Port 953

Port 953 is the Remote Name Daemon Control (RNDC) port—the secure management channel for BIND, the most widely deployed DNS server software on the Internet.

What Runs on Port 953

RNDC (Remote Name Daemon Control) operates on port 953. It's the control utility that lets administrators manage BIND nameservers without restarting them. Zone reloads, cache flushes, statistics queries, configuration changes—all of these management operations happen through port 953.

The protocol is simple: encrypted, authenticated TCP connections carrying administrative commands. The authentication uses TSIG (Transaction Signature) with a shared secret key, typically stored in /etc/rndc.key.

The Problem RNDC Solved

Before RNDC, managing a DNS server meant one of two things:

  1. Restart the entire server to reload configuration changes—dropping every in-flight query
  2. Send UNIX signals to the process (like kill -HUP)—crude, error-prone, and impossible to do remotely in a secure way

For DNS servers handling millions of queries, neither option was acceptable. You can't restart the Internet's phonebook every time you add a phone number.

RNDC changed this. Introduced with BIND 9 in 2000, it provided a secure, authenticated way to send management commands to a running nameserver. The server keeps answering queries while you reconfigure it in real time.

How It Works

RNDC operates over TCP on port 953. By default, BIND listens only on the loopback interface (127.0.0.1 and ::1), meaning local-only access. For remote management, administrators must explicitly configure which IP addresses can connect and provide the appropriate cryptographic key.

Common RNDC commands include:

  • rndc reload — Reload zone files without restarting
  • rndc flush — Clear the DNS cache
  • rndc status — Check server status and statistics
  • rndc reconfig — Reload configuration file
  • rndc freeze/thaw — Temporarily stop updates to a zone

Every command is authenticated. Without the correct key, the server refuses the connection.

Security Considerations

Default exposure: BIND enables the RNDC control channel by default, listening on localhost port 953 even without explicit configuration. While this is safe for local-only access, administrators should be aware of it.

Remote access risks: If you configure RNDC to accept remote connections, you've opened a control channel to your DNS infrastructure. Secure it properly:

  • Use strong TSIG keys (the default key in /etc/rndc.key should be regenerated)
  • Restrict access by IP address using firewall rules or BIND's allow statements
  • Never expose port 953 to the public Internet
  • If you don't use RNDC remotely, keep it bound to localhost only

Disabling RNDC: If you don't use RNDC at all, disable it explicitly with an empty controls clause in your BIND configuration.
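As an added example (not from the original page and not ISC's own tooling), the POSIX shell script below puts the configuration described under How It Works and the hardening list above into practice. It generates a random secret for an hmac-sha256 key, prints a loopback-only controls stanza for named.conf together with the matching rndc.conf, and includes a small audit function that flags a controls clause bound to a non-loopback address or using allow { any; }. The key name rndc-key, the constructed sample configurations, and the audit's parsing rule (each inet statement ends with a semicolon) are assumptions of this example; on a real server, rndc-confgen -a is the tool that writes /etc/rndc.key.

```shell
#!/bin/sh
# Added example, not BIND's own tooling: generate an rndc key, print a
# loopback-only control-channel configuration, and audit a controls clause
# for the two mistakes the page warns about (non-loopback listener, allow { any; }).
# Assumptions: key name "rndc-key", hmac-sha256, and one "inet ... ;" statement
# per listener in the audited configuration.

# Random 32-byte secret encoded as base64, the form BIND expects in a key
# statement. Falls back to a labelled placeholder when the tools are missing.
gen_secret() {
    if [ -r /dev/urandom ] && command -v base64 >/dev/null 2>&1; then
        head -c 32 /dev/urandom | base64 | tr -d '\n'
    else
        echo "REPLACE-WITH-OUTPUT-OF-rndc-confgen"
    fi
}

# named.conf stanzas: the key, and a controls clause bound only to loopback
# addresses, accepting only loopback clients, authenticated with that key.
emit_named_controls() {
    name=$1
    secret=$2
    cat <<EOF
key "$name" {
    algorithm hmac-sha256;
    secret "$secret";
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "$name"; };
    inet ::1 port 953 allow { ::1; } keys { "$name"; };
};
EOF
}

# Matching rndc.conf for the client side, so "rndc status" needs no flags.
emit_rndc_conf() {
    name=$1
    secret=$2
    cat <<EOF
key "$name" {
    algorithm hmac-sha256;
    secret "$secret";
};

options {
    default-key "$name";
    default-server 127.0.0.1;
    default-port 953;
};
EOF
}

# Reads a named.conf fragment on stdin and prints "exposed" (exit 1) if any
# listener is bound to a non-loopback address or any allow list contains "any";
# otherwise prints "ok" (exit 0). A missing or empty controls clause is "ok":
# empty disables the channel, missing leaves BIND on its loopback default.
audit_controls() {
    # Flatten the clause and start a new line at every "inet " so that each
    # listener's address, allow list and keys are inspected together.
    stmts=$(tr '\n\t' '  ' | sed 's/inet /\
inet /g' | grep '^inet ' || true)
    if printf '%s\n' "$stmts" | grep -Ev '^inet (127\.0\.0\.1|::1)( |;)' | grep -q '^inet '; then
        echo exposed
        return 1
    fi
    if printf '%s\n' "$stmts" | grep -Eq 'allow *[{][^}]*[ {]any[ ;]'; then
        echo exposed
        return 1
    fi
    echo ok
    return 0
}

# Constructed sample of the configuration the page warns against.
WEAK_CONTROLS='controls {
    inet 0.0.0.0 port 953 allow { any; } keys { "rndc-key"; };
};'

SECRET=$(gen_secret)
echo "weak sample:     $(printf '%s\n' "$WEAK_CONTROLS" | audit_controls)"
echo "hardened sample: $(emit_named_controls rndc-key "$SECRET" | audit_controls)"
echo "disabled sample: $(printf 'controls { };\n' | audit_controls)"
echo
echo "# named.conf"
emit_named_controls rndc-key "$SECRET"
echo
echo "# rndc.conf"
emit_rndc_conf rndc-key "$SECRET"
```

The audit is deliberately conservative: it reports a listener as exposed whenever its address is anything other than 127.0.0.1 or ::1, which also catches the wildcard forms (0.0.0.0, ::, *) without enumerating them. If remote management is genuinely required, the same function still passes a clause that names a specific management host in allow { } and a loopback bind is replaced by the server's management address, but that address must be reviewed by hand, which is why the script does not try to whitelist it.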

Why This Port Matters

Port 953 is the reason the Internet's DNS infrastructure can be managed in real-time. When a major website changes its IP address, when a domain moves between hosting providers, when zones need emergency updates—all of this happens through RNDC commands on port 953, without interrupting the billions of DNS queries flowing through port 53.

It's the control panel for the Internet's naming system. Invisible to end users, essential to operators.

Related Ports

  • Port 53 — DNS queries and responses (the main DNS port)
  • Port 22 — SSH (common alternative for remote DNS server management)
  • Port 8953 — Sometimes used as an alternative RNDC port to avoid conflicts
