Configuring a Name Server to Work with ndc

3.2.1 Problem

You want to use ndc, the name daemon controller, to control a BIND 8 name server.

3.2.2 Solution

Add a controls statement to the name server's named.conf file. The controls statement tells the name server to create a control channel and to listen on that channel for control messages from ndc. BIND 8 supports two kinds of control channels:

unix

A Unix domain socket that the name server creates on the local filesystem. ndc sends messages to the name server by writing to the Unix domain socket.

inet

A TCP socket that the name server listens on. ndc sends messages to the name server by connecting to the TCP socket.

By default, BIND 8 name servers use a unix control channel, creating a Unix domain socket with a path compiled into the named code. Normally, ndc is compiled with the same path.

To specify an alternate pathname, use the unix substatement of the controls statement:

controls { unix "/var/run/ndc" owner 0 group 0 perm 0660; };

The first argument to the unix substatement is the path to use when creating the Unix domain socket. Successive arguments may appear in any order, and specify the user ID and group ID to use when creating the socket, as well as the permissions to use. (You must use numeric IDs, not user or group names.) Make sure the socket isn't writeable by anyone who shouldn't be able to control the name server.

To tell ndc to write to a Unix domain socket other than its default, use the -l command-line option, which takes the path to the socket as an option argument. For example:

# ndc -l /var/run/ndc

To use an inet control channel, use the inet substatement:

controls { inet * port 953 allow { localhost; }; };

The first argument is the IP address of the network interface the name server should listen on for control messages; "*" means all of them. Successive arguments specify the port to listen on and an access control list that determines who can connect to the port.

To tell ndc to connect to a particular address and port, use the -c command-line option, which takes an IP address and a port number, separated by a slash, as an option argument. For example:

# ndc -c 127.0.0.1/953

3.2.3 Discussion

The Solaris operating system doesn't properly check the permissions on Unix domain sockets. Consequently, the name server will create a separate directory for the socket by default, and will set the permissions on that directory to allow access only to authorized users.

BIND 8's inet control channels, because they use source IP addresses to identify and authorize control messages, aren't secure. Use unix control channels if you can.

BIND 8 doesn't have a default port for control messages, so you must specify one. BIND 9, however, uses port 953 by default, so I usually use port 953 on BIND 8 name servers, too.

unix and inet control channels aren't an either-or proposition: You can use both at once if you want to. As I've said, though, inet control channels are fairly dangerous.
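As an added example (not from the book), here is a small Python audit that parses the controls statement described in the Solution above and flags the conditions this Discussion warns about: a Unix domain socket writable by others, and an inet channel, especially one whose allow list does not restrict clients. The regexes, finding messages and sample configs are my own; it does not strip comments from named.conf, and it only judges owner/group/perm values that are written out explicitly.

```python
import re

def _controls_body(conf: str):
    """Return the text between the braces of the first controls statement
    (brace-aware, so a nested allow { ... } does not end the block early)."""
    start = conf.find("controls")
    if start < 0:
        return None
    open_at = conf.find("{", start)
    if open_at < 0:
        return None
    depth = 0
    for j in range(open_at, len(conf)):
        if conf[j] == "{":
            depth += 1
        elif conf[j] == "}":
            depth -= 1
            if depth == 0:
                return conf[open_at + 1:j]
    return None

def audit_controls(conf: str) -> list:
    """Return a list of findings about the control channels in a named.conf string."""
    findings = []
    body = _controls_body(conf)
    if body is None:
        return ["no controls statement: named uses the compiled-in default unix socket path"]
    # unix "<path>" [owner N] [group N] [perm N] ;   (numeric IDs only, as the book says)
    for path, opts in re.findall(r'unix\s+"([^"]+)"([^;]*);', body):
        attrs = dict(re.findall(r"(owner|group|perm)\s+(\d+)", opts))
        if "perm" in attrs:
            perm = int(attrs["perm"], 8)
            if perm & 0o002:
                findings.append(f"unix {path}: perm {perm:04o} is writable by others")
            if perm & 0o020 and attrs.get("group", "0") != "0":  # "0" = unflagged when unset
                findings.append(f"unix {path}: group-writable by gid {attrs['group']}")
        else:
            findings.append(f"unix {path}: perm not set, verify the socket's mode on disk")
        if attrs.get("owner", "0") != "0":
            findings.append(f"unix {path}: owned by uid {attrs['owner']}, not root")
    # inet <addr> port <port> allow { ... } ;  -- authorized by source address only
    for addr, port, acl in re.findall(r"inet\s+(\S+)\s+port\s+(\d+)\s+allow\s*\{([^}]*)\}", body):
        hosts = [h.strip() for h in acl.split(";") if h.strip()]
        findings.append(f"inet {addr}:{port}: authorized by source IP only, prefer a unix channel")
        if "any" in hosts or not hosts:
            findings.append(f"inet {addr}:{port}: allow list {hosts} does not restrict clients")
    return findings

# Constructed sample configs: the first mirrors the book's unix example, the second is deliberately lax.
SAFE_CONF = 'controls { unix "/var/run/ndc" owner 0 group 0 perm 0660; };'
RISKY_CONF = ('controls { unix "/var/run/ndc" owner 0 group 0 perm 0666; '
              'inet * port 953 allow { any; }; };')
```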

Note that BIND 9 uses a different program, rndc, to control the name server.

3.2.4 See Also

Section 3.3 for configuring rndc, ndc's BIND 9 counterpart, and "ndc and controls (BIND 8)" in Chapter 7 of DNS and BIND.
