NAME

       named - Internet domain name server

SYNOPSIS

       named  [  [-4] | [-6] ] [-c config-file] [-C] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-L
       logfile] [-M option] [-m flag] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-V] ]

DESCRIPTION

       named is a Domain Name System (DNS)  server,  part  of  the  BIND  9  distribution  from  ISC.  For  more
       information on the DNS, see RFC 1033, RFC 1034, and RFC 1035.

       When  invoked  without  arguments, named reads the default configuration file /etc/bind/named.conf, reads
       any initial data, and listens for queries.

OPTIONS

       -4     This option tells named to use only IPv4, even if the host machine is capable of IPv6. -4  and  -6
              are mutually exclusive.

       -6     This  option  tells named to use only IPv6, even if the host machine is capable of IPv4. -4 and -6
              are mutually exclusive.

       -c config-file
              This option tells named to use config-file as its  configuration  file  instead  of  the  default,
              /etc/bind/named.conf.  To  ensure that the configuration file can be reloaded after the server has
              changed its working directory due to to a possible directory option  in  the  configuration  file,
              config-file should be an absolute pathname.

       -C     This option prints out the default built-in configuration and exits.

              NOTE:  This  is  for  debugging  purposes only and is not an accurate representation of the actual
              configuration used by named at runtime.

       -d debug-level
              This option sets the daemon's debug level to debug-level. Debugging traces from named become  more
              verbose as the debug level increases.

       -D string
              This  option specifies a string that is used to identify a instance of named in a process listing.
              The contents of string are not examined.

       -E engine-name
              When applicable, this option specifies the hardware to use for cryptographic operations, such as a
              secure key store used for signing.

              When  BIND  9  is  built  with OpenSSL, this needs to be set to the OpenSSL engine identifier that
              drives the cryptographic accelerator or hardware service module (usually pkcs11).

       -f     This option runs the server in the foreground (i.e., do not daemonize).

       -F     This options turns on FIPS (US Federal Information Processing Standards) mode  if  the  underlying
              crytographic library supports running in FIPS mode.

       -g     This option runs the server in the foreground and forces all logging to stderr.

       -L logfile
              This option sets the log to the file logfile by default, instead of the system log.

       -M option
              This option sets the default (comma-separated) memory context options. The possible flags are:

              • fill:  fill  blocks  of  memory  with  tag  values  when  they are allocated or freed, to assist
                debugging of memory problems; this is the implicit default  if  named  has  been  compiled  with
                --enable-developer.

              • nofill: disable the behavior enabled by fill; this is the implicit default unless named has been
                compiled with --enable-developer.

       -m flag
              This option turns on memory usage debugging flags. Possible flags are usage, trace, record,  size,
              and mctx. These correspond to the ISC_MEM_DEBUGXXXX flags described in <isc/mem.h>.

       -n #cpus
              This  option  creates  #cpus  worker threads to take advantage of multiple CPUs. If not specified,
              named tries to determine the number of CPUs present and creates one  thread  per  CPU.  If  it  is
              unable to determine the number of CPUs, a single worker thread is created.

       -p value
              This  option specifies the port(s) on which the server will listen for queries. If value is of the
              form <portnum> or dns=<portnum>, the server will listen for DNS queries on  portnum;  if  not  not
              specified,  the  default is port 53. If value is of the form tls=<portnum>, the server will listen
              for TLS queries on portnum; the default is 853.  If value is  of  the  form  https=<portnum>,  the
              server  will  listen  for  HTTPS  queries on portnum; the default is 443.  If value is of the form
              http=<portnum>, the server will listen for HTTP queries on portnum; the default is 80.

       -s     This option writes memory usage statistics to stdout on exit.

       NOTE:
          This option is mainly of interest to BIND 9 developers and may be  removed  or  changed  in  a  future
          release.

       -t directory
              This  option  tells  named to chroot to directory after processing the command-line arguments, but
              before reading the configuration file.

       WARNING:
          This option should be used in conjunction with the -u option, as chrooting a process running  as  root
          doesn't  enhance  security  on  most  systems;  the  way  chroot is defined allows a process with root
          privileges to escape a chroot jail.

       -U #listeners
              This option has been removed. Attempts to use it now result in a warning.

       -u user
              This option sets the setuid to user after  completing  privileged  operations,  such  as  creating
              sockets that listen on privileged ports.

       NOTE:
          On  Linux, named uses the kernel's capability mechanism to drop all root privileges except the ability
          to bind to a privileged port and set process resource limits. Unfortunately, this means  that  the  -u
          option  only  works when named is run on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or later, since
          previous kernels did not allow privileges to be retained after setuid.

       -v     This option reports the version number and exits.

       -V     This option reports the version number, build options, supported  cryptographics  algorithms,  and
              exits.

       -X lock-file
              This option has been removed and using it will cause a fatal error.

SIGNALS

       In routine operation, signals should not be used to control the nameserver; rndc should be used instead.

       SIGHUP This signal forces a reload of the server.

       SIGINT, SIGTERM
              These signals shut down the server.

       The result of sending any other signals to the server is undefined.

CONFIGURATION

       The  named  configuration  file  is  too  complex  to  describe in detail here. A complete description is
       provided in the BIND 9 Administrator Reference Manual.

       named inherits the umask (file creation mode mask) from the parent process. If files  created  by  named,
       such  as journal files, need to have custom permissions, the umask should be set explicitly in the script
       used to start the named process.

FILES

       /etc/bind/named.conf
              The default configuration file.

       /run/named.pid
              The default process-id file.

SEE ALSO

       RFC 1033, RFC 1034, RFC 1035, named-checkconf(8),  named-checkzone(8),  rndc(8),  named.conf(5),  BIND  9
       Administrator Reference Manual.

AUTHOR

       Internet Systems Consortium

COPYRIGHT

       2025, Internet Systems Consortium