diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 271a0d455..016ff15d7 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -199,6 +199,9 @@ The default is the result of
 .It Li allow_weak_crypto = Va boolean
 are weak crypto algorithms allowed to be used, among others, DES is considered weak.
+.It Li block_dns = Va boolean
+If true, prevent Heimdal from doing any DNS resolution.
+Default is false.
 .It Li clockskew = Va time
 Maximum time differential (in seconds) allowed when comparing times.
diff --git a/lib/krb5/verify_krb5_conf.c b/lib/krb5/verify_krb5_conf.c
index c258a2bd3..609b560ff 100644
--- a/lib/krb5/verify_krb5_conf.c
+++ b/lib/krb5/verify_krb5_conf.c
@@ -395,6 +395,7 @@ struct entry v4_name_convert_entries[] = {
 struct entry libdefaults_entries[] = {
 { "accept_null_addresses", krb5_config_string, check_boolean, 0 },
 { "allow_weak_crypto", krb5_config_string, check_boolean, 0 },
+ { "block_dns", krb5_config_string, check_boolean, 0 },
 { "capath", krb5_config_list, all_strings, 1 },
 { "ccapi_library", krb5_config_string, NULL, 0 },
 { "check_pac", krb5_config_string, check_boolean, 0 },