What is DNSBL and Why Use It?

In this article, we will talk about Domain Name System BlackLists (DNSBL), Real-time Blackhole Lists, and how they are used today, as well as their history and why you should opt for one for purposes of improved cybersecurity.

Updated: 14 Dec, 21 by Antoniy Yushkevych 4 Min

List of content you will read in this article:

No one likes spam, and while most of it is simply a slight annoyance, there can be dangerous implications to not filtering your incoming mail. While simple spam can just be deleted, certain unwanted messages can include malicious code or links that take you to phishing sites. In order to improve your protection against such attacks, and to simply get rid of pesky spam messages, many turn to a DNSBL.

 

Domain Name System Blacklists (DNSBL) are spam blocking lists that allow system moderators to block messages from specific systems that have a history of sending spam.  As the name suggests, these lists are based on the Domain Name System (DNS) which converts numerical IP addresses into domain names. If the maintainer of the DNSBL receives spam from a specific domain name, that server would be blacklisted and all messages sent from it would either be flagged or rejected by any sites that use the said list.

There are three basic components that make up a DNSBL:

  • A domain name to host it under
  • A server to host the aforementioned domain
  • A list of addresses that make up the blacklist

 

The first DNSBL was created by MAPS (i.e. Mail Abuse and Prevention System) in 1997. They called it the Real-time Blackhole List (RBL) and its original purpose was to block spam emails and educate ISPs and other websites on spam and its prevention. Nowadays, DNSBLs are rarely used for educational purposes, however, their primary purpose as a spam blocker and filter is being served to this day. In fact, nearly all email servers support at least one DNSBL in order to minimize the amount of junk mail their users receive.

 

More than 20 years have passed since the introduction of RBL, and since then, dozens of different blacklists have sprung up and are available for public use. They all have their own criteria of what they do and do not consider spam, therefore all of them have their own lists. Because of this, DNSBLs vary vastly from one another. Some are way stricter than others, and some are much more lenient. There are DNS blacklists that list sites only for a set amount of time since the last received spam, while others are monitored and managed completely manually. In fact, some of the DNSBLs not only block the IP address of the website but even sometimes entire Internet Service Providers (ISPs) known to host spammers.

The variety of DNS blacklists available allows the user to choose the desired blacklists based on how well the DNSBL’s criteria for spam match with the user’s needs. Less lenient lists might allow some spam to be let through, but not block misidentified non-spam messages and vice versa.

 

Doing a DNSBL lookup on an email message during the SMTP connection is cheap in hardware cycles and system time. If the MTA already knows the incoming message is spam it can deny a spam message before having to take additional action; The DNS server may even have the results cached from previous attempts!

System costs:

  • Passing it to a mail-scanner (medium cost);
  • Using a Bayesian filter (medium)
  • Running it through a virus scanner (medium to expensive)
  • Doing SpamAssassin network tests that check blocklists, DCC, pyzor, razor, etc. (medium to expensive)

Mail rejected by a DNSBL during delivery is not silently discarded. A real-time DNSBL rejection creates a delivery status notification (DSN) to the sender identifying the cause of the rejection, allowing troubleshooting on the sender's end. Real-time rejection avoids the backscatter problem of some spam filters which accept delivery, close the connection, and then try to return the mail after it is determined to be spam.

 

Having a DNSBL is recommended, especially if you receive lots of spam. It can even reduce your chances of being a target of phishing and malicious code injection. We hope that with the help of this article, you were able to better understand what DNSBL is and why you should use it. If you have any questions or suggestions, please leave them in the comment section below.

Antoniy Yushkevych

Antoniy Yushkevych

Master of word when it comes to technology, internet and privacy. I'm also your usual guy that always aims for the best result and takes a skateboard to work. If you need me, you will find me at the office's Counter-Strike championships on Fridays or at a.yushkevych@monovm.com