Your DNSBL blocks the whole Internet!
There can be several reasons why a DNSBL can appear to list all IPv4 addresses (when it really doesn’t):
- MOST COMMON: using Amazon, Quad9, Google, Cloudflare or some other public/open DNS resolver, OR your network is querying our data from an IP that has generic, unattributable rDNS. READ THIS FIRST.
- Frequent: the zone name is spelled incorrectly.
  - If an incorrect domain such as ‘spamhous.org’ or ‘spamhouse.com’ is entered, the queries go to some unrelated place, which may answer with a valid A record containing an IP address (typosquatters often do this to catch web traffic).
  - Even if that IP is not a conventional Spamhaus DNSBL answer in 127.0.0.0/8, a mail server may still interpret any A record as a “listed” answer and block the mail.
- Some ISPs “hijack” DNS replies to monetize website traffic:
  - Instead of returning NXDOMAIN (“not found”) for a name that does not exist, they return a pointer to an advertising page or search page.
  - Many public or “open” resolvers, as well as some secure resolvers on cloud-based or wide-area networks, use NXDOMAIN hijacking.
  - Since the Spamhaus “not listed in our zone” reply is the same NXDOMAIN as a “webpage not found” reply, users behind such a resolver always see an IP address returned instead of the correct NXDOMAIN answer, so every IP looks listed.
If DNS hijacking is the issue, there are three possible ways to resolve it:
- Set up your own DNS resolver (the best solution from a technical perspective).
- Instruct the mail server to ignore all responses that are not in 127.0.0.0/8, because they come from a “man in the middle” hijack, not from Spamhaus.
- Contact your ISP or DNS provider to see if you can opt out of the DNS hijacking; if that fails, change DNS resolvers.
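The two checks implied above (does the resolver return NXDOMAIN for a name that is not listed, and does every answer fall inside 127.0.0.0/8) can be automated. The following script is an added example, not Spamhaus code: it uses the RFC 5782 test points (127.0.0.1 must not be listed, 127.0.0.2 must be listed), treats any answer outside 127.0.0.0/8 as a hijacked or typosquatted reply exactly as the “ignore everything outside 127.0.0.0/8” mail-server rule does, and runs offline against three constructed resolver behaviours. The zone name zen.spamhaus.org, the 127.255.255.0/24 error-code range and the sample answers are assumptions for the illustration.

```python
"""Sanity-check a DNSBL zone for resolver hijacking or a misspelled zone name.

Added example (standard library only). RFC 5782 test points:
  <zone> must answer NXDOMAIN for 127.0.0.1 and an A record for 127.0.0.2.
Any answer outside 127.0.0.0/8 is a man-in-the-middle reply (NXDOMAIN
rewriting or a typosquatted zone) and must never count as a listing.
"""
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Assumption: Spamhaus uses 127.255.255.0/24 for diagnostic/error codes
# (e.g. "query via open resolver"); these are not listings either.
ERROR_CODES = ipaddress.ip_network("127.255.255.0/24")


def reverse_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises on malformed or IPv6 input
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone.rstrip(".")


def classify(answers) -> str:
    """Interpret a list of A-record answers (empty list = NXDOMAIN).

    not-listed : NXDOMAIN / no A records
    listed     : every answer is a conventional 127.0.0.0/8 listing code
    error-code : diagnostic code in 127.255.255.0/24, not a listing
    hijacked   : an answer outside 127.0.0.0/8 (ad server, parked domain),
                 the case the mail server must ignore rather than block on
    """
    if not answers:
        return "not-listed"
    addrs = [ipaddress.ip_address(a) for a in answers]
    if any(a not in LOOPBACK for a in addrs):  # IPv6 answers also land here
        return "hijacked"
    if any(a in ERROR_CODES for a in addrs):
        return "error-code"
    return "listed"


def lookup(name: str) -> list:
    """Resolve `name` with the system resolver; NXDOMAIN -> empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def probe_zone(zone: str, lookup_fn=lookup) -> dict:
    """Run both RFC 5782 probes; `lookup_fn` is injectable for offline use."""
    results = {}
    for probe_ip, expected in (("127.0.0.1", "not-listed"), ("127.0.0.2", "listed")):
        verdict = classify(lookup_fn(reverse_name(probe_ip, zone)))
        results[probe_ip] = (verdict, verdict == expected)
    return results


def diagnose(zone: str, lookup_fn=lookup) -> str:
    """Turn the probe results into one of the causes described in the FAQ."""
    res = probe_zone(zone, lookup_fn)
    v1, _ = res["127.0.0.1"]
    v2, _ = res["127.0.0.2"]
    if "hijacked" in (v1, v2):
        return "hijacked: resolver rewrites NXDOMAIN or the zone name is a typo"
    if v1 == "not-listed" and v2 == "listed":
        return "ok"
    if v2 == "error-code":
        return "error-code: check the resolver (open/public?) and the zone name"
    if v2 == "not-listed":
        return "no answer for 127.0.0.2: zone misspelled or unreachable"
    return "unexpected: " + repr(res)


# Constructed resolver behaviours (not real DNS data) so the script runs offline.
def honest_resolver(name):
    return ["127.0.0.2"] if name.startswith("2.0.0.127.") else []


def hijacking_resolver(name):
    # NXDOMAIN-rewriting resolver: every miss becomes an ad server address.
    return ["127.0.0.2"] if name.startswith("2.0.0.127.") else ["198.51.100.10"]


def typosquat_resolver(name):
    # Parked typo domain with a wildcard A record: everything "is listed".
    return ["203.0.113.7"]


if __name__ == "__main__":
    zone = "zen.spamhaus.org"  # assumed zone for the demonstration
    for label, fn in (("honest", honest_resolver),
                      ("hijacking", hijacking_resolver),
                      ("typosquat", typosquat_resolver)):
        print(f"{label:10s} -> {diagnose(zone, fn)}")
    # To test the resolver this host really uses, call diagnose(zone) with no
    # second argument; it then goes through socket.gethostbyname_ex.
```

Running `diagnose(zone)` without the injected resolver exercises the live system resolver; an “ok” verdict means NXDOMAIN comes back intact and the zone name is spelled right, while “hijacked” points at one of the resolver or typo causes listed above.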
Finally, erroneously using DBL as an IP list rather than as a domain list may also have the effect of blocking all mail: see the DBL FAQs.