LINUX.IE, website of the Irish Linux Users' Group

5 December 2005

What is a DNS blacklist? Dispelling the myths


By Michele Neylon.

One of the most common issues faced by server admins is spam. If you are not concerned about protecting your users from receiving it, you are probably worried about your users sending it (intentionally or otherwise).

DNSBLs (DNS Blacklists) are one of the many tools used by server administrators in the ongoing war on spam.

So what exactly are they?

The Wikipedia definition is helpful:

A DNS-based Blackhole List, or DNSBL, is a means by which an Internet site may publish a list of IP addresses, in a format which can be easily queried by computer programs on the Internet. As the name suggests, the technology is built on top of the Internet DNS or Domain Name System. DNSBLs are chiefly used to publish lists of addresses linked to spamming.

If an IP address is identified as an open relay (i.e. anybody can use it to send mail) or as a source of viruses or spam, it may be listed in a DNSBL. Each DNSBL has its own listing criteria, which in most cases are published on its website. Before you start using a DNSBL, read the criteria carefully. Do not simply rely on someone else's comments.
For example, the Spamhaus project maintains a number of lists, each with slightly different listing criteria. The SBL list is defined as:

The SBL is a realtime database of IP addresses of verified spam sources (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help email administrators better manage incoming email streams.

In most cases an IP will only be listed if abusive behaviour has been reported multiple times. For example, larger networks such as AOL manage their own blacklisting. If they see multiple spams from an IP they will blacklist it for several days.
Of course, if the IP address keeps on appearing in spam emails then it will continue to be listed.

Things to note:

  • DNSBLs are used by a lot of email administrators
  • The check is DNS based
  • The only thing checked is the IP
  • The content of the email is not examined

There is no point getting upset if your mail server blocks an innocent email based on a DNSBL check. The DNSBL does not know about your emails' content. The only thing it is concerned with is IP addresses. Nothing more. Nothing less.
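
To make the "DNS based, IP only" point concrete, here is an added example (not part of the original article) of the conventional DNSBL lookup: the IP is reversed, prepended to the list's zone, and queried as an ordinary A record, with an answer in 127.0.0.0/8 meaning "listed". The zone `dnsbl.example`, the sample records and the `fake_resolve` helper are constructed for illustration so that the code runs without network access.

```python
import ipaddress
import socket

ZONE = "dnsbl.example"  # hypothetical zone name, not a real list
# Constructed sample records: one listed address from the documentation range.
FAKE_RECORDS = {"99.2.0.192.dnsbl.example": "127.0.0.2"}


def dnsbl_query_name(ip, zone):
    """Build the DNS name that is looked up to test `ip` against `zone`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        # IPv4: reverse the four octets, e.g. 192.0.2.99 -> 99.2.0.192
        labels = str(addr).split(".")[::-1]
    else:
        # IPv6: reverse all 32 hex nibbles of the fully expanded address
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.strip(".")


def fake_resolve(name):
    """Offline stand-in for socket.gethostbyname using FAKE_RECORDS."""
    if name not in FAKE_RECORDS:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return FAKE_RECORDS[name]


def dnsbl_check(ip, zone, resolve=socket.gethostbyname):
    """Return 'listed', 'not listed' or 'error'. Only the IP is ever sent."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        # No such name: the IP is not on the list. gethostbyname raises the
        # same exception on resolver failure, so a DNS outage reads the same.
        return "not listed"
    # A listing is an A record inside 127.0.0.0/8. Any other answer (for
    # example a wildcarded or expired zone returning a public IP) is not a
    # valid listing and should not cause mail to be rejected.
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "error"


if __name__ == "__main__":
    for ip in ("192.0.2.99", "192.0.2.1"):
        print(ip, dnsbl_query_name(ip, ZONE), dnsbl_check(ip, ZONE, fake_resolve))
```

Dropping the `fake_resolve` argument makes `dnsbl_check` use the system resolver against whatever zone you pass in.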

If an IP address is listed in a blacklist there is usually a reason.
It usually takes more than one report for an IP address to be listed.
Each DNSBL has its own criteria, so you should examine them before you use them.
The DNSBL admins are mostly volunteers. They are not interested in personal vendettas and the fact that your server or ISP is listed is not a reflection of anything other than the IP's behaviour.

Notes:
This article is aimed at providing basic information on how DNSBLs work. If anyone feels that there are errors or wishes to make suggestions please use the comments section below or email me directly.


Related:
All About DNS
Securing DNS with Transaction Signatures

