(Note: As of October 2011 this feature is present in most recursive resolvers.
This project is now archived and is left as a record.)

dnswall is a daemon that filters DNS responses for private IP addresses. It is
designed to be used in conjunction with an existing recursive DNS resolver in
order to protect networks against DNS rebinding attacks.

dnswall takes all its configuration on the command-line: the IP address and
port to listen for incoming queries on, and the IP address and port to forward
these queries to. It blocks responses that contain any dangerous IPv4 or IPv6
addresses, including localhost, private ranges, and multicast.

To use dnswall with an existing BIND resolver, run dnswall as:
  dnswall -b 127.0.0.1 -B 5353 -f 127.0.0.1 -F 53
and follow the comment instructions in contrib/named.conf.example-* to
transform an existing named.conf into one that works with dnswall. Other DNS
servers that support source IP-based responses should also work with a similar
configuration.

Otherwise, two servers will be required: one in front to answer all trusted
subdomains and forward everything to dnswall, and a second server to answer all
forwarded requests for external names. The second server can be outside the
firewall (adding a measure of safety) and can easily be just an upstream
recursive resolver (such as those provided by ISPs).

See INSTALL for (generic) installation instructions: basically
  ./configure && make && make install