A DNS-based Blackhole List, or DNSBL, is a means by which an Internet site may publish a list of IP addresses, in a format which can be easily queried by computer programs on the Internet. As the name suggests, the technology is built on top of the Internet DNS or Domain Name System. DNSBLs are chiefly used to publish lists of addresses linked to spamming. Most mail server software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists.

Table of contents
1 History of DNSBLs
2 DNSBL Operation
3 Terminology

History of DNSBLs

The first DNSBL was the Real-time Blackhole List (RBL), created in 1997 by Paul Vixie as part of his Mail Abuse Prevention System (MAPS). Vixie, an influential Internet programmer and administrator, encouraged the authors of sendmail and other mail software to implement RBL clients. These allowed the mail software to query the RBL and reject mail from listed sites. However, the purpose of the RBL was not simply to block spam -- it was to educate Internet service providers and other Internet sites about spam and related problems, such as open SMTP relays. Before an address would be listed on the RBL, volunteers and MAPS staff would attempt repeatedly to contact the persons responsible for it and get its problems corrected.

Soon after the advent of the RBL, others started developing their own lists with different policies. One of the first was Alan Brown's Open Relay Behavior-modification System (ORBS). This used automated testing to discover and list mail servers running as open mail relays -- exploitable by spammers to carry their spam. ORBS was controversial at the time because many people felt running an open relay was acceptable, and that scanning the Internet for open mail servers could be abusive.

In recent events (2003), a number of DNSBLs have come under denial-of-service attacks. Since no party has admitted to these attacks nor been discovered responsible, their purpose is a matter of speculation. However, many observers believe the attacks are perpetrated by spammers in order to interfere with the DNSBLs' operation or hound them into shutting down. In August 2003, the firm Osirusoft, an operator of several DNSBLs including one based on the SPEWS data set, shut down its lists after suffering weeks of near-continuous attack.

Major events: ORBS controversy, lawsuits, RBL commercialization, ORBS breakup, ORBZ, SBL, SPEWS, RHSBLs

DNSBL Operation

To operate a DNSBL requires three things: a domain under which to host it, a nameserver for that domain, and a list of addresses to publish.

It is possible to serve a DNSBL using BIND, the popular DNS software. However, BIND is inefficient for zones containing large numbers of addresses, particularly DNSBLs which list entire CIDR netblocks. DNSBL-specific software -- such as Michael J. Tokarev's rbldnsd or Daniel J. Bernstein's rbldns -- is faster, uses less memory, and is easier to configure than the general-purpose BIND.

The hard part of operating a DNSBL is populating it with addresses. DNSBLs intended for public use usually have specific, published policies as to what a listing means, and must be operated accordingly to attain or keep public confidence.

DNSBL Queries

When a mail server receives a connection from a client, and wishes to check that client against a DNSBL (let's say, spammers.example.net), it does more or less the following:

  1. Take the client's IP address -- say, 192.168.42.23 -- and reverse the bytes, yielding 23.42.168.192.
  2. Append the DNSBL's domain name: 23.42.168.192.spammers.example.net.
  3. Look up this name in the DNS as a domain name ("A" record). This will return either an address, indicating that the client is listed; or an "NXDOMAIN" ("No such domain") code, indicating that the client is not.
  4. Optionally, if the client is listed, look up the name as a text record ("TXT" record). Most DNSBLs publish information about why a client is listed as TXT records.

DNSBL Policies

Different DNSBLs have different policies. DNSBL policies differ from one another on three fronts:

  • Goals. What does the DNSBL seek to list? Is it a list of open-relay mail servers or open proxies -- or of IP addresses known to send spam -- or perhaps of IP addresses belonging to ISPs that harbor spammers?
  • Nomination. How does the DNSBL discover addresses to list? Does it use nominations submitted by users? Spam-trap addresses or honeypots?
  • Listing lifetime. How long does a listing last? Are they automatically expired, or only removed manually? What can the operator of a listed host do, to have it delisted?

Terminology

The proprietary term RBL is sometimes erroneously used in place of the generic DNSBL. RBL is a service mark of MAPS LLC. Some pieces of mail software have configuration parameters for the use of "RBLs" or "RBL domains", used to set the DNSBLs that the software should use. This may be trademark dilution.

An RHSBL or Right-Hand-Side Blackhole List is a DNSBL which lists domain names rather than IP addresses. The term comes from the "right-hand side" of an email address -- the part after the @ sign -- which clients look up in the RHSBL.