http:// / djbdns / bind-blocking.html

Blocking domain names with bind

Although I use djbdns on my own DNS servers, many people are still using BIND and may be able to benefit from knowing how to "block" domain names by preventing them from being able to resolve.

This page explains how I'm doing this with djbdns on my live servers now.

The "poison" zone file

The first step is to create a zone file which consists of an SOA record (so the clients will believe that the domain does indeed exist) and NO OTHER RECORDS (so the clients will believe that whatever hostname they are looking for within that domain, doesn't exist.)

At one point I found that for some reason, adding an NS record prevented some error message or another... I haven't used this stuff in quite a while and don't remember all of the specifics, I'm just reading through the files in an old backup image.

@ IN SOA (
           1 10800 3600 86400 21600 )

This file should be created in the same directory as any other "primary" zone files you may have, and should have the same ownership and permissions as your other zone files.

The "named.conf" file

After setting up the "poison" zone file, you need to direct the domains to this file in your named.conf file. You should add lines (or blocks, if you prefer to keep things on multiple lines) to named.conf which look like this:

zone "" in
    type master ;
    file "poison" ;
} ;

zone "" in { type master ; file "poison" ; } ;
zone ""      in { type master ; file "poison" ; } ;
zone "" in { type master ; file "poison" ; } ;

Note that either syntax (entries on one line or on multiple lines) is valid. Back when I ran BIND, I kept my "real" domains in multi-line entries (because I was also specifying access-control lists for zone transfers) and my "poison" domains in single-line entries (to make for easier copy-and-paste in a text editor.)

Once you have changed your named.conf file, you should restart your named process (using something like ndc restart) to make the changes "active". After restarting, WATCH YOUR SYSLOG FILE TO MAKE SURE THIS DIDN'T INTRODUCE ANY ERRORS!