Disallow queries for certain zones

Kevin Darcy kcd at daimlerchrysler.com
Thu Oct 12 16:05:48 UTC 2006

J wrote:
> Greetings.  Is there a way I can disallow queries for a certain zone or
> set of zones?  I have 2 uses for this ability.  I'd like to not allow
> queries from my internal users to certain zones.  
Just set up a dummy version of the zone on your forwarding/resolving 
nameserver instance(s)/view(s).
> I also have an
> external domain.tld that chose to point their NS record at my server.
> I am being bombarded for queries.  I'd like to configure Bind to not
> give out any answer to those queries.  As an alternative I could
> configure a copy of the zone to hand out bogus info that will
> eventually get the domain owner's attention.  How do I configure Bind to
> return a NXDOMAIN to all queries for records in that zone?
Basically the same answer: create a dummy domain.tld zone, in this case 
in your hosting instance(s)/view(s). If you don't have any A records in 
the zone, all A-record queries will get NXDOMAIN or NODATA responses. If 
you don't have any records in the zone other than at the apex, then all 
non-apex queries of all types will get NXDOMAIN. If you want to have 
more fun than that, technically, you could put whatever you want in that 
zone, e.g. point www.domain.tld at a porn site, a hate group site, a 
competitor site to the jerks who pointed their NS records at your 
nameservers, etc. Whether any of this is legal or ethical, I'm not 
qualified to answer. If you wanted to be nice about it, you could point 
www.domain.tld to one of your own webservers (or a vserver within one of 
your webservers), with a nice little static web page explaining that 
someone's DNS is misconfigured, and perhaps the end-user should contact 
the appropriate party and get them to fix it.

                  - Kevin
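As an added example (not part of Kevin's reply), a small POSIX shell script that generates the "dummy zone" he describes: a zone file holding nothing but the apex SOA and NS, plus the matching named.conf stanza for the hosting view, and a check that no other records have crept in. The zone name, nameserver hostnames and output directory are placeholders.

```shell
#!/bin/sh
# Added example: build a dummy authoritative zone so BIND answers NXDOMAIN for
# every name below the apex (and NODATA for apex A queries), as described above.
# Assumptions: ns1.example.net / hostmaster.example.net are placeholders; pick a
# directory your named process can read and include the stanza in its view.

# make_dummy_zone ZONE OUTDIR -> writes OUTDIR/db.ZONE and OUTDIR/named.ZONE.conf
make_dummy_zone() {
    zone="$1"; outdir="$2"
    mkdir -p "$outdir"
    # Apex-only records: SOA and NS are mandatory; nothing else is defined,
    # so no query for www.ZONE, mail.ZONE, etc. can ever return an answer.
    cat > "$outdir/db.$zone" <<EOF
\$TTL 3600
@   IN SOA ns1.example.net. hostmaster.example.net. (
        2006101201 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        300 )      ; negative-caching TTL: how long resolvers cache NXDOMAIN
@   IN NS  ns1.example.net.
EOF
    # Stanza for the authoritative (hosting) instance or view.
    cat > "$outdir/named.$zone.conf" <<EOF
zone "$zone" {
    type master;
    file "$outdir/db.$zone";
};
EOF
}

# validate_dummy_zone ZONEFILE -> exit 0 if only apex SOA/NS records exist,
# exit 1 if any other owner name or record type would leak an answer.
validate_dummy_zone() {
    zonefile="$1"
    # Drop comments, blank lines, $-directives and SOA continuation lines
    # (which start with whitespace); what remains must be "@ IN SOA|NS ...".
    grep -v '^[[:space:]]*;' "$zonefile" | grep -v '^[[:space:]]*$' \
      | grep -v '^\$' | grep -v '^[[:space:]]' \
      | awk '$1 != "@" || ($3 != "SOA" && $3 != "NS") { bad=1 } END { exit bad+0 }'
}

# check_with_named ZONE ZONEFILE -> run BIND's own syntax check when installed.
check_with_named() {
    command -v named-checkzone >/dev/null 2>&1 \
      || { echo "named-checkzone not installed; skipping" >&2; return 0; }
    named-checkzone "$1" "$2"
}
```

Point a resolver at the server afterwards and confirm that a lookup for any non-apex name in the zone comes back NXDOMAIN before relying on it.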
