[sf-lug] bindrndc

Michael Paoli Michael.Paoli at cal.berkeley.edu
Mon May 14 21:44:40 PDT 2007

You can find lots of information about BIND on the ISC site, e.g.:

For rndc to communicate properly with BIND (named) and thus be able to
control it and such, they both need to communicate on a common
port (953 by default) and on an IP they can both access (generally is used by default, for security reasons).  They also need to
be set up with a shared secret to use to authenticate (e.g. so named
can "know" that the request it is getting is legitimate and authenticated
by the shared secret, and not just some random user or process on the
host that decided to start talking to that port to see what it could manage
to get away with).  You may want to use netstat, or similar tools, to see
that named is listening on the expected port and IP, check that you can
connect to it (e.g. that it's not firewalled off), and see that they both have
access to the same key.

The diagnostics you provide would seem to imply that named isn't listening
on port 953, or it's somehow blocked/firewalled, such that the connection
is being refused.

Also, rndc won't start BIND (named) for you - it's used to communicate with
a running named.  Perhaps you need to start it first?

Quoting Alex Kleider <a_kleider at yahoo.com>:

> Perhaps someone might be able to offer some help regarding DNS.
> I am attempting to set up my own DNS server: BIND9, on a Debian Etch
> system.
> When I try to get it going I get the following error message:
> # /etc/init.d/bind9 force-reload
> Reloading domain name service... : bindrndc: connect failed:
> connection refused
> failed!
> #
> I can only find references to rndc but only in a book dedicated to BIND
> and I can't figure out how it applies to me.
> I can find no reference to bindrndc.
> I'll be very grateful if someone can steer me towards a solution.
> alex
> alex at kleider.net
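The three things Michael lists (common port, common address, same shared key) can be checked against the two config files before touching the daemon. This is an added example, not code from the thread or from BIND; the two config snippets and the secret are constructed, and falling back to 127.0.0.1 and 953 when rndc.conf omits default-server/default-port is an assumption about rndc's defaults.

```python
import re

RNDC_DEFAULT_PORT = 953  # the default control port mentioned in the thread

# Constructed sample configs (not from the thread); the secret is a made-up value.
NAMED_CONF = '''key "rndc-key" { algorithm hmac-md5; secret "c3Ryb25nLWV4YW1wbGUta2V5"; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };'''
RNDC_CONF = '''key "rndc-key" { algorithm hmac-md5; secret "c3Ryb25nLWV4YW1wbGUta2V5"; };
options { default-key "rndc-key"; default-server 127.0.0.1; default-port 953; };'''

def parse_keys(conf):
    """Return {name: (algorithm, secret)} for every key {} stanza in conf."""
    keys = {}
    for m in re.finditer(r'\bkey\s+"?([\w.-]+)"?\s*\{(.*?)\};', conf, re.S):
        alg = re.search(r'algorithm\s+([\w-]+)\s*;', m.group(2))
        sec = re.search(r'secret\s+"([^"]+)"\s*;', m.group(2))
        if alg and sec:
            keys[m.group(1)] = (alg.group(1).lower(), sec.group(1))
    return keys

def parse_controls(named_conf):
    """Address, port and key name that named will accept rndc commands on."""
    m = re.search(r'controls\s*\{.*?inet\s+(\S+)(?:\s+port\s+(\d+))?.*?keys\s*\{\s*"?([\w.-]+)"?\s*;',
                  named_conf, re.S)
    if not m:
        return None
    return {"addr": m.group(1), "port": int(m.group(2) or RNDC_DEFAULT_PORT), "key": m.group(3)}

def parse_rndc_options(rndc_conf):
    """Where rndc will connect; 127.0.0.1/953 assumed (rndc defaults) when options are absent."""
    key = re.search(r'default-key\s+"?([\w.-]+)"?\s*;', rndc_conf)
    srv = re.search(r'default-server\s+(\S+?)\s*;', rndc_conf)
    port = re.search(r'default-port\s+(\d+)\s*;', rndc_conf)
    return {"key": key.group(1) if key else None,
            "addr": srv.group(1) if srv else "127.0.0.1",
            "port": int(port.group(1)) if port else RNDC_DEFAULT_PORT}

def check_rndc_setup(named_conf, rndc_conf):
    """Return a list of mismatches that would make rndc fail; empty means consistent."""
    ctl = parse_controls(named_conf)
    if ctl is None:
        return ["named.conf has no controls stanza, so named will not listen for rndc"]
    opt = parse_rndc_options(rndc_conf)
    problems = []
    if ctl["port"] != opt["port"]:
        problems.append(f"port mismatch: named {ctl['port']} vs rndc {opt['port']}")
    if ctl["addr"] != opt["addr"]:
        problems.append(f"address mismatch: named {ctl['addr']} vs rndc {opt['addr']}")
    nkey = parse_keys(named_conf).get(ctl["key"])
    rkey = parse_keys(rndc_conf).get(opt["key"])
    if nkey is None or rkey is None:
        problems.append("controls key or default-key is not defined in its own config file")
    elif nkey != rkey:
        problems.append("shared secret or algorithm differs between named.conf and rndc.conf")
    return problems
```

A "connection refused" like the one in the thread would still need the listening check (netstat) and a running named; this only rules out the configuration side.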
