
DNS Blacklists

I operate several DNS blacklists which are available for anyone to use. They are safe and secure, running from several diverse nameservers in multiple locations. These DNS blacklists are also reachable via IPv6.

NOTE: The DNS blacklists are now DNSSEC signed with a full chain from root to individual entries.

There are no query limits on this service, and the lists are already used by many people, including several IRC networks.

    This DNS blacklist contains ALL tor nodes (entry, transit and exit nodes) - think carefully before choosing to use this list for blocking purposes.

    This DNS blacklist contains only tor EXIT nodes

  The tor nodelist is updated automatically every 30 minutes from the live tor network.
  There is no complaint procedure to have an IP address removed from this list, as it will be
  removed automatically once the tor node ceases to run (with a maximum delay of 1 hour).

Details on how to use them
    To query the DNS blacklist, you must first reverse the IP address. This is called inverse
    e.g. if the IP was, you reverse it to and add on the dns blacklist you require.


    To query an IPv6 address, you must expand it, then reverse it into "nibble" format.
    e.g. if the IP was 2001:db8::1, you expand it to 2001:0db8:0000:0000:0000:0000:0000:0001 and reverse it.
    In nibble format it is and add on the dns blacklist you require.


    If the IP has a match, the DNS server will respond with an "A" record of
    It will also respond with a "TXT" record with extra information as per below:


    port1 is the OR (onion router) port, port2 (if specified) is the DR (directory) port.
    Flags are defined as follows:

        E     Exit
        X     Hidden Exit
        A     Authority
        B     BadExit
        C     NoEdConsensus
        D     V2Dir
        F     Fast
        G     Guard
        H     HSDir
        N     Named
        R     Running
        S     Stable
        U     Unnamed
        V     Valid

NOTE: Hidden Exits are based on exit policies of the node. Any node that permits one or more ports to exit (while not advertising the 'Exit' flag) is considered a hidden exit node.
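
The reversal steps and the flag table above, worked through as an added example (not code from this site or its operator). The zone `dnsbl.example` is a placeholder for whichever blacklist zone you use, and `decode_flags` assumes the flags arrive as a plain string of the letters listed above; the function names are this example's own.

```python
import ipaddress
import socket

# Placeholder zone: substitute the blacklist zone you actually query.
ZONE = "dnsbl.example"

# Flag letters exactly as listed in the table above.
FLAGS = {
    "E": "Exit", "X": "Hidden Exit", "A": "Authority", "B": "BadExit",
    "C": "NoEdConsensus", "D": "V2Dir", "F": "Fast", "G": "Guard",
    "H": "HSDir", "N": "Named", "R": "Running", "S": "Stable",
    "U": "Unnamed", "V": "Valid",
}


def query_name(ip, zone=ZONE):
    """Return the DNSBL query name for an IPv4 or IPv6 address."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if addr.version == 4:
        labels = str(addr).split(".")  # four octets
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone


def decode_flags(letters):
    """Expand a string of flag letters; unknown letters stay visible."""
    return [FLAGS.get(c, "unknown(%s)" % c) for c in letters]


def is_listed(ip, zone=ZONE):
    """True if the zone returns any A record for ip (needs network access).

    A resolver failure also raises gaierror, so False here means
    "no answer", not proof that the address is absent from the list.
    """
    try:
        socket.gethostbyname(query_name(ip, zone))
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    # Constructed sample inputs (documentation address ranges).
    print(query_name("192.0.2.1"))
    print(query_name("2001:db8::1"))
    print(decode_flags("EFRSV"))
```
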

Zone Transfers
    If you believe you will be making thousands of queries per hour, I may let you transfer the
    zonefiles for a locally cached version of these DNSBLs. I will review these on a case-by-case basis;
    contact me via the About Me page.

