diff --git a/group_vars/pyrocufflink-dns.yml b/group_vars/pyrocufflink-dns.yml
index a27e72a..3d7312f 100644
--- a/group_vars/pyrocufflink-dns.yml
+++ b/group_vars/pyrocufflink-dns.yml
@@ -7,6 +7,8 @@ named_listen_v6:
 named_allow_query:
 - any
 named_dnssec_validation: false
+named_response_policy:
+- zone "blackhole.rpz"
 
 pyrocufflink_common_zones:
 - zone: pyrocufflink.blue
@@ -58,4 +60,4 @@ pyrocufflink_common_zones:
   - 192.168.20.146
   - 192.168.20.147
 
-named_zones: '{{ pyrocufflink_red_zones + pyrocufflink_common_zones }}'
+named_zones: '{{ pyrocufflink_red_zones + pyrocufflink_common_zones + rpz_zones }}'
diff --git a/host_vars/dns0.pyrocufflink.blue.yml b/host_vars/dns0.pyrocufflink.blue.yml
index ad026f7..f66d01a 100644
--- a/host_vars/dns0.pyrocufflink.blue.yml
+++ b/host_vars/dns0.pyrocufflink.blue.yml
@@ -18,6 +18,10 @@ pyrocufflink_red_zones:
   - '{ !{ !localhost; any; }; key local-ddns; }'
   ttl: 30
 
+rpz_zones:
+- zone: blackhole.rpz
+  type: master
+
 named_keys:
 - name: dhcp-ddns
   algorithm: hmac-md5
diff --git a/roles/named/tasks/main.yml b/roles/named/tasks/main.yml
index 52c46f4..cd0bcc7 100644
--- a/roles/named/tasks/main.yml
+++ b/roles/named/tasks/main.yml
@@ -35,7 +35,7 @@
 - name: ensure zone files exist
   template:
     src: zone.j2
-    dest: /var/named/dynamic/{{ item.zone }}.zone
+    dest: /var/named/{{ item.zone_file|d('dynamic/' + item.zone + '.zone') }}
     mode: '0640'
     owner: root
     group: named
diff --git a/roles/named/templates/named.conf.j2 b/roles/named/templates/named.conf.j2
index 0240a12..951fc6f 100644
--- a/roles/named/templates/named.conf.j2
+++ b/roles/named/templates/named.conf.j2
@@ -58,6 +58,14 @@ options {
   tkey-gssapi-keytab "{{ named_keytab }}";
 {% endif %}
 
+{% if named_response_policy|d %}
+
+  response-policy {
+{% for policy in named_response_policy %}
+    {{ policy }};
+{% endfor %}
+  };
+{% endif %}
 {% for path in named_options_include %}
   include "{{ path }}";
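Review bot: The new `named_zones` expression in the second hunk of group_vars/pyrocufflink-dns.yml dereferences `rpz_zones` unconditionally, but `rpz_zones` is only defined in host_vars for dns0 (next file), so every other member of the pyrocufflink-dns group will fail the zone tasks with an undefined-variable error. Defaulting the host-scoped list keeps the group var self-contained: `named_zones: '{{ pyrocufflink_red_zones + pyrocufflink_common_zones + rpz_zones|d([]) }}'` (the filter binds tighter than `+`, so the default applies only to `rpz_zones`). The same scope split affects `named_response_policy` added in the first hunk: it is a group var naming `blackhole.rpz`, so a host that never defines that zone would still render a `response-policy` stanza for it, which named would presumably reject at config load. Either define `rpz_zones: []` and `named_response_policy: []` at group level and override both on dns0, or move `named_response_policy` next to `rpz_zones` in the host vars so the policy and the zone it references always travel together.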
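Review bot: The `blackhole.rpz` entry carries no `zone_file`, so under the new default in roles/named/tasks/main.yml it is templated from `zone.j2` into `/var/named/dynamic/blackhole.rpz.zone` as root:named 0640, exactly like the dynamic zones; whether `zone.j2` yields a usable response-policy zone for an entry with only `zone` and `type` is not visible here, and the `dynamic/` location suggests updates that a root-owned 0640 file will not accept from named. A comment would record the intent, e.g. `# Response-policy zone referenced by named_response_policy (group_vars); no zone_file, so it takes the dynamic/ default and its records come from zone.j2`. If the policy records are meant to be maintained by hand, setting an explicit `zone_file` outside `dynamic/` would make that clear instead of inheriting the dynamic-zone defaults.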
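Review bot: `item.zone_file` now decides where the zone file is written, but this commit does not touch the zone stanza in named.conf.j2; if that template still derives the `file` path as `dynamic/{{ zone }}.zone`, a zone with a custom `zone_file` is written to one path and loaded from another, which is easy to miss until named fails to find the file. Computing the path once and using it in both places avoids the drift, and a comment above the task would document the contract: `# zone_file is relative to /var/named and overrides dynamic/<zone>.zone; keep in sync with the file directive in named.conf.j2`. Since the value is spliced into `dest` as-is, an `assert` that `item.zone_file` is relative and contains no `..` component would also fail fast on an inventory typo rather than writing outside `/var/named`. The task (its loop and handlers) continues past the end of the hunk.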