DNS Blacklisting Explained
Blacklisting in computing refers to the access control system that denies entry to a specific list of IP addresses, email addresses, users and/or programs that are originating from known spammers. Most email applications support filtering capabilities so individuals and enterprises can use blacklists to filter out unwanted emails.
How are Blacklists used?
Companies like Google and Symantec keep internal blacklists so they can block sites that malware originate from. They will also display a message, warning a user of the suspected content before the user is allowed to continue. Your email spam filter contains a list of blacklisted addresses. Any mail sent from these addresses wouldn’t be allowed to reach its intended target. Firewalls incorporate Intrusion Detection Systems that use blacklists to block certain IP addresses and/or networks. Even your web browser is equipped to deal with fraudulent sites. Web browsers have the ability to review anti-phishing blacklists so they can warn the unsuspecting user who navigates to a rogue website.
DNS Blacklists are the most common blacklists used by IT administrators. DNS Blacklists are based on the Internet’s DNS which converts IP addresses to human readable network addresses. An example would be the IP address of 18.104.22.168 being converted to the web address of google.com, making it easier to search and use. Often times DNS Blacklists will also do what is called a “zombie check”. A zombie is any computer connected to the internet that has been compromised by a hacker, computer virus or Trojan horse, that can be used in a malicious attack while under remote control. DNS Blacklists check the addresses of zombie computers, the addresses of ISPs willing to host spammers and addresses which have sent spam to a honeypot system. A honeypot is a computer system on the Internet that is expressly set up to attract and “trap” people who attempt to penetrate other people’s computer systems.
Organizations such as SORBS (Spam and Open Relay Blocking System) and SpamHaus create and maintain the lists that many anti-spam software programs use to control spam, by blocking any emails that originate from domains contained in these DNS Blacklists.
The nuts and bolts behind DNS Blacklisting
There are three basic components necessary for DNS blacklisting. Those components are:
- A domain to host the Blacklist under.
- A name server to host that domain.
- A list of addresses to publish.
There are four steps a mail server performs to check an email sender against a DNS Blacklist:
- The receiving mail server reverses the octets of the senders mail server IP address. For example if your mail server address is 22.214.171.124 the reverse order of the octets is 10.154.45.174.
- The receiving mail server then appends the DNS Blacklists domain name. Continuing the example would yield 10.154.45.174.dnsbl.example.org.
- The receiving mail server then looks up this name in the DNS as a domain name. The result will either be an IP address indicating that the server is listed; or an “NXDOMAIN” (“No such domain”) code, indicating the sender is not on the list.
- If the sending mail server is blacklisted, the mail server will take the action configured in the mail server or anti-spam software.
In some instances the blacklist can be so restrictive that it’s difficult to send emails without them getting blocked by the spam filters or for a user to access certain systems. It’s important that an administrator carefully consider the needs of their employees before creating an Access Control List that it is too restrictive to the end users.