diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix
index d1621c0c74ef..13ebf954f329 100644
--- a/modules/misc/ids.nix
+++ b/modules/misc/ids.nix
@@ -71,6 +71,7 @@ in
 mpd = 50;
 clamav = 51;
 fprot = 52;
+ bind = 53;
 
 # When adding a uid, make sure it doesn't match an existing gid.
 
diff --git a/modules/services/networking/bind.nix b/modules/services/networking/bind.nix
index 1e04b354939b..a5e4c9d1d027 100644
--- a/modules/services/networking/bind.nix
+++ b/modules/services/networking/bind.nix
@@ -6,6 +6,8 @@ let
 
 cfg = config.services.bind;
 
+ bindUser = "named";
+
 confFile = pkgs.writeText "named.conf" ''
 acl cachenetworks { ${concatMapStrings (entry: " ${entry}; ") cfg.cacheNetworks} };
 
@@ -118,6 +120,12 @@ in
 
 config = mkIf config.services.bind.enable {
 
+ users.extraUsers = singleton
+ { name = bindUser;
+ uid = config.ids.uids.bind;
+ description = "BIND daemon user";
+ };
+
 jobs.bind =
 { description = "BIND name server job";
 
@@ -126,9 +134,10 @@ in
 preStart =
 ''
 ${pkgs.coreutils}/bin/mkdir -p /var/run/named
+ chown ${bindUser} /var/run/named
 '';
 
- exec = "${pkgs.bind}/sbin/named ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f";
+ exec = "${pkgs.bind}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f";
 };
 };
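Review bot: The new `users.extraUsers` entry in the `@@ -118,6 +120,12 @@` hunk gives the `named` user a fixed uid but no `group`, so the daemon's primary group is whatever `users.extraUsers` defaults to rather than a dedicated one, and the ids.nix hunk adds only `bind = 53;` on the uid side. A dedicated group (with a matching gid reserved next to the uid in ids.nix, per the comment in that file about uid/gid collisions) would keep the ownership of /var/run/named and of the configuration files independent of that default; I am inferring the default-group behaviour from the module system, so please confirm it for this revision. A one-line comment on the entry, `# runs named unprivileged; see -u in jobs.bind.exec`, would also tie the two hunks together for the next reader.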
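Review bot: The added `chown ${bindUser} /var/run/named` line in preStart relies on `chown` being found on the job's PATH, while the `mkdir` on the line above it is invoked explicitly as `${pkgs.coreutils}/bin/mkdir`; use `${pkgs.coreutils}/bin/chown ${bindUser} /var/run/named` so the privilege drop does not silently fail when the job environment has no PATH. Once named runs as `-u ${bindUser}`, `${cfg.configFile}` and any zone or key files it references must be readable by that user; the generated `confFile` lives in the store and should be, but a user-supplied `configFile` is not covered by this change, so a note on the option or in the job documenting that requirement would help. The enclosing `jobs.bind` attribute set starts in the previous hunk, outside this one.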