Basic Example for Response-Policy-Zones with BIND

I would like to emulate a public DNS entry that does not exist yet, while i am developing the service that will use this name on an intranet server. Let a public domain name i develop the service for be When working in my intranet, i want to override whatever public DNS resolves this as to some the IP I would like to implement this using the „response-policy zones“ (RPZ) feature available in recent versions of BIND.

There is an installation of BIND in my intranet that functions as a forwarding DNS for all clients in It is called intradns.mydomain. BIND satisfies the minimum version requirement for RPZ (i am using BIND version 9.10 from Debian GNU/Linux unstable).

On intradns.mydomain i  extend the named.conf.local file of BIND9 as follows:

include "/etc/bind/zones.response-policy";

I create a file /etc/bind/zones.response-policy with the following content:

zone "response-policy" {
        type master;
        file "/var/lib/bind/db.response-policy";
        allow-query { none; };

I add an option to the file named.conf.options that requests the use of this new zone:

options {
    // ... other existing entries ...
    response-policy { zone "response-policy"; };

I create the zonefile /var/lib/bind/db.response-policy with the following content (i have added bold formatting to the portions you want to modify for your setup):

$TTL 3600
@ IN SOA intradns.mydomain. root.mydomain. (
     2015103101 ; serial number YYMMDDNN
     3600       ; refresh 1 hour
     600        ; retry 10 minutes
     86400      ; expiry 1 week
     600 )      ; min ttl 10 minutes

@ IN NS intradns.mydomain. A

I reload BIND9 with

rndc reload

and test the setup with:

64 bytes from ( icmp_seq=1 ttl=64 time=0.049 ms
64 bytes from ( icmp_seq=2 ttl=64 time=0.061 ms