
DNSBL (DNS Black List)

Black lists are used in the context of email to define the IP addresses or netblocks of well-known sources of SPAM. DNSBL defines a method of using standard DNS zone files to store such IP addresses: standard DNS A RR queries are used to interrogate the black list, which is organised as a reverse-mapping zone file. DNSBL is now the subject of RFC 5782, which has INFORMATIONAL status.

Assuming the black list is held at the domain name blacklist.example.com, the process works as follows:

  1. The receiving SMTP Agent extracts the IP address of the sending SMTP Agent, for example 192.168.2.135.
  2. The address is reversed to create a label; in the above case this becomes 135.2.168.192.
  3. The reversed label is prepended to the DNSBL name to give a domain name of 135.2.168.192.blacklist.example.com.
  4. A DNS A RR query is issued for the domain name 135.2.168.192.blacklist.example.com.
  5. The responding name server either returns a valid A RR (confirming the IP address is in the black list) or an NXDOMAIN error (the IP address is not in the black list).
  6. For those IP addresses which appear in the black list the DNSBL may optionally store a standard TXT RR at the same name giving some explanation for the black listing.
  7. The fact that an A RR is returned confirms that the queried IP address does appear in the specific black list. The actual address returned is by convention in the loopback range 127/8; each address may have a specific meaning and is used as a return code, some of which are defined in the list below.
  8. IPv6 addresses may be handled within the same black list. The construction of the reverse map is defined in IPv6 Reverse Mapping.

Example black list zone file

The following shows a black list zone file fragment:

$TTL 2d ; default RR TTL
$ORIGIN blacklist.example.com.
@              IN      SOA     ns1.example.com. hostmaster.example.com. (
                              2003080800 ; se = serial number
                              3h         ; ref = refresh
                              15m        ; ret = update retry
                              3w         ; ex = expiry
                              3h         ; min = minimum
                              )
               IN      NS      ns1.example.com.
               IN      NS      ns2.example.com.
; black list records - using origin substitution rule
; order not important other than for local usage reasons
; by convention this address should be listed to allow for external testing
2.0.0.127      IN      A       127.0.0.2
; black list RRs
135.2.168.192  IN      A       127.0.0.2 ; or some specific result code address
               IN      TXT     "Optional - Some explanation for black listing"
; the above entries expand to 135.2.168.192.blacklist.example.com
...
135.17.168.192 IN      A       127.0.0.2 ; generic list
...

Note: By convention an A RR for the address 127.0.0.2 should always be present in any DNSBL system to allow for external testing and confirmation of operation. Bear in mind, however, that spammers may also use this knowledge to mount DoS attacks on the DNSBL.

127/8 Return Codes

There is no standard, or even consensus, usage of the address returned by the DNS A RR query other than that it lies in the netblock 127/8 (127.0.0.0 - 127.255.255.255). In most cases email software which uses DNSBL access will return a failing code if any address is returned (the IP is in the list). When a number of DNSBL web sites were reviewed to obtain the values of their return codes, the codes were not easy to identify. The following is the meaning of the returned address when using the SORBS black list:

127.0.0.2  - Open HTTP Proxy Server (http.dnsbl.sorbs.net)
127.0.0.3  - Open SOCKS Proxy Server (socks.dnsbl.sorbs.net)
127.0.0.4  - Open Proxy Server not listed in the SOCKS or HTTP lists (misc.dnsbl.sorbs.net)
127.0.0.5  - Open SMTP relay server (smtp.dnsbl.sorbs.net)
127.0.0.6  - Hosts sending spam/UCE/UBE to SORBS, netblocks of spam supporting service providers (list.spam.dnsbl.sorbs.net)
127.0.0.7  - Web servers with email vulnerabilities (e.g. FormMail scripts) (web.dnsbl.sorbs.net)
127.0.0.8  - Hosts demanding not to be tested by SORBS (block.dnsbl.sorbs.net)
127.0.0.9  - Networks hijacked from original owners (zombie.dnsbl.sorbs.net)
127.0.0.10 - Dynamic IP Address ranges (dul.dnsbl.sorbs.net)
127.0.0.11 - Domain names with bad A or MX RRs (badconf.rhsbl.sorbs.net)
127.0.0.12 - Domain names with no email originating (nomail.rhsbl.sorbs.net)

Some Additional Notes:

While the terminology - DNSBL - defines the above to be a black list, there is nothing to stop it being used as, say, a white list to speed up handling of incoming mail, keyed by the sending SMTP Agent's IP addresses (always assuming your favorite mail software supports such a concept and format). Further, by prepending domain names or full email addresses such a white list may be even more useful. For example, assume the following zone file fragment for whitelist.example.com (or even vhost.whitelist.example.com for virtual hosted sites):

$TTL 2d ; default RR TTL
$ORIGIN whitelist.example.com.
...
; white list records - using origin substitution rule
; order not important other than for local usage reasons
; normal white list RRs
; by convention this address should be listed to allow for external testing
2.0.0.127      IN      A       127.0.0.2
; address based white list RRs
135.2.168.192  IN      A       127.0.0.2 ; or some specific result code address
               IN      TXT     "Optional - Some explanation for white listing"
; the above entries expand to 135.2.168.192.whitelist.example.com
...
135.17.168.192 IN      A       127.0.0.2 ; generic list
...
; name based RRs for white listing
friend.com     IN      A       127.0.0.1 ; all domain email addresses
; expands to friend.com.whitelist.example.com
joe.my.my      IN      A       127.0.0.2 ; single address
; expands to joe.my.my.whitelist.example.com
...

In the above example mail addresses of the form joe@my.my require substitution of @ with . (dot) before being appended to the white list domain name, since @ may not be used in a domain name.
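The lookup procedure described at the top of this page, the 127/8 return-code check and the address-, domain- and email-keyed white list names above, worked as one added Python example (not code from this page or from BIND). The IPv6 label is assumed to follow the nibble-reversed form of the ip6.arpa reverse map, the SORBS code meanings are abbreviated from the list above, and the resolver is a constructed stand-in holding the page's blacklist.example.com records so the example runs offline.

```python
import ipaddress
from typing import Callable, List, Optional, Tuple

# Meaning of the SORBS 127/8 return codes listed on this page (abbreviated).
SORBS_CODES = {
    "127.0.0.2": "open HTTP proxy", "127.0.0.3": "open SOCKS proxy",
    "127.0.0.4": "open proxy (other)", "127.0.0.5": "open SMTP relay",
    "127.0.0.6": "spam source or spam-supporting netblock",
    "127.0.0.7": "web server with email vulnerabilities",
    "127.0.0.8": "host demanding not to be tested", "127.0.0.9": "hijacked network",
    "127.0.0.10": "dynamic IP range", "127.0.0.11": "domain with bad A or MX RRs",
    "127.0.0.12": "domain with no originating email",
}

def dnsbl_label(key: str) -> str:
    """Owner label for an IPv4/IPv6 address, a domain name or an email address."""
    try:
        ip = ipaddress.ip_address(key)
    except ValueError:
        # Name-based white list key: joe@my.my becomes joe.my.my (the page's convention).
        return key.replace("@", ".").rstrip(".")
    if ip.version == 4:
        return ".".join(reversed(key.split(".")))  # 192.168.2.135 -> 135.2.168.192
    # IPv6: all 32 nibbles in reverse order, as in the ip6.arpa reverse map (assumed).
    return ".".join(reversed(ip.exploded.replace(":", "")))

def dnsbl_query_name(key: str, zone: str) -> str:
    return f"{dnsbl_label(key)}.{zone.rstrip('.')}"

def dnsbl_check(key: str, zone: str, resolve: Callable[[str], List[str]],
                codes: dict = SORBS_CODES) -> Optional[Tuple[str, str]]:
    """resolve(name) returns the A RR addresses for name, or [] on NXDOMAIN."""
    answers = resolve(dnsbl_query_name(key, zone))
    if not answers:
        return None  # NXDOMAIN: not listed
    code = answers[0]
    # Only a 127/8 answer is a listing; anything else points at a misconfigured or
    # parked zone, so refuse it instead of silently treating the sender as listed.
    if ipaddress.ip_address(code) not in ipaddress.ip_network("127.0.0.0/8"):
        raise ValueError(f"unexpected DNSBL answer {code} for {key}")
    return code, codes.get(code, "listed; code meaning not defined")
# Constructed stand-in for a resolver, holding the page's blacklist.example.com RRs.
FAKE_ZONE = {
    "2.0.0.127.blacklist.example.com": ["127.0.0.2"],
    "135.2.168.192.blacklist.example.com": ["127.0.0.2"],
    "135.17.168.192.blacklist.example.com": ["127.0.0.2"],
}
def fake_resolve(name: str) -> List[str]:
    return FAKE_ZONE.get(name, [])
```

Against a real list, `resolve` would wrap a DNS client and return the A RR data for the name; the 127/8 check keeps an expired or wildcarded list zone from turning every sender into a hit.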

Resources

DECLUDE maintain a page containing many known DNSBL format black lists.

This work is licensed under a Creative Commons License.
Copyright © 1994 - 2024 ZyTrax, Inc.
Page modified: January 20 2022.