A short guide on how to block the entire .zip TLD using pfSense. In particular using a package called pfBlocker-NG, which can be thought of as a “PiHole” alternative. pfBlocker-NG is capable of much much more but won’t be covered in this blog.

Why is .zip TLD a problem?

It’s simple really, Phishing. Whether it’s abusing a HTTP URI scheme or using special unicode characters, having a .zip TLD which has always been attributed to the compression file extension is just a bad idea.

Here are some excellent resources explaining the problem in greater detail:

  1. The Dangers of Google’s .zip TLD - the author mentions a bug reported in Chromium which allow hostnames containing U+2044 (⁄) and U+2215 (∕), which is almost identical to the forward slash (/) in URL PATHs. And can be used to trick users.
  2. Zip domains, a bad idea nobody asked for - also references the above.
  3. google-zip-mov-domains-social-engineers-shiny-new-tool - mentions there hasn’t been active abuse (yet).

Install package

Note: It’s now recommended to install the pfBlockerNG version rather than pfBlockerNG-devel version, since both versions have synced up.

On your pfSense admin panel, go to System and Package Manager.

Select Available Packages and make sure it’s the latest then hit Install.

Configure package

A new option will now be available under the Firewall menu called pfBlockerNG.

Go to the DNSBL pane and make sure these options are enabled:

  • Enable DNSBL
  • Wildcard Blocking (TLD)

Whilst on the same page scroll down until you see TLD Blacklist/Whitelist and expand it. Next, add your chosen TLD to the TLD Blacklist input field (without the dot). You can block multiple TLDs, but it must be separated one per line e.g.


When you’re done click Save DNSBL settings.

The final step is to reload the settings by going to Update (still in the pfBlockerNG menu) and clicking on Reload. If you don’t it’ll update in 1 hour automatically by default.



When any of the devices on my network try access a .zip domain, they’ll get an error. Or more specifically the domain will resolve to an internal address which shows a this site has been blocked message.

This page also can be customised by modifying dnsbl_active.php file located in:


DNS lookup

pfBlockerNG was configured to use a IP range outside my VLAN. All the blocked domains will resolve to Here’s an example of using the dig utility:

➜  ~ dig +short nic.zip
➜  ~ dig +short 124.zip
➜  ~ dig +short latest.zip
➜  ~ dig +short stable.zip
➜  ~ dig +short winrar.zip

Other misused TLDs

In 2021, Palo Alto’s Unit 42 threat intelligence team published a blog about their research of popular top-level domains used in cyber crime. The team looked at several different TLDs across six categories (Malicious, Phishing, Malware, Grayware, C2, and Sensitive).

A table from Palo Alto’s blog of TLDs with the highest number of malicious domains: