Before we get started here, if you are already aware what a DNSBL is, yes, I know that my post title is redundant; a little like ATM machine. :)
I recently acquired an additional IP address from which to run my website, email server, IRC server, etc. However, upon sending my first email, I noticed a few providers were blocking my server. This was no surprise of course. I could be wrong, but I suspect that every single IP address in the /0 range has been used for spamming at some point in time. No problem though (well, it is). I just needed to clean up its reputation.
So, I started work on cleaning up the reputation of my new IP. First stop: mxtoolbox.com. When I ran their blacklist checker, I noticed my IP was on only one blacklist. I contacted them (SORBS) and requested my IP be de-listed.
This process got me thinking though. How do the DNS blacklists work? I went to the one provider who had marked my IP as blacklisted to see how I could query their list for future checks, and noticed they used something called DNSBL.
A DNSBL, or DNS BlackList or DNS Blackhole List, is an extension of DNS A and TXT records that allows these records to be used to mark IP addresses as known sources of spam. Since this is done with DNS, querying is relatively easy, as the tooling and protocol are relatively standardized.
For further reading, see the Wikipedia article.
Querying a DNSBL is actually fairly simple if you know how to use the dig command (the olde timey nslookup should also work, though the output format won’t be identical).
Let’s assume for this example that we want to check the IP address for my web server: 220.127.116.11. Given that my new IP was blacklisted by the SORBS DNSBL, we’ll use their endpoint for testing purposes. This is dnsbl.sorbs.net.
First, we need to reverse the IP address octet order.
18.104.22.168 -> 22.214.171.124
Second, we need to prepend the DNSBL endpoint with this reversed IP.
Finally, we dig the A record for that endpoint.
dig -t a +short 126.96.36.199.dnsbl.sorbs.net
In +short (hehe), if you get an empty response back from the dig query, the IP isn’t on the blacklist. If you do get a response back, it is on the blacklist. Many blacklists return different responses to indicate blacklist status, so unfortunately, we can only easily rely on the binary is (response) or is not (no response) blacklisted states.
Fortunately however, many of the DNSBL maintainers will publish more detailed reasons for blacklisting the IP via DNS TXT records. If you want to query that, just follow the previous instructions, but query for a TXT record instead of an A record. Example:
dig -t txt +short 188.8.131.52.dnsbl.sorbs.net
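The three steps above, wrapped into one lookup with input validation so that only a well-formed dotted-quad ever ends up in the DNS query name. This is an added example, not the dnsbl-check script mentioned below; the function names dnsbl_name and dnsbl_check are hypothetical, and 192.0.2.10 is a constructed address from the documentation range.

```shell
#!/bin/sh
# Added example: build and run a DNSBL lookup for one IPv4 address.

# dnsbl_name IP ZONE -> prints "<reversed octets>.<zone>".
# Returns 1 unless IP is exactly four decimal octets in the range 0-255.
dnsbl_name() {
    ip=$1 zone=$2
    # Reject empty input, anything but digits and dots, and a trailing dot.
    case $ip in
        ''|*[!0-9.]*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip              # split the address on dots into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|????*) return 1 ;;   # empty or longer than three digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    # Steps 1 and 2: reverse the octet order, then append the DNSBL zone.
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# dnsbl_check IP ZONE -> step 3 (A record), then the TXT reason if listed.
# Exit status: 0 listed, 1 not listed, 2 invalid address.
dnsbl_check() {
    name=$(dnsbl_name "$1" "$2") || { echo "invalid IPv4 address: $1" >&2; return 2; }
    answer=$(dig -t a +short "$name")
    if [ -z "$answer" ]; then
        echo "$1 : not found on $2"
        return 1
    fi
    echo "$1 : found on $2 (A answer: $answer)"
    dig -t txt +short "$name"
}

# Runs only when called with two arguments, for example:
#   sh dnsbl.sh 192.0.2.10 dnsbl.sorbs.net
if [ $# -eq 2 ]; then
    dnsbl_check "$1" "$2"
fi
```
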
There are lots of DNSBLs out there and checking each one by hand is a real pain. That is why sites like mxtoolbox exist. However, if you are interested in looking this information up for yourself, I wrote a handy script to help!
You can find the source code here.
I recommend downloading it with git clone though, as it contains a config file with a known list of 52 common DNSBL endpoints that the script points to by default.
git clone https://oper.io/src/nullspoon/dnsbl-check.git
To use it, just type…
It will check all of the DNSBL endpoints in the config file for your specified IP.
Some sample output:
all.s5h.net : Not found
b.barracudacentral.org : Found
bl.emailbasura.org : Not found
bl.spamcannibal.org : Not found
bl.spamcop.net : Not found
blacklist.woody.ch : Found
bogons.cymru.com : Not found
cbl.abuseat.org : Not found
cdl.anti-spam.org.cn : Not found
If you know any DNSBL endpoints you want me to add to the default config, send me an email and I’ll get it added.
Last edited: 2018-11-04 00:01:00 UTC