Windows PowerShell DNS Server Blackhole Tool – Blacklist Domains

Use Netsparker

This is a Windows PowerShell Script to help you with blacklisting domains you wish to block in your networks.

We have written about PowerShell before, it is something which can make the windows shell a lot more flexible.

On the external DNS servers you can create primary zones for the domain names and FQDNs you do not want your users to resolve correctly. These DNS zones will all return an incorrect IP address, such as “″ or the address of an internal server, not the real address. Because the organization’s internal DNS servers are configured to forward their requests to these external DNS servers in the DMZ, the internal DNS servers will cache these incorrect addresses too when the external DNS servers respond. So, when an internal client tries to resolve an unwanted DNS name, it will receive a response, but the IP address returned will be incorrect. Because an IP address of “″ is unreachable, these unwanted zones created on the external DNS servers are said to be “blackholed”, “blacklisted” or “blocklisted”.

What to block? You can obtain lists of FQDNs and domain names to blackhole for free. Some lists are only for malware, others might be just for pornography, but be aware that they are never 100% complete or accurate (you get what you pay for, so don’t be surprised to find gaps a small number of false positives).

Some of the more popular blackhole lists include (in no particular order): (not free)

From sites like the above you can download lists of FQDNs and simple domain names which can be fed into the PowerShell script for this article in order to create blackhole zones on Windows DNS servers. If you have DNS servers running BIND, perhaps on Linux or BSD, then the sites above will also help you import blackhole domains on those DNS servers too (scripts for blackholing on BIND are common).


To use the PowerShell DNS blackhole script, you must:

  • Have PowerShell 2.0 or later on the computer where the script will be run, which may be the DNS server itself or another management workstation.
  • Use Windows Server 2003 with SP2 or later for the DNS server.
  • Allow network access to the RPC ports of the Windows Management Instrumentation (WMI) service from the workstation where the script will be run.
  • Be a member of the local Administrators group on the DNS server.

You can download the PowerShell DNS Blackhole script here:

Or read more here.

Posted in: Countermeasures, Networking Hacking, Security Software


Latest Posts:

Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds. - Test SSL Security Including Ciphers, Protocols & Detect Flaws – Test SSL Security Including Ciphers, Protocols & Detect Flaws is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.

Comments are closed.