algorithm hmac-md5;
    secret "0zXjzZt0y9ofd6GPH7go4Q==";
};

controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf

You could also place the second part in a separate file and use an "include" statement in your named.conf to pull that file in:
include "/var/named/master/myrndc-key.txt";
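Step 2 can be done without hand-editing. The helper below is an added example, not part of the original post: it splits saved rndc-confgen output into rndc.conf and a named.conf include file, strips the "# " markers from the second part, and locks both files down to the owner. The rndc-confgen output it runs on is a constructed sample with a dummy secret.

```shell
#!/bin/sh
# Added example: split saved rndc-confgen output (step 2) into the two files.
# Usage: split_rndc_confgen <confgen-output> <rndc.conf> <named.conf include>
split_rndc_confgen() {
    confgen_out=$1; rndc_conf=$2; named_inc=$3
    # First part: from "# Start of rndc.conf" through "# End of rndc.conf", verbatim.
    awk '/^# Start of rndc.conf/ { p = 1 } p { print } /^# End of rndc.conf/ { exit }' \
        "$confgen_out" > "$rndc_conf"
    # Second part: after "# Use with the following ...", strip the leading "# "
    # so the key and controls statements become live named.conf syntax.
    awk '/^# Use with the following/ { p = 1; next }
         p && /^# End of named.conf/ { exit }
         p { sub(/^# ?/, ""); print }' "$confgen_out" > "$named_inc"
    # Both files carry the shared secret: keep them readable only by the owner.
    chmod 600 "$rndc_conf" "$named_inc"
}
# Print the secret from a key statement, to confirm both files carry the same one.
rndc_key_secret() {
    sed -n 's/^[[:space:]]*secret "\(.*\)";.*/\1/p' "$1"
}
# Constructed sample of rndc-confgen output (dummy secret, not a real key).
demo_dir=$(mktemp -d)
cat > "$demo_dir/confgen.out" <<'EOF'
# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "c2FtcGxlLXNlY3JldC1vbmx5";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#     algorithm hmac-md5;
#     secret "c2FtcGxlLXNlY3JldC1vbmx5";
# };
#
# controls {
#     inet 127.0.0.1 port 953
#         allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
EOF
split_rndc_confgen "$demo_dir/confgen.out" "$demo_dir/rndc.conf" "$demo_dir/rndc.key"
cat "$demo_dir/rndc.key"   # the uncommented include file for named.conf
```

Add `include "/path/to/rndc.key";` to named.conf and the controls block is live on the next reload.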

3. Test your setup on the primary server using either of these commands (<primary-ip> is a placeholder for the primary nameserver's IP address). You cannot use this from another terminal YET!
$ rndc -s localhost -c rndc.conf status
$ rndc -s <primary-ip> -c rndc.conf status

Note: the other subcommands below may be used as well, but for testing just use the status parameter to prevent any unwanted changes to your name server.
rndc -s <primary-ip> -c rndc.conf reload (or stop, trace, flush)

The output should be similar to the one below:
number of zones: 7
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 26/1000
tcp clients: 0/100
server is up and running

4. The following steps enable remote rndc. Edit your named.conf and (1) change the inet address to your primary nameserver's IP address, (2) add your secondary DNS to the allow statement (<primary-ip> and <secondary-ip> are placeholders for the actual addresses).

controls {
    inet <primary-ip> port 953
    allow { 127.0.0.1; <primary-ip>; <secondary-ip>; } keys { "rndc-key"; };
};

5. Copy rndc.conf to your secondary DNS server:
$ scp rndc.conf <secondary-ip>:/path/to/var/named/

6. On the secondary, edit rndc.conf and change the default-server IP to that of your primary nameserver.

7. Test your setup from the secondary using:
$ rndc -s <primary-ip> -c rndc.conf status

8. Debugging. If you have the correct key and IP addresses in the config files but still get the following error:
rndc: connect failed: connection refused
make sure your time is synchronized.
If you have a time server, run the following commands on both servers and check that their clocks agree:
$ ntpdate <time-server>
$ date

  • nomadameisele

    wow! You learned a lot. I can't tell what I've learned in there. haha. 🙂

  • haha. Some parts are not in the lab exercises, so I made my own how-to (for personal use) 😀
