Successfully accessing Spamhaus’ free blocklists using a public DNS

Why use a public recursive DNS?

There are many reasons why people choose to employ a public DNS resolver, such as Google Public DNS. Perhaps your Internet Service Provider’s (ISPs) recursive name server suffers from high latency due to it being overloaded. Let’s be honest, given the competitive nature of this marketplace, some providers have been known to ‘skimp’ in this area to reduce operating costs.

Also, let’s not forget its ease of use. If you’re setting up an address to use as your DNS resolver, then 8.8.8.8 (one of Google’s public DNS resolver IP addresses) is one of the simplest numbers to remember.

So why don’t Spamhaus’s free DNSBLs work through some public DNS resolvers?

Regrettably, we have had to block some public DNS resolvers because some users can exploit them to get more than their fair share of a free service.

Taking a step back

Back in 1998, when both the world wide web (w.w.w.) and Spamhaus were in their infancy, 3.1% of the global population utilized the internet, according to data from the International Telecommunication Union.

Fast forward 20 years, and now 48% of the world’s population uses the internet. That takes the numbers from 188 million users in 1998 to 3,663 million users in 2017. This means that not only are the number of global internet users increasing at a phenomenal rate, but the number of those using Spamhaus’s free public mirrors is also dramatically increasing.

Sharing is caring

We believe in providing the public with threat intelligence for free, helping small independent businesses, schools, and non-profit organizations safely filter their email at no cost.

With a network of over 80 public DNSs spread across 35 countries, this significant international DNS infrastructure serves billions of queries to the public every day for free.

But note the word ‘public’ in the above paragraph. This free service is intended to be available for those who are genuinely ‘the public,’ fulfilling all of the following criteria:

1. FAIR USE PRINCIPLES – You are not automatically entitled to the use of Spamhaus’ DNSBL Public Mirrors. Use of the DNSBL Public Mirrors via DNS queries to our public DNSBL servers is free of charge provided you meet all of the following criteria:
   1. The DNSBL Public Mirror is provided free of charge for non-commercial use by small and medium-sized organizations.
   2. Your DNSBL Public Mirror query volume must not exceed volumes reasonably expected in circumstances of non-commercial use.
   3. The network originating the DNS Query must be identifiable. This means you must query the Spamhaus DNSBL Public Mirrors from a recursive resolver run on your own network or from a public resolver that supports ECS.
   4. Queries originating from large shared hosting environments are not accepted. As a workaround, please apply for a free Datafeed Query Key from Spamhaus Technology.
2. COMMERCIAL USE – Use of the DNSBL Public Mirrors by companies, organizations, individuals, and networks with email traffic likely to breach or exceed the fair use principles set out above or by ISPs or commercial spam filter services will require a subscription to our Datafeed Service, a service designed for users with professional DNSBL requirements.

Spamhaus understands that anything free is difficult to resist. Therefore usage is monitored of these free DNSBLs to ensure this resource isn’t being exploited. If an IP address regularly exceeds the above criteria, it is suggested the user pays to use the commercial DNSBL Data Query Service (DQS).

Yes, but why block queries from public recursive name servers?

It’s simple – public recursive name servers act as an anonymizing service and enable large-scale users to hide behind them. Given the lack of transparency and inability to identify those who are abusing the free service, a difficult decision was made to add some public domain name servers to our access control list… ultimately blocking your query.

To quantify the issue, over a 24 hour period, Spamhaus receives approximately two billion queries from what could be argued the most popular public recursive DNS. This is roughly 20% of the total number of queries made over the same period.

But I want to use both a public recursive DNS and Spamhaus’s free blocklists.

Not a problem, as long as you meet the criteria detailed above. Spamhaus can provide you with free access to our DNSBL datafeed via our Data Query Service (DQS). Sign up for a low-volume free DQS account here. It’s straightforward and can be set up in a matter of minutes, and enables you to have access to our domain name server blocklists whilst still using a public DNS.

Additional benefits of using the FREE Data Query Service (DQS)

You can increase your catch rates with two additional blocklists that are included in this service,  at no additional cost:

1. Zero Reputation Domains (ZRD) – This lists newly registered domains for 24 hours. Domains that have just been registered are rarely used by legitimate organizations immediately; meanwhile, cybercriminals register and burn 100s of domains daily.

The Zero Reputation Domain (ZRD) blocklist helps to protect your users from clicking on links and visiting newly registered domains until it is established that they are not associated with zero-day attacks; phishing, bot-herding, spyware, and ransomware campaigns.

2. Auth Blocklist (Auth BL) – This is a subset of the XBL, listing IP addresses known to host bots using brute force or stolen SMTP_AUTH credentials to send email-borne threats.  This blocklist is available separately, so you can use it at SMTP Auth as a score to ensure someone isn’t trying to misuse a user’s account.

For a full comparison of functionality across Spamhaus’ DNSBL offerings, take a look at this table.

Any questions? Simply contact us.

Article updated 15/03/21