TechTheft

Building a DNSBL


What is a DNSBL?

A DNSBL (whether read as Black, Block, or Boycott List) is quite simply a list of IP addresses published via the Internet's Domain Name System (DNS).

DNSBLs can be built:
  • by anyone with a computer
  • for any purpose
  • with any criteria

Indeed, there is a DNSBL in existence which blocks every computer connected to the Internet, and one (CUBL) that lists 1,000 random machines and changes the list every day, just for the heck of it.

A DNSBL is made up of 'zones'. Each zone is a distinct list of IPs which can be queried individually for the presence of an IP. Zones have, for the purpose of this document, been split into four categories:

Comical - listing for absurd reasons, e.g. existence of a PC, owner swore while in a chat room, etc. These zones should not be used to affect Internet traffic under any circumstances.

Objective - listing fixed and clearly defined groups of IPs, e.g. IP by country, IP by service type, etc. These zones are primarily used for research or Internet boycott purposes. The listings are largely static due to the nature of the organisations and IPs listed.

Security - listing groups of IPs objectively but without a fixed basis, e.g. RFC-Ignorant lists networks ignoring common standards, Open-Relay Database lists insecure email relays, etc. These zones list IPs on some testable service or state. Yet the IPs listed can be volatile, as some machines move around and problems are fixed.

Policy - listings created to perform some public service, e.g. SPEWS identifies networks supporting spam email, SpamCop identifies sources of spam email, etc. These zones are used by administrators and home users to restrict access to the Internet based on their own policies. Where an administrator's local policies match the listing criteria of a zone, the zone may be used to enforce those policies and reduce the work the administrator has to do.

Many commonly known DNSBLs (SPEWS, SpamCop, SORBS, ORDB, MAPS, etc.) have zones which are a combination of the Policy and Security types. A good example of this is a spam email listing: an entry is caused by a machine originating a spam email. That receiving action is not testable at a later time, so it is Policy. Repeated hits from an IP can cause expansion of a listing via WHOIS lookup, which is testable and therefore becomes Security (WHOIS will report differently only when ownership changes), but the entry is still kept in the list because of a Policy listing.
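
How a zone is "queried individually for the presence of an IP", as an added example that is not part of the original page: the address is reversed, prefixed to the zone name, and looked up as an A record, with listings answered from 127.0.0.0/8 (the convention documented in RFC 5782). The zone names under `.example`, the sample answers and the function names are constructed for illustration.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # RFC 5782 answer range

def dnsbl_query_name(ip, zone):
    """Build the DNS name that asks `zone` whether `ip` is listed."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                  # one label per octet
    else:
        labels = list(addr.exploded.replace(":", ""))  # one label per nibble
    return ".".join(reversed(labels)) + "." + zone.strip(".")

def system_resolver(name):
    """A-record lookup via the OS resolver; [] when there is no answer."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        # NXDOMAIN and resolver failure both land here, so an outage
        # reads as "not listed" (fail-open). Log it if that matters to you.
        return []

def check_zones(ip, zones, resolve=system_resolver):
    """Return {zone: [return codes]} for every zone that lists `ip`."""
    hits = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        # Only 127.0.0.0/8 answers count. A parked or wildcarded domain
        # that answers every name with a web server IP is not a listing.
        codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]
        if codes:
            hits[zone] = codes
    return hits

# Constructed sample data: zones and answers are made up for this example.
SAMPLE_ANSWERS = {
    "99.2.0.192.policy.dnsbl.example": ["127.0.0.2"],
    "99.2.0.192.security.dnsbl.example": ["127.0.0.4", "127.0.0.2"],
    "99.2.0.192.parked.dnsbl.example": ["203.0.113.10"],  # not a listing
}
SAMPLE_ZONES = ["policy.dnsbl.example", "security.dnsbl.example",
                "objective.dnsbl.example", "parked.dnsbl.example"]

def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name, [])

if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.99", "policy.dnsbl.example"))
    print(check_zones("192.0.2.99", SAMPLE_ZONES, resolve=sample_resolver))
```

The meaning of each return code (for example `127.0.0.2` versus `127.0.0.4`) is defined by the individual zone, so check the operator's documentation before mapping codes to actions.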