Editing Domain Name System blocklist (section)

== Principle ==
To operate a DNSBL requires three things: a domain to host it under, a nameserver for that domain, and a list of addresses to publish.

It is possible to serve a DNSBL using any general-purpose [[Comparison of DNS server software|DNS server software]]. However this is typically inefficient for zones containing large numbers of addresses, particularly DNSBLs which list entire Classless Inter-Domain Routing netblocks. For the large resource consumption when using software designed as the role of a Domain Name Server, there are role-specific software applications designed specifically for servers with a role of a DNS blacklist.

The hard part of operating a DNSBL is populating it with addresses. DNSBLs intended for public use usually have specific, published policies as to what a listing means, and must be operated accordingly to attain or sustain public confidence.

=== DNSBL queries ===
When a mail server receives a connection from a client, and wishes to check that client against a DNSBL (let's say, ''dnsbl.example.net''), it does more or less the following:

# Take the client's IP address—say, ''192.168.42.23''—and reverse the order of octets, yielding ''23.42.168.192''.
# Append the DNSBL's domain name: ''23.42.168.192.dnsbl.example.net''.
# Look up this name in the DNS as a domain name ("A" record). This will return either an address, indicating that the client is listed; or an "NXDOMAIN" ("No such domain") code, indicating that the client is not.
# Optionally, if the client is listed, look up the name as a text record ("TXT" record). Most DNSBLs publish information about why a client is listed as TXT records.

Looking up an address in a DNSBL is thus similar to looking it up in reverse-DNS. The differences are that a DNSBL lookup uses the "A" rather than "PTR" record type, and uses a forward domain (such as ''dnsbl.example.net'' above) rather than the special reverse domain ''in-addr.arpa''.

There is an informal protocol for the addresses returned by DNSBL queries which match. Most DNSBLs return an address in the 127.0.0.0/8 IP [[loopback]] network. The address 127.0.0.2 indicates a generic listing. Other addresses in this block may indicate something specific about the listing—that it indicates an open relay, proxy, spammer-owned host, etc. For details see RFC 5782.

=== URI DNSBL ===
A URI DNSBL query (and an RHSBL query) is fairly straightforward. The domain name to query is prepended to the DNS list host as follows:

 example.net.dnslist.example.com

where ''dnslist.example.com'' is the DNS list host and ''example.net'' is the queried domain. Generally if an A record is returned the name is listed.

=== DNSBL policies ===
Different DNSBLs have different policies. DNSBL policies differ from one another on three fronts:
* '''Goals.''' What does the DNSBL ''seek'' to list? Is it a list of open-relay mail servers or open proxies—or of IP addresses known to send spam—or perhaps of IP addresses belonging to ISPs that harbor spammers?
* '''Nomination.''' How does the DNSBL ''discover'' addresses to list? Does it use nominations submitted by users? Spam-trap addresses or [[honeypot (computing)|honeypot]]s?
* '''Listing lifetime.''' How long does a listing ''last''? Are they automatically expired, or only removed manually? What can the operator of a listed host do to have it delisted?