DNS Blacklists: What Are They, How Do They Work And Why Do We Need Them?

I would like to talk to you about DNS Blacklists. Most IT administrators who deal with mail have heard of this term, but some aspects are still unclear. This post aims to clear up these doubts and is split into three sections: definition of DNS Blacklists, how they work, and use of DNS Blacklists. I have also added a bonus section at the end, which explains how to test DNS Blacklists.

Domain Name System Blacklists (DNSBLs) are spam blocking lists which contain a number of IPs (mailserver IPs) which have been reported as sending out spam. These lists are based on the Internet’s DNS, which converts IP addresses such as into domain names like spam.com, making the lists much easier to read, use, and search.

DNS Blacklists may also include a zombie check. These particular DNS Blacklists list the addresses of zombie computers or other computers being used to send spam, the addresses of ISPs who willingly host spammers, or addresses which have sent spam to a honeypot system.

Many anti-spam software programs use these lists to control spam by blocking any email that originates from one of these domains. These lists are developed and maintained by organisations such as SORBS and SpamHaus.

The three basic components that make up a DNS Blacklist are the following:

1. A domain to host it under.
2. A name server to host that domain.
3. A list of addresses to publish.

The following four steps explain what is done when a mail server checks an email sender against a DNS Blacklist:

1. The receiving mailserver takes the sender’s mail server IP address, say, and reverses the order of octets, yielding
2. It appends the DNSBL’s domain name:
3. It looks up this name in the DNS as a domain name (“A” record). This will return either an IP address, indicating that the sender is listed; or an “NXDOMAIN” (“No such domain”) code, indicating that the sender is not.
4. If the sender is blacklisted, what is done with the email then depends on what actions you configure on your mail server or anti-spam software.

DNSBLs are used by spam blocking software where different blacklists are given point scores, which can be mitigated by white rules to reduce false positives. They can also be used by mail servers like Exchange and Postfix to outright block email if the sender’s IP address or host name is listed in a DNSBL.

Some DNSBLs in anti-spam software also hold a cache of the requests that have been done in memory. All requests are retained in the cache for X days. This will result in faster responses for the items which are found in the cache, since DNS requests may be time consuming. The side effect of this is that the DNSBL feature may return that an IP address is on the DNSBL site, when in reality it has been removed.
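The lookup steps and the cache side effect described above, as an added example that is not part of the original post or of any vendor's code. The zone `dnsbl.example`, the address `192.0.2.2`, the answer `127.0.0.2` and the class `CachedDnsbl` are constructed for illustration, and the demo uses a fake in-memory zone so it runs offline.

```python
import ipaddress
import socket
import time

def dnsbl_query_name(ip, zone):
    """Steps 1-2: reverse the IPv4 octets and append the DNSBL's domain."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def system_resolver(name):
    """Step 3: A-record lookup. None stands for NXDOMAIN (sender not listed).
    gaierror also covers resolver failures, so this sketch fails open."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

class CachedDnsbl:
    """DNSBL check that keeps answers in memory for ttl_seconds."""
    def __init__(self, zone, resolver=system_resolver,
                 ttl_seconds=86400, clock=time.time):
        self.zone, self.resolver = zone, resolver
        self.ttl, self.clock = ttl_seconds, clock
        self._cache = {}  # ip -> (expires_at, answer)

    def is_listed(self, ip):
        now = self.clock()
        hit = self._cache.get(ip)
        if hit and hit[0] > now:
            return hit[1] is not None  # cached answer, possibly stale
        answer = self.resolver(dnsbl_query_name(ip, self.zone))
        self._cache[ip] = (now + self.ttl, answer)
        return answer is not None

def demo():
    """Constructed scenario: the address is delisted while still cached."""
    zone_data = {"2.2.0.192.dnsbl.example": "127.0.0.2"}  # fake zone
    now = [0.0]
    bl = CachedDnsbl("dnsbl.example", resolver=zone_data.get,
                     ttl_seconds=3600, clock=lambda: now[0])
    first = bl.is_listed("192.0.2.2")  # listed, answer gets cached
    zone_data.clear()                  # list operator removes the entry
    stale = bl.is_listed("192.0.2.2")  # cache still reports it as listed
    now[0] += 3601                     # cache entry expires
    fresh = bl.is_listed("192.0.2.2")  # new lookup sees NXDOMAIN
    return first, stale, fresh

if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.2", "dnsbl.example"), demo())
```

Step 4, what to do with mail from a listed sender, stays a policy decision in the mail server or anti-spam software and is not modelled here.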

Finally, I would like to give you a few tips on how to test DNS Blacklists using Nslookup.

1. Open Command Prompt
2. Type ‘nslookup’ (without the quotes) and press Enter
3. By default the query type is for A records. You can specify other query types, for example to request TXT records, use ‘set type=txt’ or ‘set q=txt’
4. Type the domain that you would like to query (e.g. sorbs.net or bl.spamcop.net )
5. When the domain does not exist, you will get a “Non-existent domain” in the response.
6. When the domain exists, the way the result is displayed will depend on the type of DNS record requested.
7. For A records, one or more IP addresses may be returned.

Emmanuel Carabott CISSP heads security research at GFI Software. He has over 12 years’ experience in the security field and is a regular contributor to several websites and blogs.