NAMED(8)                             BIND 9                             NAMED(8)

NAME
       named - Internet domain name server

SYNOPSIS
       named [ [-4] | [-6] ] [-c config-file] [-C] [-d debug-level] [-D string]
       [-E engine-name] [-f] [-F] [-g] [-L logfile] [-M option] [-m flag]
       [-n #cpus] [-p port] [-s] [-t directory] [-U #listeners] [-u user] [-v]
       [-V]

DESCRIPTION
       named is a Domain Name System (DNS) server, part of the BIND 9
       distribution from ISC. For more information on the DNS, see RFC 1033,
       RFC 1034, and RFC 1035.

       When invoked without arguments, named reads the default configuration
       file /etc/named.conf, reads any initial data, and listens for queries.

OPTIONS
       -4     This option tells named to use only IPv4, even if the host
              machine is capable of IPv6. -4 and -6 are mutually exclusive.

       -6     This option tells named to use only IPv6, even if the host
              machine is capable of IPv4. -4 and -6 are mutually exclusive.

       -c config-file
              This option tells named to use config-file as its configuration
              file instead of the default, /etc/named.conf. To ensure that the
              configuration file can be reloaded after the server has changed
              its working directory because of a directory option in the
              configuration file, config-file should be an absolute pathname.

       -C     This option prints out the default built-in configuration and
              exits.

              NOTE: This is for debugging purposes only and is not an accurate
              representation of the actual configuration used by named at
              runtime.

       -d debug-level
              This option sets the daemon's debug level to debug-level.
              Debugging traces from named become more verbose as the debug
              level increases.

       -D string
              This option specifies a string that is used to identify an
              instance of named in a process listing. The contents of string
              are not examined.

       -E engine-name
              When applicable, this option specifies the hardware to use for
              cryptographic operations, such as a secure key store used for
              signing.

              When BIND 9 is built with OpenSSL, this needs to be set to the
              OpenSSL engine identifier that drives the cryptographic
              accelerator or hardware security module (usually pkcs11).

       -f     This option runs the server in the foreground (i.e., it does
              not daemonize).

       -F     This option turns on FIPS (US Federal Information Processing
              Standards) mode if the underlying cryptographic library supports
              running in FIPS mode.

       -g     This option runs the server in the foreground and forces all
              logging to stderr.

       -L logfile
              This option sets the log to the file logfile by default, instead
              of the system log.

       -M option
              This option sets the default (comma-separated) memory context
              options. The possible flags are:

              • fill: fill blocks of memory with tag values when they are
                allocated or freed, to assist debugging of memory problems;
                this is the implicit default if named has been compiled with
                --enable-developer.

              • nofill: disable the behavior enabled by fill; this is the
                implicit default unless named has been compiled with
                --enable-developer.

       -m flag
              This option turns on memory usage debugging flags. Possible
              flags are usage, trace, record, size, and mctx. These correspond
              to the ISC_MEM_DEBUGXXXX flags described in <isc/mem.h>.

       -n #cpus
              This option creates #cpus worker threads to take advantage of
              multiple CPUs. If not specified, named tries to determine the
              number of CPUs present and creates one thread per CPU. If it is
              unable to determine the number of CPUs, a single worker thread
              is created.

       -p value
              This option specifies the port(s) on which the server listens
              for queries. If value is of the form <portnum> or dns=<portnum>,
              the server listens for DNS queries on portnum; if not specified,
              the default is port 53. If value is of the form tls=<portnum>,
              the server listens for DNS-over-TLS queries on portnum; the
              default is 853. If value is of the form https=<portnum>, the
              server listens for DNS-over-HTTPS queries on portnum; the
              default is 443. If value is of the form http=<portnum>, the
              server listens for unencrypted DNS-over-HTTP queries on portnum;
              the default is 80.

       -s     This option writes memory usage statistics to stdout on exit.

              NOTE: This option is mainly of interest to BIND 9 developers and
              may be removed or changed in a future release.

       -t directory
              This option tells named to chroot to directory after processing
              the command-line arguments, but before reading the configuration
              file.

              WARNING: This option should be used in conjunction with the -u
              option, as chrooting a process running as root does not enhance
              security on most systems; the way chroot is defined allows a
              process with root privileges to escape a chroot jail.

       -U #listeners
              This option tells named the number of #listeners worker threads
              to listen on, for incoming UDP packets on each address. If not
              specified, named calculates a default value based on the number
              of detected CPUs: 1 for 1 CPU, and the number of detected CPUs
              minus one for machines with more than 1 CPU. This cannot be
              increased to a value higher than the number of CPUs. If -n has
              been set to a higher value than the number of detected CPUs,
              then -U may be increased as high as that value, but no higher.

       -u user
              This option makes named setuid to user after completing
              privileged operations, such as creating sockets that listen on
              privileged ports.

              NOTE: On Linux, named uses the kernel's capability mechanism to
              drop all root privileges except the ability to bind to a
              privileged port and set process resource limits. Unfortunately,
              this means that the -u option only works when named is run on
              kernel 2.2.18 or later, or kernel 2.3.99-pre3 or later, since
              previous kernels did not allow privileges to be retained after
              setuid.

       -v     This option reports the version number and exits.

       -V     This option reports the version number, build options, supported
              cryptographic algorithms, and exits.

       -X lock-file
              This option has been removed and using it causes a fatal error.

SIGNALS
       In routine operation, signals should not be used to control the name
       server; rndc should be used instead.

       SIGHUP This signal forces a reload of the server.

       SIGINT, SIGTERM
              These signals shut down the server.

       The result of sending any other signals to the server is undefined.

CONFIGURATION
       The named configuration file is too complex to describe in detail here.
       A complete description is provided in the BIND 9 Administrator
       Reference Manual.

       named inherits the umask (file creation mode mask) from the parent
       process. If files created by named, such as journal files, need to have
       custom permissions, the umask should be set explicitly in the script
       used to start the named process.
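
       The checks implied by the options above (an absolute -c path, -t never
       without -u, well-formed -p values, and an explicit umask before exec)
       belong in the wrapper that starts named, where a mistake is caught
       before the daemon is running as root. The following POSIX sh script is
       an added example, not part of BIND or of any distribution's init
       script; the user name "named", the jail path /var/named/chroot and the
       umask 027 in the demo are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of BIND: assemble a hardened named(8) command line
# from the documented options, refusing combinations the man page warns
# against. The user "named" and jail "/var/named/chroot" used in the demo
# are assumptions, not named defaults.

# is_port N: true if N is an integer in 1..65535
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_named_cmd CONFIG USER CHROOT_DIR [PORT_SPEC ...]
#   CONFIG must be absolute so it can be re-read after named changes its
#   working directory (see -c).  CHROOT_DIR may be empty; if it is set, USER
#   must be set too, because a root process can escape a chroot (see -t).
#   PORT_SPEC takes the -p forms: N, dns=N, tls=N, https=N, http=N.
build_named_cmd() {
    [ $# -ge 3 ] || { echo "usage: build_named_cmd CONFIG USER CHROOT_DIR [PORT...]" >&2; return 1; }
    config=$1 user=$2 jail=$3
    shift 3
    case $config in
        /*) ;;
        *) echo "config-file must be an absolute path: $config" >&2; return 1 ;;
    esac
    if [ -n "$jail" ] && [ -z "$user" ]; then
        echo "-t $jail without -u: refusing to chroot as root" >&2; return 1
    fi
    cmd="named -c $config"
    [ -n "$user" ] && cmd="$cmd -u $user"
    [ -n "$jail" ] && cmd="$cmd -t $jail"
    for spec in "$@"; do
        case $spec in
            dns=*|tls=*|https=*|http=*) port=${spec#*=} ;;
            *) port=$spec ;;
        esac
        is_port "$port" || { echo "bad -p value: $spec" >&2; return 1; }
        cmd="$cmd -p $spec"
    done
    printf '%s\n' "$cmd"
}

# Demo: the umask is set in the launcher because named inherits it (see
# CONFIGURATION); -f keeps named in the foreground for a supervisor.
if cmd=$(build_named_cmd /etc/named.conf named /var/named/chroot 53 tls=853); then
    echo "would run: (umask 027; exec $cmd -f)"
fi
```

       build_named_cmd only validates and prints the command line; the
       "(umask 027; exec ...)" it shows is what an rc script or service unit
       would actually execute.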

FILES
       /etc/named.conf
              The default configuration file.

       /run/named.pid
              The default process-id file.

NOTES
       Red Hat SELinux BIND Security Profile:

       By default, Red Hat ships BIND with the most restrictive SELinux policy
       that does not prevent normal BIND operation; it confines named so that
       exploitation of a known BIND security vulnerability cannot be used to
       compromise the rest of the system. See the selinux(8) man page for
       information about SELinux.

       It is not necessary to run named in a chroot environment if the Red Hat
       SELinux policy for named is enabled. When enabled, this policy is far
       more secure than a chroot environment. Users are recommended to enable
       SELinux and remove the bind-chroot package.

       With this extra security come some restrictions:

       By default, the SELinux policy does not allow named to write any master
       zone database files. Only the root user may create files in the
       $ROOTDIR/var/named zone database file directory (the options {
       "directory" } option), where $ROOTDIR is set in /etc/sysconfig/named.

       The "named" group must be granted read privilege to these files in
       order for named to be able to read them.

       Any file created in the zone database file directory is automatically
       assigned the SELinux file context named_zone_t.

       By default, SELinux prevents any role from modifying named_zone_t
       files; this means that files in the zone database directory cannot be
       modified by dynamic DNS (DDNS) updates or zone transfers.

       The Red Hat BIND distribution and SELinux policy create three
       directories where named is allowed to create and modify files:
       /var/named/slaves, /var/named/dynamic, and /var/named/data. Place the
       files you want named to modify, such as slave (secondary) or
       DDNS-updatable zone files and database or statistics dump files, in
       these directories; named then works normally and no further operator
       action is required. Files in these directories are automatically
       assigned the named_cache_t file context, which SELinux allows named to
       write.
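
       The restriction above is easy to violate silently: a secondary or
       DDNS-updatable zone whose file is left in /var/named loads fine and
       only fails at the first transfer or update, when SELinux denies the
       write. The following POSIX sh script is an added example, not part of
       BIND or of the Red Hat policy; it walks the zone statements in a
       named.conf and reports writable zones whose file is outside the three
       named_cache_t directories. It assumes options { directory
       "/var/named"; } for relative file names, and the zone names in its
       constructed sample configuration are invented.

```shell
#!/bin/sh
# Added example, not part of BIND or the Red Hat policy: report zones that
# named must be able to write (secondaries and DDNS-updatable primaries)
# whose "file" is outside /var/named/{slaves,dynamic,data}, the directories
# labelled named_cache_t. Assumes options { directory "/var/named"; }.

check_writable_zone_dirs() {          # usage: check_writable_zone_dirs named.conf
    awk '
    function check(block,   name, path, sec, upd) {
        sec = (block ~ /type[ \t]+(secondary|slave)[ \t]*;/)
        upd = (block ~ /allow-update/ && block !~ /allow-update[ \t]*[{][ \t]*none[ \t]*;/)
        if (!sec && !upd) return                   # static primary: read-only is fine
        if (match(block, /file[ \t]+"[^"]*"/) == 0) return
        path = substr(block, RSTART, RLENGTH)
        sub(/^file[ \t]+"/, "", path); sub(/"$/, "", path)
        if (substr(path, 1, 1) != "/") path = "/var/named/" path   # relative to directory
        if (path ~ "^/var/named/(slaves|dynamic|data)/") return
        match(block, /zone[ \t]+"[^"]*"/)
        name = substr(block, RSTART, RLENGTH)
        sub(/^zone[ \t]+"/, "", name); sub(/"$/, "", name)
        printf "zone %s: file %s is not under a named_cache_t directory\n", name, path
        bad++
    }
    /^[ \t]*zone[ \t]/ { inzone = 1; depth = 0; block = "" }
    inzone {
        # accumulate the zone statement until its braces balance
        block = block " " $0
        line = $0
        depth += gsub(/[{]/, "&", line) - gsub(/[}]/, "&", line)
        if (depth == 0 && block ~ /[}]/) { check(block); inzone = 0 }
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample configuration (invented zone names); two zones offend.
write_sample_conf() {                 # usage: write_sample_conf path
    cat >"$1" <<'EOF'
options { directory "/var/named"; };

zone "ok.example" IN {
    type secondary;
    primaries { 192.0.2.1; };
    file "slaves/ok.example.db";
};

zone "sec.example" IN {
    type secondary;
    primaries { 192.0.2.1; };
    file "sec.example.db";
};

zone "dyn.example" IN {
    type primary;
    allow-update { key "ddns-key"; };
    file "/var/named/dyn.example.db";
};

zone "static.example" IN {
    type primary;
    allow-update { none; };
    file "static.example.db";
};
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
if check_writable_zone_dirs "$conf"; then
    echo "all writable zones live in named_cache_t directories"
else
    echo "move the files above into slaves/, dynamic/ or data/"
fi
rm -f "$conf"
```

       The check exits non-zero when any offending zone is found, so it can
       run next to named-checkconf(8) before a reload.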

SEE ALSO
       RFC 1033, RFC 1034, RFC 1035, named-checkconf(8), named-checkzone(8),
       rndc(8), named.conf(5), BIND 9 Administrator Reference Manual.

AUTHOR
       Internet Systems Consortium

COPYRIGHT
       2023, Internet Systems Consortium

9.19.18                                                                NAMED(8)