Your DNSBL blocks the whole Internet
There can be several reasons why a DNSBL can appear to list all IPv4 addresses (when it really doesn’t):
MOST COMMON: Using Amazon, Quad9, Google, Cloudflare or some other public/open DNS resolver – OR your network is querying our data using an IP that has generic rDNS. READ THIS FIRST.
Also common: the zone name is spelled incorrectly. If a wrong domain such as ‘spamhous.org‘ or ‘spamhouse.com‘ is entered, the queries go to some unrelated place, which can answer every query with a valid A record containing an IP address (typosquatters often do this to catch web traffic).
- Even if that IP is not a conventional Spamhaus DNSBL answer in the 127.0.0.x range, a mail server may still interpret any A record as a “listed” answer and block the mail.
There are ISPs that can “hijack” some DNS replies. This is done to monetize website traffic:
- Instead of returning an NXDOMAIN (“not found”) answer for a DNS request that cannot be found (resolved), a pointer to an advertising page or search page is given.
- Many public or “open” resolvers, as well as some secure resolvers on cloud-based or wide area networks, use NXDOMAIN hijacking.
- Since the Spamhaus “not listed in our zone” reply is the same NXDOMAIN answer as a “website not found” reply, users affected by this kind of scheme will always see an IP address returned rather than the correct NXDOMAIN DNS answer, so every address appears to be listed.
If DNS hijacking is the issue, there are three possible ways to resolve it:
- Set up your own DNS resolver (the best solution from a technical perspective).
- Instruct the mail server to ignore all answers that are not in 127.0.0.0/8, because they come from a “man in the middle” hijack, not from Spamhaus.
- Contact your ISP or DNS provider to see if you can opt out of the DNS hijacking; if that fails, change DNS resolvers.
Finally, erroneously using DBL (a domain list) as an IP list may also have the effect of blocking all mail: see the DBL FAQs.
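The checks described above (a misspelled zone, an NXDOMAIN-hijacking resolver, and the advice to ignore answers outside 127.0.0.0/8) can be scripted. The following is an added example, not Spamhaus code. It assumes the well-known test addresses 127.0.0.2 (always listed) and 127.0.0.1 (never listed), the Spamhaus error return codes in `ERROR_CODES`, and that legitimate Spamhaus zones end in `spamhaus.org` or `spamhaus.net`; `diagnose` takes a lookup function so it can be exercised against constructed answers without any network access.

```python
"""Classify DNSBL answers and sanity-check the resolver that produced them.

Added example, not Spamhaus code. Assumptions: the test addresses 127.0.0.2
(always listed) and 127.0.0.1 (never listed), the Spamhaus error return
codes in ERROR_CODES, and that real Spamhaus zones end in spamhaus.org or
spamhaus.net.
"""
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Special return codes Spamhaus uses to flag a broken setup instead of a listing.
ERROR_CODES = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query sent via a public/open resolver",
    "127.255.255.255": "excessive number of queries (rate limited)",
}


def reverse_ip(ip: str) -> str:
    """192.0.2.10 -> 10.2.0.192: DNSBL names use the octets in reverse order."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name to look up, e.g. 2.0.0.127.zen.spamhaus.org."""
    return f"{reverse_ip(ip)}.{zone.strip('.')}"


def interpret_answer(answers: list[str]) -> tuple[str, str]:
    """Decide what a DNSBL lookup result means.

    `answers` is the list of A records returned; an empty list stands for
    NXDOMAIN, which is the DNSBL's "not listed" reply.
    """
    if not answers:
        return "not_listed", "NXDOMAIN: the address is not in the zone"
    for a in answers:
        if a in ERROR_CODES:
            return "dnsbl_error", ERROR_CODES[a]
    # Only 127.0.0.0/8 answers can come from the DNSBL itself; anything else is
    # an NXDOMAIN-hijacking resolver or a typosquatted zone and must be ignored.
    codes = [a for a in answers if ipaddress.ip_address(a) in LOOPBACK]
    if not codes:
        return "ignored", f"answer {answers} is outside 127.0.0.0/8, not a listing"
    return "listed", f"return code(s) {codes}"


def live_query(name: str) -> list[str]:
    """A records for `name` via the system resolver; [] means NXDOMAIN (needs network)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def diagnose(zone: str, query=live_query) -> dict[str, str]:
    """Probe a zone through `query` and return the problems found ({} means healthy)."""
    problems = {}
    if not zone.rstrip(".").endswith(("spamhaus.org", "spamhaus.net")):
        problems["zone_name"] = f"{zone!r} does not look like a Spamhaus zone; check the spelling"
    verdict, detail = interpret_answer(query(dnsbl_query_name("127.0.0.2", zone)))
    if verdict == "dnsbl_error":
        problems["dnsbl_error"] = detail
    elif verdict != "listed":
        problems["test_address"] = f"127.0.0.2 should be listed but got: {detail}"
    # 127.0.0.1 must be NXDOMAIN; any A record here means NXDOMAIN hijacking or a wrong zone.
    fake = query(dnsbl_query_name("127.0.0.1", zone))
    if fake:
        problems["nxdomain_hijack"] = f"127.0.0.1 returned {fake} instead of NXDOMAIN"
    return problems


if __name__ == "__main__":
    # Live run through the system resolver; this is what to check first on a
    # mail server that suddenly rejects everything.
    problems = diagnose("zen.spamhaus.org")
    for key, msg in problems.items():
        print(f"{key}: {msg}")
    if not problems:
        print("resolver and zone look healthy")
```

Run it on the mail server itself, since it is that host's resolver that matters: an empty result means the zone answers 127.0.0.2 as listed and 127.0.0.1 as NXDOMAIN, so the resolver is not rewriting "not found" into an IP. A `dnsbl_error` of "query sent via a public/open resolver" is the public-resolver case from the top of this page; `nxdomain_hijack` together with `test_address` usually means a typo in the zone name.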