rndc on local host: need named running?

Woodworth, John R John.Woodworth at CenturyLink.com
Tue Aug 30 07:55:10 UTC 2016 

> My plan is to have two remote, authoritative name servers
> (master and slave) for my owned domains.  I would like to use rndc
> to control them from my local host.
>
> A couple of questions:

Tom,

I have a slightly unorthodox view on this which may even offer a bit more
security.  The answers are listed below inline.

>
> 1. Does named need to be running on the local host?

No, in fact you don't even need rndc installed locally or a
machine necessarily capable of running rndc.

You can invoke rndc via ssh using ssh keys and best of all the rndc
control port does not need to be exposed to the world.

An example use would be:
  #> ssh user at secrethost rndc reconfig

Which would invoke the 'rndc reconfig' command remotely.

A point of note would be the rndc *version* would also always be
in perfect synchronization with the local version of the server
further lowering the overall LOE (maintenance) for the remote client.


>
> 2. Can I use rndc from my local host which doesn't have a fixed
> ip address?


With this configuration it would not matter the source IP (apart from
ssh configuration).  I would also highly recommend some type of
"role account" to further increase security and minimize risk of
unintentionally allowing elevated privileges.

Most of all, as with any security tool if you are not at least familiar
with ssh and any risks associated, please step cautiously and minimally
familiarize yourself with it or avoid it.  Better safe than sorry.


Regards,
John


>
> Thanks.
>
> Best regards,
>
> -Tom
>

-- THESE ARE THE DROIDS TO WHOM I REFER:

This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20160830/2ce7a0e8/attachment.html>

More information about the bind-users mailing list