How to block part of a zone

Kevin Darcy kcd at
Tue Sep 16 16:30:04 UTC 2014

You have multiple choices here.

Loopback is sometimes a bad choice, since the client may try to connect 
to itself, and in pathological cases this could cause an infinite loop.

You could consider an A record with RDATA, the "null" or 
"unspecified" address. It is not legal for that ever to be a destination 
address for a connection attempt, so it's marginally safer than

For that matter, you don't need to define *any* A (or AAAA) record in 
the zone at all. Then any resolution attempts will get a so-called 
"NODATA" response (NOERROR, but 0 answers), which the vast majority of 
stub resolvers won't be able to distinguish from NXDOMAIN.

                                                         - Kevin

On 9/16/2014 12:20 PM, King, Harold Clyde (Hal) wrote:
> I need to block a host in an exterior domain.
> Resolve all traffic for from example.com's dns servers, but
> stop
> I guess I could become authoritative for and point the
> host to
> Does that sound like bad things would happen?
> zone "badhost.example.com" {
> 	type master;
> 	file "/etc/named/";
> }
> IN SOA localhost (
> 		Admin.localhost
> 		2014091601
> 		3600
> 		900
> 		860000
> 		3600 )
> 	NS localhost.
> 	A
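The "no A record at all" option Kevin describes, as an added example that is not code from the original thread: a minimal authoritative zone carrying only SOA and NS, so a lookup of the name gets NODATA. The /tmp path is an assumption; the SOA timer values are reused from Hal's quoted config.

```shell
#!/bin/sh
# Added example, not code from the original thread: build the "empty zone"
# Kevin describes, so lookups of badhost.example.com get NODATA (NOERROR,
# zero answers) instead of being pointed at any address.
# The /tmp path is an assumption for illustration.
set -eu

ZONE="badhost.example.com"
ZONEFILE="/tmp/db.${ZONE}"   # assumed; a real install uses /etc/named/...

# Write a zone holding only the SOA and NS records the protocol requires.
# There is deliberately no A or AAAA record at the apex.
write_empty_zone() {
    cat > "$ZONEFILE" <<EOF
\$TTL 3600
@   IN SOA localhost. admin.localhost. (
        2014091601 ; serial
        3600       ; refresh
        900        ; retry
        860000     ; expire
        3600 )     ; negative-cache TTL
    IN NS  localhost.
EOF
}

# named.conf fragment that makes this server authoritative for the name.
print_named_conf() {
    cat <<EOF
zone "$ZONE" {
    type master;
    file "$ZONEFILE";
};
EOF
}

# Expected result once named has loaded the zone: "status: NOERROR" and
# "ANSWER: 0" (NODATA). Run this against the server after a reload.
verify_nodata() {
    dig @"${1:-127.0.0.1}" "$ZONE" A +noall +comments | grep -E 'status:|ANSWER:'
}

write_empty_zone
print_named_conf
# Syntax-check the zone when BIND's tools are installed.
if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone "$ZONE" "$ZONEFILE"
fi
```

Call `verify_nodata` with the server address after named has reloaded; a stub resolver that only looks at the answer count will treat the result the same way it treats NXDOMAIN.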
