diff --git a/go.mod b/go.mod
index 8190c32c..748fe135 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
 github.com/klauspost/pgzip v1.2.6
 github.com/mdlayher/genetlink v1.3.2
 github.com/pelletier/go-toml/v2 v2.2.4
- github.com/qdm12/dns/v2 v2.0.0-rc10
+ github.com/qdm12/dns/v2 v2.0.0-rc9.0.20260216144148-3f6b7de87740
 github.com/qdm12/gosettings v0.4.4
 github.com/qdm12/goshutdown v0.3.0
 github.com/qdm12/gosplash v0.2.0
diff --git a/go.sum b/go.sum
index 680da7ae..bb280962 100644
--- a/go.sum
+++ b/go.sum
@@ -73,8 +73,8 @@ github.com/prometheus/common v0.60.1 h1:FUas6GcOw66yB/73KC+BOZoFJmbo/1pojoILArPA
 github.com/prometheus/common v0.60.1/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/qdm12/dns/v2 v2.0.0-rc10 h1:IyeNEYXfhBsaE1dwxx5eAqdAz1HS98dT+8c7xoKODa0=
-github.com/qdm12/dns/v2 v2.0.0-rc10/go.mod h1:98foWgXJZ+g8gJIuO+fdO+oWpFei5WShMFTeN4Im2lE=
+github.com/qdm12/dns/v2 v2.0.0-rc9.0.20260216144148-3f6b7de87740 h1:MJKaCmBFnmaX9uZUZYHB+kpxF+FRoDBY1Fx8CVaes6I=
+github.com/qdm12/dns/v2 v2.0.0-rc9.0.20260216144148-3f6b7de87740/go.mod h1:98foWgXJZ+g8gJIuO+fdO+oWpFei5WShMFTeN4Im2lE=
 github.com/qdm12/goservices v0.1.1-0.20251104135713-6bee97bd4978 h1:TRGpCU1l0lNwtogEUSs5U+RFceYxkAJUmrGabno7J5c=
 github.com/qdm12/goservices v0.1.1-0.20251104135713-6bee97bd4978/go.mod h1:D1Po4CRQLYjccnAR2JsVlN1sBMgQrcNLONbvyuzcdTg=
 github.com/qdm12/gosettings v0.4.4 h1:SM6tOZDf6k8qbjWU8KWyBF4mWIixfsKCfh9DGRLHlj4=
diff --git a/internal/configuration/settings/dnsblacklist.go b/internal/configuration/settings/dnsblacklist.go
index 716a2dca..bf380cfe 100644
--- a/internal/configuration/settings/dnsblacklist.go
+++ b/internal/configuration/settings/dnsblacklist.go
@@ -23,7 +23,9 @@ type DNSBlacklist struct {
 AddBlockedIPs []netip.Addr
 AddBlockedIPPrefixes []netip.Prefix
 // RebindingProtectionExemptHostnames is a list of hostnames
- // exempt from DNS rebinding protection.
+ // exempt from DNS rebinding protection. It can contain parent
+ // domains which are of the form "*.example.com". Note the wildcard
+ // can only be used at the start of the hostname.
 RebindingProtectionExemptHostnames []string
 }
 
@@ -55,6 +57,9 @@ func (b DNSBlacklist) validate() (err error) {
 }
 
 for _, host := range b.RebindingProtectionExemptHostnames {
+ if len(host) > 2 && host[:2] == "*." {
+ host = host[2:]
+ }
 if !hostRegex.MatchString(host) {
 return fmt.Errorf("%w: %s", ErrRebindingProtectionExemptHostNotValid, host)
 }
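Review bot: In the second hunk, the remainder after the stripped `*.` is checked only against `hostRegex`, which is defined outside this diff, so nothing visible here limits how broad a wildcard exemption can be. If that pattern accepts a single label, an entry such as `*.com` would validate and take an entire TLD out of DNS rebinding protection; consider rejecting a remainder with no dot, or documenting on the field that the exempted parent domain must be one the operator controls. Separately, `host` is overwritten before the check, so the `ErrRebindingProtectionExemptHostNotValid` message prints the stripped name rather than the configured entry. Validating a copy (`name := host[2:]` then `hostRegex.MatchString(name)`) would keep the original in the error. The body of validate() begins and ends outside the hunk.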