> Greetings all,
> I'm trying to write a document about how we could intercept requests to
> potentially malicious websites using DNS forwarding. After doing some
> reading I stumbled across stub zones. What I don't fully understand is
> the implementation of this or which would be better.
> Example:
> Client infected with malware tries to get to So we tell
> our internal DNS servers to tell the client that instead of going out,
> my little server over here is actually effectively
> intercepting the request.
> I assumed creating a simple forward zone for *.ru would be the best way
> to accomplish this, but then I have to create a forward zone for every
> domain I want forwarded. With the stub zone I understand that I could
> just provide the DNS admin the root.stubs.conf file and this would
> effectively accomplish the same thing? Can you use wildcards in the
> root.stubs file? i.e. *.ru?
> Could someone please clarify this for me as I'm confused if they work
> the same way.
> Thanks in advance.

This is how a stub zone works

In /etc/named.conf

# stub zones

zone "ewe" {
        type stub;
        file "stub/ewe";
        # placeholder addresses (RFC 5737 range); the original master list was lost in archiving
        masters { 192.0.2.1; 192.0.2.2; 192.0.2.3; };
};

now bind will query the masters and build the following file


$TTL 3600 ; 1 hour
; MNAME and RNAME below are placeholders; the originals were lost in archiving
ewe IN SOA ns.ewe. hostmaster.ewe. (
        2006021100 ; serial
        172800     ; refresh (2 days)
        7200       ; retry (2 hours)
        3600000    ; expire (5 weeks 6 days 16 hours)
        172800     ; minimum (2 days)
        )
$TTL 172800 ; 2 days
ewe IN NS ns.ewe. ; NS record as pulled from the masters (name is a placeholder)

Now replace the masters with your own and copy and edit the zone file.

Don't forget to edit /etc/named.conf from "type stub;" to "type master;"
on your master and add whatever you like to the zonefile.

Don't forget to put in your NS records and delete the original.

It might be a good idea to increment the serial number.

Normally I do use stub zones for other things.

Kind regards
Peter and Karin
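As an added example (not from the thread or from BIND itself) of the reply's procedure, the script below generates the "type master" stanza and a sinkhole zone file for a domain, bumping the serial as suggested. Note that a zone name in named.conf cannot be a wildcard, but a wildcard A record inside the zone does catch every label under it; the sinkhole address, NS name and zone directory are assumed values.

```python
"""Generate a BIND master (sinkhole) zone per domain, following the reply above."""
from datetime import date


def bump_serial(old, today_yyyymmdd):
    """Next YYYYMMDDnn serial; always strictly greater than `old`."""
    base = today_yyyymmdd * 100
    return base if base > old else old + 1


def sinkhole_zone(name, sink_ip, ns_name, serial, ttl=3600):
    """Zone text: SOA, NS, apex A, and a wildcard A so every subdomain hits the sinkhole."""
    lines = [
        f"$TTL {ttl}",
        f"$ORIGIN {name}.",
        f"@   IN SOA {ns_name}. hostmaster.{name}. (",
        f"        {serial} ; serial",
        "        172800 ; refresh (2 days)",
        "        7200 ; retry (2 hours)",
        "        3600000 ; expire",
        "        172800 ; minimum",
        "        )",
        f"@   IN NS {ns_name}.",
        f"@   IN A  {sink_ip}",
        f"*   IN A  {sink_ip} ; wildcard: any label under {name} resolves to the sinkhole",
    ]
    return "\n".join(lines) + "\n"


def named_conf_stanza(name, zonedir="sinkhole"):
    """named.conf stanza: 'type master', not 'type stub', so this server answers itself."""
    return f'zone "{name}" {{\n    type master;\n    file "{zonedir}/{name}";\n}};\n'


if __name__ == "__main__":
    # Assumed values: internal sinkhole host 10.0.0.53 (constructed), NS name ns.ewe
    today = int(date.today().strftime("%Y%m%d"))
    serial = bump_serial(2006021100, today)
    print(named_conf_stanza("ewe"))
    print(sinkhole_zone("ewe", "10.0.0.53", "ns.ewe", serial))
```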

