Access and Authentication¶
In the structure of a DNSBL (or a DNSWL) lookup, there are two clearly separate components:
- the resource to be queried, usually an IP or an hostname
- the DNSBL/DNSWL zone to be queried, like in zen.spamhaus.org
The main difference between a “generic” DNSBL and Spamhaus DQS is in the structure of the zone to be queried.
DQS domain zones are in fact called
<name> is the zone name and can be sbl, xbl, sbl-xbl, pbl, zen, dbl or zrd (see table below), while
<key> is a 26-character code specific to each customer.
Keys corresponding to terminated contracts no longer work.
Also, IP and domain services can be individually turned on and off for a certain key, meaning that a certain key can be allowed to query IP lists (such as ZEN and its components) but not hostname resources (such as DBL) if the customer’s subscription is limited to a specific type of data.
If a service is off, a DNS “refused” answer packet is returned, resulting in a
SERVFAIL DNS answer provided by the resolver.