DNS blocklist monitoring

Coming soon: DNS blocklist monitoring is currently in development and will be available shortly.

Our DNS blocklist monitoring checks if your domain or IP address has been listed on security blocklists or blocked by content filtering DNS services. Being listed can affect your email deliverability, damage your reputation, prevent some users from accessing your site, and in some cases indicate that your server has been compromised.

Check frequency #

These checks run every 6 hours by default. Blocklist changes don't happen frequently, and the blocklist providers themselves update at varying intervals, so checking more often provides little benefit.

Two types of blocklists #

We monitor two distinct categories of blocklists, each with different impacts on your online presence:

Security & Email Blocklists (RBLs)

DNS blocklists (also known as DNSBLs or RBLs - Real-time Blackhole Lists) are databases of IP addresses and domains that have been associated with spam, malware, or other malicious activity.

Email servers, firewalls, and security services query these blocklists to determine if they should accept connections from a particular IP or domain. If you're listed, your emails might be rejected or your site might be flagged as dangerous.

Impact: Critical - affects email deliverability and website reputation.

Content Filtering DNS Services

Content filtering DNS services (like Quad9, Cloudflare Family, OpenDNS) block access to domains they deem dangerous or inappropriate. These are used by consumers, schools, and organizations who want to protect their networks from malware and inappropriate content.

Impact: Informational - users who use these DNS services cannot access your site.

Security blocklists we monitor #

Spamhaus ZEN (IP-based)

Spamhaus is one of the most widely used blocklists. ZEN is their combined list that includes:

• SBL (Spamhaus Block List) - Known spam sources
• XBL (Exploits Block List) - Hijacked PCs and servers running malware
• PBL (Policy Block List) - Dynamic IP ranges that shouldn't send email directly

Spamhaus DBL (Domain-based)

The Domain Block List identifies domains associated with:

• Spam campaigns
• Phishing sites
• Malware distribution
• Botnet command & control servers

SURBL (Domain-based)

SURBL tracks domains that appear in unsolicited messages. They categorize listings by type:

• SpamCop data
• Web spam
• Phishing
• Malware
• Abuse

Barracuda (IP-based)

Barracuda maintains their own IP reputation list based on their email security network data.

URLhaus (Domain-based)

URLhaus, operated by abuse.ch, specifically tracks domains and URLs associated with malware distribution.

SpamCop (IP-based)

SpamCop is an email-based spam reporting service. When enough users report spam from an IP address, it gets listed. Listings typically expire automatically within 24-48 hours if no new spam is reported.

Content filtering services we monitor #

Quad9

A free DNS service that blocks domains associated with malware and phishing. Used by millions of users worldwide for protection against cyber threats.

Cloudflare Family

Cloudflare's family-safe DNS that blocks malware and adult content. Widely used by families and organizations wanting to protect users from harmful content.

OpenDNS

Cisco's OpenDNS blocks malware and phishing domains based on their extensive threat intelligence network.

OpenDNS Family

OpenDNS's family-safe variant that additionally blocks adult content.

AdGuard DNS

AdGuard DNS blocks ads, trackers, and malware domains. Popular among privacy-conscious users.

AdGuard Family

AdGuard's family-safe DNS that additionally blocks adult content.

CleanBrowsing Security

CleanBrowsing's security filter that blocks malware, phishing, and other dangerous sites.

How we check blocklists #

Security blocklists

We perform DNS lookups against each blocklist. For IP-based lists, we reverse your server's IP address and query the blocklist's DNS zone. For domain-based lists, we query directly with your domain.

If the blocklist returns a result, you're listed. The return code often indicates the reason for listing:

• Spamhaus ZEN 127.0.0.2 - Listed in SBL (spam source)
• Spamhaus ZEN 127.0.0.4-7 - Listed in XBL (compromised host)
• Spamhaus DBL 127.0.1.2 - Spam domain
• Spamhaus DBL 127.0.1.4 - Phishing domain
• Spamhaus DBL 127.0.1.5 - Malware domain

Content filtering services

We resolve your domain through each content filtering DNS server. If the DNS server returns no result (NXDOMAIN) or returns a known block page IP address, your domain is blocked by that service.

Configuring blocklist monitoring #

To enable DNS blocklist monitoring:

1. Go to your monitor's settings page
2. Find the "DNS Blocklist" section
3. Select which security blocklists you want to monitor
4. Optionally enable content filtering services to monitor
5. Configure notification preferences for each category
6. Save your settings

By default, we recommend monitoring Spamhaus ZEN, Spamhaus DBL, and Barracuda for security blocklists. Content filter monitoring is optional and disabled by default since it's informational rather than critical.

What to do if you're listed #

Security blocklists

If you receive a notification that you're listed on a security blocklist:

1. Identify the cause

Check if your server has been compromised, if there's been a spam outbreak from your IP, or if you're on a shared IP that someone else has abused.

2. Fix the underlying issue

• Scan for and remove any malware
• Secure compromised accounts
• Review your email sending practices
• Check for open relays or misconfigured services

3. Request delisting

Each blocklist has its own delisting procedure:

• Spamhaus: Visit spamhaus.org and follow their removal process
• Barracuda: Use their removal request form
• SURBL: Contact them through their website
• URLhaus: Report the issue resolved to abuse.ch
• SpamCop: Listings expire automatically within 24-48 hours; address the source of spam

Content filtering services

If you're blocked by a content filtering service:

1. Check your site

Ensure your site doesn't contain malware, phishing content, or material that could be flagged as inappropriate.

2. Report a false positive

Each service has a process for reporting false positives:

• Quad9: Submit a report at quad9.net/support/contact/
• Cloudflare Family: Use radar.cloudflare.com/domains/feedback
• OpenDNS: Contact support.opendns.com
• AdGuard: Submit at reports.adguard.com/new_issue.html
• CleanBrowsing: Contact through cleanbrowsing.org/contact/

Why being listed matters #

Email deliverability (Security blocklists)

Many email providers check blocklists before accepting mail. If you're listed, your emails may:

• Be rejected outright
• Land in spam folders
• Be delayed significantly

Website reputation (Security blocklists)

Security services and browsers may warn users about visiting your site if you're on a malware or phishing blocklist.

User accessibility (Content filters)

Users who have configured their devices or networks to use content filtering DNS services won't be able to access your site. This can include:

• Families using parental controls
• Schools and libraries
• Corporate networks with security policies
• Privacy-conscious users

SEO impact

Being associated with malicious activity can negatively impact your search engine rankings.

Notifications #

You'll receive notifications based on your configuration:

Security blocklist notifications (enabled by default)

1. You're listed - We detect your domain or IP on one or more security blocklists
2. You're delisted - Your domain or IP has been removed from security blocklists

Content filter notifications (disabled by default)

1. You're blocked - We detect your domain is blocked by content filtering services
2. You're unblocked - Your domain is no longer blocked

The notification will include which blocklist(s) you're on and the reason code when available.