BIND lets you declare a list of names that the resolver answers itself from a local "sinkhole" zone, so clients that use the server can no longer resolve those names to an attacker's address. This blocks domains commonly used in attacks and reduces exposure to DNS hijacking and spoofing campaigns that depend on them. Note the scope: it does not stop anyone from registering a domain, and it only protects clients that actually send their queries to this resolver.
How DNS manipulation works
Attackers manipulate DNS to redirect traffic without touching the target site itself. Having gained control of a resolver the victim uses (a home router, a compromised server, a rogue hotspot), they serve forged records for legitimate domains and send victims to pages that mimic the original websites.
What attackers need
- A DNS zone for the target domain, served by a resolver the victim uses, so the legitimate name can be impersonated.
- An IP address under the attacker's control, to which the traffic is redirected.
- Zone creation, done by hand in .db files or through a control panel.
- Record tampering: the A records for the legitimate name are pointed at the malicious IP.
- Victim redirection: the user lands on the fake site believing it is the legitimate one.
Practical example
If the victim's resolver is 192.168.0.1 (typically the home router) and an attacker loads a forged coca-cola.com.br zone on it, every client of that resolver is sent to a clone site. Compromising the DNS settings of a modem or Wi-Fi router therefore scales the attack to the whole network behind it.
Impact of DNS manipulation
- Phishing: credential and banking data theft.
- Data collection: cookies, history, and system fingerprinting.
- Malware delivery: malicious payloads served through fake pages.
Protection with BIND block lists
An effective defense on the resolver is to declare the malicious domains as local authoritative zones that answer with a sinkhole address (127.0.0.1 here), so clients never receive the attacker's records for those names. Newer BIND 9 releases offer the same effect through Response Policy Zones (RPZ) with a single policy zone; the manual method below works on any BIND 9 and is easy to audit.
Step-by-step configuration
Change to the BIND configuration directory:
cd /etc/bind
Create a directory for the zone file:
mkdir zones
Create zones/blockeddomains.db with the following content. One file serves every blocked domain, because every record in it uses the zone apex (@) or a wildcard:
;
; File used to block domains in Bind9 (shared by every blocked zone)
$TTL 3600
@ IN SOA ns01.HOSTNAME.local. root.HOSTNAME.local. (
2014052101 ; Serial
7200 ; Refresh
120 ; Retry
2419200 ; Expire
3600) ; Negative-cache TTL (minimum)
;
; named refuses to load an authoritative zone without an NS record at the apex
@ IN NS ns01.HOSTNAME.local.
;
; The apex and the wildcard answer 127.0.0.1 for the domain and any subdomain;
; the named hosts below are already covered by the wildcard but make the intent explicit
@ IN A 127.0.0.1
* IN A 127.0.0.1
mail IN A 127.0.0.1
ftp IN A 127.0.0.1
webmail IN A 127.0.0.1
panel IN A 127.0.0.1
www IN A 127.0.0.1
Replace HOSTNAME so that ns01.HOSTNAME.local. is the real name of your server (e.g., ns01.lab.local.); the SOA and NS names should resolve to something you control.
Set ownership and permissions. A zone file is data, not a program, so it needs read permission only; the execute bit from the original instructions serves no purpose:
chmod 644 blockeddomains.db
chown root:bind blockeddomains.db
Block file configuration
In /etc/bind, create blocked_domain_acl.conf with one zone statement per domain to block. All of them can reference the same zone file:
zone "domain.com.br" { type master; file "/etc/bind/zones/blockeddomains.db"; };
Include the file from named.conf (or named.conf.local on Debian-based systems):
include "/etc/bind/blocked_domain_acl.conf";
Restart BIND. A reload with rndc (rndc reconfig picks up the new zones) keeps the resolver cache, but a restart also works:
service bind9 restart
Zone testing
Query the server directly with dig for one of the blocked names:
dig +short @SERVER_IP domain.com.br
The answer must be the sinkhole address, 127.0.0.1, not "no answer": the zone file above answers every name in the blocked domain with that address. Repeat the query for a subdomain such as www.domain.com.br to confirm the wildcard, and query a legitimate domain to confirm that normal resolution still returns its real addresses. If the blocked name still resolves to an external IP, check the named log for a zone that failed to load (a missing NS record is the usual cause).
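The whole procedure above as one script, added here as an example and not code from the original post. It assumes the Debian layout used above (/etc/bind, the bind group, rndc configured); the domain list file, the ns01.example.local. server name and the blocked.invalid name passed to named-checkzone are placeholders. Beyond the manual steps it adds the apex NS record that named requires, rejects list entries that could inject into named.conf, validates with named-checkzone and named-checkconf when they are installed, and reloads with rndc instead of restarting.

```shell
#!/bin/sh
# Added example (not part of the original post): build the sinkhole zone and
# the per-domain include file from a plain list of domains, validate both,
# and reload BIND. Assumes a Debian-style layout; override via environment.
set -eu

BIND_DIR="${BIND_DIR:-/etc/bind}"
SINKHOLE_IP="${SINKHOLE_IP:-127.0.0.1}"
NS_NAME="${NS_NAME:-ns01.example.local.}"   # placeholder; use your server's FQDN

# Write the zone file shared by every blocked domain. Unlike the hand-written
# version it carries an NS record, which named requires at the apex.
write_sinkhole_zone() {
  out="$1"
  serial=$(date +%Y%m%d01)
  cat > "$out" <<EOF
; Sinkhole zone shared by every blocked domain (generated)
\$TTL 3600
@ IN SOA ${NS_NAME} root.${NS_NAME#*.} (
    ${serial} ; Serial
    7200 ; Refresh
    120 ; Retry
    2419200 ; Expire
    3600 ) ; Negative-cache TTL
@ IN NS ${NS_NAME}
@ IN A ${SINKHOLE_IP}
* IN A ${SINKHOLE_IP}
EOF
}

# Emit one zone statement per domain. Blank lines and '#' comments are
# skipped, and anything that is not a plain hostname is rejected: a stray
# ';' or '"' in the list would otherwise be injected straight into named.conf.
write_zone_includes() {
  list="$1"; zone_file="$2"; out="$3"
  : > "$out"
  while IFS= read -r domain || [ -n "$domain" ]; do
    domain=$(printf '%s' "$domain" | sed 's/#.*//; s/[[:space:]]//g; s/\.$//')
    [ -z "$domain" ] && continue
    case "$domain" in
      *[!A-Za-z0-9.-]*|.*|*..*)
        echo "skipping invalid name: $domain" >&2; continue ;;
    esac
    printf 'zone "%s" { type master; file "%s"; };\n' "$domain" "$zone_file" >> "$out"
  done < "$list"
}

# Validate with the BIND tools when they are installed, fix ownership and
# mode (a zone file is data: 644, not +x), then load the new zones without
# a restart.
install_blocklist() {
  list="$1"
  zone_file="$BIND_DIR/zones/blockeddomains.db"
  include_file="$BIND_DIR/blocked_domain_acl.conf"
  mkdir -p "$BIND_DIR/zones"
  write_sinkhole_zone "$zone_file"
  write_zone_includes "$list" "$zone_file" "$include_file"
  chmod 644 "$zone_file" "$include_file"
  [ "$(id -u)" -eq 0 ] && chown root:bind "$zone_file" "$include_file"
  if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone blocked.invalid "$zone_file"   # any name works: the file uses @
    named-checkconf "$BIND_DIR/named.conf"         # named.conf must already include the file
  fi
  if command -v rndc >/dev/null 2>&1; then rndc reconfig; fi
}

# Usage: blocklist.sh /etc/bind/blocked_domains.txt   (one domain per line)
if [ $# -ge 1 ]; then install_blocklist "$1"; fi
```

Keep the domain list under version control and regenerate the include file from it rather than editing blocked_domain_acl.conf by hand; the validation step in write_zone_includes is what keeps an untrusted feed of domains from becoming arbitrary named.conf directives.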
This post is licensed under CC BY-NC.