named Daemon

Managing the named daemon. Service lifecycle, rndc control channel, file permissions, and log diagnostics.

Service Management

Check named status — is the daemon running?
systemctl status named
Start named
sudo systemctl start named
Enable named at boot
sudo systemctl enable named
Restart named — full restart, drops cache
sudo systemctl restart named

Restarts clear the cache entirely. Prefer rndc reload for zone changes — it preserves the cache.

Reload via rndc — graceful, no cache loss
sudo rndc reload

Re-reads all zone files and named.conf without dropping existing cache entries. This is the standard way to apply changes.

Configuration File Layout

Main configuration — /etc/named.conf
sudo named-checkconf /etc/named.conf

Always validate before reloading. A syntax error in named.conf prevents named from starting.
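The validate-then-reload habit described above, wrapped in a small shell script so that a broken named.conf or zone file can never take the resolver down. This is an added example, not part of the original page or of BIND itself; it assumes named-checkconf and rndc are on PATH, that it runs as root (or under sudo), and that the configuration lives at the page's default path.

```shell
#!/bin/sh
# Added example, not from the original page: validate the configuration and
# every zone it references before asking named to reload, so a bad edit is
# caught without touching the running daemon or its cache.
# Assumptions: named-checkconf and rndc are on PATH, the script runs as root
# (or under sudo), and the default path matches the layout on this page.
NAMED_CONF="${NAMED_CONF:-/etc/named.conf}"

# check_config CONF
# named-checkconf -z parses CONF (following its include files) and also
# loads each zone file it names, so zone syntax errors surface here too.
# Diagnostics go to stderr; the exit status is named-checkconf's own.
check_config() {
    named-checkconf -z "$1" >&2
}

# safe_reload CONF
# Reloads only when the check passes. On failure it reports and returns 1,
# leaving named running with its old configuration and its cache intact.
safe_reload() {
    if ! check_config "$1"; then
        echo "safe_reload: $1 failed validation; named NOT reloaded" >&2
        return 1
    fi
    # rndc reload re-reads named.conf and zone files without dropping cache.
    rndc reload
}

# Usage (as root):  safe_reload "$NAMED_CONF"
```

Because rndc reload applies whatever is on disk, running the check first is what turns "reload preserves the cache" into a safe default; a failed check costs nothing, while a reload of a broken file leaves named logging errors until someone notices.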

Include files — split config into manageable pieces
include "/etc/named/zones.conf";
include "/etc/named/acls.conf";
include "/etc/named/logging.conf";

Keeps the main named.conf clean. Each include file can be validated independently.

VyOS BIND configuration path
# VyOS stores BIND config at:
/etc/bind/named.conf         # Debian-based path
/config/user-data/named/     # VyOS persistent custom configs

VyOS uses Debian’s BIND package. Custom zone files go in persistent storage so they survive image upgrades.

named Process

Check which user named runs as
ps aux | awk '/[n]amed/{print $1}'

Named typically runs as the named or bind user. Zone files and log directories must be owned by this user.

Check listening ports — confirm named binds correctly
ss -tulnp | awk '/:53 /'

Verify named listens on the expected IPs and port. If it shows 0.0.0.0:53, it’s listening on all interfaces — tighten with listen-on.

Check named version — confirm BIND release
named -v
Full version with build options
named -V

Shows compile-time options including DNSSEC support, libxml2 stats, and GeoIP.

rndc Configuration

rndc key setup — secure rndc-to-named communication
sudo rndc-confgen -a

Generates /etc/rndc.key with a shared HMAC-MD5 key. Both named.conf and rndc.conf reference this key for authenticated control channel access.

rndc status — server health at a glance
sudo rndc status

Shows BIND version, uptime, number of zones, recursion status, and worker thread count.

rndc statistics — detailed query counters
sudo rndc stats
tail -50 /var/named/data/named_stats.txt

Dumps cumulative statistics to a file. Includes query counts by type, response codes, and cache hit rates.

rndc trace — increase debug logging temporarily
sudo rndc trace 3
# ... reproduce the issue ...
sudo rndc notrace

Debug levels run from 1 to 3; level 3 is extremely verbose. Always run rndc notrace after debugging, since debug logging at high levels impacts performance.

File Permissions

Verify zone file ownership — named must be able to read them
ls -la /var/named/*.zone

Zone files should be owned by root:named with mode 640 (or named:named with 644). Slave zone files need write permission for the named user.

Fix permissions on slave zone directory
sudo chown named:named /var/named/slaves/
sudo chmod 770 /var/named/slaves/

Slaves write zone files received via AXFR. The directory must be writable by the named process.
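An ownership and mode audit that encodes the policy stated in this section (root:named 640 or named:named 644 for master zones, slave zone files and the slave directory writable by named only) and also checks /etc/rndc.key under the master rule. This is an added example, not part of the original page or of BIND; the "named" account, the /var/named layout and GNU stat are assumptions, and Debian-based systems (including VyOS) use "bind" and /etc/bind instead.

```shell
#!/bin/sh
# Added example, not from the original page: audit ownership and mode of
# named's files against the policy given above. The "named" account, the
# /var/named layout and GNU stat are assumptions; Debian-based systems use
# "bind" and /etc/bind instead.
NAMED_USER="${NAMED_USER:-named}"

# perm_ok OWNER GROUP MODE KIND
# KIND: master (read-only zone file), slave (named must write it),
#       dir (directory slaves are written into), or key (rndc.key,
#       same root:named 640 rule as master).
# Returns 0 when OWNER:GROUP MODE satisfies the policy for KIND, else 1.
perm_ok() {
    owner=$1 group=$2 mode=$3 kind=$4
    case "$kind" in
        master|key)
            { [ "$owner" = root ] && [ "$group" = "$NAMED_USER" ] && [ "$mode" = 640 ]; } ||
            { [ "$owner" = "$NAMED_USER" ] && [ "$group" = "$NAMED_USER" ] && [ "$mode" = 644 ]; }
            ;;
        slave)
            # owner named with rw; group and other at most read
            [ "$owner" = "$NAMED_USER" ] && case "$mode" in 6[04][04]) true;; *) false;; esac
            ;;
        dir)
            # owner named with rwx; group at most rx; no world access
            [ "$owner" = "$NAMED_USER" ] && case "$mode" in 7[057]0) true;; *) false;; esac
            ;;
        *)
            echo "perm_ok: unknown kind $kind" >&2
            false
            ;;
    esac
}

# audit_path PATH KIND
# Reads owner, group and octal mode with GNU stat, applies perm_ok, and
# prints an OK/FAIL line. Returns 1 on FAIL so callers can count problems.
audit_path() {
    facts=$(stat -c '%U %G %a' "$1") || return 1
    # facts is "owner group mode"; word-split it into $3 $4 $5
    set -- "$1" "$2" $facts
    if perm_ok "$3" "$4" "$5" "$2"; then
        printf 'OK   %-40s %s:%s %s\n' "$1" "$3" "$4" "$5"
    else
        printf 'FAIL %-40s %s:%s %s (expected %s policy)\n' "$1" "$3" "$4" "$5" "$2"
        return 1
    fi
}

# audit_named_files
# Walks the layout used on this page, prints one line per file and returns
# the number of failures (0 means everything matches the policy).
audit_named_files() {
    fails=0
    for f in /var/named/*.zone; do
        [ -e "$f" ] && { audit_path "$f" master || fails=$((fails + 1)); }
    done
    audit_path /var/named/slaves dir || fails=$((fails + 1))
    for f in /var/named/slaves/*; do
        [ -f "$f" ] && { audit_path "$f" slave || fails=$((fails + 1)); }
    done
    audit_path /etc/rndc.key key || fails=$((fails + 1))
    return "$fails"
}

# Usage (as root):  audit_named_files; echo "failures: $?"
```

The policy is deliberately narrow: a world-writable slave directory (777) or a 666 zone file fails even though named could still read and write it, because anything beyond what the daemon needs is exactly what an attacker with an unprivileged local account would use to tamper with zone data.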

Logging Diagnostics

Check named logs for errors — find startup or zone problems
sudo journalctl -u named --since "1 hour ago" --no-pager | tail -30
Dedicated named log file — if configured
tail -50 /var/log/named/default.log
Filter for zone load errors
sudo journalctl -u named | awk '/zone.*error|refused|denied/'

Zone load errors appear at startup and after rndc reload. Common causes: syntax errors, missing files, permission denied.
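The three common causes listed above can be attributed per zone automatically rather than by reading the journal by eye. The script below is an added example, not part of the original page or of BIND; the log excerpt in sample_log is constructed to mirror BIND's usual wording (journal prefix, "zone NAME/IN:" messages) and was not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original page: attribute each zone that failed
# to load to one of the three common causes listed above (syntax error,
# missing file, permission denied) by reading named's log messages.
# The log excerpt in sample_log is constructed to mirror BIND's usual
# wording; it was not captured from a real server.

# sample_log: constructed journal lines, one healthy zone and three failures.
sample_log() {
    cat <<'EOF'
Jan 12 10:00:01 ns1 named[1234]: zone example.org/IN: loaded serial 2024011201
Jan 12 10:00:01 ns1 named[1234]: zone example.com/IN: loading from master file /var/named/example.com.zone failed: file not found
Jan 12 10:00:01 ns1 named[1234]: zone example.com/IN: not loaded due to errors.
Jan 12 10:00:01 ns1 named[1234]: zone example.net/IN: loading from master file /var/named/example.net.zone failed: permission denied
Jan 12 10:00:01 ns1 named[1234]: zone example.net/IN: not loaded due to errors.
Jan 12 10:00:01 ns1 named[1234]: /var/named/internal.example.zone:12: syntax error
Jan 12 10:00:01 ns1 named[1234]: zone internal.example/IN: loading from master file /var/named/internal.example.zone failed: syntax error
Jan 12 10:00:01 ns1 named[1234]: zone internal.example/IN: not loaded due to errors.
EOF
}

# classify_zone_errors
# Reads log lines on stdin (journalctl -u named, or the dedicated log file)
# and prints "CAUSE zone" for every zone that failed to load, followed by
# "count CAUSE n" totals. Zones that loaded cleanly produce no output.
classify_zone_errors() {
    awk '
        # Pull the zone name out of ": zone example.com/IN: ..." messages;
        # returns "" for lines that are not about a specific zone.
        function zone_of(line,    m) {
            if (match(line, /: zone [^ ]+\//)) {
                m = substr(line, RSTART + 7, RLENGTH - 8)
                return m
            }
            return ""
        }
        { l = tolower($0); z = zone_of($0) }
        z == "" { next }
        l ~ /permission denied/ { cause[z] = "PERMISSION"; next }
        l ~ /file not found|no such file/ { cause[z] = "MISSING"; next }
        l ~ /syntax error|unexpected end of|no ttl specified/ { cause[z] = "SYNTAX"; next }
        # "not loaded due to errors" follows the real cause; only record it
        # when nothing more specific was seen for this zone.
        l ~ /not loaded due to errors/ && !(z in cause) { cause[z] = "UNKNOWN" }
        END {
            for (z in cause) { print cause[z] " " z; n[cause[z]]++ }
            for (c in n) print "count " c " " n[c]
        }
    '
}

# Demonstration on the constructed excerpt. On a real host pipe in the
# journal instead:
#   journalctl -u named --since "1 hour ago" --no-pager | classify_zone_errors
sample_log | classify_zone_errors
```

The generic "not loaded due to errors." line is kept as a fallback only, so a zone is reported once with its real cause; an UNKNOWN entry in the output means the cause line was outside the window you fed in and the journal range should be widened.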

See Also

  • BIND — named.conf configuration

  • Troubleshooting — systematic DNS debugging

  • systemd — service management fundamentals