BIND Whitelist

BIND-whitelist is a version-specific patch for BIND that implements whitelist functionality. It uses a very fast Berkeley database backend to track and whitelist IPs (both IPv4 and IPv6) that routinely query OpenNIC TLDs. So long as a specific IP queries for OpenNIC TLDs within the TTL (time to live, default 1 month) value, the IP will remain in the whitelist and be permitted to query any TLD (OpenNIC, ICANN, etc.) IPs that are not in the whitelist will have all queries returned as REFUSED. This typically takes less than 1 ms to process.

BIND-whitelist distributions are version-specific. Please ensure you are using a BIND-whitelist distribution that matches the version number of BIND that you are compiling against. Each BIND-whitelist distribution contains a detailed README that explains how to install and test. Below is a typical README; please note that READMEs may differ depending upon the BIND version.

Currently, the OpenNIC Tier 2 server at (more on Tier 2) is running BIND-whitelist; you can easily test against this server provided you have never accessed an OpenNIC TLD via the IP you're testing with. Simply attempt to access a non-OpenNIC domain:

dig @

The request should be REFUSED. Now, access an OpenNIC domain:

dig @ www.geek

This should resolve with a valid ANSWER section. Now you should be able to repeat the first dig command and have the query return with a valid answer.

  • /wiki/data/pages/bind_whitelist.txt
  • Last modified: 8 weeks ago
  • by Vip00722