How to Fix “rndc: connect failed: connection refused” in BIND DNS Server
Introduction
The error "rndc: connect failed: connection refused" is commonly encountered when managing a BIND DNS server. rndc talks to named over a TCP control channel (127.0.0.1 port 953 by default), and "connection refused" means nothing is listening on that socket. In most cases that is because named is not running at all, often because it failed at startup when it could not create its PID file due to an incorrect path or directory permissions. Less commonly, named is running but its controls statement is missing or points at a different address or port.
Prerequisites
Before proceeding, ensure that:
- You have root access to the server.
- BIND (named) DNS server is installed.
- You have access to edit the /etc/named.conf file.
- The rndc utility is installed and configured.
Issue
You may receive the following error while checking the status of the DNS server:
rndc status
rndc: connect failed: connection refused
In some cases, starting the service appears to succeed:
service named start
However, the named process is not actually running, which you can confirm with systemctl status named (or ps -ef | grep named on older systems).
Cause
The issue can occur when BIND attempts to create its PID file in a directory where the user named runs as (named on RHEL/CentOS, bind on Debian/Ubuntu) does not have write permission.
For example, BIND may try to write directly into /var/run (which on systemd systems is usually a symlink to /run and is owned by root):
/var/run/named.pid
On many Linux distributions, the correct location is a dedicated directory owned by the named user:
/var/run/named/named.pid
Since the PID file cannot be created, named exits during startup and never opens the control channel, so rndc commands return a connection refused error. Before changing anything, confirm this is the cause by reading the startup log (journalctl -u named, or /var/log/messages on older systems); named typically reports that it could not open the PID file, together with the path it tried and the reason (for example "Permission denied").
Resolution
Step 1: Edit the BIND Configuration
Open the configuration file:
vi /etc/named.conf
Locate the existing options block and add the following directive inside it (note that every block in named.conf is terminated with "};"):
options {
pid-file "/var/run/named/named.pid";
};
Then make sure the directory exists and is owned by the user named runs as:
mkdir -p /var/run/named
chown named:named /var/run/named
On Debian/Ubuntu, substitute the bind user and group.
Step 2: Verify RNDC Configuration
Ensure the RNDC configuration exists and is correctly configured. The key and controls statements in /etc/named.conf should look like this:
key "rndc-key" {
algorithm hmac-sha256;
secret "YOUR_SECRET_KEY";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; }
keys { "rndc-key"; };
};
Older guides show algorithm hmac-md5; current versions of rndc-confgen default to hmac-sha256, and there is no reason to keep MD5 on a new setup. Whichever algorithm you use, the algorithm and secret must be identical on both sides: named reads them from named.conf, and the rndc client reads them from /etc/rndc.conf or, if that file is absent, /etc/rndc.key.
If you generated the configuration using rndc-confgen, note that it prints two parts: an rndc.conf for the client and a commented block to paste into named.conf. Verify that the named.conf half is actually present. If you instead ran rndc-confgen -a, it writes /etc/rndc.key, which named will also use automatically when named.conf contains no controls statement.
Step 3: Validate the Configuration
Run the following command to verify the configuration syntax:
named-checkconf
If no output is returned and the exit status is 0, the configuration is valid. Add -z to also load and check every configured zone, since a zone error can likewise stop named from starting.
Step 4: Restart the DNS Service
Restart the BIND service:
systemctl restart named
or on older systems:
service named restart
Verify that the service is running:
systemctl status named
Step 5: Test RNDC
Run:
rndc status
The command should now return the DNS server status instead of the connection refused error.
Verification
You can verify that the service is functioning correctly using the following commands:
ps -ef | grep named
ss -tulpn | grep named
ls -l /var/run/named/named.pid
On older systems without ss, use netstat -tulpn | grep named instead. You should see named listening on tcp/53 and udp/53 as well as tcp 127.0.0.1:953 for the control channel. If the PID file exists, is owned by the named user, and the service is running, the issue has been successfully resolved.
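The following script gathers the checks from the Cause, Resolution and Verification sections into one diagnostic run. It is an added example for this article, not a tool shipped with BIND. It assumes a Linux host with iproute2 (ss), systemd (systemctl, journalctl) and the RHEL-style defaults of /etc/named.conf and a service user called named; override NAMED_CONF and NAMED_USER for other layouts (for example NAMED_USER=bind on Debian). The parsing of named -V output assumes the "named PID file:" line that BIND 9.11 and later print. The constructed inputs in the comments are for illustration only.

```shell
#!/bin/sh
# check_rndc.sh - diagnose "rndc: connect failed: connection refused".
# Added example, not part of BIND. Run as root: sh check_rndc.sh run
# Assumptions: iproute2 (ss), systemd, GNU/BSD ls for ownership lookup.

NAMED_CONF="${NAMED_CONF:-/etc/named.conf}"   # override on other distributions
NAMED_USER="${NAMED_USER:-named}"             # "bind" on Debian/Ubuntu

# Print the pid-file path configured in a named.conf, or nothing if the
# directive is absent. Line comments (// and #) are stripped first so a
# commented-out directive is not mistaken for a live one.
pid_file_from_conf() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1" \
      | sed -n 's/.*pid-file[[:space:]]*"\([^"]*\)".*/\1/p' \
      | head -n 1
}

# Read `named -V` output on stdin and print the compiled-in default PID file.
# Assumes the "named PID file: /path" line printed by BIND 9.11+.
parse_default_pid_file() {
    sed -n 's/.*[Pp][Ii][Dd] file:[[:space:]]*//p' | head -n 1
}

# Return 0 if the directory that will hold the PID file exists and is owned
# by the given user; otherwise print why and return 1. Ownership is read
# with ls/awk rather than stat -c so it works on non-GNU systems too.
pid_dir_ok() {
    dir=$(dirname "$1")
    if [ ! -d "$dir" ]; then
        echo "pid directory $dir does not exist (mkdir -p $dir; chown $2 $dir)"
        return 1
    fi
    owner=$(ls -ld "$dir" | awk '{print $3}')
    if [ "$owner" != "$2" ]; then
        echo "pid directory $dir is owned by $owner, not $2 (chown $2 $dir)"
        return 1
    fi
    return 0
}

# Read `ss -ltn` output on stdin; return 0 if any socket listens on port 953.
# Matches "127.0.0.1:953 " and "[::1]:953 " but not ":9530" or ":9953".
control_port_listening() {
    grep -Eq ':953[[:space:]]'
}

run_checks() {
    echo "== named service"
    systemctl is-active named 2>/dev/null || echo "named is not active"

    echo "== control channel (tcp/953)"
    if ss -ltn 2>/dev/null | control_port_listening; then
        echo "a listener on port 953 is present"
    else
        echo "nothing listening on 953: named is down, or controls {} is missing"
    fi

    echo "== pid-file"
    pf=$(pid_file_from_conf "$NAMED_CONF")
    if [ -z "$pf" ]; then
        pf=$(named -V 2>/dev/null | parse_default_pid_file)
        echo "no pid-file directive in $NAMED_CONF; compiled-in default: ${pf:-unknown}"
    fi
    if [ -n "$pf" ] && pid_dir_ok "$pf" "$NAMED_USER"; then
        echo "pid directory for $pf is owned by $NAMED_USER"
    fi

    echo "== configuration syntax"
    named-checkconf "$NAMED_CONF" && echo "named-checkconf: ok"

    echo "== recent named log lines"
    journalctl -u named -n 20 --no-pager 2>/dev/null || tail -n 20 /var/log/messages
}

# Only run the live checks when invoked with "run", so the functions can be
# sourced or tested without touching the system.
case "${1:-}" in
    run) run_checks ;;
esac
```

The pure functions (pid_file_from_conf, parse_default_pid_file, pid_dir_ok, control_port_listening) take their input as arguments or on stdin, so you can exercise them against a copied named.conf or saved ss output from another host without root. The run mode is what you would execute on the affected server, and it prints a concrete chown or mkdir hint whenever the PID directory is the problem.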
Conclusion
The "rndc: connect failed: connection refused" error is typically caused by named failing to start, most often because it cannot write its PID file, or by an incomplete or mismatched RNDC configuration. Pointing pid-file at a directory the named user owns, checking that the key and controls statements match the rndc client's configuration, validating the configuration with named-checkconf, and restarting the service will usually resolve the issue and restore normal DNS management functionality.
