DNSBL Usage


DEFINITION: "Domain Name System BlockList" (DNSBL)

What is a DNSBL?

FOR POSTMASTERS

Why use a DNSBL?
How to use a Spamhaus DNSBL?
Which DNSBL should be used?
Is a private DNS server required in order to use Spamhaus DNSBLs? Rsync or DQS?
What do the 127.*.*.* Return Codes mean?
How do I check my DNS server results?
Free Use vs Commercial Use
Using SpamAssassin and Rspamd with Spamhaus data
Questions about the Spamhaus DNSBL network reliability and speed
Are there any other DNSBL uses that could help?
Can the Spamhaus DNSBL be used on a web server or other applications?
What about lookups using the Spamhaus Blocklist Removal Center?
What is the "Data Feed"? (rsync)
What is DQS? (Data Query Service)

TROUBLESHOOTING

Your DNSBL blocks the whole Internet!
Your DNSBL blocks nothing at all!
I am getting a "This is not the DNSBL you're looking for" error, why?
I'm seeing bounces, but I don't find my IP address in your list... help?
Why is the A record missing for sbl/xbl/pbl/dbl/zen.spamhaus.org?



DEFINITION: "Domain Name System BlockList" (DNSBL)


What is a DNSBL?
A DNSBL is a "Domain Name System Block List": A list of IP address ranges or other information compiled and presented as a DNS zone.

Information in DNS format is easy to query and transport, and its small answers are very "light" on bandwidth overhead.

Spamhaus Zen is a DNSBL, as are its component zones of SBL, XBL, CSS, and PBL.

Spamhaus DBL is a domain DNSBL. It may be used to identify URL domains with poor domain reputation, or as a "Right Hand Side Block List" (RHSBL) for email addresses.



FOR POSTMASTERS


Why use a DNSBL?
Doing a DNSBL lookup on an email message during the SMTP connection is cheap in hardware cycles and system time. If the MTA already knows the incoming message is spam, it can deny the message before having to take any additional action; the DNS server may even have the result cached from previous attempts!

System costs of the alternatives, by comparison:
  • Passing it to a mail-scanner (medium cost);
  • Using a Bayesian filter (medium);
  • Running it through a virus scanner (medium to expensive);
  • Doing SpamAssassin network tests that check blocklists, DCC, pyzor, razor, etc. (medium to expensive).
Mail rejected by a DNSBL during delivery is not silently discarded. A realtime DNSBL rejection creates a delivery status notification (DSN) to the sender identifying the cause of the rejection, allowing troubleshooting on the sender's end.

Realtime rejection avoids the backscatter problem of some spam filters which accept delivery, close the connection, and then try to return the mail after it is determined to be spam.
  • Most spam and all viruses have forged sender addresses, and so the bounce would be sent to an innocent third party (if it is deliverable at all). This can be extremely disruptive to the third party!
Using the SBL, XBL & PBL lists together, or the combined Spamhaus Zen zone (recommended), rejects a large amount of spam and virus mail with very low "false positive" rejections of legitimate mail.


How to use a Spamhaus DNSBL?
This FAQ entry assumes that the reader is running their own mail server and has a developed technical understanding of how mail servers and DNSBLs work. Any DNSBL that is chosen for use should be fully understood before deployment.

All modern mail servers have a "DNSBL" feature (sometimes called "RBL Servers" or "Blacklist"). If it appears not to, please refer to the "Help" file or ask the mail server vendor for clarification.

The Spamhaus public mirrors can be used free of charge by querying "zen.spamhaus.org", if all three of the following criteria are met:
  1. Use of the Spamhaus DNSBLs is non-commercial;
    and
  2. Email traffic is less than 100,000 SMTP connections per day;
    and
  3. DNSBL query volume is less than 300,000 queries per day.
If traffic volume is higher than 300k, please see our Spamhaus DNSBL Usage Terms page for additional information and a quote.

Remember, MTAs should be set to query a Spamhaus DNS zone such as "zen.spamhaus.org".
  • Do NOT automate queries of our website lookup form!
Other ways to use DNSBLs beyond just checking the connecting IP:
  • Our Effective Spam Filtering page has suggestions for checking URLs against SBL, which has excellent results.
  • "Nameserver IPs of connecting hosts" is another check which some admins have found effective.
    • If such a check is going to be utilized, be very careful which Spamhaus zone is selected for each step!
  • Checking against SBL is quite conservative and will have few false positives.
  • Checking against XBL is more aggressive and while it will catch more spam it may also intercept more non-spam mail.
  • Using URL checks against PBL is very risky; please ensure that how this will work is completely understood before deployment.
    • It will result in rejecting non-spam mail for most servers!
NOTE: Zen contains SBL, XBL and PBL combined, so the correct response will need to be chosen based on the 127 return code.


Which DNSBL should be used?
Which DNSBL to choose depends on what the desired outcome is, and whether it is for small-volume or professional use.

For IP-based datasets, we recommend using our 3-in-1 zone, Spamhaus Zen:
  • Zen can be used by all modern mail servers by setting the mail server's anti-spam DNSBL feature (also called "Blacklist DNS Servers" or "RBL servers") to query zen.spamhaus.org .
  • The subzones of Zen (SBL, XBL, PBL) should not be queried separately.
  • The 3 subzones of Zen are:
    • The "Spamhaus Block List" (SBL)
      • The SBL lists IPs identified to Spamhaus’ best ability as likely to be:
        • Direct spam sources
        • Spammer hosting/DNS
        • Spam gangs
        • Spam support services.
    • The "Exploits Block List" (XBL)
      • Automated tools observe email traffic at spamtrap and production mail servers in near-real-time to find characteristic patterns of malware or botnet-infected computers. It lists IP addresses that are hosting:
        • Bots
        • Malware-infected computers.
    • The "Policy Block List" (PBL)
      • PBL is a list of IP space that should not be sending email directly to the Internet: often these are IP ranges assigned by ISPs to broadband or dial-up customers, but the PBL does include other types of IP space.
For domain-based datasets, we recommend using the Spamhaus DBL.
  • The Domain Block List (DBL) is a list of domain names with poor reputations.
  • The DBL lists ONLY domains. The DBL should not be used to query for IP addresses.
Other DNSBLs published by other organizations can also be used. Information, reputation, and opinions about other DNSBLs are available on the web.
  • Careful selection and implementation of DNSBLs, including the order in which a mail server queries various zones, can provide optimal performance and spam protection.
NOTE: With so many different mail servers in use we cannot offer technical help with setting up the query system. For instructions on how to configure a specific mail server to use the Spamhaus zones, please refer to that mail server's documentation or manuals, or ask your mail server administrator.
  • As a general rule, DNSBLs - particularly PBL - should not be applied to outbound mail.
  • Authenticating users via SMTP Authentication is strongly recommended and avoids the need to whitelist and maintain authorized dynamic ranges.
An expanded set of data is available in the DQS offering of our commercial sister company, Spamhaus Technologies, Ltd.

An overview of Effective Spam Filtering strategies explains additional uses of various Spamhaus datasets in tools like SpamAssassin or Rspamd.



Is a private DNS server required in order to use Spamhaus DNSBLs? Rsync or DQS?

It is not necessary, but it is worth considering.

Spamhaus DNSBL data can be accessed and used through the global Domain Name System (DNS).

  • The DNS traffic itself carries the questions and answers about the DNSBL status (listed or not listed) of IP addresses and domains;
  • Normally one or more DNS servers (typically two) are configured in an operating system.
    • Those are the IP addresses of the servers that handle all the DNS requests made by your applications, and therefore those DNS servers will carry your Spamhaus DNSBL requests, too.

There are several ways to access Spamhaus DNSBL data:

  • For many small, low-volume users' mail servers, Spamhaus data is available via our own global network of mirrors.
    • These low-volume mail servers issue a DNS query via the locally specified DNS server.
      • that DNS server could be operated locally on the same computer,
      • on the same network as the mail server,
      • operated by a hosting ISP or other outsourced DNS provider,
      • or it could be an "open" or "public" DNS server that answers anyone who queries it.

For higher-volume clients which exceed a query volume threshold, our expectation is that they use one of the following:

  • The Spamhaus Datafeed Rsync Service
    • This delivers the DNSBL zone data to their own local DNS server.
    • In order to utilize Datafeed Rsync, users must run a local DNS server which receives and stores Spamhaus data and answers their queries.
  • The Datafeed Query Service (DQS)
    • DQS queries work just like small-user queries, via whatever DNS server is configured in the operating system.
Most ISPs, hosting and DNS service providers are very careful about providing highly accurate DNS results. As long as legitimate DNS servers are used, our DNSBL zones will provide accurate answers and mail filtering will work correctly.

NOTE: There can be issues with using some consumer oriented ISPs and many "open" or "public" DNS services.
  • Some of them use NXDOMAIN hijacking to monetize null DNS answers as explained in this FAQ
  • Other public DNS servers are blocked from querying Spamhaus data; see this FAQ
Some public DNS providers provide non-hijacked responses for known DNSBL zones like Spamhaus, but such servers can be risky to use to answer DNSBL queries.

For additional information please see this related article on Spamhaus Technology's blog.


What do the 127.*.*.* Return Codes mean?
Spamhaus uses this general convention for return codes:

Return Code        Description
127.0.0.0/24       Spamhaus IP Blocklists
127.0.1.0/24       Spamhaus Domain Blocklists
127.0.2.0/24       Spamhaus Zero Reputation Domains list
127.255.255.0/24   ERRORS (not implying a "listed" response)

Currently used return codes for Spamhaus public IP zones:

Return Code   Zone   Description
127.0.0.2     SBL    Spamhaus SBL Data
127.0.0.3     SBL    Spamhaus SBL CSS Data
127.0.0.4     XBL    CBL Data
127.0.0.9     SBL    Spamhaus DROP/EDROP Data (in addition to 127.0.0.2, since 01-Jun-2016)
127.0.0.10    PBL    ISP Maintained
127.0.0.11    PBL    Spamhaus Maintained

127.0.0.5-7 are allocated to XBL for possible future use; 127.0.0.8 is allocated to SBL for possible future use.

See the DBL FAQ for return codes for DBL.

The following special codes indicate an error condition and must not be taken to imply that the object of the query is "listed":

Return Code       Zone   Description
127.255.255.252   Any    Typing error in DNSBL name
127.255.255.254   Any    Query via public/open resolver
127.255.255.255   Any    Excessive number of queries



How do I check my DNS server results?

A quick way to check that Spamhaus DNSBL responses are correct:

  • Run command-line DNS queries for a target known to be listed in a Spamhaus zone (127.0.0.2) and for a target known to be not listed (127.0.0.1).
    • A query for a "listed" object must answer with a correct return code; for Spamhaus that would be one or more of our 127.* responses.
    • Queries for "not listed" objects must always return NXDOMAIN for mail filtering to work properly. For example:
$ dig +short @DNS.server 2.0.0.127.zen.spamhaus.org
127.0.0.10
127.0.0.4
127.0.0.2
$
$ dig +short @DNS.server 1.0.0.127.zen.spamhaus.org
Host 1.0.0.127.zen.spamhaus.org not found: 3(NXDOMAIN)
$
  • The command "$ host 2.0.0.127.zen.spamhaus.org DNS.server" provides similar results.
  • In Windows, try "C:\>nslookup 2.0.0.127.zen.spamhaus.org".
NOTE:
It is critical to check for correct results for both 'listed' and 'not listed' queries. In either case, DNS.server in the above example represents the hostname or IP address of the DNS server you wish to query.

If the @DNS.server is not included on the command line query, the query will be handled by the DNS server configured in the local computer's OS. That is the server most people wish to check.

Checking our DBL zone uses similar DNS queries; see this DBL FAQ for details.

ADDITIONAL CHECKS
To confirm that the mail server will provide the correct results for delivery error messages, it is also valuable to check the TXT record of '2.0.0.127.zen.spamhaus.org' with 'dig' or 'host':
$ dig +short TXT 2.0.0.127.zen.spamhaus.org @DNS.server
"http://www.spamhaus.org/sbl/query/SBL233"
"http://www.spamhaus.org/query/bl?ip=127.0.0.2"

To find which DNS server(s) a unix, linux or OSX computer is using, run this command on the machine in question: "$ cat /etc/resolv.conf".
In Windows, the DNS servers are configured under "Control Panel/Network and Internet".


Free Use vs Commercial Use
Use of the Spamhaus DNSBLs via DNS queries to our public DNSBL mirrors is free of charge for low-volume non-commercial use. To check if you qualify for free use, please see the Spamhaus DNSBL Usage Terms.

Use of the Spamhaus DNSBLs by ISPs, corporations and networks with high email traffic, or commercial spam filter companies requires a subscription to either the dedicated Data Feed Service (rsync) or to DQS (Data Query Service), both run by Spamhaus Technology. Compare those options here.


Using SpamAssassin and Rspamd with Spamhaus data
We have developed our datasets with the goal of being as compatible as possible with existing software. The two biggest open source antispam projects are SpamAssassin and Rspamd.

To show the best way to use our data with these products, we have created two dedicated Github projects that contain the most up to date use-cases. The projects contain instructions, rulesets and code to make the best of our DQS product, both with the free version and with the paid-for zones.


Questions about the Spamhaus DNSBL network reliability and speed
How reliable is the Spamhaus DNSBL network?
  • The Spamhaus DNSBL network currently consists of over 80 servers distributed throughout the world.
  • They are mainly located in major co-location facilities with dedicated multi-megabit connections, and with extensive network peering at each facility.
  • The Spamhaus DNSBL network has been designed with complete redundancy and has never been "off the air" or unavailable since its inception in 2001.
How fast is the Spamhaus DNSBL network?
  • Our servers are very fast and run software optimized specifically for speedy DNSBL replies.
  • They are geographically distributed around the globe and connected via high-bandwidth pipes.
  • Query response time is typically in the low milliseconds and once a query is done, it is cached at the local DNS resolver for a period of time. That makes further queries "local" and extremely fast.
What happens if there is a delay?
  • Modern mail-servers process separate incoming messages in parallel, so a slight pause in processing of one message will have no effect on another.
  • DNS is inherently very efficient and uses a minimal amount of bandwidth.
  • Using a Spamhaus DNSBL will use far less bandwidth than having to accept every spam and virus email sent to your system.
  • By rejecting such email at the SMTP connection, no further data is sent thereby significantly reducing overall bandwidth use.
  • DNS caching by the local resolver means that not every query counts towards outside bandwidth use.
An additional benefit is that on the hardware side, servers won't have to do expensive post-delivery filtering and storage of spam messages.


Are there any other DNSBL uses that could help?
There are some additional, limited use cases.
  • The data in the SBL and XBL portions of the Spamhaus DNSBL zones can be used to prevent blog and guestbook spam and abuse.
  • Some Apache webserver plugins like mod_spamhaus and Squid DNSBL redirector can be used to ban blocklisted visitors to a website.
NOTE: Reading the FAQ on the XBL is a must before trying these techniques.


Can the Spamhaus DNSBL be used on a web server or other applications?
The SBL and XBL can be queried to prevent things such as blog-comment and guestbook spamming, click-fraud, and automated email address harvesting.
  • This can be done by programming application(s) to query our DNS servers to determine whether a specific IP address is on one of our blocklists.
  • Such queries can be used to stop posts from users who use IP addresses on the SBL or XBL to connect to a web site, or to block comment and guestbook posts that contain URLs hosted on IP addresses listed in the SBL or XBL.
Comment and guestbook posts can also be searched for URLs that contain domains found in our domain blocklist, the DBL. More information on what the Spamhaus DBL is, and how it works, can be found in the DBL FAQ.

There are open-sourced code bases available in Perl and PHP for performing DNS queries that can be found by searching the Web. Some useful web sites that have code to perform DNS lookups:

If you prefer to write your own code, below is the information you will need:

  • ZONE = zen.spamhaus.org
  • PROTOCOL & PORT = UDP/53
  • QUERY SYNTAX = <REVIP>.zen.spamhaus.org, where "<REVIP>" is the IP you are querying, reversed.
  • For example, if you want to check 192.168.25.1, you would query 1.25.168.192.zen.spamhaus.org.

  • RESPONSE CODES = the 127.0.0.x return codes described under "What do the 127.*.*.* Return Codes mean?" above.
General Advice:
  • We encourage applications to query zen.spamhaus.org and then parse the return code(s) to determine whether to block an IP, whenever possible.
  • This prevents unnecessary queries and speeds processing on your application.
  • If your application cannot parse return codes, you can query sbl.spamhaus.org to determine whether an IP address is on the SBL, and xbl.spamhaus.org to determine whether an IP address is on the XBL.
    • Either of these zones returns 127.0.0.2 if the IP address is on that blocklist.

WARNING! Do not block users using IP addresses listed on the PBL from accessing Web-based applications. The PBL is not a list of "spamming IP addresses"; treating the IP addresses on it as if they all belong to spammers will result in blocking large numbers of legitimate users. Consult the Spamhaus FAQ on the PBL for more information on what the PBL is and how it works.
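As an added example (not Spamhaus's own code), the Python below builds the reversed-IP query name described above and turns the Zen return codes from the table into an accept/reject/error decision, honouring the PBL warning for web applications. The `lookup` helper shells out to `dig` as the page's examples do; the zone name and codes are the ones on this page, and the sample answers are copied from the page's own dig output.

```python
"""Classify Spamhaus Zen return codes and turn them into a filtering decision."""
import ipaddress
import subprocess

ZONE = "zen.spamhaus.org"

# Return codes for the public IP zones, as published in the table above.
RETURN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL",
    "127.0.0.9": "SBL-DROP",
    "127.0.0.10": "PBL-ISP",
    "127.0.0.11": "PBL-Spamhaus",
}
# Special codes that signal an error, never a listing.
ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via public/open resolver",
    "127.255.255.255": "excessive number of queries",
}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Sample answers taken from the dig example on this page for 2.0.0.127.zen.spamhaus.org.
PAGE_SAMPLE = ["127.0.0.10", "127.0.0.4", "127.0.0.2"]


def query_name(ip, zone=ZONE):
    """Build <REVIP>.<zone>: 192.168.25.1 -> 1.25.168.192.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not an IPv4 address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify(answers):
    """Interpret the A records returned for a Zen query.

    answers: list of dotted-quad strings; an empty list stands for NXDOMAIN (not listed).
    Returns {"lists": set of zone names hit, "errors": [...], "hijacked": bool}.
    """
    result = {"lists": set(), "errors": [], "hijacked": False}
    for a in answers:
        if a in ERROR_CODES:
            result["errors"].append(ERROR_CODES[a])
        elif a in RETURN_CODES:
            result["lists"].add(RETURN_CODES[a])
        else:
            try:
                outside = ipaddress.ip_address(a) not in LOOPBACK
            except ValueError:
                outside = True  # not even an address: garbage answer
            # Anything outside 127.0.0.0/8 did not come from Spamhaus (NXDOMAIN
            # hijacking or a typosquatted zone name); never treat it as "listed".
            # Unknown 127.0.0.x values (reserved for future use) are simply ignored.
            if outside:
                result["hijacked"] = True
    return result


def decide(answers, web_application=False):
    """Return "reject", "accept" or "error" for one set of answers.

    web_application=True follows the warning above: PBL hits must not lock users
    out of web-based applications, so only SBL/XBL family codes count there.
    """
    info = classify(answers)
    if info["errors"] or info["hijacked"]:
        return "error"  # fail open: these answers are not a listing
    hits = info["lists"]
    if web_application:
        hits = {name for name in hits if not name.startswith("PBL")}
    return "reject" if hits else "accept"


def lookup(ip, server=None):
    """Query via dig, as the page's own examples do (needs network; not used by tests)."""
    cmd = ["dig", "+short"] + (["@" + server] if server else []) + [query_name(ip)]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return out.split()  # an empty list means NXDOMAIN (not listed)
```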



What about lookups using the Spamhaus Blocklist Removal Center?
The Blocklist Removal Center lookup tool is:
  • Provided for people to check their own IPs or domains.
  • Designed to direct any listed parties to the correct information for fixing the problem and removing the listing.
  • Intended for manual lookups only.
No automated lookups, please!

NOTE: Any perceived use of automated tools to access the web lookup system will result in firewalling or other countermeasures. Access to blocked IPs will result in "403 ERROR" HTTP responses.


What is the "Data Feed"? (rsync)
The Spamhaus dedicated Data Feed is an rsync zone transfer service for corporate networks, spam filter companies, and ISPs. The Data Feed transfers the Spamhaus DNSBL zones to a local DNS server on your network and keeps the zones synchronised every few minutes.


What is DQS? (Data Query Service)
Spamhaus Data Query Service (DQS) provides real-time access to a network of over 80 global Spamhaus mirrors (servers). It utilizes traditional DNS queries to ensure easy mail server configuration. Its users do not need to operate their own DNS servers. Some Spamhaus data sets are available exclusively via DQS. See Spamhaus Technology for more information about DQS.



TROUBLESHOOTING


Your DNSBL blocks the whole Internet!
There can be several reasons why a DNSBL can appear to list all IPv4 addresses (when it really doesn't):
  • Most common: the zone name is spelled incorrectly.
    • If a wrong domain such as 'spamhous.org' or 'spamhouse.com' is entered, the queries will go to some unrelated place which can answer queries with a valid A record containing an IP address (this is often done by typosquatters to catch web traffic).
    • Even if the IP is not a conventional Spamhaus DNSBL answer in the 127.0.0.x range, a mail server may still interpret it as a "listed" answer, and block the mail.

  • There are ISPs that can "hijack" some DNS replies. This is done to monetize website traffic
    • Instead of returning an NXDOMAIN ("not found") answer for a DNS request that cannot be found (resolved), a pointer to an advertising page or search page is given.
    • Many public or "open" resolvers, as well as some secure resolvers on cloud-based or wide area networks, use NXDOMAIN hijacking.
    • Since the Spamhaus "not listed in our zone" replies are the same as a "webpage not found" reply, users affected by this kind of scheme will always see an IP address returned rather than the correct NXDOMAIN DNS answer.
If DNS hijacking is the issue, there are three possible ways to resolve it:
  • Set up your own DNS resolver (the best solution from a technical perspective).
  • Instruct the mail server to ignore all response codes that are not in 127.0.0.0/8, because they come from a "man in the middle" hijacking, not from Spamhaus.
  • Contact your ISP or DNS provider to see if you can opt out of the DNS hijacking; if that fails, change DNS resolvers.
Finally, erroneously using DBL as an IP list rather than as a domain list may also have the effect of blocking all mail: see the DBL FAQs.
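The listed/not-listed check from "How do I check my DNS server results?" and the hijacking diagnosis above, as an added Python example that is not Spamhaus code: it parses dig or host output for the two canonical test queries and reports a misspelled zone, a Spamhaus error code, or a resolver that answers NXDOMAIN with an IP address. The sample outputs are constructed (two copied from this page's dig example; the hijacked one uses a TEST-NET address).

```python
"""Validate a resolver against the two canonical Spamhaus test queries."""
import ipaddress
import subprocess

ZONE = "zen.spamhaus.org"
LISTED_TEST = "2.0.0.127." + ZONE      # must answer with one or more 127.* codes
NOT_LISTED_TEST = "1.0.0.127." + ZONE  # must answer NXDOMAIN
ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via public/open resolver",
    "127.255.255.255": "excessive number of queries",
}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_short_output(output):
    """Turn 'dig +short' (or 'host') output into ("NXDOMAIN", []) or ("ANSWER", records).

    dig +short prints nothing for NXDOMAIN; host prints 'Host ... not found: 3(NXDOMAIN)'.
    """
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines or "NXDOMAIN" in lines[0]:
        return "NXDOMAIN", []
    return "ANSWER", lines


def _is_loopback(record):
    try:
        return ipaddress.ip_address(record) in LOOPBACK
    except ValueError:
        return False  # not an address at all


def check_resolver(listed_output, not_listed_output):
    """Return a list of problems; an empty list means the resolver is safe for Zen queries."""
    problems = []
    status, answers = parse_short_output(listed_output)
    if status == "NXDOMAIN":
        problems.append("listed test %s returned NXDOMAIN: zone name misspelled or "
                        "resolver cannot reach Spamhaus" % LISTED_TEST)
    else:
        for a in answers:
            if a in ERROR_CODES:
                problems.append("error code %s: %s" % (a, ERROR_CODES[a]))
            elif not _is_loopback(a):
                problems.append("non-127/8 answer %s: NXDOMAIN hijacking or typosquatted zone" % a)
        if not problems and "127.0.0.2" not in answers:
            problems.append("listed test did not return 127.0.0.2")
    status, answers = parse_short_output(not_listed_output)
    if status != "NXDOMAIN":
        problems.append("not-listed test %s answered %s instead of NXDOMAIN: the resolver "
                        "hijacks NXDOMAIN and will make every IP look listed"
                        % (NOT_LISTED_TEST, ",".join(answers)))
    return problems


def run_check(server=None):
    """Issue both dig queries against a resolver (needs network; not used by the tests)."""
    def dig(name):
        cmd = ["dig", "+short"] + (["@" + server] if server else []) + [name]
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return check_resolver(dig(LISTED_TEST), dig(NOT_LISTED_TEST))


# Constructed sample outputs: the first two are copied from the dig example on this page;
# the hijacked one uses a TEST-NET address standing in for an advertising server.
GOOD_LISTED = "127.0.0.10\n127.0.0.4\n127.0.0.2\n"
GOOD_NOT_LISTED = ""
HIJACKED = "203.0.113.5\n"
PUBLIC_RESOLVER = "127.255.255.254\n"
```

`run_check("192.0.2.53")` (a placeholder resolver address) performs the same check live against that server, or against the OS-configured resolver when called with no argument.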



Your DNSBL blocks nothing at all!
Sometimes a misconfiguration can make it appear that a DNSBL is blocking nothing.
  • The most common reason for this is a spelling error in the mailserver or DNSBL configuration.
  • If you are using a free "open DNS resolver" service such as the Google Public DNS (8.8.8.8) in most cases they will return a "not listed" (NXDOMAIN) reply from Spamhaus' public DNSBL servers.
    • We recommend using your own DNS servers when doing DNSBL queries to Spamhaus. If this is not possible, contact us for other options.
NOTE: Other free/open DNS resolvers include Alternate DNS, Comodo Secure, DNS.Watch, DynDNS, FreeDNS, Hurricane, NeuStar DNS Advantage, Norton ConnectSafe, OpenNIC, Puncat, Quad9, SafeDNS, Uncensored, Verisign, Yandex.DNS, or large cloud/outsourced public DNS servers, such as the ones operated by Level3, Verizon or AT&T. There are many more; this is not a complete list.


I am getting a "This is not the DNSBL you're looking for" error, why?
The domain "spamhaus.org" has probably been incorrectly spelled "spamhouse.org" in the mail server configuration. This is the error message defined by the people administering that domain (not us). Please see the relevant FAQ.


I'm seeing bounces, but I don't find my IP address in your list... help?
The most important question if an IP is found to be on any blocklist of any kind is: "Is this listing affecting delivery?"
  • There are lots of DNSBLs, and many will have no meaningful impact on email delivery in most cases.
  • Check your mail server logs before taking any action! If there are no bounces, there is no problem.
The Spamhaus Blocklists are only some of the many public DNSBL systems. In addition to publicly-queriable lists, many networks maintain their own private blocking lists, and DNSBLs are only one of many reasons that could cause a Delivery Status Notification (DSN), also commonly referred to as a "bounce". Here are some actions that can help make sense of the problem:
  • Read the bounce ('DSN') messages carefully; they often contain valuable information regarding why email was rejected.
    • Unfortunately, some of them are not accurate or helpful; sometimes they even indicate a Spamhaus list for no valid reason.
    • Since each system that rejects email may give a different reason, it can be helpful to read several of the bounces. It should be possible to find some that make sense and help to track down the problem.
  • Locate the IP address which was rejected, which is generally the IP address of your outbound mail server and is usually noted in the DSN message.
    • Test it in the "IP Removal" form on the Spamhaus website. This form queries all the most current Spamhaus zones.
    • If it does not show up when using this form, the address is not listed in any Spamhaus DNSBL.
A few websites which may help track down issues with DNSBLs other than Spamhaus:
NOTE: None of those sites runs a DNSBL itself. They cannot block any email. They are offered on a voluntary basis, are free of charge and do NOT offer support. Use their web services, but please don't abuse them!



Why is the A record missing for sbl/xbl/pbl/dbl/zen.spamhaus.org?
"I can't trace zen.spamhaus.org, I get 'host not found'..."
"All your DNSBLs are down! None of them resolve to an IP!"
"I can't ping zen.spamhaus.org..."


The Spamhaus DNSBL zones (sbl.spamhaus.org, xbl.spamhaus.org, sbl-xbl.spamhaus.org, pbl.spamhaus.org, zen.spamhaus.org & dbl.spamhaus.org) are not hosts or servers, they are DNS zones.
  • DNS zones map specially-formatted queries (such as '2.0.0.127.zen.spamhaus.org') to DNSBL servers which in turn provide authoritative answers to the DNSBL queries.
  • DNS zones do not normally have 'A' records, so a DNS zone can not resolve to an IP address or to a specific machine.
  • Trying to resolve or ping a DNS zone is like trying to resolve or ping '.com' (which is also a DNS zone) and '.com' doesn't have an 'A' record (so '.com' cannot be resolved to an IP address either).
Each of Spamhaus's DNSBL zones is load-balanced into sub-zones, served by over 80 DNSBL servers ('mirrors') located around the world. Our DNSBL server IP addresses change frequently as servers are added or removed from the pool, but the DNS zone always knows where to find them.

Never set an anti-spam filter to query the IP addresses of Spamhaus zone DNS servers, as these can change at any time. For IP address checks, always query only the advertised zones themselves: SBL, XBL, PBL, or preferably the combined Zen zone. For domains, use the DBL zone.


© 1998-2020 The Spamhaus Project SLU. All rights reserved.