Howto Abuse DNS to Blacklist/Block Sites

This is yet another utility for converting one or more hosts files, which list nasty, nefarious, advertising/tracking or otherwise unwanted sites and domains to be blacklisted, into a zones list suitable for inclusion in a bind9 config file. (Note: “bind9” is called “named” on some Linux distributions.)

Greater detail and alternate methods are left to another Howto page… 🙂

Two example hosts files sources are:

Collect whichever blacklists you wish, for example in files hosts01 hosts02 etc…

Then use on a commandline:
cat hosts?? | ./hosts2nullzone >blacklist_zones.conf
The “./” (and a “chmod +x hosts2nullzone”) will be needed if running it from your current directory.

Check the resulting file, move it to your bind9 conf directory, and add an ‘include’ immediately before your zones lines, for example:
include "/etc/bind/blacklist_zones.conf";

You need to have a dummy zone file “null.db” that returns the IP address or whatever to neuter that DNS lookup. Fastest is if your firewall issues a REJECT for that address. Or you can run a lightweight web server that returns whatever result you prefer, so that your web browser isn’t waiting on a timeout for an otherwise dropped request.

If you are running your own LAN for a number of machines, then a good solution is to instead use a network address that either returns an immediate REJECT, or serves whatever desired dummy response.

“hosts2nullzone” is a bash script (released under the GPL) that has been knocked up to allow the combining of multiple lists. (In hindsight for this task, bash proved to be rather turgid, and the utilities “sort” and “uniq” were rather quirky, for what I thought was going to be easy streamlined piped code. I’m sure other languages can give much neater and more understandable code for the task!)

One known problem: Multibyte character codes in the input may not be successfully handled. (If using the example source links above, note the accented “e” in “Jose” in the credits comments!)

Comments and improvements welcomed,



hosts2nullzone features summary

  • Input is one or more hosts files, output is a bind9 zones list pointing to a null.db zone file
  • Anything with a local address 127.0.0. is assumed to be a blacklisted site or domain. That is, all “127.0.0.” entries are zoned to a null “null.db” zone file to return a dummy dns value. (“localhost” lines are ignored.)
  • Everything else is assumed to be a comment and is listed out as a comments header
  • Leading “ww*” addresses are stripped to blacklist that entire domain, unless listed in the “ex( )” exclusion list in the bash script
  • The hosts txt is input on std input
  • A bind9 zones file is output on std output
  • Update the “ex( )” array at the start of the script to NOT have certain domains and/or subdomains blacklisted
  • Example usage: “cat /etc/hosts | hosts2nullzone >blacklist_zones.conf”
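
The conversion summarised in the list above, sketched in Python as an added example (this is not the hosts2nullzone script itself). The exclusion entries, the null.db path, the exact zone statement and the rule that an excluded parent domain stops the “ww*” stripping are assumptions; SAMPLE is constructed input.

```python
import re
import sys

# Assumptions (not from the original script): exclusion entries, null.db path
# and the exact zone statement are illustrative choices.
EXCLUDE = {"example.org"}            # constructed: never widen to this domain
NULL_ZONE_FILE = "/etc/bind/null.db"
LOCAL = {"localhost", "localhost.localdomain"}
LABEL = r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})+")  # letters, digits, '-', '_'

def hosts_to_zones(lines, exclude=EXCLUDE, zone_file=NULL_ZONE_FILE):
    """Return bind9 config text: comment header, then one null zone per domain."""
    comments, domains = [], set()
    for raw in lines:
        line = raw.strip()
        fields = line.split("#", 1)[0].split()
        if not (len(fields) >= 2 and fields[0].startswith("127.0.0.")):
            if line:  # everything that is not a 127.0.0.x entry becomes a comment
                comments.append("// " + line.lstrip("#").strip())
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            # Downloaded lists are untrusted input: drop anything that is not a
            # plain hostname so quotes or ';' never reach the bind9 config.
            if (name in LOCAL or name in exclude or len(name) > 253
                    or not HOSTNAME.fullmatch(name)):
                continue
            parent = re.sub(r"^ww[^.]*\.", "", name)
            # Widen "www.site.tld" to "site.tld" unless the parent is excluded
            # or stripping would leave a bare TLD.
            if parent not in exclude and "." in parent:
                name = parent
            domains.add(name)  # a set, because bind9 rejects duplicate zones
    zones = [f'zone "{d}" {{ type master; notify no; file "{zone_file}"; }};'
             for d in sorted(domains)]
    return "\n".join(comments + zones) + "\n"

# Constructed sample hosts file, for illustration only.
SAMPLE = """# Constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 www.ads.example.com
127.0.0.1 ads.example.com   # duplicate once the www is stripped
127.0.0.1 www.example.org
127.0.0.1 bad";evil.example
0.0.0.0 ignored.example.net
""".splitlines()

if __name__ == "__main__":
    sys.stdin.reconfigure(encoding="utf-8", errors="replace")  # multibyte-safe
    sys.stdout.write(hosts_to_zones(sys.stdin))
```

Running `named-checkconf` on the generated file before reloading bind9 catches any remaining syntax problem.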



  • Download the hosts2nullzone bash script (select the link to then “save as”)
  • Example null.db file (plain text despite the “db” suffix, select the link to then “save as”)
  • Example zones blacklist output (purely just my personal opinion)

2 comments to Howto Abuse DNS to Blacklist/Block Sites

  • Martin L

    Apparently for Apple Mac machines, returning the dummy IP address causes the Safari web browser to make repeated requests to that address. Better/faster is to use as the dummy target address, for which the browser requests are not retried.

  • roadSurfer

    I’ve done something similar using dnsmasq (for no other reason than I found a nice guide, which I forgot to bookmark). It is running purely as a DNS cache and ad-blocker just now.

    All I really did was install it and then edit “/etc/dnsmasq.conf” and plug in some obvious values. The file is very well commented.

    Next was to finalise the blockers.
    sudo touch /etc/dnsmasq.adblock.conf

    Create a tiny bash script
    curl "" | sed "s/address=\/grapeshot\.co\.uk\/127\.0\.0\.1//" > /etc/dnsmasq.adblock.conf
    /etc/init.d/dnsmasq restart

    Ideally the above would be on a cron job to run weekly, I’ve simply not bothered to do that yet as I plan to fiddle a bit more with dnsmasq (e.g. set it up for DHCP) and running it manually is no big burden (I do it when I remember to).

    You’ll note I am removing “grapeshot” from the block-list, that’s because VirginMedia use them to deliver the video content and you will break their player if you block grapeshot. Not that their player supports GNU/Linux and they have an OS block which is so draconian it even blocks the FAQ(!) and iPlayer et al which work fine. Luckily it can be made to work with PlayOnLinux (I had no success with directly using WINE). Anyway…

    An improved solution would be to add pixelserv into the mix like this article suggests. An even more awesome solution might be to add in the returning of empty files for those pernicious JavaScript libraries every site wants to download.

    It might not be as feature rich as bind9, but it was certainly an improvement.
