Wildcard DNS with Bind

I recently had occasion to set up a DNS server that would give back a single IP for any and all requests: a sort of DNS blackhole. The Internet was only mildly helpful in pointing out how to do this, so here is the configuration magic that let it happen:

In your /etc/bind/named.conf file, change the root zone to something like:

zone "." {
        type master;                        // serve the root zone ourselves instead of the usual "type hint"
        file "/etc/bind/db.blackhole";
};

The above configuration makes your DNS server act as a master root DNS server. That is, your DNS server is now authoritative for the root zone, so every lookup for every name is answered from the zone file below rather than being forwarded to the real root servers.

Now add the file db.blackhole which looks like:

$TTL    604800
@       IN      SOA     . root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

        IN      NS      .               ; this server is the (only) name server for the root
*.      IN      A       XXX.XXX.XXX.XXX ; absolute wildcard: every name not otherwise in the zone gets this address

Obviously, replace XXX.XXX.XXX.XXX with the appropriate IP. Really, the above is a simple DNS entry, but the tricky part is the last line. Normally a wildcard such as *.example.com only matches names under that one domain, but the trailing period makes this an absolute wildcard owned directly by the root, so it matches the whole of whatever name is queried.
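To see what the absolute wildcard does and, just as important, where it stops, here is an added Python model of the matching rules BIND applies (RFC 1034 section 4.3.3 and RFC 4592). It is example code written for this page, not from the post and not BIND's own code. The zone data is constructed to mirror db.blackhole: 192.0.2.1 is an RFC 5737 documentation address standing in for XXX.XXX.XXX.XXX, and allowed.example is a hypothetical explicit record added to show that an existing name, together with every empty name above it, carves a hole out of the wildcard.

```python
"""Toy model of DNS wildcard matching as BIND applies it (RFC 1034 s4.3.3,
RFC 4592).  Added example for this page; not from the post and not BIND code."""

# Constructed zone data modelled on the post's db.blackhole root zone.
# Owner names are absolute (trailing dot); values are {rrtype: rdata}.
# 192.0.2.x is documentation address space (RFC 5737), standing in for
# the XXX.XXX.XXX.XXX sinkhole address in the post.
BLACKHOLE_ZONE = {
    ".":                {"SOA": ". root.localhost.", "NS": "."},
    "*.":               {"A": "192.0.2.1"},   # the absolute wildcard
    "allowed.example.": {"A": "192.0.2.2"},   # hypothetical explicit exception
}


def normalize(name):
    """Lower-case a name and make it absolute ('google.com' -> 'google.com.')."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def labels(name):
    """'a.b.example.' -> ['a', 'b', 'example']; the root '.' -> []."""
    stripped = name.rstrip(".")
    return stripped.split(".") if stripped else []


def parent(name):
    """'a.b.example.' -> 'b.example.'; a top-level name -> '.'."""
    parts = labels(name)
    return ".".join(parts[1:]) + "." if len(parts) > 1 else "."


def is_ancestor(anc, name):
    """True if anc is a proper ancestor of name (the root encloses everything)."""
    a, n = labels(anc), labels(name)
    return len(a) < len(n) and n[len(n) - len(a):] == a


def name_exists(zone, name):
    """A name exists if it owns records or sits above one that does
    (an 'empty non-terminal').  The root always exists in a root zone."""
    if name == "." or name in zone:
        return True
    return any(is_ancestor(name, owner) for owner in zone)


def lookup(zone, qname, qtype):
    """Return (rdata, how) for a query against the zone.

    how is 'exact', 'wildcard:<owner>', 'NODATA' (name exists but has no
    record of that type) or 'NXDOMAIN' (nothing matched)."""
    qname = normalize(qname)
    # 1. An existing name always wins; a wildcard never overrides it.
    if qname in zone:
        rdata = zone[qname].get(qtype)
        return (rdata, "exact") if rdata is not None else (None, "NODATA")
    if name_exists(zone, qname):
        return None, "NODATA"          # empty non-terminal, e.g. 'example.'
    # 2. Walk up to the closest encloser: the longest existing ancestor.
    encloser = parent(qname)
    while not name_exists(zone, encloser):
        encloser = parent(encloser)
    # 3. Only the wildcard directly below the closest encloser may match.
    source = "*." if encloser == "." else "*." + encloser
    if source in zone:
        rdata = zone[source].get(qtype)
        return (rdata, "wildcard:" + source) if rdata is not None else (None, "NODATA")
    return None, "NXDOMAIN"


def sinkholed(zone, names, sink_ip):
    """Return the names in `names` that an A query would answer with sink_ip."""
    return [n for n in names if lookup(zone, n, "A")[0] == sink_ip]


if __name__ == "__main__":
    for q in ["google.com", "deep.sub.example.org", "allowed.example",
              "www.allowed.example", "other.example", "example"]:
        print(f"{q:22} -> {lookup(BLACKHOLE_ZONE, q, 'A')}")
```

Run it and google.com, or any deeper name, comes back with the sinkhole address via `*.`, while allowed.example gets its own record. The less obvious part is that www.allowed.example and other.example get NXDOMAIN rather than the sinkhole address: their closest existing ancestor (allowed.example, and the now-existing empty name example) has no wildcard of its own, so the root wildcard is never consulted. If you add exceptions to a blackhole zone, check the names around them; against the live server the equivalent check is `dig @127.0.0.1 other.example A +short`.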

To really make this blackhole server interesting, you may want to use something like the following .htaccess in the document root of your Apache install, so that any request for a path that does not exist is served the same page:

RewriteEngine on
# only rewrite when the requested path is neither an existing file ...
RewriteCond %{REQUEST_FILENAME} !-f
# ... nor an existing directory
RewriteCond %{REQUEST_FILENAME} !-d
# everything else is served the same page, whatever host and path were requested
RewriteRule .* /rickroll.html

11 thoughts on “Wildcard DNS with Bind”

  1. Thank you so much for this… have wanted to do this forever! You’re a life saver!

  2. Hey. Thanks very much for this!

    Only problem I'm having is that the URL the user types must be a proper domain (e.g. google.com) and locate to a folder (e.g. google.com/hello).

    Any ideas?

  3. Solution: DNS has nothing to do with paths. You need to set a 404 error document on your web server to redirect to your web server.

  4. Hi, thanks for this great tip, but what if I want to block only a domain name? For example, I want my DNS server not to reply back for *.net, or I would like to create a blackhole for the whole .net domain pointing to my DNS.
