FREQUENTLY ASKED QUESTIONS

dnsbl.io is an IPv6-first DNS-based blacklist (DNSBL) service that tracks and reports malicious IP addresses involved in spam, attacks, and other abusive behavior. It provides both DNS and REST API interfaces for querying blacklist status.

Yes, this service is completely free for all users. API keys are provided to cybersecurity professionals for advanced features including programmatic access, bulk lookups, and automated reporting.

We are IPv6-first, supporting both IPv4 and IPv6 addresses natively. We also provide modern REST APIs, X-ARF report acceptance, comprehensive statistics, and transparent delist processes.

You can use DNS queries (dig, host, nslookup), our web lookup tool at /lookup, or the REST API at /api/lookup. See the DNS instructions page for detailed examples.

127.0.0.2 = Low severity, 127.0.0.3 = Medium, 127.0.0.4 = High, 127.0.0.5 = Critical. NXDOMAIN means the IP is not listed (clean).

The blacklist is updated in real-time as new reports are processed. DNS responses are cached for 5 minutes.

Yes, our system automatically checks if an IP falls within any blacklisted subnet ranges.

Use our web form at /report, send X-ARF formatted reports to our API at /api/xarf, or integrate with Fail2Ban to automatically report attacks.

Include the IP address, category of abuse (spam, SSH attack, DDoS, etc.), evidence or logs, and your contact information. More detail helps us verify and process reports faster.

Your email and personal information are kept confidential and not publicly disclosed. However, your organization name may be shown as the reporter.

Most reports are processed within 1 hour. Complex cases requiring verification may take up to 24 hours.

Submit a delist request at /delist with details about the remediation steps you've taken. Requests are reviewed within 48 hours.

You must demonstrate that: (1) the security issue has been resolved, (2) appropriate security measures are in place, (3) no recent malicious activity is detected, and (4) you have valid ownership of the IP.

Yes, if new abuse is detected from your IP, it will be relisted. Repeated violations may result in permanent listing.

Listings remain active until a successful delist request is processed or until no activity is detected for 90 days (automatic expiration).

Request an API key at /api-key. Free tier keys are issued immediately. Higher tier keys require approval.

The service provides generous rate limits: 50,000 API requests/day, 100 requests/minute, unlimited DNS queries, and full access to all features. If you need higher limits for large-scale operations, contact us to discuss your use case.

Yes, we support Postfix, Exim, Sendmail, and other mail servers. See /dns for configuration examples.

Yes, you can configure Fail2Ban to automatically report banned IPs to our service. See the DNS instructions page for integration examples.

X-ARF (eXtended Abuse Reporting Format) is an RFC 5965 compliant standard for reporting abuse. We accept X-ARF formatted reports at /api/xarf.

Yes, we are IPv6-first and fully support both IPv4 and IPv6 addresses and subnets.

Use nibble-reversed notation. For example, 2001:db8::1 becomes 1.0.0.0...8.b.d.0.1.0.0.2.dnsbl.io. See /dns for detailed examples.

Yes, query TXT records to get category, severity, report count, first seen date, and a URL for more details.

Our DNS zone is dnsbl.io. Query format: <reversed-ip>.dnsbl.io

We collect IP addresses making queries, reported IP addresses, reporter contact information, and usage statistics. See our Privacy Policy for details.

Yes, we use TLS encryption, secure database storage, and industry-standard security practices. Reporter information is kept confidential.

Yes, we support GPG encryption for sensitive reports. Use the 'Encrypt with GPG' option on the report and contact forms.

No, we do not sell user data. Blacklist data is publicly accessible (that's the purpose), but reporter information remains confidential.