---
title: "How to bind to port 53 when using 'named -u bind' with FreeBSD"
slug: "aa-00621"
description: "Instructions on how to allow named to bind to port 53"
updated: 2022-03-22T12:48:14Z
published: 2022-03-22T12:48:14Z
canonical: "kb.isc.org/aa-00621"
---


# How to bind to port 53 when using 'named -u bind' with FreeBSD

Normally, binding to a reserved port on FreeBSD requires the process to be running as root. For most uses this is not a problem, as **named** binds to port 53 before changing user id; however, if you are running in an environment where interface addresses change, this can be an issue, because **named** must then bind to port 53 on the new addresses after it has already given up root privileges. FreeBSD has a kernel module, *mac-portacl*, that will allow a non-privileged user to bind to specified ports.

Assuming that the user ***bind*** has user id *53*, adding the following configuration elements and rebooting will allow **named**, running as bind, to bind to the reserved port 53.

```
# /boot/loader.conf
mac_portacl_load="YES"

# /etc/sysctl.conf
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0
security.mac.portacl.port_high=1023
security.mac.portacl.suser_exempt=1
security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53
```

**Note - apply carefully:** Getting this wrong may lock you out of the system if you are accessing it across the network!

When using DNS over TLS, add port number 853 to the rules. When using DNS over HTTPS, add port number 443 to the rules. Below are the configuration rules when using all three ports:

```
security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53,uid:53:tcp:853,uid:53:tcp:443
```
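A pre-reboot lint for these settings, as an added example that is not ISC or FreeBSD code: `check_portacl` is a hypothetical helper that reads a sysctl.conf-style file and confirms that a given uid is allowed to bind each port **named** needs. It assumes POSIX `awk` and `mktemp`, and relies on the mac_portacl(4) semantics that `suser_exempt=1` exempts root from the rule list and that nothing above `port_high` is enforced.

```shell
#!/bin/sh
# check_portacl FILE UID PROTO:PORT...  (hypothetical helper, not an ISC or FreeBSD tool)
# Lints a sysctl.conf-style file; returns 0 only if UID may bind every PROTO:PORT.
check_portacl() {
    conf=$1 uid=$2; shift 2
    awk -v uid="$uid" -v need="$*" '
        function bad(msg) { print "FAIL: " msg; rc = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        { sub(/[ \t]+$/, ""); i = index($0, "=")
          if (i) v[substr($0, 1, i - 1)] = substr($0, i + 1) }
        END {
            # The traditional root-only range must be disabled, as in the article.
            if (v["net.inet.ip.portrange.reservedlow"] != "0") bad("reservedlow is not 0")
            if (v["net.inet.ip.portrange.reservedhigh"] != "0") bad("reservedhigh is not 0")
            # With suser_exempt off, root-run daemons also need explicit rules.
            if (v["security.mac.portacl.suser_exempt"] != "1") bad("suser_exempt is not 1")
            high = v["security.mac.portacl.port_high"] + 0
            n = split(v["security.mac.portacl.rules"], r, ",")
            for (k = 1; k <= n; k++) {
                if (r[k] !~ /^(uid|gid):[0-9]+:(tcp|udp):[0-9]+$/) {
                    bad("malformed rule: " r[k]); continue
                }
                split(r[k], f, ":")
                if (f[4] + 0 < 1 || f[4] + 0 > 65535) bad("port out of range: " r[k])
                if (f[1] == "uid" && f[2] == uid) have[f[3] ":" f[4]] = 1
            }
            m = split(need, w, " ")
            for (k = 1; k <= m; k++) {
                if (!(w[k] in have)) bad("no rule lets uid " uid " bind " w[k])
                split(w[k], p, ":")
                # Above port_high nothing is enforced, so any local user could bind it.
                if (p[2] + 0 > high) bad(w[k] " is above port_high=" high)
            }
            exit rc + 0
        }' "$conf"
}

# Constructed sample: the three-port setup from the article with tcp:853 left out.
sample=$(mktemp)
printf '%s\n' \
    'net.inet.ip.portrange.reservedlow=0' \
    'net.inet.ip.portrange.reservedhigh=0' \
    'security.mac.portacl.port_high=1023' \
    'security.mac.portacl.suser_exempt=1' \
    'security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53,uid:53:tcp:443' > "$sample"
check_portacl "$sample" 53 tcp:53 udp:53 tcp:853 tcp:443 || echo "fix before rebooting"
```

Run it against the real `/etc/sysctl.conf` with the uid of the ***bind*** user and the list of ports your configuration listens on.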

More information about mac-portacl can be found here: [https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac-policies.html](https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac-policies.html)
