Wednesday, August 4, 2010

DNSBL

I finally realized how DNSBL, or DNS block lists, work. If you ask me, it's pretty smart. It uses DNS to quickly and easily tell a requesting mail server the reputation of a connecting IP address. DNSBL can also be used for other applications besides email (think HTTP authentication).

Let's start with an example and I will explain from there. When looking up the IP address for a domain name, or finding a domain name from an IP, Windows users use nslookup. To do this, they type the following in a command prompt:


C:\Users\>nslookup blog.theozzyblogger.com
Server:  Home
Address:  XXX.XXX.XXX.XXX


Non-authoritative answer:
Name:    ghs.l.google.com
Address:  74.125.95.121
Aliases:  blog.theozzyblogger.com
          ghs.google.com

The first two lines, Server and Address, are the name and IP address of my DNS server. I purposely changed them to conceal them :)

This displays the IP address associated with my web site, blog.theozzyblogger.com. The way DNSBL works is that you prefix the IP address to the DNS name of the block list. However, you need to reverse the order of the IP address's octets first. So let's say I want to look up the reputation of my website's IP address, 74.125.95.121. I will use the Spamhaus ZEN DNSBL ( http://www.spamhaus.org/zen/ ).

It will look like this:
121.95.125.74.zen.spamhaus.org

or


C:\Users\>nslookup 121.95.125.74.zen.spamhaus.org
Server:  Home
Address:  XXX.XXX.XXX.XXX


*** Home can't find 121.95.125.74.zen.spamhaus.org: Non-existent domain

When Non-existent domain is returned, the IP is not listed as a known spam address. When an email server or anti-spam device gets this Non-existent domain answer, the email is allowed in. But when an address is returned, the IP has a reputation for spam, like this random address, 93.45.76.93:


C:\Users\>nslookup 93.76.45.93.zen.spamhaus.org
Server:  Home
Address:  XXX.XXX.XXX.XXX


Non-authoritative answer:
Name:    93.76.45.93.zen.spamhaus.org
Address:  127.0.0.11

Spamhaus documents what each return address means, as do all DNSBLs. In this case, 127.0.0.11 means this IP address is listed as one that should not be delivering unauthenticated SMTP email:
(http://www.spamhaus.org/faq/answers.lasso?section=DNSBL%20Usage#202)
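To tie together the two halves of the post (building the reversed query name, then reading the answer), here is an added Python example. It is my code, not the post's and not anything published by Spamhaus. It goes a little beyond the post: it also handles IPv6 using the nibble-reversed convention from RFC 5782, and it refuses to treat two non-listing answers as listings, namely a resolver that rewrites NXDOMAIN into a real address (which would make every sender look listed) and the Spamhaus 127.255.255.x error codes. The ZEN_CODES table is my snapshot of Spamhaus's published return codes and should be checked against the FAQ linked above; the SAMPLE_ANSWERS table and sample_resolver are constructed so the example runs offline, and the resolver argument is my own design choice so the same function can do a real lookup.

```python
import ipaddress
import socket
from dataclasses import dataclass, field

# Spamhaus ZEN return codes as documented in the Spamhaus DNSBL FAQ.
# Treat this table as a snapshot: check the FAQ linked in the post before
# relying on it, since lists and codes change over time.
ZEN_CODES = {
    "127.0.0.2": "SBL: Spamhaus Block List (verified spam source)",
    "127.0.0.3": "SBL CSS: low-reputation / snowshoe sending IP",
    "127.0.0.4": "XBL: exploited or compromised host",
    "127.0.0.5": "XBL: exploited or compromised host",
    "127.0.0.6": "XBL: exploited or compromised host",
    "127.0.0.7": "XBL: exploited or compromised host",
    "127.0.0.10": "PBL: ISP policy says this IP should not send direct SMTP",
    "127.0.0.11": "PBL: Spamhaus policy says this IP should not send direct SMTP",
}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus signals problems with the query itself (not a listing) in this
# range, e.g. queries sent via a public resolver or an excessive query rate.
ZEN_ERRORS = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: address labels reversed, then the list's zone.

    IPv4: 74.125.95.121 -> 121.95.125.74.<zone>
    IPv6 (RFC 5782): one hex nibble per label, reversed, like ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.strip(".")


def system_resolver(name: str) -> list:
    """Real lookup; raises socket.gaierror when the name does not exist."""
    return socket.gethostbyname_ex(name)[2]


@dataclass
class DnsblResult:
    query_name: str
    listed: bool
    codes: list = field(default_factory=list)
    meanings: list = field(default_factory=list)
    problems: list = field(default_factory=list)


def check_dnsbl(ip: str, zone: str = "zen.spamhaus.org",
                resolver=system_resolver) -> DnsblResult:
    """Query a DNSBL for ip and interpret the answer.

    NXDOMAIN (socket.gaierror) means "not listed". An A record outside
    127.0.0.0/8 is not a listing either: it usually means the resolver
    rewrites NXDOMAIN into a search page. 127.255.255.x is a Spamhaus
    error code, also not a listing.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        answers = resolver(name)
    except socket.gaierror:
        return DnsblResult(name, listed=False)

    result = DnsblResult(name, listed=False)
    for answer in answers:
        a = ipaddress.ip_address(answer)
        if a not in LOOPBACK:
            result.problems.append(
                f"non-loopback answer {answer}: resolver may be rewriting NXDOMAIN")
        elif a in ZEN_ERRORS:
            result.problems.append(
                f"DNSBL error code {answer}: fix the query setup, do not block")
        else:
            result.codes.append(answer)
            result.meanings.append(
                ZEN_CODES.get(answer, "unknown code: check the list's documentation"))
    result.listed = bool(result.codes)
    return result


# Constructed sample answers so the example runs offline. The 93.45.76.93
# entry mirrors the post's nslookup output; the other two are made up to
# show the two answers a mail filter must not mistake for a listing.
SAMPLE_ANSWERS = {
    "93.76.45.93.zen.spamhaus.org": ["127.0.0.11"],
    "9.113.0.203.zen.spamhaus.org": ["198.51.100.1"],    # constructed NXDOMAIN rewrite
    "1.2.0.192.zen.spamhaus.org": ["127.255.255.254"],   # constructed Spamhaus error code
}


def sample_resolver(name: str) -> list:
    """Offline stand-in for system_resolver; NXDOMAIN for anything not in the table."""
    if name not in SAMPLE_ANSWERS:
        raise socket.gaierror("constructed NXDOMAIN")
    return SAMPLE_ANSWERS[name]


if __name__ == "__main__":
    for ip in ["74.125.95.121", "93.45.76.93", "203.0.113.9", "192.0.2.1"]:
        r = check_dnsbl(ip, resolver=sample_resolver)
        print(ip, "->", r.query_name, "listed" if r.listed else "not listed",
              r.meanings, r.problems)
```

Swap `resolver=system_resolver` in for a live query. Only the 127.0.0.x answers set `listed`; anything else lands in `problems` so a misconfigured resolver shows up as a diagnostic instead of as a flood of rejected mail.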

Here is a good reference too:
http://www.spamhaus.org/faq/answers.lasso?section=DNSBL%20Usage#252

My favorite MX and blacklist websites:
http://www.mxtoolbox.com/
http://www.mxtoolbox.com/blacklists.aspx

3 comments:

  1. Here is how DNSBLs work:

    A mail server that wants to send mail to your mail server establishes a connection to your server.

    Your server examines the socket information to find the IP address of the server at the other end of the connection.

    Your server creates a special "pseudo-hostname" by reversing the order of the components of the IP address, then concatenating them with the domain name of the blacklist:

    Example:
    If the incoming IP address is 166.70.98.32 and the name of the blacklist is dnsbl.sorbs.net, then the resulting "pseudo-hostname" is 32.98.70.166.dnsbl.sorbs.net

    Your server does a regular DNS lookup of the pseudo-hostname 32.98.70.166.dnsbl.sorbs.net. If it resolves, then the owner of the blacklist considers the host 166.70.98.32 to be a spammer. If the lookup doesn't resolve, then the IP address isn't blacklisted.

    Replies
    1. Thanks Rick, that is an excellent explanation of DNSBL

    2. That was actually really interesting, Rick. I never really gave much thought to how DNSBLs work - I just always used them and took them for granted! Shame on me. Haha.

      Fred | https://webhostinggeeks.com/tools/
