diff --git a/bin/update-ips.bash b/bin/update-ips.bash
index bdb508240..c8853e3c9 100755
--- a/bin/update-ips.bash
+++ b/bin/update-ips.bash
@@ -161,8 +161,8 @@ get_dns_ips() {
 local -a ips
 mapfile -t ips < <(dig +short "${domain}" | grep '^[.0-9]*$')
 if [ ${#ips[@]} -eq 0 ]; then
- log_error "No IPs for ${domain} was found"
- exit 1
+ log_error "No IPs for ${domain} was found. Will block all IPs"
+ echo "0.0.0.0"
 fi
 echo "${ips[@]}"
 }
diff --git a/tests/unit/general/bin-update-ips.bats b/tests/unit/general/bin-update-ips.bats
index fa5a59d2a..592f0a12d 100644
--- a/tests/unit/general/bin-update-ips.bats
+++ b/tests/unit/general/bin-update-ips.bats
@@ -93,6 +93,15 @@ _apply_normalise() {
 update_ips.assert_minimal
 }
 
+@test "ck8s update-ips blocks all without domain records" {
+ run ck8s update-ips both apply
+
+ assert_equal "$(yq.dig wc '.networkPolicies.global.scIngress.ips | . style="flow"')" "[0.0.0.0/32]"
+ assert_equal "$(yq.dig wc '.networkPolicies.global.wcIngress.ips | . style="flow"')" "[0.0.0.0/32]"
+ assert_equal "$(yq.dig sc '.networkPolicies.global.scIngress.ips | . style="flow"')" "[0.0.0.0/32]"
+ assert_equal "$(yq.dig sc '.networkPolicies.global.wcIngress.ips | . style="flow"')" "[0.0.0.0/32]"
+}
+
 @test "ck8s update-ips performs minimal run with zero diff" {
 update_ips.mock_minimal
 update_ips.populate_minimal
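Review bot: In `get_dns_ips` (bin/update-ips.bash) the new empty-result branch prints `0.0.0.0` and then falls through to `echo "${ips[@]}"`, which emits a second, empty line because `ips` is still empty. Assigning the sentinel to the array, `ips=("0.0.0.0")`, in place of `echo "0.0.0.0"` keeps a single output path and avoids handing callers a blank entry. Separately, the exit status of `dig` is not checked, so a resolver timeout presumably looks the same as a domain with no records and would now replace a working allowlist with the block-all entry instead of aborting. Consider keeping `exit 1` for lookup failures and documenting the intent with a comment such as `# Fail closed: no A records means no source address is allowed`. The function starts above the hunk, so how callers consume its output is not visible here.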
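Review bot: The new `@test "ck8s update-ips blocks all without domain records"` never checks the result of `run ck8s update-ips both apply`, so a run that exits non-zero still passes as long as the four values match. Adding `assert_success` after the `run` line would pin the exit status, and `assert_output --partial "Will block all IPs"` would pin the fail-closed message if `run` captures the error log. The test also appears to rely on the absence of `update_ips.mock_minimal` to get empty DNS answers; a comment such as `# no DNS mock set up: every domain lookup returns nothing` would make that precondition explicit.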