Checking DNSBL Lists
====================
:author: Aaron Ball
:email: nullspoon@oper.io


Before we get started here, if you are already aware of what a DNSBL is, yes, I
know that my post title is redundant; a little like ATM machine. :)

I recently acquired an additional IP address from which to run my website,
email server, irc server, etc. However, upon sending my first email, I noticed
a few providers were blocking my server. This was no surprise of course. I
could be wrong, but I suspect that every single IP address in the /0 range has
been used for spamming at some point in time. No problem though (well, it is).
I just needed to clean up its reputation.

So, I started work on cleaning up the reputation of my new IP. First stop:
link:https://mxtoolbox.com/[mxtoolbox.com]. When I ran their
link:https://mxtoolbox.com/blacklists.aspx[blacklist checker], I noticed my IP
was on only one blacklist. I contacted them (SORBS) and requested my IP be
de-listed.

This process got me thinking though. How do the DNS blacklists work? I went to
the one provider who had marked my IP as blacklisted to see how I could query
their list for future checks, and noticed they used something called DNSBL.


What is a DNSBL
---------------

A DNSBL, or **DNS** **B**ased **L**ist, is an extension of DNS A and TXT records
that allows these records to be used to mark IP addresses as known sources of
spam (or other things). Since this is done with DNS, querying is relatively
easy, as the tooling and protocol are relatively standardized.

For further reading, see the link:https://en.wikipedia.org/wiki/DNSBL[Wikipedia
article].


How to Query a DNSBL
--------------------

Querying a DNSBL is actually fairly simple if you know how to use the **dig**
command (the olde timey nslookup should also work, though the output format
won't be identical).

Let's assume for this example, we want to check the IP address for my web
server: __46.22.210.153__. Given that my new IP was blacklisted by the SORBS
DNSBL, we'll use their endpoint for testing purposes. This is
__dnsbl.sorbs.net__.

First, we need to reverse the IP address octet order.

  46.22.210.153 -> 153.210.22.46


Second, we need to prepend the DNSBL endpoint with this reversed IP.

  153.210.22.46.dnsbl.sorbs.net


Finally, we dig the A record for that endpoint.

  dig -t a +short 153.210.22.46.dnsbl.sorbs.net


DNSBL Responses
---------------

In +short (hehe), if you get an empty response back from the dig query, the IP
**isn't** on the blacklist. If you do get a response back, it **is** on the
blacklist. Many blacklists return different responses to indicate blacklist
status, so unfortunately, we can only easily rely on the binary **is**
(response) or **is not** (no response) blacklisted states.

Fortunately however, many of the DNSBL maintainers will publish more detailed
reasons for blacklisting the IP via DNS TXT records. If you want to query that,
just follow the previous instructions, but query for a TXT record instead of an
A record. Example:

  dig -t txt +short 153.210.22.46.dnsbl.sorbs.net

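The query-name construction and the response check described above, as shell functions added here (not part of the author's dnsbl-check.sh; the function names are hypothetical). It goes one step beyond the binary check: it validates the address first and, following RFC 5782, counts only answers in 127.0.0.0/8 as a listing, so any other answer is flagged instead of being read as "blacklisted".

```shell
#!/bin/sh
# Added example: function names are hypothetical, not taken from dnsbl-check.sh.

# Print the DNSBL query name for an IPv4 address and a zone, or return 1 if
# the address is malformed (this is the octet reversal done by hand above).
dnsbl_qname() {
  ip=$1 zone=$2
  case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    case $o in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
    [ "$o" -le 255 ] || return 1
  done
  printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Classify the output of `dig -t a +short <qname>`. RFC 5782 has lists answer
# with addresses in 127.0.0.0/8, so any other answer (for example from a
# resolver that rewrites NXDOMAIN) is reported instead of counted as a listing.
dnsbl_classify() {
  [ -n "$1" ] || { echo "not-listed"; return 0; }
  for a in $1; do
    case $a in
      127.*.*.*) ;;
      *) echo "unexpected:$a"; return 0 ;;
    esac
  done
  echo "listed"
}

# Query one zone for one address (needs dig and network access).
dnsbl_check() {
  qname=$(dnsbl_qname "$1" "$2") || { echo "bad IPv4 address: $1" >&2; return 2; }
  printf '%-26s : %s\n' "$2" "$(dnsbl_classify "$(dig -t a +short "$qname")")"
}

# Stand-alone use: sh this-file <ip> <zone>
if [ "$#" -eq 2 ]; then dnsbl_check "$1" "$2"; fi
```

An `unexpected:` result is worth a manual look at the TXT record and the resolver in use before treating the address as listed.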

Easier Script
-------------

There are lots of DNSBLs out there and checking each one by hand is a real
pain. That is why sites like mxtoolbox exist. However, if you are interested in
looking this information up for yourself, I wrote a handy script to help!

You can find the source code link:/src/nullspoon/dnsbl-check.git/[here].

I recommend downloading it with git clone though, as it contains a config file
with a known list of 52 common DNSBL endpoints that the script points to by
default.

  git clone https://oper.io/src/nullspoon/dnsbl-check.git

To use it, just type...

  ./dnsbl-check.sh <ip>

It will check all of the DNSBL endpoints in the config file for your specified
IP.

Some sample output:

----
all.s5h.net : Not found
b.barracudacentral.org : Found
bl.emailbasura.org : Not found
bl.spamcannibal.org : Not found
bl.spamcop.net : Not found
blacklist.woody.ch : Found
bogons.cymru.com : Not found
cbl.abuseat.org : Not found
cdl.anti-spam.org.cn : Not found
----

If you know any DNSBL endpoints you want me to add to the default config, send
me an email and I'll get it added.


[role="datelastedit"]
Last edited: {docdate} {doctime}