Even in times of Facebook, WhatsApp, and endless kinds of collaboration tools, email plays a big role in digital communication. For a secure and pleasant experience in your inbox, it is just as relevant now as ever to know how to recognize and prevent spam. Even decades after the first spam messages were sent, it is important to maintain a certain sense of caution with your emails.

In practice, high-performance security mechanisms, such as greylisting, catch the most annoying or dangerous emails. One important part of these mechanisms is the Domain Name System-based Blackhole List (DNSBL): a blocklist of questionable sender addresses that can be queried in real time. Keep reading to find out what a DNS-based Blackhole List is, how exactly it works, and what advantages and disadvantages it has.


What is a DNSBL (Domain Name System-based Blackhole List)?

A Domain Name System-based Blackhole List (DNS-based Blackhole List or DNSBL for short) is a service that email servers can use to quickly check the spam potential of IP addresses. A DNSBL has access to a list of addresses that are known senders of spam. A querying mail server can inspect the list in real time using a DNS request. Most server software can be configured to consult several DNS-based Blackhole Lists, providing the user with even better protection against unwanted junk mail. If the DNSBL query comes up with a hit, the message coming from that sender address will be blocked or marked as spam.

Note

In the context of computer networks, the term “blackhole” refers to a connection in which incoming or outgoing traffic is dropped rather than forwarded, and the data source is not informed.

Real-time Blackhole List: The first Domain Name System-based Blackhole List

When reading about DNSBL, you’ll probably come across the term Real-time Blackhole List (RBL). Sometimes the terms are used interchangeably, although this isn’t quite correct. A Real-time Blackhole List is one available DNSBL, and admittedly a very important one. As a part of the anti-spam initiative Mail Abuse Prevention Systems (MAPS), it became the first official DNS-based Blackhole List in 1997.

Originally, the computer scientist behind RBL, Paul Vixie, published the spam blocklist (also known as a “blacklist”, a term considered politically incorrect today) as a BGP (Border Gateway Protocol) feed rather than as a DNSBL. The feed contained a list of known spam addresses that was sent to subscribers’ routers using the BGP protocol. Eric Ziegast, a developer working with Vixie on the MAPS project, initiated the transition to the more effective DNS-based transmission.

Note

In addition to RBL, there are now countless other DNSBLs, such as the Spamhaus Block List (SBL), SORBS (Spam and Open Relay Blocking System) and ASPEWS (Another Spam Prevention Early Warning System). These lists mostly differ with respect to their goals (which type of IP addresses are listed: individual hosts, ISPs, proxies, etc.), their sources (where the listed IP addresses come from) and their lifespan (how long IPs stay listed).

How do DNS-based Blackhole Lists work?

Three things are required to run a DNSBL query service:

  • A domain at which the Domain Name System-based Blackhole List can be hosted
  • A name server for this domain (for address resolution)
  • A list of IP addresses that should be made available (via DNS query)

The most difficult part of maintaining a DNSBL, without a doubt, is building the list itself. Operators need to develop a clear strategy and stick to it long-term to gain and maintain users’ trust. Specific policies that are made public give an impression of what it means to be listed in the DNSBL and how the list positions itself in terms of the three points listed above (goals, source(s), and lifespan).

On the side of the mail servers that have chosen a DNS-based Blackhole List to check for spam, the service is simple:

  1. The order of the octets in the sender’s IP address is reversed. For example, 192.168.11.12 becomes 12.11.168.192.
  2. The domain name of the DNSBL is appended: 12.11.168.192.dnsbl.example.net.
  3. The name server of the blocklist is queried for an A record matching that name. If one exists, its address is returned to the mail server, indicating that the client is on the blocklist. If the address isn’t listed, the response is “NXDOMAIN” (no such domain).
  4. If an IP is listed in the DNSBL, the mail server also has the option of looking up the same name as a text entry (TXT record). This is often a way to find out why the client in question is on the list.

Note

Querying a DNS-based Blackhole List works similarly to a Reverse DNS Lookup. The main difference between the two query types lies in the record type: in the case of an rDNS query, the PTR record is looked up instead of the A record.
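The four steps above, carried out in code as an added Python example that is not part of the original article: it builds the reversed query name, looks that name up against a constructed in-memory stand-in for the blocklist’s name server (no network traffic is involved), treats an A answer as “listed” and NXDOMAIN as “not listed”, and fetches the TXT reason only for listed addresses. The zone `dnsbl.example.net`, the listed addresses, the 127.0.0.x return codes and the TXT text are constructed sample data, and the function names are my own. The example also goes beyond the text by handling IPv6 senders, whose address is reversed nibble by nibble rather than octet by octet.

```python
import ipaddress
from typing import Optional

ZONE = "dnsbl.example.net"  # constructed DNSBL zone, not a real list


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Steps 1 and 2: reverse the sender address and append the DNSBL zone.

    IPv4: 192.168.11.12 -> 12.11.168.192.<zone>
    IPv6: the 32 hex nibbles of the expanded address, reversed and dot-separated.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


# Constructed stand-in for the blocklist's authoritative name server:
# query name -> records. Names that are absent stand for an NXDOMAIN answer.
MOCK_ZONE = {
    dnsbl_query_name("192.168.11.12", ZONE): {
        "A": ["127.0.0.2"],  # 127.0.0.x answers are the usual DNSBL convention
        "TXT": ["Listed: host relayed spam (constructed sample reason)"],
    },
    dnsbl_query_name("2001:db8::1", ZONE): {
        "A": ["127.0.0.3"],
        "TXT": [],  # listed, but the operator published no reason text
    },
}


def resolve(name: str, rtype: str, zone_data: dict) -> Optional[list]:
    """Step 3: emulate the DNS lookup. Returns the records, or None for NXDOMAIN."""
    records = zone_data.get(name)
    if records is None:
        return None
    return records.get(rtype, [])


def check_sender(ip: str, zone: str, zone_data: dict = MOCK_ZONE) -> dict:
    """Decide whether a sender IP is listed, and if so why."""
    name = dnsbl_query_name(ip, zone)
    a_records = resolve(name, "A", zone_data)
    if a_records is None:
        # NXDOMAIN: the address is not on this list.
        return {"ip": ip, "query": name, "listed": False, "codes": [], "reason": None}
    # Step 4: the TXT lookup is only worth doing for a listed address.
    txt = resolve(name, "TXT", zone_data) or []
    return {
        "ip": ip,
        "query": name,
        "listed": True,
        "codes": a_records,
        "reason": txt[0] if txt else None,
    }


if __name__ == "__main__":
    for sender in ("192.168.11.12", "203.0.113.5", "2001:db8::1"):
        print(check_sender(sender, ZONE))
```

In a real mail server the `resolve` function would be replaced by an actual DNS query, and the hit would feed into the filter decision rather than rejecting the message on its own; a listed address with no TXT text is still a hit, which is why the code reports `reason` as missing instead of treating the empty TXT answer as “not listed”.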

How can DNSBLs be used?

The most popular use of Domain Name System-based Blackhole Lists is as the basis for a spam filter. But these practical lists also have several uses in other software and in entirely different contexts:

Rule-based spam analysis software: Rule-based anti-spam programs such as SpamAssassin can be used for a more complex analysis of a larger set of DNSBLs. This type of software uses a separate rule for each DNS-based Blackhole List, which can be combined with other rules when evaluating an incoming message. This way, emails aren’t weeded out just because their sender is on a DNSBL; instead, a set of clearly defined criteria is used to decide what is sent to the spam folder. The process can, however, lead to slower message retrieval.

Combination with other list types: One of the most important tasks in managing a Domain Name System-based Blackhole List is regular maintenance of the list. If entries are no longer up to date, perfectly acceptable messages will end up in the spam folder. To prevent this, many filters combine DNSBLs with other list types, including allowlists or passlists (“whitelists”). Depending on the tool and settings, address entries on a passlist can be given more weight than (often out-of-date) entries for the same address in a DNSBL.
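The two uses just described, one rule per DNSBL with its own weight and a passlist that outranks stale blocklist entries, as an added Python example that is neither from the article nor from SpamAssassin’s code base. The list names, weights, threshold, passlist network and the set of listed query names are all constructed sample data, and the function names are my own.

```python
import ipaddress

# Constructed rules: one DNSBL zone per rule, each with its own weight.
RULES = {
    "list-a.example.net": 2.5,  # strict, well-maintained list: high weight
    "list-b.example.net": 1.0,
    "list-c.example.net": 0.5,  # aggressive list with stale entries: low weight
}
SPAM_THRESHOLD = 3.0  # constructed; total score at or above this goes to the spam folder

# Constructed passlist. A hit here outweighs any combination of the lists above,
# so a stale DNSBL entry cannot push a known-good sender into the spam folder.
PASSLIST = [ipaddress.ip_network("198.51.100.0/24")]
PASSLIST_SCORE = -5.0

# Constructed stand-in for the lists' name servers: the set of query names
# that would get an A answer. Anything else would be NXDOMAIN.
MOCK_LISTED = {
    "12.11.168.192.list-a.example.net",
    "12.11.168.192.list-b.example.net",
    "7.100.51.198.list-a.example.net",   # passlisted sender still on two lists
    "7.100.51.198.list-b.example.net",
    "5.113.0.203.list-c.example.net",    # only the weak list knows this sender
}


def reversed_ipv4(ip: str) -> str:
    """Reverse the octets of an IPv4 address for the DNSBL query name."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def score_sender(ip: str, listed: set = MOCK_LISTED) -> dict:
    """Apply every DNSBL rule plus the passlist and return a scored verdict."""
    rev = reversed_ipv4(ip)
    # One rule per list: each hit contributes that list's weight.
    hits = [zone for zone in RULES if f"{rev}.{zone}" in listed]
    score = sum(RULES[zone] for zone in hits)
    passlisted = any(ipaddress.ip_address(ip) in net for net in PASSLIST)
    if passlisted:
        score += PASSLIST_SCORE
    return {
        "ip": ip,
        "hits": hits,
        "passlisted": passlisted,
        "score": round(score, 2),
        "verdict": "spam" if score >= SPAM_THRESHOLD else "deliver",
    }


if __name__ == "__main__":
    for sender in ("192.168.11.12", "198.51.100.7", "203.0.113.5"):
        print(score_sender(sender))
```

The three sample senders show the point of scoring rather than blocking outright: a sender on two reputable lists crosses the threshold, a passlisted sender on the same two lists is still delivered, and a sender known only to the low-weight list is delivered because one weak hit is not enough on its own.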


DNSBL: Advantages and disadvantages

DNS-based Blackhole Lists are one of the most important parts of fighting spam, especially from the perspective of the user. The fact that listed entries can be queried via DNS makes the services quick and easy for mail servers to use, making it possible to present a filtered inbox without any noticeable effect on performance. The query method is easy to implement for developers and operators of email servers.

However, DNSBL services do come with a series of problems and difficulties, especially in terms of being trustworthy and up to date. There is, for example, no guarantee that the entries in a DNSBL are justified and regularly updated by the DNSBL provider. Additionally, it’s often very difficult to remove addresses from the register of a DNS-based Blackhole List once they’ve landed on the list. Users of IPs that have been hacked in the past and used for spam will have a hard time rehabilitating their address.

If you regularly send large quantities of emails, you should consider a dedicated IP from a provider you trust, to keep the reputation of the address in your own hands and have a strong partner on your side should worst come to worst.
