bind rndc command

rndc (remote name daemon control) is the administration tool shipped with BIND (Berkeley Internet Name Domain). It talks to the running named process over a control channel (TCP port 953 on 127.0.0.1 by default) and lets you change the server's state from the command line without restarting it: reload configuration and zones, flush the cache, toggle query logging, dump internal state, and so on.

 

rndc can do many things, but the everyday job is applying a changed configuration. rndc reload makes named re-read named.conf and all zone files while the process keeps running and keeps answering queries; it is not a restart (for that, use the service manager, e.g. systemctl restart named). If the reload fails, for example on a syntax error, named keeps the previous configuration and logs the failure, but it is still better to run named-checkconf (and named-checkzone for edited zones) before reloading so the error surfaces before you touch the live server.

 

rndc authenticates every command with a shared secret: the client signs each request with an HMAC key, and named accepts the request only if the controls statement in named.conf lists that key and allows the client's address (with no controls statement, named reads /etc/rndc.key and listens on 127.0.0.1 port 953 only). The key is generated with rndc-confgen; rndc-confgen -a writes it straight to /etc/rndc.key, and rndc-confgen without -a prints an rndc.conf plus a commented named.conf stanza to paste in. Treat the key file like a root password: keep it readable only by root and the named group, and keep the control channel on loopback unless remote administration is genuinely required, because anyone holding the key and able to reach port 953 can reload, flush, halt the server or switch off DNSSEC validation (rndc validation no).
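As an added example (not from the original post and not BIND's own code), the script below builds the same three pieces rndc-confgen hands you: the key file with a 256-bit hmac-sha256 secret, the named.conf controls stanza that binds the channel to loopback and requires the key, and the client-side rndc.conf. It writes into a directory passed as an argument so it runs without root; the directory, the file names controls.conf and rndc.conf, and the key name rndc-key are assumptions. The permission check at the end is the one to run against the real /etc/rndc.key.

```shell
#!/bin/sh
# Added example: generate an rndc key plus the named.conf / rndc.conf stanzas
# that use it. Files go into the directory in $1 (assumption: a scratch dir,
# not /etc) so this runs without root. Key name defaults to "rndc-key".

gen_rndc_secret() {
    # 256 random bits, base64-encoded: the key size rndc-confgen uses for hmac-sha256
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

write_rndc_files() {
    dir=$1
    name=${2:-rndc-key}
    secret=$(gen_rndc_secret)
    umask 077    # create every file unreadable to group/other, relax selectively below

    # Shared by both sides; this is what rndc-confgen -a writes to /etc/rndc.key
    cat > "$dir/rndc.key" <<EOF
key "$name" {
    algorithm hmac-sha256;
    secret "$secret";
};
EOF

    # Server side (include this from named.conf): control channel on loopback
    # only, accepted only from 127.0.0.1 and only when signed with $name
    cat > "$dir/controls.conf" <<EOF
include "$dir/rndc.key";
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "$name"; };
};
EOF

    # Client side: rndc reads this as rndc.conf (or pass it with rndc -c FILE)
    cat > "$dir/rndc.conf" <<EOF
include "$dir/rndc.key";
options {
    default-key "$name";
    default-server 127.0.0.1;
    default-port 953;
};
EOF

    # root may read/write, the named group may read, nobody else sees the secret
    # (in production also: chown root:named "$dir/rndc.key")
    chmod 0640 "$dir/rndc.key" "$dir/rndc.conf"
}

# Print the mode of a key file; return 1 if "other" can read it.
check_key_perms() {
    mode=$(ls -l "$1" | cut -c1-10)
    case $mode in
        ???????r??) echo "WARNING: $1 is world-readable ($mode)"; return 1 ;;
    esac
    echo "ok: $1 ($mode)"
    return 0
}
```

Source the file and call write_rndc_files /some/dir, then check_key_perms /some/dir/rndc.key. With the real files in place, rndc -c /some/dir/rndc.conf status (or rndc -k /etc/rndc.key status) must succeed, while the same command from a host that is not 127.0.0.1 must be refused by the controls allow list even if it holds the key.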

Frequently used commands

  • Show the server's status (check that the service is up)
rndc status
$ rndc status
version: BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 (Extended Support Version) <id:7107deb> (UNKNOWN)
running on node2: Linux x86_64 3.10.0-1160.80.1.el7.x86_64 #1 SMP Tue Nov 8 15:48:59 UTC 2022
boot time: Mon, 16 Jan 2023 03:39:06 GMT
last configured: Mon, 16 Jan 2023 03:39:06 GMT
configuration file: /etc/named.conf
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 104 (99 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/900/1000
tcp clients: 3/150
server is up and running
  • Reload the configuration file and all zones (named keeps running; this is not a restart)
rndc reload
$ rndc reload
server reload successful
  • Reload the configuration file and newly added zones only (existing zone data is not re-read, so it is faster and cheaper than a full reload)
rndc reconfig
  • Flush all of the server's caches (cache flush). Use it after a suspected cache poisoning or a stale record that must go now; expect a burst of upstream queries while the cache refills. rndc flushname NAME or rndc flushtree NAME drops a single name or subtree instead.
rndc flush
  • Dump the queries that are currently recursing to the recursing-file (/var/named/data/named.recursing in the RHEL default named.conf)
rndc recursing
cat /var/named/data/named.recursing
$ cat /var/named/data/named.recursing 
;
; Recursing Queries
;
;
; Active fetch domains [view: _default]
;
;
; Active fetch domains [view: _bind]
;
; Dump complete
  • Write server statistics to the statistics-file (/var/named/data/named_stats.txt in the RHEL default named.conf); each call appends a new snapshot to the file
rndc stats
$ ls -l /var/named/data/named_stats.txt 
-rw-r--r-- 1 named named 4200 Jan 16 13:19 /var/named/data/named_stats.txt
  • Toggle query logging (each call flips the state; rndc querylog on or rndc querylog off sets it explicitly). Query logs record every client address and every name asked for, so watch log volume and retention on a busy resolver.
rndc querylog
$ rndc status | grep "query logging"
query logging is ON
  • Dump the cache (with -all also the zones and the address database) to the dump-file (/var/named/data/cache_dump.db in the RHEL default named.conf; stock BIND uses named_dump.db)
rndc dumpdb -all
$ ls -l /var/named/data/cache_dump.db 
-rw-r--r-- 1 named named 10327 Jan 16 13:20 /var/named/data/cache_dump.db
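The status output is plain text, so a monitoring job can parse it instead of eyeballing it. The following is an added example (not from the original post) of a POSIX sh/awk check that reads rndc status on stdin and warns when recursive or TCP client counts approach their limits, when zone transfers are being deferred, or when the "server is up and running" line is missing; it also reports whether query logging is on. The 80% threshold and the embedded sample (copied from the status output shown above) are assumptions.

```shell
#!/bin/sh
# Added example: parse `rndc status` output and flag what an operator should
# look at. Reads the status text on stdin; prints findings; returns 1 if any
# warning fired, 0 otherwise. The warning threshold (percent of the limit,
# default 80) is an assumption.

check_rndc_status() {
    awk -v thresh="${1:-80}" '
    # "recursive clients: cur/soft/hard": above the soft limit named starts
    # dropping the oldest queries, at the hard limit it refuses new ones
    /^recursive clients:/ {
        split($3, c, "/")
        pct = (c[3] > 0) ? 100 * c[1] / c[3] : 0
        if (pct >= thresh) { printf "WARN recursive clients %s (%d%% of hard limit)\n", $3, pct; warn = 1 }
    }
    # "tcp clients: cur/max"
    /^tcp clients:/ {
        split($3, t, "/")
        pct = (t[2] > 0) ? 100 * t[1] / t[2] : 0
        if (pct >= thresh) { printf "WARN tcp clients %s (%d%% of limit)\n", $3, pct; warn = 1 }
    }
    # deferred transfers are queued because the transfers-in limit is reached
    /^xfers deferred:/ { if ($3 + 0 > 0) { print "WARN " $3 " zone transfers deferred"; warn = 1 } }
    # query logging writes every client address and queried name to the log
    /^query logging is/ { print "INFO query logging " $4 }
    /^server is up and running/ { up = 1 }
    END {
        if (!up) { print "WARN no \"server is up and running\" line in status output"; warn = 1 }
        exit warn ? 1 : 0
    }'
}

# Constructed sample: the rndc status output shown earlier on this page,
# trimmed to the lines the check looks at.
sample_status() {
    cat <<'EOF'
version: BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 (Extended Support Version) <id:7107deb> (UNKNOWN)
number of zones: 104 (99 automatic)
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/900/1000
tcp clients: 3/150
server is up and running
EOF
}
```

On a live server run rndc status | check_rndc_status 80 from cron or a monitoring agent and alert on a non-zero exit; the sample_status function only exists so the check can be exercised without a running named.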

rndc usage


---

$ rndc
Usage: rndc [-b address] [-c config] [-s server] [-p port]
        [-k key-file ] [-y key] [-r] [-V] command

command is one of the following:

  addzone zone [class [view]] { zone-options }
                Add zone to given view. Requires allow-new-zones option.
  delzone [-clean] zone [class [view]]
                Removes zone from given view.
  dnstap -reopen
                Close, truncate and re-open the DNSTAP output file.
  dnstap -roll count
                Close, rename and re-open the DNSTAP output file(s).
  dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]
                Dump cache(s) to the dump file (named_dump.db).
  flush         Flushes all of the server's caches.
  flush [view]  Flushes the server's cache for a view.
  flushname name [view]
                Flush the given name from the server's cache(s)
  flushtree name [view]
                Flush all names under the given name from the server's cache(s)
  freeze        Suspend updates to all dynamic zones.
  freeze zone [class [view]]
                Suspend updates to a dynamic zone.
  halt          Stop the server without saving pending updates.
  halt -p       Stop the server without saving pending updates reporting
                process id.
  loadkeys zone [class [view]]
                Update keys without signing immediately.
  managed-keys refresh [class [view]]
                Check trust anchor for RFC 5011 key changes
  managed-keys status [class [view]]
                Display RFC 5011 managed keys information
  managed-keys sync [class [view]]
                Write RFC 5011 managed keys to disk
  modzone zone [class [view]] { zone-options }
                Modify a zone's configuration.
                Requires allow-new-zones option.
  notify zone [class [view]]
                Resend NOTIFY messages for the zone.
  notrace       Set debugging level to 0.
  nta -dump
                List all negative trust anchors.
  nta [-lifetime duration] [-force] domain [view]
                Set a negative trust anchor, disabling DNSSEC validation
                for the given domain.
                Using -lifetime specifies the duration of the NTA, up
                to one week.
                Using -force prevents the NTA from expiring before its
                full lifetime, even if the domain can validate sooner.
  nta -remove domain [view]
                Remove a negative trust anchor, re-enabling validation
                for the given domain.
  querylog [ on | off ]
                Enable / disable query logging.
  reconfig      Reload configuration file and new zones only.
  recursing     Dump the queries that are currently recursing (named.recursing)
  refresh zone [class [view]]
                Schedule immediate maintenance for a zone.
  reload        Reload configuration file and zones.
  reload zone [class [view]]
                Reload a single zone.
  retransfer zone [class [view]]
                Retransfer a single zone without checking serial number.
  scan          Scan available network interfaces for changes.
  secroots [view ...]
                Write security roots to the secroots file.
  showzone zone [class [view]]
                Print a zone's configuration.
  sign zone [class [view]]
                Update zone keys, and sign as needed.
  signing -clear all zone [class [view]]
                Remove the private records for all keys that have
                finished signing the given zone.
  signing -clear <keyid>/<algorithm> zone [class [view]]
                Remove the private record that indicating the given key
                has finished signing the given zone.
  signing -list zone [class [view]]
                List the private records showing the state of DNSSEC
                signing in the given zone.
  signing -nsec3param hash flags iterations salt zone [class [view]]
                Add NSEC3 chain to zone if already signed.
                Prime zone with NSEC3 chain if not yet signed.
  signing -nsec3param none zone [class [view]]
                Remove NSEC3 chains from zone.
  signing -serial <value> zone [class [view]]
                Set the zones's serial to <value>.
  stats         Write server statistics to the statistics file.
  status        Display status of the server.
  stop          Save pending updates to master files and stop the server.
  stop -p       Save pending updates to master files and stop the server
                reporting process id.
  sync [-clean] Dump changes to all dynamic zones to disk, and optionally
                remove their journal files.
  sync [-clean] zone [class [view]]
                Dump a single zone's changes to disk, and optionally
                remove its journal file.
  thaw          Enable updates to all dynamic zones and reload them.
  thaw zone [class [view]]
                Enable updates to a frozen dynamic zone and reload it.
  trace         Increment debugging level by one.
  trace level   Change the debugging level.
  tsig-delete keyname [view]
                Delete a TKEY-negotiated TSIG key.
  tsig-list     List all currently active TSIG keys, including both statically
                configured and TKEY-negotiated keys.
  validation [ yes | no | status ] [view]
                Enable / disable DNSSEC validation.
  zonestatus zone [class [view]]
                Display the current status of a zone.

Version: 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10

---

 

Reference URLs

- rndc commands when configuring BIND views : https://scbyun.com/87

- RNDC setup for BIND administration : https://scbyun.com/140

- RNDC setup for BIND administration : https://scbyun.com/7

 
