DNSBL (Domain Name System-based Blackhole List)

Even in times of Facebook, WhatsApp, and endless kinds of collaboration tools, email plays a big role in digital communication. For a secure and pleasant experience in your inbox, it is just as relevant now as ever to know how to recognise and prevent spam. Even decades after the first spam messages were sent, it is important to maintain a certain sense of caution with your emails.

In practice, high-performance security mechanisms, such as greylisting, catch the most annoying or dangerous emails. One important part of these mechanisms are Domain Name System-based Blackhole Lists (DNSBL) – blocklists for questionable sender addresses that can be retrieved in real-time. Keep reading to find out what a DNS-based Blackhole List is, how exactly it works, and what advantages and disadvantages it has.

A Domain Name System-based Blackhole List (DNS-based Blackhole List or DNSBL for short) is a service that email servers can use to quickly check the spam potential of IP addresses. A DNSBL has access to a list of addresses that are known senders of spam. A querying mail server can inspect the list in real-time using a DNS request. Most server software can be configured to consult several DNS-based Blackhole Lists, providing the user with even better protection against unwanted junk mail. If the DNSBL query comes up with a hit, the message coming from that email address will be blocked or marked as spam.

When reading about DNSBL, you’ll probably come across the term Real-time Blackhole List (RBL). Sometimes the terms are used interchangeably, although this isn’t quite correct. A Real-time Blackhole List is one available DNSBL and admittedly a very important one. As a part of the anti-spam initiative Mail Abuse Prevention Systems (MAPS), it became the first official DNS-based Blackhole List in 1997.

Originally, the computer scientist behind RBL, Paul Vixie, published the spam blocklist (also known as ‘blacklist’, which is politically incorrect today) as BGP Feed (Border Gateway Protocol) rather than as a DNSBL. The feed contained a list of known spam addresses that was sent to subscribers’ routers using the BGP protocol. Eric Ziegast, a developer working with Vixie on the MAPS project, initiated the transition to the more effective DNS-based transmission.

Three things are required to run a DNSBL query service:

• A domain at which the Domain Name System-based Blackhole List can be hosted
• A name server for this domain (for address resolution)
• A list of IP addresses that should be made available (via DNS query)

The most difficult part of maintaining a DNSBL, without a doubt, is building the list itself. Operators need to develop a clear strategy and stick to it long-term to gain and maintain users’ trust. Specific policies that are made public give an impression of what it means to be listed in the DNSBL and how the list positions itself in terms of the three points listed above (goals, source(s), and lifespan).

On the side of the mail servers that have chosen a DNS-based Blackhole List to check for spam, the service is simple:

1. The order of the octets in the sender’s IP address are reversed. For example, 192.168.11.12 will become 12.11.168.192.
2. The domain name of the DNSBL is added - 12.11.168.192.dnsbl.example.net.
3. The name server of the blocklist is checked to see whether there is a fitting A record for the address. If so, the address is sent back to the mail server, indicating that the client is on the blocklist. If the address isn’t listed, the code ‘NXDOMAIN’ is sent.
4. If an IP is listed in the DNSBL, the mail server also has the option of looking up the name as a text entry (TXT record). This is often a way to find out why the client in question is on the list.

The most popular use of Domain Name System-based Blackhole Lists is as the basis for a spam filter. But these practical lists also have several uses in other software and alternative contexts entirely:

Rule-based spam analysis software: Rule-based anti-spam programs such as Spamassassin can be used for a more complex analysis of a larger set of DNSBLs. This type of software uses a separate rule for each DNS-based Blackhole List, which can be referred to in combination with other rules when evaluating an incoming message. This way, emails aren’t weeded out just because their sender is on a DNSBL; instead, a set of clearly defined criteria are used to decide what is sent to the spam folder. The process can, however, lead to slower message retrieval.

Combination with other list types: One of the most important tasks in managing a Domain Name System-based Blackhole List is regular maintenance of the list. If entries are no longer up to date, perfectly acceptable messages will end up in the spam folder. To prevent this, many filters use combinations with other list types, including allowlists or passlists (‘whitelists’). Depending on the tool and settings, address entries on a passlist can be given more weight than (often out-of-date) entries for the same address in a DNSBL.

DNS-based Blackhole Lists are one of the most important parts of fighting spam, especially from the perspective of the user. The fact that listed entries can be queried via DNS makes the services quick and easy for mail servers to use, making it possible to display a filtered inbox without any noticeable effect on performance. The query method is easy to implement for developers and operators of email servers.

However, DNS services do come with a series of problems and difficulties, especially in terms being trustworthy and up to date. There is, for example, no guarantee that the entries in a DNSBL are justified and regularly updated by the DNSBL provider. Additionally, it’s often very difficult to remove addresses from the register of a DNS-based Blackhole List once they’ve landed on the list. Users of IPs that have been hacked in the past and used for spam will have a hard time rehabilitating their address.

If you regularly send large quantities of emails, you should consider a dedicated IP from a provider you trust, to keep the reputation of the address in your own hands and have a strong partner on your side should worst come to worst.