Access and Authentication

In the structure of a DNSBL (or a DNSWL) lookup, there are two clearly separate components:

  • the resource to be queried, usually an IP or an hostname
  • the DNSBL/DNSWL zone to be queried, like in zen.spamhaus.org

The main difference between a “generic” DNSBL and Spamhaus DQS is in the structure of the zone to be queried.

DQS domain zones are in fact called <key>.<name>.dq.spamhaus.net, where <name> is the zone name and can be sbl, xbl, sbl-xbl, pbl, zen, dbl or zrd (see table below), while <key> is a 26-character code specific to each customer.

Keys corresponding to terminated contracts no longer work.

Also, IP and domain services can be individually turned on and off for a certain key, meaning that a certain key can be allowed to query IP lists (such as ZEN and its components) but not hostname resources (such as DBL) if the customer’s subscription is limited to a specific type of data.

If a service is off, a DNS “refused” answer packet is returned, resulting in a SERVFAIL DNS answer provided by the resolver.