Block ads and malware via BIND9 RPZ

Installation on Ubuntu 20.04 LTS

  • Run the following commands to install BIND 9 on Ubuntu 20.04:
$ sudo apt update
$ sudo apt install bind9 bind9utils bind9-dnsutils

Configuration for a recursive DNS resolver with RPZ (response policy zone)

  • To enable the recursion service, edit /etc/bind/named.conf.options and set the following inside the options { ... } block:
    // hide version number from clients for security reasons.
    version "not currently available";

    // optional - BIND default behavior is recursion
    recursion yes;

    // provide recursion service to trusted clients only
    allow-recursion {;;; };

    // disallow zone transfer
    allow-transfer { none; };

    // enable the query log
    querylog yes;

    // enable response policy zone.
    response-policy {
        zone "blocked.local";
    };
  • Add the RPZ zone to /etc/bind/named.conf.local:
    zone "blocked.local" {
        type master;
        file "/etc/bind/db.blocked.local";
        allow-query { localhost; };
        allow-transfer { localhost; };
    };
  • Add the following lines to /etc/bind/named.conf to use a separate log file for RPZ (recommended):
    logging {
        channel blockedlog {
            file "/var/log/named/blocked-zone.log" versions unlimited size 100m;
            print-time yes;
            print-category yes;
            print-severity yes;
            severity info;
        };
        category rpz { blockedlog; };
    };
  • If the /var/log/named/ directory doesn't exist, create it and make the bind user its owner:
$ sudo mkdir /var/log/named/
$ sudo chown bind:bind /var/log/named/ -R

Creating Zone File

  • First, clone this repository:
$ git clone
  • If there are domains you want to block, add them to the blacklist file.

  • Execute the script (it downloads the StevenBlack hosts file and then creates the RPZ zone file):

$ sudo bash
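
What a hosts-file-to-RPZ conversion involves, shown as an added example that is not the repository's script: the function name hosts_to_rpz, the SOA/NS values, the TTL and the choice of the "CNAME ." (NXDOMAIN) policy action are assumptions. Because the downloaded list ends up in a zone file that named loads, the example treats it as untrusted input and drops anything that is not a plain hostname.

```shell
#!/bin/sh
# Added example: hosts-format blocklist on stdin -> RPZ zone file on stdout.
# ZONE matches the page; the SOA/NS values and TTL are assumptions.
ZONE="blocked.local"

hosts_to_rpz() {
    serial="${1:-$(date +%s)}"          # SOA serial, defaults to Unix time
    printf '$TTL 300\n'
    printf '@ IN SOA localhost. root.localhost. ( %s 3600 600 86400 300 )\n' "$serial"
    printf '@ IN NS localhost.\n'
    awk -v zone="$ZONE" '
        { sub(/#.*/, ""); sub(/\r$/, "") }   # strip comments and CR
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }
        NF != 2 { next }
        {
            name = tolower($2); sub(/\.$/, "", name)
            # The list is untrusted input: accept plain hostnames only, so
            # tokens such as @, * or $INCLUDE never reach the zone file.
            if (name !~ /^[a-z0-9_]([a-z0-9_.-]*[a-z0-9_])?$/) next
            if (name !~ /\./ || name ~ /\.\./ || name ~ /^[0-9.]+$/) next
            if (name == "localhost.localdomain") next
            # owner name becomes <name>.<zone>; respect DNS length limits
            if (length(name) + 1 + length(zone) > 253) next
            n = split(name, label, "."); ok = 1
            for (i = 1; i <= n; i++) if (length(label[i]) > 63) ok = 0
            if (!ok || seen[name]++) next
            print name " CNAME ."            # RPZ action: answer NXDOMAIN
        }'
}

# Constructed sample input; in practice feed the downloaded hosts file.
hosts_to_rpz 2024010101 <<'EOF'
# constructed hosts-format sample
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 Ads.Example.com
0.0.0.0 ads.example.com   # duplicate in different case
0.0.0.0 *.example.org
0.0.0.0 @
EOF
```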

Check configurations and service:

$ sudo named-checkconf
$ sudo named-checkzone rpz /etc/bind/db.blocked.local

If there are no problems, restart and enable the bind9 service:

$ sudo systemctl restart bind9
$ sudo systemctl enable bind9


  • You can run the dig command on the BIND server to see if RPZ is working:
$ dig A @
  • You can also check /var/log/named/blocked-zone.log for the RPZ log:
$ sudo tail /var/log/named/blocked-zone.log
  • Ready. You can now add this BIND9 host's IP address to your host(s) as their DNS server.