Domain Name System Blocklist Basics and Best Practices

Author

Reads 3.6K

Close-up of a surveillance camera with neon lighting, symbolizing modern home security technology.
Credit: pexels.com, Close-up of a surveillance camera with neon lighting, symbolizing modern home security technology.

The Domain Name System (DNS) blocklist is a crucial tool in preventing malicious activities on the internet.

A DNS blocklist is essentially a list of known malicious domains that have been flagged by security experts and researchers.

By blocking access to these domains, you can significantly reduce the risk of your users falling victim to phishing scams, malware distribution, and other online threats.

To effectively use a DNS blocklist, you need to understand its basics and best practices.

Curious to learn more? Check out: Domains by Proxy

What is a DNSBL?

A DNSBL, or Domain Name System blocklist, is a list of IP addresses known to be involved in spamming or other malicious activities.

Three things are required to start the DNSBL query service:

How DNSBL Works

DNSBLs work by using a domain name to store a list of IP addresses that are known to be sending spam. This list is then used by mail servers to block incoming emails from these addresses.

Here's an interesting read: Get Domain Name and Email Addresses

Credit: youtube.com, DNSBL Blacklist: Everything You Need to Know

The domain where the DNSBL can be placed is the first step in setting up a DNSBL. This domain is used to store the list of IP addresses.

Name servers are used to resolve the domain name to an IP address, which is necessary for the mail server to check the list.

The list of IP addresses is stored as a TXT record, which can provide additional information about why an IP address is on the list.

To check if an IP address is on the list, the mail server sends a DNS query to the name server of the DNSBL. If the IP address is on the list, the mail server receives a response indicating that the address is blocked.

Here's a step-by-step breakdown of how DNSBL works:

  • The order of octets in the sender’s IP address is reversed.
  • The domain name DNSBL is added to the reversed IP address.
  • The name server of the DNSBL is checked for the presence of a suitable entry for the address.
  • If the address is on the list, the mail server receives a response indicating that the address is blocked.
  • If the address is not on the list, the mail server receives a response of "NXDOMAIN".

Using DNSBL Data

You can apply the Domain Blocklist to identify, classify, or reject mail containing listed domains, particularly for emails that pass IP-based protection at the SMTP transaction.

Credit: youtube.com, pfSense DNSBL - DNS Setup

The Domain Blocklist should be used at specific points during the email filtering process, including the initial connection, throughout the pre-data phase of an email, and once the email data has been accepted.

To make the best use of Spamhaus' data, blocklists should be utilized at specific points during the email filtering process, such as against the domain associated to the connecting IP via rDNS, the HELO string, and Mail From domain.

The Spam Filter repository maintains the latest version of core DNSBL servers, which are regularly updated to ensure they remain effective against the latest spam sources and threats.

Administrators can customize the behavior of DNSBL server checks while maintaining compatibility with automatic updates by disabling the core server and creating a custom DNSBL server configuration with the desired changes.

Core DNSBL servers, a list of predefined DNS-based Blocklist (DNSBL) servers, are regularly updated to ensure they remain effective against the latest spam sources and threats.

Here are the supported scopes for DNSBL checks:

  • url: Applies to URLs in the message.
  • domain: Applies to domains found in the message.
  • email: Applies to email addresses in the message.
  • ip: Applies to IP addresses associated with the message.
  • header: Applies to message headers.
  • body: Applies to the message body.
  • any: Applies to any part of the message.

Types of DNSBLs

Credit: youtube.com, WEBINAR | Know How | DNS Blocklist Refresh - APAC Region

There are two main types of DNSBLs: public and private. Public DNSBLs, like Spamhaus and SURBL, are widely used and maintained by third-party organizations. They can be queried via DNS or a web lookup form.

Spamhaus, for example, publishes both an IP list and a domain list, making it a popular choice for email deliverability. Its algorithm detects newly registered domains and lists them on the Spamhaus DBL without ever being included in a single email message.

Here are some key public DNSBLs:

In contrast, private DNSBLs are maintained by individual organizations and are not publicly accessible. They can be used to block specific IP addresses or domains within an organization's network.

Blacklists vs DNSBLs

DNSBLs are often confused with domain blacklists, but they're not the same thing. The term DNSBL stands for Domain Name Server Block List and refers specifically to the mechanism by which the block list is published.

In fact, DNSBLs can be either lists of IP addresses or lists of domain names. Most DNSBLs are listings of IP addresses, but some list domain names.

It's worth noting that GMass users are more concerned with domain blacklists, as they send emails from Gmail's IPs, which are rarely blocked.

For more insights, see: Cluster IP

Public Blacklists

Credit: youtube.com, What is an Email Blacklist? | How to Avoid & Fix Blacklisted Emails

Public Blacklists are a crucial part of the DNSBL world. They're maintained by organizations like Spamhaus, SURBL, and URIBL, which provide a way to query their lists using DNS or web lookup forms.

The most well-known public domain blacklist is Spamhaus, which publishes both an IP list and a domain list. Spamhaus has an algorithm that detects newly registered domains and lists them if they meet certain criteria.

Spamhaus is the 300-pound gorilla of blacklists, and it's relatively easy to get a domain off their list if you can provide a reasonable explanation for why your domain was used in spam. In fact, I've never been turned down when asking for a domain to be delisted from SURBL, as long as I've provided a good explanation.

To query Spamhaus, you can use their web lookup form or query the domain via DNS using the format [domain].dbl.spamhaus.org. If the domain is listed, you'll get a response of 127.0.0.2.

Here's a brief rundown of the three main public domain blacklists:

Keep in mind that URIBL isn't mentioned in the article section facts, but it's worth noting that it's another public domain blacklist.

Private Blacklists

Credit: youtube.com, How to Blacklist Check - Spam Database and DNSBL Blacklist Emails checker Online blacklist lookup

Private Blacklists are maintained by companies like AOL, Barracuda, and Google, but they're not always easy to search.

You can determine if your domain is on a private blacklist by sending an email with the listed domain to an address that uses a particular filter. The SMTP bounce response will indicate if the domain is on that blacklist.

Barracuda's Intent List is private and can't be searched via DNS lookup. However, you can examine SMTP responses to determine listings.

If your domain is on Barracuda's Intent List, you'll get a bounce with an SMTP code that looks like: 550 5.7.1: This message was blocked by the Barracuda Spam & Virus Firewall.

Barracuda's response code for an IP-based block is specific to that IP address, making it easier to determine the type of block.

AOL's private domain blacklist can be identified by an SMTP response code containing "HVU", which stands for High Volume URL. If a domain is on AOL's private domain blacklist, the SMTP response will look like: 550 5.7.1: This message was blocked by the AOL filter due to HVU:B2.

It's worth noting that some companies, like AOL, are fairly stringent about their domain blacklist, making it difficult to get delisted.

Worth a look: Email Code Html

Spam Rl

Credit: youtube.com, Know How - DNSBL Basics

SpamRL is a DNSBL that uses an SMTP response to indicate if a URL is on their blacklist. There is no web lookup form or DNS method to query the list.

To check if your domain is on SpamRL's blacklist, you'll need to receive an SMTP response. This means you'll need to send an email to see if it gets blocked.

You can self-de-list your domain on SpamRL.com for up to 7 days, giving you some time to resolve any issues before you're fully removed.

Recommended read: Anti-Spam SMTP Proxy

Maintaining a Positive Reputation

To avoid getting listed on a domain name system blocklist, it's essential to maintain a positive reputation. This can be achieved by taking advantage of registrar security services, such as registry lock or monitoring for any DNS changes.

Communicate with your registrar to see what services they provide and take action accordingly. For instance, they may offer registry lock, which can prevent unauthorized changes to your domain's DNS records.

Expand your knowledge: Azure Domain Services

Credit: youtube.com, Podcast: IP Blacklisting

Monitoring DMARC reports is crucial to detect attempts to spoof your domain. This will help you identify and prevent potential spam issues.

Restrict outbound SMTP traffic by configuring your firewall to allow only outgoing SMTP traffic from your mail server's internal IP address. This will prevent spammers from using your domain for malicious activities.

Use double opt-in to ensure that only real and interested recipients receive your emails. This will help you avoid spam traps and maintain a positive reputation.

Ensuring that your hostname and HELO match, and that your reverse DNS (PTR record) is defined and pointing to the same hostname, is also crucial. This will help prevent spam filters from flagging your emails as suspicious.

Here are some best practices to maintain a positive domain reputation:

  1. Registrar security services
  2. Monitor DMARC reports
  3. Restrict outbound SMTP traffic
  4. Use double opt-in
  5. Configuration

DNSBL Checks

DNSBL checks are an essential tool in the fight against spam. They allow administrators to configure custom DNSBL checks for the spam filter, which can be used to evaluate specific aspects of incoming messages and assign tags based on the results.

Credit: youtube.com, How Do I Check If An IP Is On A DNSBL? - TheEmailToolbox.com

The settings used to configure DNSBL servers in the spam filter include enable, scope, zone, and tag. The enable setting determines whether the DNSBL server is enabled, while the scope setting specifies the part of the message to which the DNSBL server should apply.

The zone setting defines an expression that evaluates to the DNSBL zone to query, and the tag setting specifies an expression that evaluates to the tag to apply to the message based on the DNS query result.

Supported scopes include url, domain, email, ip, header, body, and any, which allows for precise tagging based on the returned DNS results.

Here are the supported scopes with a brief description of each:

The maximum number of DNSBL queries that can be made for a single email is determined by the settings in the spam filter.

Limitations and Action

The DNSBL system has its limits, and it's essential to understand them to ensure smooth operation.

Credit: youtube.com, Know How - DNSBL Basics

The maximum number of IP address queries allowed per email is 100, as set by the spam-filter.dnsbl.max-check.ip parameter.

You can also set limits on domain queries with the spam-filter.dnsbl.max-check.domain parameter, which defaults to 100 queries per email.

Similarly, the spam-filter.dnsbl.max-check.email parameter limits email queries to 100 per email.

URL queries are also subject to limits, with the spam-filter.dnsbl.max-check.url parameter setting the maximum to 100 queries per email.

Limits

You can only query a certain number of IP addresses per email, which is set by the spam-filter.dnsbl.max-check.ip limit.

This limit helps prevent spam filters from becoming overwhelmed and slowing down email delivery.

The maximum number of domain queries allowed per email is also limited, set by the spam-filter.dnsbl.max-check.domain parameter.

The spam-filter.dnsbl.max-check.email limit sets the maximum number of email queries allowed per email.

The spam-filter.dnsbl.max-check.url limit determines the maximum number of URL queries allowed per email.

Here's a summary of the limits:

Action Steps

Regularly check the domains important to you against public and private blacklists. This will help you stay on top of any listings that could be affecting your email deliverability.

Woman using a secure mobile app, showcasing data encryption on a smartphone.
Credit: pexels.com, Woman using a secure mobile app, showcasing data encryption on a smartphone.

You can use blacklist monitoring services to check your domains against Spamhaus, SURBL, and URIBL. These services will alert you if your domains are listed.

GMass users have their domains checked against public blacklists every hour. This is handled by GMass's internal deliverability monitoring tools.

You can also manually scan your SMTP responses to look for patterns that indicate a listing on a private blacklist. Or, you can use a system like GMass's intelligent private blacklist detection system, which works in near real-time.

Beatrice Giannetti

Senior Writer

Beatrice Giannetti is a seasoned blogger and writer with over a decade of experience in the industry. Her writing style is engaging and relatable, making her posts widely read and shared across social media platforms. She has a passion for travel, food, and fashion, which she often incorporates into her writing.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.