dnsbl.io

DOCUMENTATION

Comprehensive technical documentation for integrating and utilizing the DNSBL Reporting Service.

GETTING STARTED

SERVICE OVERVIEW

The DNSBL Reporting Service provides a comprehensive IPv6-first blacklist management system for tracking and reporting malicious IP addresses. The service supports multiple reporting methods including web forms, email ingestion, and X-ARF formatted reports.

KEY FEATURES

  • • Native IPv6 and IPv4 address support
  • • CIDR subnet notation for network ranges
  • • Real-time IP lookup API
  • • Automated email report processing
  • • X-ARF standard compliance (RFC 5965)
  • • Fail2Ban integration support

IP ADDRESS LOOKUP

WEB INTERFACE

Access the lookup tool at /lookup to query individual IP addresses or subnets.

Supported formats:

IPv4: 192.0.2.100

IPv6: 2001:db8::1

CIDR: 192.0.2.0/24 or 2001:db8::/32

QUERY RESULTS

Results include IP address, category, severity classification, reason for listing, reporter information, first and last report timestamps, and total report count.

SUBMITTING REPORTS

WEB FORM SUBMISSION

Use the web interface at /report for manual report submission.

Required fields:

  • • Reporter email address
  • • IP address or subnet
  • • Category classification
  • • Severity level
  • • Detailed reason

EMAIL REPORTING

Send automated reports to:

abuse@api.dnsbl.io

Email format:

  • • Subject: Include category
  • • Body: IP address and description
  • • Automated parsing enabled

X-ARF INTEGRATION

ENDPOINT

POST

https://api.dnsbl.io/api/xarf

Content-Type: application/json

EXAMPLE REQUEST

{
  "Report-ID": "XARF-2025-001",
  "Report-Type": "abuse",
  "Category": "spam",
  "Report-Date": "2025-01-15T10:30:00Z",
  "Reported-From": "security@example.com",
  "Date": "2025-01-15T10:00:00Z",
  "Source-IP": "2001:db8::bad:1",
  "Source-Port": 25,
  "Protocol": "SMTP"
}

Full X-ARF documentation and testing interface available at /xarf

FAIL2BAN INTEGRATION

ACTION SCRIPT

Configure Fail2Ban to automatically report banned IPs to the DNSBL service.

[Definition]
actionban = curl -X POST https://api.dnsbl.io/api/xarf \
  -H "Content-Type: application/json" \
  -d '{
    "Report-ID": "F2B-<ip>-<time>",
    "Report-Type": "abuse",
    "Category": "<category>",
    "Report-Date": "<date>",
    "Reported-From": "fail2ban@yourdomain.com",
    "Date": "<date>",
    "Source-IP": "<ip>"
  }'

CONFIGURATION

Add the action script to /etc/fail2ban/action.d/ and reference it in your jail configuration. Supports both IPv4 and IPv6 addresses automatically.

CATEGORY CLASSIFICATIONS

SUPPORTED CATEGORIES

  • • SPAM - Unsolicited email distribution
  • • SSH-ATTACK - SSH brute force attempts
  • • PORT-SCAN - Network port scanning
  • • DDOS - Distributed denial of service
  • • BOTNET - Botnet activity
  • • MALWARE - Malware distribution
  • • PHISHING - Phishing campaigns
  • • BRUTE-FORCE - Authentication attacks
  • • OTHER - Miscellaneous abuse

SEVERITY LEVELS

  • • LOW - Minor infractions
  • • MEDIUM - Moderate threat level
  • • HIGH - Significant security concern
  • • CRITICAL - Immediate action required