DigitalOcean

Report this

What is the reason for this report?
Question

How to query Spamhaus DNS blacklist from a droplet?

Posted on March 13, 2015
Email
DNS
Ubuntu
jks

By jks

I want to set up a small mail server. I have got Postfix on Ubuntu working, but now I want to add some level of spam filtering using the zen.spamhaus.org DNS blacklist, and this is not working. The Spamhaus instructions suggest trying this command:

dig +short 2.0.0.127.zen.spamhaus.org

and if I run it on my droplet I get no answer. At home, using my ISP’s DNS server, I do get a reply, so Spamhaus is working fine, it’s the droplet’s resolver that’s not returning anything. The /etc/resolv.conf file includes Google’s public name servers:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 2001:4860:4860::8844
nameserver 2001:4860:4860::8888
nameserver 8.8.8.8

The Spamhaus instructions mention:

Check what DNS resolvers you are using: If you are using a free “open DNS resolver” service such as the Google Public DNS […] in most cases you will receive a “not listed” (NXDOMAIN) reply […] We recommend using your own DNS servers when doing DNSBL queries to Spamhaus.

Can I configure my droplet to use some DNS server that does return replies from zen.spamhaus.org?



This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
0
altj
altj
July 13, 2015

I’m running into the same problem. Is there any chance that DigitalOcean runs (or will run) internal DNS servers for droplets or will they continue to farm out DNS to Google’s servers?

0
altj
altj
July 13, 2015

It turns out it isn’t rate limiting by Google, they just don’t respond properly to the spamhaus queries. I ended up switching my DNS servers to use opendns and the RBL queries are working properly now. They are 208.67.222.222 and 208.67.220.220

0
Andreas Olsson
Andreas Olsson
March 13, 2015

Yes, this very much looks like a matter of Google’s resolvers being rate limited

andreas@leto:~$ dig +short @8.8.8.8 2.0.0.127.zen.spamhaus.org
andreas@leto:~$

vs.

andreas@leto:~$ dig +short @127.0.0.53 2.0.0.127.zen.spamhaus.org
127.0.0.2
127.0.0.10
127.0.0.4
andreas@leto:~$

If you want to be querying blacklists, I recommend that you too run your own resolver.

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Sign Up

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Learn more

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Learn more

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.

© 2025 DigitalOcean, LLC.Sitemap.