diff --git a/firewall/interception.go b/firewall/interception.go
index edc04d4b..f505bfaa 100644
--- a/firewall/interception.go
+++ b/firewall/interception.go
@@ -2,6 +2,7 @@ package firewall
 import (
 "context"
+ "net"
 "os"
 "sync/atomic"
 "time"
@@ -29,6 +30,9 @@ var (
 packetsBlocked = new(uint64)
 packetsDropped = new(uint64)
 packetsFailed = new(uint64)
+
+ blockedIPv4 = net.IPv4(0, 0, 0, 17)
+ blockedIPv6 = net.ParseIP("::17")
 )
 func init() {
@@ -84,6 +88,11 @@ func handlePacket(ctx context.Context, pkt packet.Packet) {
 func fastTrackedPermit(pkt packet.Packet) (handled bool) {
 meta := pkt.Info()
+ // Check for blocked IP
+ if meta.Dst.Equal(blockedIPv4) || meta.Dst.Equal(blockedIPv6) {
+ _ = pkt.PermanentBlock()
+ }
+
 switch meta.Protocol {
 case packet.ICMP:
 // Always permit ICMP.
diff --git a/nameserver/nsutil/nsutil.go b/nameserver/nsutil/nsutil.go
index 0a6f103d..53372b75 100644
--- a/nameserver/nsutil/nsutil.go
+++ b/nameserver/nsutil/nsutil.go
@@ -58,9 +58,9 @@ func ZeroIP(msgs ...string) ResponderFunc {
 switch question.Qtype {
 case dns.TypeA:
- rr, err = dns.NewRR(question.Name + " 0 IN A 0.0.0.0")
+ rr, err = dns.NewRR(question.Name + " 1 IN A 0.0.0.17")
 case dns.TypeAAAA:
- rr, err = dns.NewRR(question.Name + " 0 IN AAAA ::")
+ rr, err = dns.NewRR(question.Name + " 1 IN AAAA ::17")
 }
 switch {
@@ -100,9 +100,9 @@ func Localhost(msgs ...string) ResponderFunc {
 switch question.Qtype {
 case dns.TypeA:
- rr, err = dns.NewRR("localhost. 0 IN A 127.0.0.1")
+ rr, err = dns.NewRR("localhost. 1 IN A 127.0.0.1")
 case dns.TypeAAAA:
- rr, err = dns.NewRR("localhost. 0 IN AAAA ::1")
+ rr, err = dns.NewRR("localhost. 1 IN AAAA ::1")
 }
 switch {
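Review bot: The new `blockedIPv4`/`blockedIPv6` values have no comment tying them to where the address comes from, even though the same commit makes the nameserver's ZeroIP responder hand out exactly 0.0.0.17 / ::17 (nameserver/nsutil/nsutil.go); the sentinel is spelled once here via net.IPv4/net.ParseIP and again as string literals in the DNS responder, so editing one side silently stops the firewall match from firing. I would record the coupling on the pair, e.g. `// blockedIPv4/blockedIPv6 are the sentinel addresses nsutil.ZeroIP returns for blocked names; packets to them are always blocked, so keep the two in sync.` A single shared constant that both packages derive from would remove the duplication, though whether the import graph allows that is not visible here. The var block this hunk extends starts before the hunk.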
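Review bot: After `_ = pkt.PermanentBlock()` the new branch neither sets `handled` nor returns, so control falls straight into the protocol switch below, where the ICMP case is commented "Always permit ICMP." and may issue a second verdict on a packet already marked blocked. The error from PermanentBlock is also discarded, so a verdict that fails to apply leaves the packet to whatever default the interception layer uses, without even touching the `packetsFailed` counter declared in this file. I would handle the error and return true once the sentinel matched; how `packetsFailed` is otherwise maintained is not visible in the diff, so the counter update below is a guess at the file's convention. fastTrackedPermit's body continues past the end of the hunk.

```go
	// Check for blocked IP
	if meta.Dst.Equal(blockedIPv4) || meta.Dst.Equal(blockedIPv6) {
		if err := pkt.PermanentBlock(); err != nil {
			atomic.AddUint64(packetsFailed, 1) // TODO confirm this matches how the file counts failed verdicts
		}
		return true
	}
	// … unchanged: protocol switch …
```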
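Review bot: ZeroIP now answers with 0.0.0.17 / ::17 instead of the unspecified address, but nothing in the responder says these are sentinel values that the firewall matches and blocks (firewall/interception.go in the same commit), so the next edit to these strings can break a cross-package contract without any local hint. I would state it above the switch, e.g. `// 0.0.0.17 / ::17 are sentinel "blocked" addresses: the firewall blocks any packet sent to them, so a client that ignores the answer still cannot connect. Keep in sync with firewall.blockedIPv4/blockedIPv6.` The address is duplicated here as a string literal and in the firewall as net.IP values; a single shared constant would keep them from drifting. ZeroIP's closure starts and ends outside the hunk.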
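Review bot: The TTL on the localhost answers moves from 0 to 1 with no comment, and the same change is made in ZeroIP above, so the motivation should be recorded once where a reader will find it. A zero TTL tells stub resolvers not to cache, which is the conservative choice for a policy-driven resolver; a TTL of 1 allows up to a second of client-side caching, which is harmless for a fixed localhost answer but is a deliberate trade-off that the diff does not explain. I would add one line above the switch, e.g. `// TTL 1 rather than 0 on purpose — <reason>; applies to ZeroIP as well.` with the actual reason filled in. Localhost's closure starts and ends outside the hunk.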