
Overview
A DNS blacklist is a database that holds a list of IP addresses or URLs associated with spam email, malicious websites and similar abuse. These lists are used to keep spam and malicious websites from reaching end users; for example, ISPs and mail servers commonly use them to prevent spam from getting to their users. Hundreds of DNS blacklists exist, and spam is only one of the types. The types include:
- Spam
- Image Spam
- Malware/Virus
- Phishing
- Botnet
- Compromised Machines
- Bogon
- etc
Some DNS blacklists are even country-based.
In this article, we will discuss how to use DNS blacklists and how they can improve the security of your network.
Types of DNS blacklists
How to use a DNS Blacklist
To check whether a URL or IP address is listed in a DNS blacklist, we can use the host command on Kali Linux. This queries the database of the specified blacklist.
The command format is:
host <IP address in reverse>.<blacklist domain>
For example, if we are checking IP address 123.456.789.000 against the dnsbl.sorbs.net blacklist, the command would be:
host 000.789.456.123.dnsbl.sorbs.net
Testing against non-malicious websites:
Testing against Google DNS server: (results: not found)
Testing against a non-malicious website: (results: not found)
Testing against malicious websites:
Testing against a malicious site 1: (results: found)
Testing against a malicious site 2: (results: found)
When an address is found in a blacklist, you may find another IP address at the end of the result. This is called a return code. In the example above, this is “127.0.0.2”. Depending on the blacklist, the return code may refer to a category that the malicious IP address falls under.
For example, these are the categories for the return codes from the Spamhaus DNS blacklists:

Find out more about Return Codes (for Spamhaus) here: https://www.spamhaus.org/faq/section/Spamhaus%20DBL#291:~:text=DBL%20USAGE%20QUESTIONS-,What%20do%20the%20127...*%20Return%20Codes%20mean%3F,-The%20DBL%20uses
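The lookup that the host command performs, written out as an added Python example (it is not code from this article or from any of the tools it mentions). The function names, the injectable resolve parameter and the .example zones are assumptions made for illustration, and the sample answers are constructed so the example runs without network access.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus documents 127.255.255.0/24 answers as query errors (for example,
# queries sent through a public resolver), not listings; other lists may differ.
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the blacklist zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".")

def check(ip, zone, resolve=socket.gethostbyname):
    """Return (status, return_code); status is 'listed', 'clean' or 'error'."""
    try:
        answer = ipaddress.IPv4Address(resolve(dnsbl_query_name(ip, zone)))
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_AGAIN:  # temporary resolver failure, not an answer
            return ("error", None)
        return ("clean", None)  # name does not exist: not on this list
    if answer not in LOOPBACK or answer in ERROR_RANGE:
        # e.g. a resolver that rewrites "not found" answers, or a refused query
        return ("error", str(answer))
    return ("listed", str(answer))

def check_many(ip, zones, resolve=socket.gethostbyname):
    return {zone: check(ip, zone, resolve) for zone in zones}

# Constructed sample answers (not real lookups); the zone names are placeholders.
SAMPLE = {
    "2.0.0.127.bl.example": "127.0.0.2",
    "2.0.0.127.hijacked.example": "203.0.113.10",
    "2.0.0.127.refused.example": "127.255.255.254",
}

def sample_resolver(name):
    if name in SAMPLE:
        return SAMPLE[name]
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")

if __name__ == "__main__":
    zones = ["bl.example", "hijacked.example", "refused.example", "other.example"]
    for zone, result in check_many("127.0.0.2", zones, sample_resolver).items():
        print(zone, result)
```

Treating only 127.0.0.0/8 answers as listings keeps a misbehaving resolver or a refused query from being read as "blacklisted", which would otherwise block legitimate mail or traffic.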
Pydnsbl – Python DNS Blacklist Checker
To be thorough when checking an IP address or URL, multiple DNS blacklists should be used. Doing this manually is tedious and time-consuming, so one solution is to use pydnsbl. pydnsbl is a Python library (PyPI) that can help you check an IP address or a URL against multiple DNS blacklists.
Find out more about pydnsbl here: https://pypi.org/project/pydnsbl/
Other Ways to Implement DNS Database:
Another tool for checking against multiple DNS blacklists is Pi-hole.
Pi-hole website: https://pi-hole.net/
Pi-hole Source Repository (GitHub): https://github.com/pi-hole/pi-hole
Conclusion
In conclusion, DNS blacklists are useful for filtering out unwanted traffic. They block incoming spam and unwanted emails and prevent users from visiting malicious sites. Using DNS blacklists adds another layer of security, improving your network’s overall security.
DNS blacklist resources
Online DNS blacklist checker:
- https://www.dnsbl.info/
- https://mxtoolbox.com/DNSLookup.aspx
- https://dnschecker.org/ip-blacklist-checker.php
DNS blacklist databases by type (each entry is the address used to query the database, NOT A WEBSITE):
- Spam
  - all.s5h.net
  - dnsbl-1.uceprotect.net
  - dnsbl-2.uceprotect.net
  - dnsbl-3.uceprotect.net
  - bad.virusfree.cz
  - truncate.gbudb.net.
  - combined.rbl.msrbl.net
  - rbl.mailspike.org
- Image Spam
  - combined.rbl.msrbl.net
- Malware/Virus
  - combined.rbl.msrbl.net
  - b.barracudacentral.org
  - combined.abuse.ch
  - bad.virusfree.cz
  - truncate.gbudb.net.
- Phishing
  - combined.rbl.msrbl.net
  - zen.spamhaus.org
  - uribl.spfbl.net
- Botnet
  - bad.virusfree.cz
  - zen.spamhaus.org
  - (DNS/download)
- Compromised Machines
  - bad.virusfree.cz
  - rbl.mailspike.org
- Bogon
  - bogons.cymru.com
Find other DNS blacklist databases (Also a database comparison):
https://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists