named - Man Page

Internet domain name server

Examples (TL;DR)

Synopsis

named [ [-4] | [-6] ] [-c config-file] [-C] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-L logfile] [-M option] [-m flag] [-n #cpus] [-p port] [-s] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-X lock-file]

Description

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more information on the DNS, see RFC 1033, RFC 1034, and RFC 1035.

When invoked without arguments, named reads the default configuration file /etc/named.conf, reads any initial data, and listens for queries.

Options

-4

This option tells named to use only IPv4, even if the host machine is capable of IPv6. -4 and -6 are mutually exclusive.

-6

This option tells named to use only IPv6, even if the host machine is capable of IPv4. -4 and -6 are mutually exclusive.

-c config-file

This option tells named to use config-file as its configuration file instead of the default, /etc/named.conf. To ensure that the configuration file can be reloaded after the server has changed its working directory due to to a possible directory option in the configuration file, config-file should be an absolute pathname.

-C

This option prints out the default built-in configuration and exits.

NOTE: This is for debugging purposes only and is not an accurate representation of the actual configuration used by named at runtime.

-d debug-level

This option sets the daemon's debug level to debug-level. Debugging traces from named become more verbose as the debug level increases.

-D string

This option specifies a string that is used to identify a instance of named in a process listing. The contents of string are not examined.

-E engine-name

When applicable, this option specifies the hardware to use for cryptographic operations, such as a secure key store used for signing.

When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or hardware service module (usually pkcs11).

-f

This option runs the server in the foreground (i.e., do not daemonize).

-g

This option runs the server in the foreground and forces all logging to stderr.

-L logfile

This option sets the log to the file logfile by default, instead of the system log.

-M option

This option sets the default (comma-separated) memory context options. The possible flags are:

  • fill: fill blocks of memory with tag values when they are allocated or freed, to assist debugging of memory problems; this is the implicit default if named has been compiled with --enable-developer.
  • nofill: disable the behavior enabled by fill; this is the implicit default unless named has been compiled with --enable-developer.
-m flag

This option turns on memory usage debugging flags. Possible flags are usage, trace, record, size, and mctx. These correspond to the ISC_MEM_DEBUGXXXX flags described in <isc/mem.h>.

-n #cpus

This option creates #cpus worker threads to take advantage of multiple CPUs. If not specified, named tries to determine the number of CPUs present and creates one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread is created.

-p value

This option specifies the port(s) on which the server will listen for queries. If value is of the form <portnum> or dns=<portnum>, the server will listen for DNS queries on portnum; if not not specified, the default is port 53. If value is of the form tls=<portnum>, the server will listen for TLS queries on portnum; the default is 853. If value is of the form https=<portnum>, the server will listen for HTTPS queries on portnum; the default is 443. If value is of the form http=<portnum>, the server will listen for HTTP queries on portnum; the default is 80.

-s

This option writes memory usage statistics to stdout on exit.

NOTE:

This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.

-S #max-socks

This option is deprecated and no longer has any function.

WARNING:

This option should be unnecessary for the vast majority of users. The use of this option could even be harmful, because the specified value may exceed the limitation of the underlying system API. It is therefore set only when the default configuration causes exhaustion of file descriptors and the operational environment is known to support the specified number of sockets. Note also that the actual maximum number is normally slightly fewer than the specified value, because named reserves some file descriptors for its internal use.

-t directory

This option tells named to chroot to directory after processing the command-line arguments, but before reading the configuration file.

WARNING:

This option should be used in conjunction with the -u option, as chrooting a process running as root doesn't enhance security on most systems; the way chroot is defined allows a process with root privileges to escape a chroot jail.

-U #dispatches

This option specifies the number of per-interface UDP #dispatches that named should use to handle the outgoing (recursive) UDP connection, to reduce contention between the resolver threads.

If not specified, named calculates a default value based on the number of detected CPUs: 1 for a single CPU, and the number of detected CPUs minus one for machines with more than 1 CPU.

This cannot be increased to a value higher than the number of CPUs (see -n on how to override the value).

WARNING:

This option should be unnecessary for the vast majority of users, and will be removed in the next version of BIND 9.

-u user

This option sets the setuid to user after completing privileged operations, such as creating sockets that listen on privileged ports.

NOTE:

On Linux, named uses the kernel's capability mechanism to drop all root privileges except the ability to bind to a privileged port and set process resource limits. Unfortunately, this means that the -u option only works when named is run on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or later, since previous kernels did not allow privileges to be retained after setuid.

-v

This option reports the version number and exits.

-V

This option reports the version number, build options, supported cryptographics algorithms, and exits.

-X lock-file

This option acquires a lock on the specified file at runtime; this helps to prevent duplicate named instances from running simultaneously. Use of this option overrides the lock-file option in named.conf. If set to none, the lock file check is disabled.

Signals

In routine operation, signals should not be used to control the nameserver; rndc should be used instead.

SIGHUP

This signal forces a reload of the server.

SIGINT, SIGTERM

These signals shut down the server.

The result of sending any other signals to the server is undefined.

Configuration

The named configuration file is too complex to describe in detail here. A complete description is provided in the BIND 9 Administrator Reference Manual.

named inherits the umask (file creation mode mask) from the parent process. If files created by named, such as journal files, need to have custom permissions, the umask should be set explicitly in the script used to start the named process.

Files

/etc/named.conf

The default configuration file.

/run/named.pid

The default process-id file.

Notes

Red Hat SELinux BIND Security Profile:

By default, Red Hat ships BIND with the most secure SELinux policy that will not prevent normal BIND operation and will prevent exploitation of all known BIND security vulnerabilities . See the selinux(8) man page for information about SElinux.

It is not necessary to run named in a chroot environment if the Red Hat SELinux policy for named is enabled. When enabled, this policy is far more secure than a chroot environment. Users are recommended to enable SELinux and remove the bind-chroot package.

With this extra security comes some restrictions:

By default, the SELinux policy does not allow named to write any master zone database files. Only the root user may create files in the $ROOTDIR/var/named zone database file directory (the options { "directory" } option), where $ROOTDIR is set in /etc/sysconfig/named.

The "named" group must be granted read privelege to these files in order for named to be enabled to read them.

Any file created in the zone database file directory is automatically assigned the SELinux file context named_zone_t .

By default, SELinux prevents any role from modifying named_zone_t files; this means that files in the zone database directory cannot be modified by dynamic DNS (DDNS) updates or zone transfers.

The Red Hat BIND distribution and SELinux policy creates three directories where named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic /var/named/data. By placing files you want named to modify, such as slave or DDNS updateable zone files and database / statistics dump files in these directories, named will work normally and no further operator action is required. Files in these directories are automatically assigned the 'named_cache_t' file context, which SELinux allows named to write.

See Also

RFC 1033, RFC 1034, RFC 1035, named-checkconf(8), named-checkzone(8), rndc(8), named.conf(5), BIND 9 Administrator Reference Manual.

Author

Internet Systems Consortium

Referenced By

ddns-confgen(8), delv(1), dig(1), dnstap-read(1), dnsviz-probe(1), genreport(1), gethostbyname(3), getnameinfo(3), host(1), host.conf(5), hostname(7), hosts(5), in.rlogind(8), in.rshd(8), named-checkconf(1), named-checkzone(1), named-compilezone(1), named.conf(5), named-journalprint(1), named-rrchecker(1), named_selinux(8), nsdiff(1), nslookup(1), nsupdate(1), opendkim-genzone(8), pmdabind2(1), pmdanamed(1), resolv.conf(5), resolvconf.conf(5), resolvconf.openresolv(8), resolver(3), rndc(8), rndc-confgen(8), rollerd(1), tsig-keygen(8).

9.18.30 BIND 9