diff --git a/spec/lib/gitlab/tcp_checker_spec.rb b/spec/lib/gitlab/tcp_checker_spec.rb
index 49f04f269ae64ca97f8897579ea42c610e10fb37..9474e79cc5dc6afe53cfb9a7034def909c2787e4 100644
--- a/spec/lib/gitlab/tcp_checker_spec.rb
+++ b/spec/lib/gitlab/tcp_checker_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-describe Gitlab::TcpChecker do
+describe Gitlab::TcpChecker, :permit_dns do
   before do
     @server = TCPServer.new('localhost', 0)
     _, @port, _, @ip = @server.addr
diff --git a/spec/lib/gitlab/url_blocker_spec.rb b/spec/lib/gitlab/url_blocker_spec.rb
index a68ba489986dc629bd4ca0e34fee1a1edf22193c..97859c82e9eba4dffa1a696f71e9a77d013b82db 100644
--- a/spec/lib/gitlab/url_blocker_spec.rb
+++ b/spec/lib/gitlab/url_blocker_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-describe Gitlab::UrlBlocker do
+describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
   include StubRequests
 
   describe '#validate!' do
diff --git a/spec/support/dns.rb b/spec/support/dns.rb
new file mode 100644
index 0000000000000000000000000000000000000000..3e5c8e698e16069378264ca271648a72dbc74ab3
--- /dev/null
+++ b/spec/support/dns.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require Rails.root.join("spec/support/helpers/dns_helpers")
+
+RSpec.configure do |config|
+  config.include DnsHelpers
+
+  config.before do
+    block_dns!
+  end
+
+  config.before(:each, :permit_dns) do
+    permit_dns!
+  end
+
+  config.before(:each, :stub_invalid_dns_only) do
+    permit_dns!
+    stub_invalid_dns!
+  end
+end
diff --git a/spec/support/helpers/dns_helpers.rb b/spec/support/helpers/dns_helpers.rb
new file mode 100644
index 0000000000000000000000000000000000000000..941b57c2c97780350f1a5d6f5ac00efe318673d4
--- /dev/null
+++ b/spec/support/helpers/dns_helpers.rb
@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module DnsHelpers
+  def block_dns!
+    stub_all_dns!
+    stub_invalid_dns!
+    permit_local_dns!
+  end
+
+  def permit_dns!
+    allow(Addrinfo).to receive(:getaddrinfo).and_call_original
+  end
+
+  def stub_all_dns!
+    allow(Addrinfo).to receive(:getaddrinfo).with(anything, anything, nil, :STREAM).and_return([])
+    allow(Addrinfo).to receive(:getaddrinfo).with(anything, anything, nil, :STREAM, anything, anything).and_return([])
+  end
+
+  def stub_invalid_dns!
+    allow(Addrinfo).to receive(:getaddrinfo).with(/foobar\.\w|(\d{1,3}\.){4,}\d{1,3}/i, anything, nil, :STREAM) do
+      raise SocketError.new("getaddrinfo: Name or service not known")
+    end
+  end
+
+  def permit_local_dns!
+    local_addresses = /(127|10)\.0\.0\.\d{1,3}|(192\.168|172\.16)\.\d{1,3}\.\d{1,3}|0\.0\.0\.0|localhost/i
+    allow(Addrinfo).to receive(:getaddrinfo).with(local_addresses, anything, nil, :STREAM).and_call_original
+    allow(Addrinfo).to receive(:getaddrinfo).with(local_addresses, anything, nil, :STREAM, anything, anything).and_call_original
+  end
+end