NAME
ndc - Control BIND DNS server
TLDR
Set the [c]ontrol channel rendezvous point
Bind the client side to a specific [l]ocalsock address
Set path to [p]idfile for UNIX signal control
Enable [d]ebugging
Enable [q]uiet mode
Enable nonfatal error [s]uppression
Enable [t]racing for protocol and system debugging
List built-in commands
SYNOPSIS
ndc [-c config-file] [-p port] [-s socket-path] [-t chroot-dir] [-l local-addr] command [arguments]
PARAMETERS
-c config-file
Specifies the path to the ndc configuration file.
-p port
Specifies the TCP port on which the named daemon is listening for control commands (default often 953, but could vary in older setups).
-s socket-path
Specifies the path to the Unix domain socket for controlling named (e.g., /var/run/ndc). This was a common and often preferred local control method.
-t chroot-dir
Specifies a chroot directory for ndc. Useful when named itself is running in a chrooted environment.
-l local-addr
Specifies the local IP address for outgoing TCP connections to named.
command
The action to perform on the named daemon. Common commands include:
    dumpdb          Dumps the in-memory DNS cache to a file.
    halt            Stops DNS services but keeps the daemon process running.
    notrace         Turns off debugging tracing.
    querylog        Turns on query logging.
    noquerylog      Turns off query logging.
    reconfig        Reloads named.conf but not zone data.
    reload          Reloads named.conf and all zone data.
    restart         Restarts the named daemon process.
    stats           Dumps statistics to a file.
    status          Prints a summary of named's status.
    stop            Stops the named daemon process.
    trace [level]   Sets the debugging tracing level.
    version         Prints the version of named.
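The command list above separates reconfig (named.conf only) from reload (named.conf plus zone data). The script below is an added example, not part of the ndc documentation, that turns that distinction into a decision: it compares file modification times against a stamp file and issues the cheaper command when it is enough. The paths /etc/named.conf and /var/named, the stamp file /var/run/ndc-last-load and the script name are assumptions; GNU stat -c is assumed as well.

```shell
#!/bin/sh
# Added example, not part of the ndc man page: choose the least disruptive
# ndc command for a pending change. It relies on the distinction above:
# "reconfig" re-reads named.conf only, "reload" re-reads zone data as well.
# Assumptions: GNU stat (-c), zone files under ZONE_DIR, and a stamp file
# the administrator touches after each successful load (ndc keeps none).

# choose_ndc_command CONF_MTIME NEWEST_ZONE_MTIME LAST_LOAD_MTIME
# All three are epoch seconds; prints "none", "reconfig" or "reload".
choose_ndc_command() {
    conf=$1 zone=$2 last=$3
    if [ "$zone" -gt "$last" ]; then
        echo reload      # zone data changed: only "reload" picks it up
    elif [ "$conf" -gt "$last" ]; then
        echo reconfig    # only named.conf changed: the cheaper "reconfig" suffices
    else
        echo none
    fi
}

# newest_mtime FILE... -> epoch seconds of the newest regular file, 0 if none
newest_mtime() {
    newest=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        m=$(stat -c %Y "$f")
        if [ "$m" -gt "$newest" ]; then newest=$m; fi
    done
    echo "$newest"
}

# Driver: run as "sh ndc-smart-reload.sh --run" (hypothetical script name).
main() {
    conf=${NAMED_CONF:-/etc/named.conf}                 # assumption: config path
    zone_dir=${ZONE_DIR:-/var/named}                     # assumption: zone directory
    stamp=${LAST_LOAD_STAMP:-/var/run/ndc-last-load}     # assumption: stamp file
    cmd=$(choose_ndc_command "$(newest_mtime "$conf")" \
                             "$(newest_mtime "$zone_dir"/*)" \
                             "$(newest_mtime "$stamp")")
    case $cmd in
        none) echo "nothing changed since the last load" ;;
        *)    ndc status && ndc "$cmd" && touch "$stamp" ;;
    esac
}

case ${1-} in --run) main ;; esac
```

A missing stamp file yields mtime 0, so the first run always performs a full reload; after that, editing only named.conf results in reconfig, and touching any zone file results in reload.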
DESCRIPTION
ndc, the Name Domain Control utility, was a command-line tool used to administer and control the named daemon, the primary component of the BIND (Berkeley Internet Name Domain) DNS server software, specifically in older versions like BIND 8. It allowed administrators to send commands to a running named instance, such as reloading configuration files, dumping DNS cache, or managing debugging levels. Commands were typically sent over a Unix domain socket or a TCP connection.
While instrumental in its time for managing DNS infrastructure, ndc is now considered deprecated. It lacked robust authentication mechanisms, making it less secure for modern deployments. Its functionality has been largely superseded by rndc (Remote Name Domain Control), which was introduced with BIND 9 and offers cryptographically authenticated control and enhanced capabilities for remote administration.
CAVEATS
ndc is largely obsolete and should not be used in modern BIND deployments. It lacks built-in authentication mechanisms, making it inherently insecure for remote control and vulnerable to unauthorized access if not properly secured via firewall rules or Unix socket permissions. Its functionality has been completely replaced by rndc, which offers robust TSIG-authenticated communication.
COMMUNICATION METHOD
ndc communicates with the named daemon either via a local Unix domain socket (preferable for security on the same host) or over a TCP/IP network connection. The specific port for TCP/IP communication was configurable and sometimes shared with DNS query port 53 in very old configurations, or used a dedicated control port like 953.
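Because ndc authenticates nobody, the CAVEATS and COMMUNICATION METHOD sections leave two things for the administrator to verify: who can write to the Unix control socket, and whether a TCP control port is reachable beyond loopback. The script below is an added example, not part of the ndc or BIND documentation, that checks both. The socket path /var/run/ndc and port 953 come from this page; GNU stat -c %A, iproute2 ss -Hltn and the script name are assumptions, and the listener lines embedded in it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the ndc man page: audit how a legacy ndc
# control channel is exposed, covering the two controls the CAVEATS
# section names, Unix socket permissions and network exposure of a TCP
# control port. Assumptions: GNU stat (-c %A) and iproute2 ss on Linux;
# the default socket path /var/run/ndc and port 953 come from the page.

# perm_verdict SYMBOLIC_MODE -> WORLD_WRITABLE | GROUP_WRITABLE | OK
# Takes a mode string as printed by "stat -c %A" or ls -l, e.g. srwxrw----.
# Write access to the socket is command access: ndc authenticates nobody.
perm_verdict() {
    sym=$1
    group_w=$(printf '%s' "$sym" | cut -c6)
    other_w=$(printf '%s' "$sym" | cut -c9)
    if [ "$other_w" = w ]; then echo WORLD_WRITABLE
    elif [ "$group_w" = w ]; then echo GROUP_WRITABLE
    else echo OK
    fi
}

# socket_verdict PATH -> MISSING | NOT_SOCKET | (perm_verdict result)
socket_verdict() {
    p=$1
    [ -e "$p" ] || { echo MISSING; return 0; }
    [ -S "$p" ] || { echo NOT_SOCKET; return 0; }
    perm_verdict "$(stat -c %A "$p")"
}

# control_port_exposure PORT LISTENER_LINES
# LISTENER_LINES is text in the shape of "ss -Hltn" output (local address
# and port in the 4th column). Prints every non-loopback address bound to
# PORT, one per line; prints nothing when the port is loopback-only.
control_port_exposure() {
    printf '%s\n' "$2" | awk -v port="$1" '
        NF >= 4 {
            n = split($4, a, ":")
            if (n < 2) next
            p = a[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p != port) next
            if (addr == "127.0.0.1" || addr == "[::1]") next
            print addr
        }'
}

# Constructed sample in "ss -Hltn" shape (not captured from a real host):
# named listening on 953 on loopback v4/v6 and, wrongly, on all v4 addresses.
SAMPLE_LISTENERS='LISTEN 0 10 127.0.0.1:953 0.0.0.0:* users:(("named",pid=4242,fd=8))
LISTEN 0 10 0.0.0.0:953 0.0.0.0:* users:(("named",pid=4242,fd=9))
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 10 [::1]:953 [::]:*'

# audit [SOCKET_PATH] [PORT]: live check against this host.
audit() {
    sock=${1:-/var/run/ndc}
    port=${2:-953}
    echo "socket $sock: $(socket_verdict "$sock")"
    exposed=$(control_port_exposure "$port" "$(ss -Hltn)")
    if [ -n "$exposed" ]; then
        printf 'port %s exposed on: %s\n' "$port" "$exposed"
    else
        echo "port $port: not exposed beyond loopback"
    fi
}

case ${1-} in --audit) shift; audit "$@" ;; esac
```

Run it as "sh ndc-channel-audit.sh --audit /var/run/ndc 953" on the host. Against the constructed sample, control_port_exposure 953 reports only 0.0.0.0, the wildcard bind that a firewall rule or a loopback-only listener would have to cover; a socket verdict of GROUP_WRITABLE or WORLD_WRITABLE means every member of that group, or every local user, can issue ndc commands.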
HISTORY
ndc was the standard control utility for the BIND DNS server in its 8.x series. It provided a simple interface for managing the named daemon. With the release of BIND 9, the Internet Systems Consortium (ISC) introduced rndc as its successor. This change was primarily driven by the need for enhanced security, as rndc incorporates cryptographic authentication (TSIG) for control commands, a feature critically missing in ndc. Consequently, ndc rapidly fell out of use as BIND 9 became prevalent, and it is no longer distributed with modern BIND packages.
SEE ALSO
rndc(8), named(8), named.conf(5)