4. rndc installation and configuration

Remote DNS management with rndc
Generate the rndc-key

# rndc-confgen -r /dev/urandom
# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "MFM4AocpN0lcoL4fN2lA6Q==";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#     algorithm hmac-md5;
#     secret "MFM4AocpN0lcoL4fN2lA6Q==";
# };
# 
# controls {
#     inet 127.0.0.1 port 953
#         allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

Put the rndc-key and controls blocks into the options part of BIND's main configuration file
/etc/named.conf

key "rndc-key" {
    algorithm hmac-md5;
    secret "MFM4AocpN0lcoL4fN2lA6Q==";
};

controls {
    inet 10.4.7.11 port 953
        allow { 10.4.7.11; 10.4.7.12; } keys { "rndc-key"; };
};

Note: configure the ACL in the controls section here, restricting which hosts are allowed to manage the DNS service with rndc

Restart the bind9 service
# systemctl restart named
The rndc server side listens on port 953; check that the port is up

# netstat -luntp|grep 953
tcp        0      0 10.4.7.11:953           0.0.0.0:*               LISTEN      11136/named

Install bind on the remote management host
# yum install -y bind bind-chroot bind-utils
The rndc command ships in the bind package, so the remote management host needs bind installed (named does not need to be started)

Create rndc.conf on the remote management host
Every host that uses rndc for remote management needs an rndc.conf, and its rndc-key must match the key on the DNS server
/etc/rndc.conf

key "rndc-key" {
    algorithm hmac-md5;
    secret "MFM4AocpN0lcoL4fN2lA6Q==";
};

options {
    default-key "rndc-key";
    default-server 10.4.7.11;
    default-port 953;
};

Manage DNS remotely with the rndc command
Query the DNS service status (the values can be collected for monitoring)

# rndc status
version: 9.9.4-RedHat-9.9.4-73.el7_6 <id:8f9657aa>
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 105
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

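As an added example that is not from the original post, the following shell script turns the `rndc status` output shown above into values a monitoring agent can collect. The status text is a constructed sample built from the fields shown above, and the metric names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: turn `rndc status`
# output into values a monitoring agent can collect. The status text is
# a constructed sample built from the fields shown above; in production
# replace it with the output of `rndc -c /etc/rndc.conf status`.

SAMPLE_STATUS='version: 9.9.4-RedHat-9.9.4-73.el7_6 <id:8f9657aa>
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 105
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running'

# status_field "<output>" "<field name>": print the value after the colon
status_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p"
}

# recursive_clients_pct "<output>": current recursive clients as a
# percentage of the hard limit ("0/0/1000" is current/soft-quota/hard-limit)
recursive_clients_pct() {
    field=$(status_field "$1" "recursive clients")
    cur=${field%%/*}
    max=${field##*/}
    echo $(( cur * 100 / max ))
}

# server_up "<output>": exit 0 if named reports it is running, 1 otherwise
server_up() {
    printf '%s\n' "$1" | grep -q '^server is up and running$'
}

# emit_metrics "<output>": key=value lines for a monitoring agent
# (metric names are my own choice)
emit_metrics() {
    printf 'named_up=%s\n' "$(server_up "$1" && echo 1 || echo 0)"
    printf 'named_zones=%s\n' "$(status_field "$1" "number of zones")"
    printf 'named_xfers_running=%s\n' "$(status_field "$1" "xfers running")"
    printf 'named_recursive_clients_pct=%s\n' "$(recursive_clients_pct "$1")"
}

emit_metrics "$SAMPLE_STATUS"
```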
Posted 2023-10-09 10:45 by pwcc