The tcpdump snippet you posted does not do RBL lookups.
The first one (PTR?) is a reverse lookup (IP address -> name).
The second one (A?) asks for the IP address of mx.freeshell.org.
Third and last asks for the Mail eXchanger (MX?) or SMTP server for the sdf.lonestar.org. domain.
An RBL query for 192.94.73.19 at zen.spamhaus.org looks like this:
Code:
192.168.222.20.24544 > 192.168.222.10.53: 27286+ A? 19.73.94.192.zen.spamhaus.org. (47)
192.168.222.10.53 > 192.168.222.20.24544: 27286 NXDomain* 0/0/0 (47)
The IP address is reversed from 192.94.73.19 -> 19.73.94.192 and prefixed to the name of the blacklist, so it becomes: 19.73.94.192.zen.spamhaus.org. In this case the address is not listed at zen.spamhaus.org.
An example of an IP address that has been listed:
Code:
$ blcheck.sh 92.101.76.6
IP 92.101.76.6 NAME ip-006-076-101-092.pools.atnet.ru.
2008-10-29_00:39:49_UTC 6.76.101.92.cbl.abuseat.org. 127.0.0.2
2008-10-29_00:39:49_UTC 6.76.101.92.dnsbl.sorbs.net. 127.0.0.7
2008-10-29_00:39:49_UTC 6.76.101.92.bl.spamcop.net. 127.0.0.2
2008-10-29_00:39:49_UTC 6.76.101.92.zen.spamhaus.org. 127.0.0.11 127.0.0.4
2008-10-29_00:39:49_UTC 6.76.101.92.combined.njabl.org. ---
The tcpdump output:
Code:
sudo tcpdump -ni bge0 -s512 port 53
192.168.222.20.41580 > 192.168.222.10.53: 44311+ PTR? 6.76.101.92.in-addr.arpa. (42)
192.168.222.10.53 > 192.168.222.20.41580: 44311 1/0/0 PTR ip-006-076-101-092.pools.atnet.ru. (89)
192.168.222.20.11188 > 192.168.222.10.53: 39105+ A? 6.76.101.92.cbl.abuseat.org. (45)
192.168.222.10.53 > 192.168.222.20.11188: 39105 1/0/0 A 127.0.0.2 (61)
192.168.222.20.16514 > 192.168.222.10.53: 6322+ A? 6.76.101.92.dnsbl.sorbs.net. (45)
192.168.222.10.53 > 192.168.222.20.16514: 6322 1/0/0 A 127.0.0.7 (61)
192.168.222.20.1968 > 192.168.222.10.53: 16255+ A? 6.76.101.92.bl.spamcop.net. (44)
192.168.222.10.53 > 192.168.222.20.1968: 16255 1/0/0 A 127.0.0.2 (60)
192.168.222.20.6546 > 192.168.222.10.53: 55003+ A? 6.76.101.92.zen.spamhaus.org. (46)
192.168.222.10.53 > 192.168.222.20.6546: 55003 2/0/0 A 127.0.0.11, A 127.0.0.4 (78)
192.168.222.20.48966 > 192.168.222.10.53: 11236+ A? 6.76.101.92.combined.njabl.org. (48)
192.168.222.10.53 > 192.168.222.20.48966: 11236 NXDomain* 0/0/0 (48)
Note that I used '-s 512' to dump 512 bytes of each packet, instead of the default of 96. That way you can see the complete answer.
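As an added illustration of what the post describes (this is not the poster's blcheck.sh and not any list operator's code), the script below builds the reversed-address query name, looks it up, and interprets the 127.0.0.x answers. The lookup is done against a constructed in-memory table that mirrors the tcpdump output above, so it runs offline; `system_resolve` is the drop-in replacement that uses the real resolver. The zone names `dead.example`, the IPv6 nibble form, the RFC 5782 test points (127.0.0.2 must be listed, 127.0.0.1 must not) and the Spamhaus zen return-code table are assumptions added here, not taken from the post.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed address labels + the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")          # 92.101.76.6 -> 6.76.101.92
    else:
        # IPv6 lists use the 32 reversed nibbles (RFC 5782), assumed here
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone.strip(".") + "."


def system_resolve(name):
    """Resolve with the system resolver; [] means NXDOMAIN / no answer."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed sample answers mirroring the tcpdump output in the post
# (combined.njabl.org answered NXDomain, so it has no entry).
SAMPLE_ANSWERS = {
    "6.76.101.92.cbl.abuseat.org.": ["127.0.0.2"],
    "6.76.101.92.dnsbl.sorbs.net.": ["127.0.0.7"],
    "6.76.101.92.bl.spamcop.net.": ["127.0.0.2"],
    "6.76.101.92.zen.spamhaus.org.": ["127.0.0.11", "127.0.0.4"],
    # RFC 5782 test points for zen: 127.0.0.2 listed, 127.0.0.1 not listed
    "2.0.0.127.zen.spamhaus.org.": ["127.0.0.2"],
    # constructed dead/wildcarded zone that answers with a non-127/8 address
    "6.76.101.92.dead.example.": ["198.51.100.7"],
    "2.0.0.127.dead.example.": ["198.51.100.7"],
    "1.0.0.127.dead.example.": ["198.51.100.7"],
}


def fake_resolve(name):
    """Offline stand-in for system_resolve using the constructed table."""
    return SAMPLE_ANSWERS.get(name, [])


LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def lookup(ip, zone, resolve=fake_resolve):
    """Return the answer codes for ip in zone; [] means not listed.

    Raises ValueError on answers outside 127.0.0.0/8: a DNSBL never returns
    those, and treating such an answer as "listed" would block everyone
    once a defunct zone gets wildcarded."""
    answers = resolve(dnsbl_query_name(ip, zone))
    for a in answers:
        if ipaddress.ip_address(a) not in LOOPBACK:
            raise ValueError(f"{zone}: non-DNSBL answer {a}")
    return answers


def zone_is_sane(zone, resolve=fake_resolve):
    """RFC 5782 sanity check: 127.0.0.2 is listed and 127.0.0.1 is not."""
    try:
        return bool(lookup("127.0.0.2", zone, resolve)) and not lookup(
            "127.0.0.1", zone, resolve)
    except ValueError:
        return False


# Spamhaus zen return codes as documented by Spamhaus (assumed current;
# check their documentation before relying on it).
ZEN_CODES = {2: "SBL", 3: "SBL CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL", 11: "PBL"}


def decode_zen(answers):
    """Map zen answer addresses to the sub-lists they represent."""
    return sorted({ZEN_CODES.get(int(a.rsplit(".", 1)[1]), "unknown")
                   for a in answers})


def check_all(ip, zones, resolve=fake_resolve):
    """Query every zone for ip; value is the code list, [] when not listed."""
    return {zone: lookup(ip, zone, resolve) for zone in zones}


if __name__ == "__main__":
    zones = ["cbl.abuseat.org", "dnsbl.sorbs.net", "bl.spamcop.net",
             "zen.spamhaus.org", "combined.njabl.org"]
    for zone, codes in check_all("92.101.76.6", zones).items():
        print(dnsbl_query_name("92.101.76.6", zone), codes or "---")
    print("zen:", decode_zen(lookup("92.101.76.6", "zen.spamhaus.org")))
```

To run it against live lists, pass `resolve=system_resolve`; run `zone_is_sane(zone, system_resolve)` first, because a zone that fails the 127.0.0.2/127.0.0.1 test is either unreachable or no longer a DNSBL at all.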