DNSBL: Encyclopedia II - DNSBL - DNSBL Operation

DNSBL - DNSBL Operation

To operate a DNSBL requires three things: a domain to host it under, a nameserver for that domain, and a list of addresses to publish.

It is possible to serve a DNSBL using BIND, the popular DNS software. However, BIND is inefficient for zones containing large numbers of addresses, particularly DNSBLs which list entire Classless Inter-Domain Routing netblocks. DNSBL-specific software—such as Michael J. Tokarev's rbldnsd or Daniel J. Bernstein's rbldns—is faster, uses less memory, and is easier to configure than the general-purpose BIND. Alternatively, Simplicita Software offers a commercial DNSBL server that provides additional benefits such as point-in-time auditing and 24/7 IP address monitoring.

The hard part of operating a DNSBL is populating it with addresses. DNSBLs intended for public use usually have specific, published policies as to what a listing means, and must be operated accordingly to attain or keep public confidence.

DNSBL - DNSBL Queries

When a mail server receives a connection from a client, and wishes to check that client against a DNSBL (let's say, spammers.example.net), it does more or less the following:

1. Take the client's IP address—say, 192.168.42.23—and reverse the bytes, yielding 23.42.168.192.
2. Append the DNSBL's domain name: 23.42.168.192.spammers.example.net.
3. Look up this name in the DNS as a domain name ("A" record). This will return either an address, indicating that the client is listed; or an "NXDOMAIN" ("No such domain") code, indicating that the client is not.
4. Optionally, if the client is listed, look up the name as a text record ("TXT" record). Most DNSBLs publish information about why a client is listed as TXT records.

Looking up an address in a DNSBL is thus similar to looking it up in reverse-DNS. The differences are that a DNSBL lookup uses the "A" rather than "PTR" record type, and uses a forward domain (such as spammers.example.net above) rather than the special reverse domain in-addr.arpa.

There is an informal protocol for the addresses returned by DNSBL queries which match. Most DNSBLs return an address in the 127.0.0.0/8 IP loopback network. The address 127.0.0.2 indicates a generic listing. Other addresses in this block may indicate something specific about the listing—that it indicates an open relay, proxy, spammer-owned host, etc. [2]

DNSBL - DNSBL Policies

Different DNSBLs have different policies. DNSBL policies differ from one another on three fronts:

• Goals. What does the DNSBL seek to list? Is it a list of open-relay mail servers or open proxies—or of IP addresses known to send spam—or perhaps of IP addresses belonging to ISPs that harbor spammers?
• Nomination. How does the DNSBL discover addresses to list? Does it use nominations submitted by users? Spam-trap addresses or honeypots?
• Listing lifetime. How long does a listing last? Are they automatically expired, or only removed manually? What can the operator of a listed host do to have it delisted?

Adapted from the Wikipedia article "DNSBL Operation", under the G.N U Free Docmentation License. Please also see http://en.wikipedia.org/wiki