NAMED(8)                              BIND 9                             NAMED(8)

NAME
       named - Internet domain name server

SYNOPSIS
       named [ [-4] | [-6] ] [-c config-file] [-C] [-d debug-level] [-D string]
             [-E engine-name] [-f] [-g] [-L logfile] [-M option] [-m flag]
             [-n #cpus] [-p port] [-s] [-t directory] [-U #listeners] [-u user]
             [-v] [-V] [-X lock-file]

DESCRIPTION
       named is a Domain Name System (DNS) server, part of the BIND 9
       distribution from ISC. For more information on the DNS, see RFC 1033,
       RFC 1034, and RFC 1035.

       When invoked without arguments, named reads the default configuration
       file /etc/named.conf, reads any initial data, and listens for queries.

OPTIONS
       -4     This option tells named to use only IPv4, even if the host
              machine is capable of IPv6. -4 and -6 are mutually exclusive.

       -6     This option tells named to use only IPv6, even if the host
              machine is capable of IPv4. -4 and -6 are mutually exclusive.

       -c config-file
              This option tells named to use config-file as its configuration
              file instead of the default, /etc/named.conf. To ensure that
              the configuration file can be reloaded after the server has
              changed its working directory due to a possible directory
              option in the configuration file, config-file should be an
              absolute pathname.

       -C     This option prints out the default built-in configuration and
              exits.

              NOTE: This is for debugging purposes only and is not an
              accurate representation of the actual configuration used by
              named at runtime.

       -d debug-level
              This option sets the daemon's debug level to debug-level.
              Debugging traces from named become more verbose as the debug
              level increases.

       -D string
              This option specifies a string that is used to identify an
              instance of named in a process listing. The contents of string
              are not examined.

       -E engine-name
              When applicable, this option specifies the hardware to use for
              cryptographic operations, such as a secure key store used for
              signing.

              When BIND 9 is built with OpenSSL, this needs to be set to the
              OpenSSL engine identifier that drives the cryptographic
              accelerator or hardware security module (usually pkcs11).

       -f     This option runs the server in the foreground (i.e., it does
              not daemonize).

       -g     This option runs the server in the foreground and forces all
              logging to stderr.

       -L logfile
              This option sets the log to the file logfile by default,
              instead of the system log.

       -M option
              This option sets the default (comma-separated) memory context
              options. The possible flags are:

              • fill: fill blocks of memory with tag values when they are
                allocated or freed, to assist debugging of memory problems;
                this is the implicit default if named has been compiled with
                --enable-developer.

              • nofill: disable the behavior enabled by fill; this is the
                implicit default unless named has been compiled with
                --enable-developer.

       -m flag
              This option turns on memory usage debugging flags. Possible
              flags are usage, trace, record, size, and mctx. These
              correspond to the ISC_MEM_DEBUGXXXX flags described in
              <isc/mem.h>.

       -n #cpus
              This option creates #cpus worker threads to take advantage of
              multiple CPUs. If not specified, named tries to determine the
              number of CPUs present and creates one thread per CPU. If it is
              unable to determine the number of CPUs, a single worker thread
              is created.

       -p value
              This option specifies the port(s) on which the server will
              listen for queries. If value is of the form <portnum> or
              dns=<portnum>, the server will listen for DNS queries on
              portnum; if not specified, the default is port 53. If value is
              of the form tls=<portnum>, the server will listen for TLS (DNS
              over TLS) queries on portnum; the default is 853. If value is
              of the form https=<portnum>, the server will listen for HTTPS
              (DNS over HTTPS) queries on portnum; the default is 443. If
              value is of the form http=<portnum>, the server will listen for
              plain HTTP queries on portnum; the default is 80.

       -s     This option writes memory usage statistics to stdout on exit.

              NOTE:
              This option is mainly of interest to BIND 9 developers and may
              be removed or changed in a future release.

       -S #max-socks
              This option is deprecated and no longer has any function.

              WARNING:
              This option should be unnecessary for the vast majority of
              users. The use of this option could even be harmful, because
              the specified value may exceed the limitation of the underlying
              system API. It is therefore set only when the default
              configuration causes exhaustion of file descriptors and the
              operational environment is known to support the specified
              number of sockets. Note also that the actual maximum number is
              normally slightly fewer than the specified value, because named
              reserves some file descriptors for its internal use.

       -t directory
              This option tells named to chroot to directory after processing
              the command-line arguments, but before reading the
              configuration file.

              WARNING:
              This option should be used in conjunction with the -u option,
              as chrooting a process running as root doesn't enhance security
              on most systems; the way chroot is defined allows a process
              with root privileges to escape a chroot jail.

       -U #listeners
              This option sets the number (#listeners) of worker threads that
              listen for incoming UDP packets on each address. If not
              specified, named calculates a default value based on the number
              of detected CPUs: 1 for 1 CPU, and the number of detected CPUs
              minus one for machines with more than 1 CPU. This cannot be
              increased to a value higher than the number of CPUs. If -n has
              been set to a higher value than the number of detected CPUs,
              then -U may be increased as high as that value, but no higher.

       -u user
              This option causes named to setuid to user after completing
              privileged operations, such as creating sockets that listen on
              privileged ports.

              NOTE:
              On Linux, named uses the kernel's capability mechanism to drop
              all root privileges except the ability to bind to a privileged
              port and set process resource limits. Unfortunately, this means
              that the -u option only works when named is run on kernel
              2.2.18 or later, or kernel 2.3.99-pre3 or later, since previous
              kernels did not allow privileges to be retained after setuid.

       -v     This option reports the version number and exits.

       -V     This option reports the version number, build options,
              supported cryptographic algorithms, and exits.

       -X lock-file
              This option acquires a lock on the specified file at runtime;
              this helps to prevent duplicate named instances from running
              simultaneously. Use of this option overrides the lock-file
              option in named.conf. If set to none, the lock file check is
              disabled.

SIGNALS
       In routine operation, signals should not be used to control the
       nameserver; rndc should be used instead.

       SIGHUP This signal forces a reload of the server.

       SIGINT, SIGTERM
              These signals shut down the server.

       The result of sending any other signals to the server is undefined.

CONFIGURATION
       The named configuration file is too complex to describe in detail
       here. A complete description is provided in the BIND 9 Administrator
       Reference Manual.

       named inherits the umask (file creation mode mask) from the parent
       process. If files created by named, such as journal files, need to
       have custom permissions, the umask should be set explicitly in the
       script used to start the named process.

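       The following start wrapper is an added example, not code from BIND or
       from this manual page. It applies the checks described under -c, -t
       and -u (absolute configuration path; never chroot without dropping
       root) and sets the umask explicitly, as the paragraph above
       recommends, before exec'ing the server. The binary path /usr/sbin/named,
       the chroot directory and the user name "named" are assumptions.

```shell
#!/bin/sh
# Added example; this is not code from BIND or from the named(8) man page.
# A start wrapper that enforces what the -c, -t, -u and umask notes say
# before exec'ing named. The binary path and the user "named" are assumed.

# Inspect a named argument list. Returns 0 if acceptable, 1 otherwise:
#  - a -c config file must be an absolute path, so it is still found after
#    a "directory" option changes the working directory;
#  - -t (chroot) must be paired with -u, because a root process can escape
#    a chroot jail, so chroot alone adds little.
check_named_args() {
    conf='' chroot_dir='' run_user=''
    while [ $# -gt 0 ]; do
        case "$1" in
            -c) conf=$2; shift ;;
            -t) chroot_dir=$2; shift ;;
            -u) run_user=$2; shift ;;
        esac
        shift
    done
    case "$conf" in
        '') ;;          # no -c: the default /etc/named.conf is absolute
        /*) ;;
        *)  echo "refusing: -c $conf is not an absolute path" >&2; return 1 ;;
    esac
    if [ -n "$chroot_dir" ] && [ -z "$run_user" ]; then
        echo "refusing: -t $chroot_dir without -u (root can escape a chroot)" >&2
        return 1
    fi
    return 0
}

# Show what the inherited umask does to files named creates (journal files,
# dump files): create a probe file under the given umask and print its mode.
mode_under_umask() {
    d=$(mktemp -d) || return 1
    ( umask "$1" && : > "$d/probe" )
    # GNU stat first, BSD/macOS stat as fallback
    m=$(stat -c '%a' "$d/probe" 2>/dev/null || stat -f '%Lp' "$d/probe")
    rm -rf "$d"
    printf '%s\n' "$m"
}

# Start named as an unprivileged user inside a chroot, with an explicit umask
# so that journal and dump files are not world-readable (files 0640, dirs 0750).
start_named() {
    check_named_args "$@" || return 1
    umask 027
    exec /usr/sbin/named "$@"
}

# Usage (paths are assumptions):
#   start_named -u named -t /var/named/chroot -c /etc/named.conf -f
```

       The umask is set inside the wrapper rather than relied on from the
       calling environment, since named simply inherits whatever mask the
       parent process has; mode_under_umask lets an operator verify the
       resulting file mode before the server is started.
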
FILES
       /etc/named.conf
              The default configuration file.

       /run/named.pid
              The default process-id file.

NOTES
       Red Hat SELinux BIND Security Profile:

       By default, Red Hat ships BIND with the most secure SELinux policy
       that will not prevent normal BIND operation and is intended to prevent
       exploitation of all known BIND security vulnerabilities. See the
       selinux(8) man page for information about SELinux.

       It is not necessary to run named in a chroot environment if the Red
       Hat SELinux policy for named is enabled. When enabled, this policy is
       far more secure than a chroot environment. Users are recommended to
       enable SELinux and remove the bind-chroot package.

       With this extra security comes some restrictions:

       By default, the SELinux policy does not allow named to write any
       master zone database files. Only the root user may create files in
       the $ROOTDIR/var/named zone database file directory (the options {
       "directory" } option), where $ROOTDIR is set in /etc/sysconfig/named.

       The "named" group must be granted read privilege to these files in
       order for named to be able to read them.

       Any file created in the zone database file directory is automatically
       assigned the SELinux file context named_zone_t.

       By default, SELinux prevents any role from modifying named_zone_t
       files; this means that files in the zone database directory cannot be
       modified by dynamic DNS (DDNS) updates or zone transfers.

       The Red Hat BIND distribution and SELinux policy create three
       directories where named is allowed to create and modify files:
       /var/named/slaves, /var/named/dynamic, and /var/named/data. By placing
       files you want named to modify, such as slave or DDNS-updateable zone
       files and database / statistics dump files, in these directories,
       named will work normally and no further operator action is required.
       Files in these directories are automatically assigned the
       named_cache_t file context, which SELinux allows named to write.

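       The script below is an added example, not part of BIND or of the Red
       Hat SELinux policy. It lints a named.conf for the mistake the
       restrictions above make likely: a secondary zone, or a zone with
       allow-update, whose file sits in the named_zone_t zone directory
       instead of one of the three writable named_cache_t directories. The
       writable directory list is taken from the text above; the sample
       configuration is constructed for the example, and the parser assumes
       one statement per line and no view blocks.

```shell
#!/bin/sh
# Added example; not part of BIND or of the Red Hat SELinux policy. Lints a
# named.conf for zones that named must write (secondary/slave zones and zones
# with allow-update) whose file lies outside the directories the policy lets
# named write. The directory list is from the man page text; the sample
# configuration below is constructed for this example.

WRITABLE_DIRS='/var/named/slaves /var/named/dynamic /var/named/data'

# Read named.conf text on stdin. Print "<zone> <file> <reason>" for each
# offending zone and return 1 if any was found, else return 0. Assumes one
# statement per line, brace-balanced input and no view blocks; relative file
# names are resolved against the options "directory" (default /var/named).
lint_zone_placement() {
    awk -v dirs="$WRITABLE_DIRS" '
    BEGIN { n = split(dirs, ok, " "); zdir = "/var/named" }
    function writable(f,   i) {
        for (i = 1; i <= n; i++)
            if (index(f, ok[i] "/") == 1) return 1
        return 0
    }
    function report(   reason) {
        if (zfile != "" && substr(zfile, 1, 1) != "/") zfile = zdir "/" zfile
        reason = ""
        if (ztype == "secondary" || ztype == "slave") reason = "secondary-zone"
        else if (upd) reason = "allow-update"
        if (reason != "" && zfile != "" && !writable(zfile)) {
            printf "%s %s %s\n", zname, zfile, reason
            bad = 1
        }
    }
    !inzone && /^[ \t]*directory[ \t]/ { zdir = $2; gsub(/[";]/, "", zdir) }
    depth == 0 && /^[ \t]*zone[ \t]/ {
        inzone = 1; zname = $2; gsub(/[";]/, "", zname)
        ztype = ""; zfile = ""; upd = 0
    }
    inzone && /^[ \t]*type[ \t]/ { ztype = $2; sub(/;.*/, "", ztype) }
    inzone && /^[ \t]*file[ \t]/ { zfile = $2; gsub(/[";]/, "", zfile) }
    inzone && /allow-update/ { upd = 1 }
    {
        # track brace depth so the zone is evaluated at its closing "};"
        depth += gsub(/[{]/, "{")
        depth -= gsub(/[}]/, "}")
        if (inzone && depth == 0) { report(); inzone = 0 }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample: a DDNS zone and a secondary zone placed where the policy
# forbids writes, a secondary zone placed correctly, and a static zone.
SAMPLE_CONF='options {
    directory "/var/named";
};
zone "example.com" IN {
    type primary;
    file "example.com.db";
    allow-update { key "ddns-key"; };
};
zone "example.net" IN {
    type secondary;
    file "slaves/example.net.db";
    primaries { 192.0.2.1; };
};
zone "example.org" IN {
    type secondary;
    file "/var/named/example.org.db";
    primaries { 192.0.2.1; };
};
zone "static.example" IN {
    type primary;
    file "static.example.db";
};'

# Run the lint over the constructed sample; prints the two misplaced zones.
lint_sample() { printf '%s\n' "$SAMPLE_CONF" | lint_zone_placement; }
```

       On a live system the same check can be run as
       "lint_zone_placement < /etc/named.conf"; a flagged zone is one whose
       dynamic updates or transfers SELinux will deny until its file is moved
       into /var/named/dynamic (DDNS) or /var/named/slaves (secondary).
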
SEE ALSO
       RFC 1033, RFC 1034, RFC 1035, named-checkconf(8), named-checkzone(8),
       rndc(8), named.conf(5), BIND 9 Administrator Reference Manual.

AUTHOR
       Internet Systems Consortium

COPYRIGHT
       2023, Internet Systems Consortium

9.18.20                                                                NAMED(8)