Bind is the world’s most used DNS server. Keep reading to learn how to configure Bind9 to work with Malware Patrol’s data.

Getting Started

Malware Patrol provides a zone file compatible with Bind9. Its usage as a DNSBL (DNS black list) denies access to domains that are involved in malware and ransomware activities. DNS queries for malicious domains return the loopback address ( preventing access to download malicious binaries, to relay stolen data and to contact command and control servers. You can follow these simple steps to configure your Bind9 instance and protect the internal network, computers and users from getting infected by malware.


Please be advised that we have noticed that Bind on CentOS 7 is somehow limited in the number of zones it can load and therefore doesn’t work well with our block list. If you experience trouble loading the zone file, Bind exists unexpectedly, this may be the reason, contact our tech support.

Step-by-Step Instructions

1) Make sure your Bind9 is installed and working properly. There are several resources on the Internet that can help you install it depending on your platform. If you are experiencing trouble, start at: https://www.isc.org/downloads/bind/. You should also be able to use distribution specific tools like apt-get and yum. For example: apt-get install bind9.

2) Determine the path to the configuration files used by Bind9. This most likely will be /etc/bind or /etc/named. One way to find the path is to issue this command: find / -name named.conf

3) Notice: the path /etc/bind will be used throughout this how-to, please adapt the commands shown here appropriately if your path is different.

4) Change to the directory that contains Bind configuration files, for example: cd /etc/bind

5) Download Malware Patrol’s zone file:

wget -O /etc/bind/blackhole.malwarepatrol.zone ‘https://malwarepatrol.net/pub/20160707/blackhole.malwarepatrol.zone’

6) Add the following line to the end of the file /etc/bind/named.conf

include “/etc/bind/blackhole.malwarepatrol.conf”;

7) Execute the first update:

/usr/bin/wget –no-check-certificate -qO- ‘_URL_TO_BIND_BLOCK_LIST_’ | sed ‘s/mbl.zone.file//etc/bind/blackhole.malwarepatrol.zone/g’ > /etc/bind/blackhole.malwarepatrol.conf

notice 1: don’t forget to change the command line if your path is not /etc/bind

notice 2: don’t forget to change the _URL_TO_BIND_BLOCK_LIST_ paramenter to your custom URL. To find the correct address, log in to your account, right click on the “download” link for the Bind block list and choose “Copy link location”

8) Restart Bind with the following command: service bind9 restart

9) Configure a new cronjob to update the Bind zone every hour:

MM * * * * /usr/bin/wget –no-check-certificate -qO- ‘_URL_TO_BIND_BLOCK_LIST_’ | sed ‘s/mbl.zone.file//etc/bind/blackhole.malwarepatrol.zone/g’ > /etc/bind/blackhole.malwarepatrol.conf ; service bind9 restart

To make this set up effective, you should configure your customers’ DNS server(s) to point to the new Bind. This can be easily achieved via DHCP. Still, customers may manually configure their systems to use external DNS servers, therefore bypassing this protection mechanism. To avoid that, apply firewall rules that properly deny traffic to external DNS servers.

If you experience any difficulties configuring Bind9 to use Malware Patrol, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.

For other configuration guides, check out our Tech Support page.