DNSMasq vs Bind for simple dns url blocking


Taking it for granted that DNS blacklisting is not a way to stop someone from getting to a site if they really want to, but useful for dealing with malicious software and casual attempts to get to a bad website...

Response Policy Zones (RPZ)

RPZ allows you to create a zone file that defines response rewriting rules. These were implemented in version 9.8.1.

Let's say you want to block badrecord.example.com., which has an IP address of . The real IP doesn't matter here, but providing one helps to reinforce what happens.

options {
    # Snip.
    response-policy { zone "mypolicy"; };
};

zone "mypolicy" {
    type master;
    file "mypolicy.zone";
    allow-query { none; };
};

The zone file would look like:

$TTL 1H
@                       SOA LOCALHOST. doesnt.really.matter.example.org. (1 1h 15m 30d 2h)

                        ; NS required for zone syntax reasons, but ignored
                        NS  LOCALHOST.

; Owner names below are relative to the zone origin (no trailing dot).
; With a trailing dot they would be out-of-zone data, which named drops
; at load time instead of applying as policy triggers.

; CNAME bad reply to a DNS record that isn't in this file
badrecord.example.com   CNAME mywalledgarden.example.edu.

; replace bad reply with fixed IP address
badrecord2.example.com  A

; rewrite the top of a bad domain, as well as all records immediately
; beneath the apex. (i.e. not further than one level deep)
example.net             A
*.example.net           A


  • "mypolicy" is an actual DNS zone. You can use zone transfers to distribute it around your environment and control the data from a single server.
  • Users are not allowed to directly query the zone due to the allow-query rule.
  • These rules do not block queries, but any replies to a query that would normally contain the bad data will be rewritten. A side effect of this is that a request for a non-existent record will return NXDOMAIN properly. You will only modify the response if it was possible for a client to obtain a response containing bad data.
  • The usual rules for DNS wildcard matching apply.

These are not the only rewrites that you can perform. For the full syntax and potential applications, I recommend that you consult the BIND ARM.

You may find some guides on the internet that suggest things such as creating a root (.) zone, or creating one zone for every domain you need to block. Don't do that. It's an older, kludgy way of doing things that DNS admins resorted to for lack of better options. If RPZ is an option and it covers your needs, use it. If you are not authoritative for the domain, don't configure yourself to be authoritative for it.
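The question that prompted this answer starts from a dnsmasq blocklist, so the practical migration path is to generate the RPZ zone from that list rather than hand-write a million records. The script below is an added example, not code from the answer above or from the BIND or dnsmasq projects. It assumes a constructed dnsmasq snippet as input, a placeholder zone origin "mypolicy." and SOA contact, and documentation addresses (192.0.2.0/24, 2001:db8::/32) in place of a real walled-garden host. For each address=/domain/ip entry it emits the apex record plus a wildcard, which is how dnsmasq's "this domain and everything below it" behaviour is mirrored in RPZ, and it writes every owner name relative to the zone origin, because an absolute owner (trailing dot) is out-of-zone data that named discards rather than applying as a policy trigger.

```python
"""Generate a BIND RPZ zone from a dnsmasq-style address= blocklist.

Added example, not code from the answer or question on this page.
Assumptions not on the original page: SAMPLE_DNSMASQ is constructed input,
the origin "mypolicy." and the SOA contact are placeholders, and the
192.0.2.0/24 and 2001:db8::/32 documentation ranges stand in for a real
walled-garden address.
"""
import ipaddress
import re
import sys
import time

# Constructed sample input. dnsmasq syntax is address=/domain[/domain...]/[ipaddr];
# "#" is dnsmasq's null address (0.0.0.0 for A, :: for AAAA) and an empty
# address means the domain is only answered locally, i.e. NXDOMAIN.
SAMPLE_DNSMASQ = """\
# lines starting with '#' are comments, non-address= lines are ignored
address=/url.com/192.0.2.1
address=/ads.example.net/tracker.example.org/192.0.2.1
address=/bad6.example.com/2001:db8::1
address=/null.example.com/#
address=/gone.example.com/
server=192.0.2.53
"""

ADDRESS_RE = re.compile(r"^address=/(.+)/([^/]*)$")


def parse_dnsmasq(text):
    """Yield (domain, address) pairs from address= lines, one per domain."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ADDRESS_RE.match(line)
        if not m:
            continue  # server=, local=, etc. are not blocklist entries
        addr = m.group(2)
        for domain in m.group(1).split("/"):
            domain = domain.strip().strip(".").lower()
            if domain:
                yield domain, addr


def rpz_records(domain, addr):
    """Return (owner, type, rdata) triples for one dnsmasq entry.

    dnsmasq's address= covers the domain and everything below it, so both the
    apex and a wildcard are emitted.  Owner names are relative (no trailing
    dot): an absolute owner would be out-of-zone data that named drops.
    """
    if addr == "":
        rdata = [("CNAME", ".")]          # RPZ NXDOMAIN action
    elif addr == "#":
        rdata = [("A", "0.0.0.0"), ("AAAA", "::")]
    else:
        ip = ipaddress.ip_address(addr)   # raises ValueError on junk input
        rdata = [("A" if ip.version == 4 else "AAAA", str(ip))]
    return [(owner, rtype, value)
            for owner in (domain, "*." + domain)
            for rtype, value in rdata]


def build_rpz_zone(dnsmasq_text, serial, origin="mypolicy.",
                   contact="hostmaster.example.org."):
    """Return the complete RPZ zone file text for the given dnsmasq config."""
    if not 0 <= serial < 2**32:
        raise ValueError("SOA serial must fit in 32 bits")
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 1H",
        f"@ SOA LOCALHOST. {contact} ({serial} 1h 15m 30d 2h)",
        "  NS LOCALHOST.   ; required by zone syntax, ignored by RPZ",
    ]
    seen = set()  # repeated blocklist entries must not become duplicate RRs
    for domain, addr in parse_dnsmasq(dnsmasq_text):
        for rr in rpz_records(domain, addr):
            if rr not in seen:
                seen.add(rr)
                lines.append("%-40s %-5s %s" % rr)
    return "\n".join(lines) + "\n"


def policy_triggers(zone_text):
    """Distinct owner names of the policy records in a generated zone."""
    owners = [line.split()[0] for line in zone_text.splitlines()
              if line and not line.startswith(("$", "@", " "))]
    return list(dict.fromkeys(owners))


if __name__ == "__main__":
    # dnsmasq config on stdin (or the sample when run interactively) -> zone text
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DNSMASQ
    sys.stdout.write(build_rpz_zone(src, serial=int(time.time())))
```

Feed the dnsmasq config on stdin and redirect the output to mypolicy.zone, then run named-checkzone mypolicy mypolicy.zone before reloading named. The serial is the epoch time so that every regeneration bumps it and secondaries pick the new list up by zone transfer, which is the distribution mechanism the answer recommends.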



Updated on September 18, 2022


  • 최원석, almost 2 years ago:

    I am building a dns server that will block access to specific websites by returning an incorrect ip address for a domain.

    Currently I use DNSMasq to perform this; however, my list is quite large and I am looking to move to BIND to perform this function. Although DNSMasq handles the large list quite well, it does have a few limitations forcing my choice. In order to do this for an entire domain in DNSMasq I simply add one line in the configuration file like this:


    This will always return for *.url.com

    I am looking for some assistance with the following:

    1. How I can achieve a very basic zone setup for BIND that will accomplish a similar thing?
    2. Keeping in mind my domain list is 1000000+ records
    3. Can I just have a master zone and simply a big domain list that will be included in this zone?

