Bind and Open Ports
Solution 1:
RNDC is the remote administration port. Do not open it to the outside world. Unless you use the rndc utility, it's not necessary for this port to be open at all; you can safely firewall it off.
Bind needs UDP 53 to service normal requests. You should also open TCP 53 if (and only if) this server is the master for a zone and a secondary server needs to transfer from it.
Solution 2:
What does this print?
$ sudo netstat -ntlp | grep ':953\>'
It should print something like:
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1234/named
or this if you have IPv6 enabled:
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1234/named
tcp 0 0 ::1:953 :::* LISTEN 1234/named
Because it uses only the loopback address, the port is only accessible to users logged on to the server itself, not from elsewhere on the network.
rndc is used to manage the name server; for example, "rndc reload" is the preferred way to tell BIND that you changed a zone file and it should reload it.
On my Debian server (not sure about CentOS) it is also required by /etc/init.d/bind9 to start and stop the service. I think CentOS calls that file /etc/init.d/named. I wouldn't disable it or block it without checking how that script works first.
The full list of commands you can run is in the BIND 9 Administrator's Reference Manual - Administrative Tools.
As to why it uses a TCP port, run "man rndc" for the details:
rndc communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of rndc and named, the only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection. This provides TSIG-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.

rndc reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use.
So if you're looking to secure it, look into details of the key and the key file. For example, /etc/bind/rndc.key (or /etc/named/rndc.key) should have restricted permissions.
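The script below is an added example, not code from either answer above or from the BIND project. It ties together the two points made in Solution 1 and Solution 2: keep the rndc channel on loopback (so port 953 never needs a firewall hole) and protect the shared key. It writes an rndc key file with restricted permissions, prints the named.conf "controls" stanza that binds 953 to 127.0.0.1/::1 and requires the key, and checks a netstat/ss listing for a 953 listener exposed on a non-loopback address. The scratch directory, the "bind" group, the key name and the use of hmac-sha256 (which needs a BIND newer than the one whose man page is quoted above) are assumptions.

```shell
#!/bin/sh
# Added example (not code from either answer above): lock down the rndc
# control channel. Writes an rndc key file with restricted permissions,
# prints the named.conf "controls" stanza that keeps port 953 on loopback
# and requires that key, and scans a netstat/ss listing for a 953 listener
# bound to a non-loopback address. Assumptions: the "bind" group, the key
# name, and a BIND new enough for hmac-sha256.

KEY_NAME="rndc-key"

# Write $1/rndc.key: 32 random bytes, base64-encoded, which is the form named
# and rndc expect the secret in. Created under umask 077, then root:bind 0640.
write_rndc_key() {
    dir="$1"
    secret=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
    ( umask 077; printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' \
        "$KEY_NAME" "$secret" > "$dir/rndc.key" )
    chown root:bind "$dir/rndc.key" 2>/dev/null || true   # group name is an assumption
    chmod 0640 "$dir/rndc.key"
}

# Print the controls stanza for named.conf: listen on loopback only, accept
# only loopback clients, and require the shared key for every command.
controls_stanza() {
    cat <<EOF
include "$1/rndc.key";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "$KEY_NAME"; };
    inet ::1 port 953 allow { ::1; } keys { "$KEY_NAME"; };
};
EOF
}

# Read "netstat -ntlp" or "ss -ntl" output on stdin. Print every local
# address that listens on 953 and is not loopback; exit 1 if any was found.
find_exposed_rndc() {
    awk '
        /LISTEN/ {
            laddr = ""
            for (i = 1; i <= NF; i++) if ($i ~ /:953$/) { laddr = $i; break }
            if (laddr == "") next
            sub(/:953$/, "", laddr)
            gsub(/\[|\]/, "", laddr)             # ss prints IPv6 as [::1]:953
            if (laddr != "127.0.0.1" && laddr != "::1") { print laddr; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Demonstration on a scratch directory and a constructed listing; the second
# line models a misconfigured named that exposed the channel on all interfaces.
demo_dir=$(mktemp -d)
write_rndc_key "$demo_dir"
ls -l "$demo_dir/rndc.key"
controls_stanza "$demo_dir"
printf '%s\n' \
    'tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1234/named' \
    'tcp 0 0 0.0.0.0:953   0.0.0.0:* LISTEN 1234/named' |
    find_exposed_rndc || echo "rndc control channel reachable from the network"
rm -rf "$demo_dir"
```

On a real server point the functions at /etc/bind (Debian) or /etc/named (CentOS), paste the stanza into named.conf, run "rndc reload" to confirm the key still works, and feed the checker the live "netstat -ntlp" output rather than the constructed lines.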