Solved DNS blacklisting by wildcard?

I do DNS blacklisting with Unbound. While this works fine
Code:
local-data: "evil.com A 127.0.0.1"
local-data: "very.evil.com A 127.0.0.1"
I'm looking for a solution to block all subdomain names, i.e. *.evil.com,
based on a regex/wildcard on sub/domain names, to get rid of
Code:
local-data: "very1324.evil.com A 127.0.0.1"
local-data: "very2436.evil.com A 127.0.0.1"
local-data: "very34.evil.com A 127.0.0.1"
local-data: "34.very.evil.com A 127.0.0.1"
local-data: "45.very.evil.com A 127.0.0.1"
local-data: "veryhot.evil.com A 127.0.0.1"
local-data: "verycool.evil.com A 127.0.0.1"
...
which makes it necessary to know all the subdomain names and to edit the blacklist, and still does not catch newly created subdomain names.

Any ideas?
 
Blocking the 2nd-level domain should also block all 3rd-level and higher domains, but perhaps Unbound is different. I have never had to deal with it.
 
I do DNS blacklisting with Unbound. While this works fine
Code:
local-data: "evil.com A 127.0.0.1"
local-data: "very.evil.com A 127.0.0.1"
Any ideas?
Please define DNS blacklisting in more detail.

I do DNS blacklisting with Unbound for the purpose of ad-blocking for the local web clients. If this is your purpose as well, then the solution is quite simple: instead of local-data:, specify local-zone:, remove the A record, and add the static directive at the end of each local-zone: line:

Code:
local-zone: "evil.com" static
local-zone: "malware.org" static
...
These specifications make Unbound respond with the status code NXDOMAIN for the given domains and all of their sub-domains. This is ideal for web browsers (better than A 127.0.0.1), because they don't even try to find the requested resource on localhost (127.0.0.1).

This is not your solution if you want to create a DNS blocklist for your mail server.
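As an added example (not code from the thread or from Unbound), a small Python helper that turns a flat hostname blocklist into local-zone ... static lines. Because a static zone already answers NXDOMAIN for every name below it, the helper drops entries that a blocked parent zone covers, and its label-wise check avoids the classic suffix-match mistake where "notevil.com" is treated as part of "evil.com". The blocklist contents are constructed for the demonstration.

```python
from __future__ import annotations
from typing import Iterable, List, Set

# Constructed sample blocklist, mirroring the thread's repetitive local-data
# entries plus a couple of unrelated zones (example.net is a reserved name).
SAMPLE_BLOCKLIST = [
    "evil.com", "very.evil.com", "very1324.evil.com", "34.very.evil.com",
    "veryhot.evil.com", "Malware.ORG.", "ads.example.net", "  evil.com ",
]

def normalize(name: str) -> str:
    """Lower-case, strip surrounding whitespace and a trailing dot."""
    return name.strip().lower().rstrip(".")

def is_covered(name: str, zones: Set[str]) -> bool:
    """True if name equals, or is a subdomain of, a zone in zones.

    Walks label boundaries instead of using endswith(), so "notevil.com"
    is not mistaken for a child of "evil.com".
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))

def collapse_zones(names: Iterable[str]) -> List[str]:
    """Return the minimal set of zones that still covers every input name.

    Shorter (more general) names are processed first, so a parent zone is
    always kept before any of its children are examined and discarded.
    """
    unique = {normalize(n) for n in names if normalize(n)}
    ordered = sorted(unique, key=lambda n: (n.count("."), n))
    kept: Set[str] = set()
    for name in ordered:
        if not is_covered(name, kept):
            kept.add(name)
    return sorted(kept)

def render_unbound(zones: Iterable[str]) -> str:
    """Emit one 'local-zone: "<zone>" static' line per zone."""
    return "".join(f'local-zone: "{z}" static\n' for z in zones)

if __name__ == "__main__":
    zones = collapse_zones(SAMPLE_BLOCKLIST)
    print(render_unbound(zones), end="")
    # Any name under a kept zone will receive NXDOMAIN from Unbound.
    print("# covers veryhot.evil.com:", is_covered("veryhot.evil.com", set(zones)))
```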
 