Can I check an IP address against blacklist servers using DNSBL?

Votes:

0

I would like to check the IP address of a device in PRTG against blacklist servers like sbl-xbl.spamhaus.org, bl.spamcop.net, dnsbl.njabl.org, list.dsbl.org and multihop.dsbl.org.

I want to use this feature to be informed whenever my own IP address will be blacklisted.

blacklist dnsbl mail prtg smtp spam

Created on Jul 22, 2010 8:00:04 AM by  Dirk Paessler [Founder Paessler AG] (11,025) 3 6

Last change on Jul 23, 2010 9:02:34 AM by  Daniel Zobel [Product Manager]



9 Replies

Accepted Answer

Votes:

1

[UPDATE] Native sensor available: IP on DNS Blacklist Sensor


Important note: The following information is outdated. Please use the IP on DNS Blacklist sensor that PRTG includes out-of-the-box.

This is possible with the Custom Sensor: IPonDNSBL

IPonDNSBL checks an IP address against a number of blacklist servers and returns the number of DNS blacklists the IP address is on.

IPonDNSBL -ip=mail.paessler.com [-bl=bl.spamcop.net]

Enter your hostname or IP address behind the "-ip=" parameter.

The "-bl=" parameter is optional. You can provide a comma-separated list of blacklist servers. If omitted, the following blacklist servers are used: sbl-xbl.spamhaus.org, bl.spamcop.net, dnsbl.njabl.org, list.dsbl.org and multihop.dsbl.org

The readme.txt (included in the download) provides a list of optional blacklist servers.

Created on Jul 22, 2010 8:25:28 AM

Last change on Aug 14, 2017 12:04:00 PM by  Gerald Schoch [Paessler Support]



Votes:

0

Hello

These blacklist servers do not work for me:

dnsbl.njabl.org, list.dsbl.org, multihop.dsbl.org

Don't you monitor them with PRTG ? ;-)

It seems that if one server does not answer, it doesn't go for the next one. It stops, saying "Error checking BL Server, it contains no entry for 127.0.0.2" which is of course not the IP I entered.

When I use the EXE without the -bl parameter it seems to only check with bl.spamcop.net.

And the link to download the EXE is down.

Created on May 16, 2017 3:28:53 PM



Votes:

0

Further to the above, we are trying to monitor some addresses on the Spamhaus XBL however their BL does not appear to work with this sensor anymore.

Using the .EXE itself and specifying the WAN IP to check we get:

IPonDNSBL.exe -ip=X.X.X.X -bl=sbl-xbl.spamhaus.org
15.2.1.4
Error checking sbl-xbl.spamhaus.org, it contains no entry for 127.0.0.2

Same result for these two:

  • Error checking zen.spamhaus.org, it contains no entry for 127.0.0.2
  • Error checking spam.dnsbl.sorbs, it contains no entry for 127.0.0.2

This seems to be a logic test to confirm the data being read is actually a BL and valid however the test is failing so the supplied WAN IP never gets checked.

Are there any plans to resolve these issues with the BL sensor?

Created on Nov 26, 2018 2:40:31 AM

Last change on Nov 26, 2018 5:54:57 AM by  Luciano Lingnau [Paessler]



Votes:

0

Hello Nathan,
thank you for your inquiry.

As mentioned here the IP on DNS Blacklist sensor follows the RFC-5782 where IPv4-based DNSxLs (blacklists and whitelists) must contain an entry for 127.0.0.2 for testing purposes.

In earlier sensor versions the sensor did not check this, providing a false sense of security when using non (or no longer) existing DNS blacklist servers which always report that the IP is not listed.

An example of DNSBL that implements this is b.barracudacentral.org.

Best Regards,
Luciano Lingnau [Paessler Support]

Created on Nov 26, 2018 6:00:42 AM by  Luciano Lingnau [Paessler]



Votes:

0

Understood Luciano, is there a list of supported DNS blocklists then? There is a link on the page you supplied however the vast majority of those do not work with this sensor.

Also when checking the blocklist manually I can see Spamhaus does list 127.0.0.2 as would be expected:

127.0.0.2 is listed in the SBL, in the following records:

  • SBL2
  • SBL423869

127.0.0.2 is listed in the PBL, in the following records:

  • PBL000003

127.0.0.2 is listed in the XBL, because it appears in:

  • CBL

Are there any details on how this .exe is actually checking the BLs? It seems like the issue might be with the lookup rather than the lists themselves. For example the above shows that 127.0.0.2 is in the XBL/CBL for Spamhaus. Zen.spamhaus.org lookups include all DNS lists (Specifically including the XBL) however if I use the exe against this server, as before I get:

IPonDNSBL.exe -ip=X.X.X.X -bl=zen.spamhaus.org
15.2.1.4
Checking zen.spamhaus.org....
Error checking zen.spamhaus.org, it contains no entry for 127.0.0.2

Created on Nov 26, 2018 7:58:31 AM

Last change on Nov 26, 2018 9:32:30 AM by  Luciano Lingnau [Paessler]



Votes:

0

Hello Nathan,
thank you for your reply.

There's no list at the present time since the sensor is generic and should work with any implementation.

You wrote: "...when checking the blocklist manually". - May I ask how exactly you've done this? I will try this out to see if I'm able to explain the behavior you're describing.

Best Regards,
Luciano Lingnau [Paessler Support]

Created on Nov 26, 2018 9:47:25 AM by  Luciano Lingnau [Paessler]

Last change on Nov 26, 2018 9:47:34 AM by  Luciano Lingnau [Paessler]



Votes:

1

Hi Luciano ,

I was just using their web portal lookup method: http://www.spamhaus.org/query/bl?ip=127.0.0.2

However when you mentioned that it prompted me to check it via NSLookup on the PRTG server itself and I found the record was not resolving. Turns out the PRTG host was using Google DNS (8.8.8.8) which does not work with Spamhaus DNS BL lookups.

I have changed the DNS servers in use on this system and the sensors now appear to work correctly (Hopefully this helps someone else in the same boat)

Thanks, Nathan

Created on Nov 27, 2018 2:38:58 AM



Votes:

0

Does it work for you? It looks like many blacklist servers like zen.spamhaus.org cannot be resolved in general?!?

Cannot attach a picture but check: https://mxtoolbox.com/SuperTool.aspx?action=mx%3azen.spamhaus.org&run=toolpage#

Thanks and regards, Christian

Created on Jan 23, 2019 11:17:50 AM



Votes:

0

See also here, since I had the same issue recently with another customer:
"Check what DNS resolvers you are using: If you are using a free "open DNS resolver" service such as the Google Public DNS (8.8.8.8) and others (eg. Alternate DNS, Comodo Secure, DNS.Watch, DynDNS, FreeDNS, Hurricane, NeuStar DNS Advantage, Norton ConnectSafe, OpenNIC, Puncat, Quad9, SafeDNS, Uncensored, Verisign, Yandex.DNS), or large cloud/outsourced public DNS servers, such as Level3's, Verizon's or AT&T's to resolve your DNSBL requests, in most cases you will receive a "not listed" (NXDOMAIN) reply from Spamhaus' public DNSBL servers. We recommend using your own DNS servers when doing DNSBL queries to Spamhaus. If this is not possible, contact us for other options."

Created on Jun 13, 2019 3:30:05 PM by  Erhard Mikulik [Paessler Support]
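
Added example, not part of the original thread and not Paessler's sensor code: a sketch of the RFC 5782 self-test discussed above, which marks a zone "unusable" instead of "clean" when the 127.0.0.2 test entry does not resolve (a dead list, or a resolver that answers NXDOMAIN to everything). It goes one step beyond the thread by also applying the RFC 5782 rule that 127.0.0.1 must not be listed; the zone names and FAKE_DNS table are constructed so it runs offline.

```python
import ipaddress
import socket


def dns_a_lookup(name):
    """Return the IPv4 answer for name, or None on NXDOMAIN / lookup failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def dnsbl_name(ip, zone):
    """Build the query name: the IPv4 octets reversed, under the DNSBL zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def zone_is_usable(zone, lookup=dns_a_lookup):
    """RFC 5782 self-test: 127.0.0.2 must be listed, 127.0.0.1 must not be."""
    test_entry = lookup(dnsbl_name("127.0.0.2", zone))
    must_be_absent = lookup(dnsbl_name("127.0.0.1", zone))
    return test_entry is not None and must_be_absent is None


def check_ip(ip, zones, lookup=dns_a_lookup):
    """Return {zone: 'listed' | 'clean' | 'unusable'} for one IPv4 address."""
    results = {}
    for zone in zones:
        if not zone_is_usable(zone, lookup):
            results[zone] = "unusable"   # never report this zone as "clean"
            continue
        answer = lookup(dnsbl_name(ip, zone))
        results[zone] = "listed" if answer else "clean"
    return results


# Constructed answers: one healthy zone; every other name gets no answer,
# which is what a dead list or a blocked public resolver looks like.
FAKE_DNS = {
    "2.0.0.127.bl.example.test": "127.0.0.2",   # mandatory test entry
    "10.2.0.192.bl.example.test": "127.0.0.2",  # 192.0.2.10 is listed
}


def demo():
    zones = ["bl.example.test", "dead.example.test"]
    return check_ip("192.0.2.10", zones, lookup=FAKE_DNS.get)


if __name__ == "__main__":
    print(demo())
```

Calling check_ip without the lookup argument uses the system resolver, so run it from a host whose resolver the list operator accepts.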



