To see more of the DNSBL lookup, which is just a special case of a normal DNS lookup, you can use this improved tcpdump command:
Code:
tcpdump -nvv -i re0 -s512 host 192.168.222.10 and port domain
Normally tcpdump only captures 96 bytes. The -s512 makes it capture the maximum size of a DNS UDP packet. (192.168.222.10 is my local resolving caching nameserver.)
Doing the Spamhaus query in your post:
Code:
dig 80.152.123.222.zen.spamhaus.org.
; <<>> DiG 9.3.4 <<>> 80.152.123.222.zen.spamhaus.org.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21831
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;80.152.123.222.zen.spamhaus.org. IN A
;; ANSWER SECTION:
80.152.123.222.zen.spamhaus.org. 1800 IN A 127.0.0.10
;; Query time: 364 msec
;; SERVER: 192.168.222.10#53(192.168.222.10)
;; WHEN: Tue May 13 01:37:34 2008
;; MSG SIZE rcvd: 65
This produces in tcpdump (on an old OpenBSD amd64 snapshot):
Code:
01:44:52.518263 192.168.222.20.41027 > 192.168.222.10.53
54582+ A? 80.152.123.222.zen.spamhaus.org. (49) (ttl 64, id 24704, len 77)
01:44:52.519029 192.168.222.10.53 > 192.168.222.20.41027: [udp sum ok]
54582 q: A? 80.152.123.222.zen.spamhaus.org. 1/0/0 80.152.123.222.zen.spamhaus.org. A 127.0.0.10 (65) (ttl 64, id 8814, len 93)
You now see the complete answer.
This answer in the 127/8 network means it is listed and thus should receive special treatment by your sendmail.
An NXDOMAIN answer means the address is not listed.
I posted a shell script at http://daemonforums.org/showthread.php?t=302 that does the reversal of the IP address for this kind of DNSBL check.
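As an added example (not the script the post links to, and not part of the original post), here is a small POSIX shell script that reverses a dotted-quad IPv4 address into the DNSBL query name shown above and classifies the answer the way the post describes: anything in 127/8 is "listed", an empty answer (what dig +short prints on NXDOMAIN) is "not listed". The zen.spamhaus.org zone and the 127.0.0.10 answer come from the post; the function names, the octet validation and the dig +short invocation are my own choices. The live dig call is only made when the script is given two arguments, so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example: DNSBL query-name construction and answer classification.
# Not the script linked from the post; function names are assumptions.

# reverse_ip A.B.C.D -> D.C.B.A ; fails (exit 1) on anything that is not
# a valid dotted-quad IPv4 address, so junk never reaches the resolver.
reverse_ip() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
            print $4 "." $3 "." $2 "." $1
        }'
}

# dnsbl_name ADDRESS ZONE -> fully qualified query name with trailing dot,
# e.g. dnsbl_name 222.123.152.80 zen.spamhaus.org -> 80.152.123.222.zen.spamhaus.org.
dnsbl_name() {
    rev=$(reverse_ip "$1") || return 1
    [ -n "$rev" ] || return 1
    printf '%s.%s.\n' "$rev" "$2"
}

# classify_answer ANSWER -> "listed (...)", "not-listed" or "unexpected (...)".
# ANSWER is one A record from the DNSBL, or empty when the lookup returned
# NXDOMAIN. Any 127/8 address means listed; the last octet carries
# list-specific detail (the post saw 127.0.0.10 from zen.spamhaus.org).
classify_answer() {
    case "$1" in
        '')          printf 'not-listed\n' ;;
        127.*)       printf 'listed (%s)\n' "$1" ;;
        *)           printf 'unexpected (%s)\n' "$1" ;;
    esac
}

# dnsbl_lookup ADDRESS ZONE -> the A record(s) for the query name, empty on
# NXDOMAIN. Uses dig +short (assumed to be available, as in the post).
dnsbl_lookup() {
    name=$(dnsbl_name "$1" "$2") || return 1
    dig +short "$name" A
}

# Usage: ./dnsbl.sh 222.123.152.80 zen.spamhaus.org
# Only runs a live query when two arguments are given; zen can return more
# than one A record, so every line of the answer is classified separately.
if [ $# -eq 2 ]; then
    answer=$(dnsbl_lookup "$1" "$2") || { echo "bad address: $1" >&2; exit 2; }
    if [ -z "$answer" ]; then
        classify_answer ''
    else
        printf '%s\n' "$answer" | while read -r rec; do classify_answer "$rec"; done
    fi
fi
```

The reversal is done in awk rather than with parameter expansion so that a malformed address (five octets, an octet above 255, a hostname) is rejected before it is glued onto the zone name; sendmail's own DNSBL feature does this for you, but a script that feeds addresses from a log file to dig does not.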