Blocking verisign DNS wildcards
I am happily running BIND 9.2.3rc4 on four DNS servers around the world, blocking DNS wildcards in the .net and .com zones. The delegation-only feature worked fine out of the box. The only tricky part of the process was installing BIND9 on FreeBSD, which has BIND8 installed as part of the operating system.
Installation from the ports tree only installs binaries and documentation, so you have to do all of the configuration manually.
If you are running FreeBSD 4.x, you should configure the random number generator, which is needed by the rndc utility. I found this article very useful.
After configuring the random number generator, I enabled BIND9 in rc.conf:
named_enable="YES"
named_program="/usr/local/sbin/named"
named_flags="-c /etc/namedb/named.conf -u bind"
In the above configuration, I set BIND to run as the bind user, which already exists in /etc/passwd by default.
Then you need to set up some permissions, because your new installation is sandboxed and cannot access whatever it wants. The first thing is the pid file, which cannot be created in the default location (/var/run). Make a separate directory for it and apply appropriate permissions:
$ mkdir /var/run/bind
$ chown bind:bind /var/run/bind
and tell BIND to create its pid file in the new location by adding the following entry to named.conf:
options {
# your configuration here.....
pid-file "/var/run/bind/named.pid";
};
The next step is generating the rndc authentication key and setting permissions on the generated key file:
$ rndc-confgen -a
$ chown bind /usr/local/etc/rndc.key
Now kill the running DNS server (if any) and start BIND9:
$ killall named
$ /usr/local/sbin/named -c /etc/namedb/named.conf -u bind
Done! It should be working now, but I suggest checking the log files before leaving your new DNS server:
$ ps ax | grep -i named
18663 ?? Ss 1:27.11 /usr/local/sbin/named -c /etc/namedb/named.conf -u bind
$ tail /var/log/messages
Sep 26 11:20:17 pilot named[18663]: starting BIND 9.2.3rc4 -c /etc/namedb/named.conf -u bind
Sep 26 11:20:17 pilot named[18663]: command channel listening on 127.0.0.1#953
Sep 26 11:20:17 pilot named[18663]: command channel listening on ::1#953
So my installation is working fine. Now enable the “delegation-only” feature by adding the following lines to named.conf:
logging {
category "delegation-only" { "null" ; };
};
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
That logging section disables logging of “enforced delegation-only” messages, which may fill up your disk if you are running a busy DNS server.
Now reload your BIND configuration using rndc so the new changes take effect (if you are coming from the BIND8 world, I should remind you that ndc is dead and has been replaced by the rndc utility):
$ rndc reconfig
Now it is time to check your BIND server and see the effect of the “delegation-only” option:
$ /usr/local/bin/dig @localhost www.somethingdoesnotexists.com
; <<>> DiG 9.2.3rc4 <<>> @localhost www.somethingdoesnotexists.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25364
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.somethingdoesnotexists.com. IN A
;; Query time: 984 msec
;; SERVER: 127.0.0.1#53(localhost)
;; WHEN: Fri Sep 26 13:50:33 2003
;; MSG SIZE rcvd: 48
$ host www.somethingdoesnotexists.com localhost
Using domain server:
Name: localhost
Addresses: 127.0.0.1
Host not found.
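The dig check above can be turned into a pass/fail test that parses the response header instead of eyeballing it. This is an added script, not part of the original post; the hypothetical non-existent label and the 192.0.2.1 documentation address in the second sample are constructed, and the live `check_resolver` helper assumes dig is installed.

```shell
#!/bin/sh
# Added checker (not from the original post): a resolver with delegation-only
# enforced must answer NXDOMAIN with zero answer records for a name that does
# not exist; a wildcard that slips through shows up as NOERROR with an A record.

# Read dig output on stdin and print "<status> <answer-count>" on one line.
parse_dig_header() {
    awk '
        /->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); status = $0 }
        /^;; flags:/   { sub(/.*ANSWER: /, ""); sub(/,.*/, ""); answers = $0 }
        END { print status, answers }
    '
}

# Exit 0 when the response is NXDOMAIN with no answers (wildcard blocked),
# 1 otherwise (a synthesized answer got through, or the output was unparseable).
wildcard_blocked() {
    set -- $(parse_dig_header)
    [ "$1" = "NXDOMAIN" ] && [ "${2:-1}" -eq 0 ]
}

# Live check against a resolver. The label is a hypothetical non-existent name;
# usage: check_resolver @127.0.0.1 nosuchname-12345.com
check_resolver() {
    dig "$1" "$2" A | wildcard_blocked
}

# Constructed sample: a resolver enforcing delegation-only (as in the post).
SAMPLE_BLOCKED=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25364
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Constructed sample: a resolver passing a TLD wildcard through
# (192.0.2.1 is a documentation address, not a real wildcard target).
SAMPLE_WILDCARD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
www.somethingdoesnotexists.com. 900 IN A 192.0.2.1'
```

Run `check_resolver @127.0.0.1 <some-random-label>.com` from cron after each `rndc reconfig` and alert on a non-zero exit to catch a config regression.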
Well, wildcards are dead. Now I feel better while using the Internet.
And if you are curious, this is (almost) my current BIND config:
options {
directory "/etc/namedb";
pid-file "/var/run/bind/named.pid";
version "Huh?";
};
logging {
category "delegation-only" { "null" ; };
};
zone "." {
type hint;
file "named.root";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "localhost.rev";
};
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
P.S. Frankly, I am not a BIND guru. The above configuration is not a secure setup. I strongly recommend reading the Secure BIND Template by Team Cymru for a secure BIND setup.
3 Responses to Blocking verisign DNS wildcards
We should add that in case you can’t generate a key file because of the following error:
rndc-confgen: generate key: not enough entropy
Add the command line option “-r /dev/urandom” to rndc-confgen to tell it to use /dev/urandom.
Excellent article!
Dear sir,
I have some problem with rndc-confgen.
I use rndc-confgen -a -c /usr/local/etc/rndc.key to generate the key, but unfortunately it runs for more than 10 minutes and does not report anything.