How does DNS blacklisting work


I've had a read around the internet but I'm still rather confused. Say the network setup looks something like this:

PC > Firewall > DNS Server

I was under the impression that the PC would attempt to access the DNS server but the firewall would instantly block the request because it's noticed that the domain being requested is in its blacklist.

Reading online, however, it seems the initial request to the DNS server is actually allowed, but when the DNS server returns the IP address of the domain, it's blocked and unable to reach the PC.

Why is it done like this, or was I right initially and have completely misunderstood something?

user2437672

Posted 2016-11-11T14:11:59.293


I'm afraid this has nothing to do with using a web application. Try [su]. – ale – 2016-11-11T14:46:29.253

Answers


DNS blacklisting can apply to multiple different types of situations, and each implementation is different depending on the type. Some of the types of DNS blacklisting include preventing client computers from correctly resolving certain names, whether locally on the PC in the hosts file or on an onsite or offsite DNS server/forwarder/cache. Then there are the reverse DNS blacklists for things like email servers, used to block bad email servers from sending them email.

DNS Blacklist for Clients

Your diagram matches the concept of blocking a client from accessing a host through the use of an offsite DNS server/forwarder such as http://www.opendns.com

You should note that the firewall has nothing to do with the actual filtering. Most homes, though, typically have a single device that functions as modem/firewall/router/Wifi/DHCP server/DNS forwarder (henceforth called 'home router'), and it typically tells its clients to use itself as the DNS server. This means that configuring that device to use the DNS server/forwarder, as OpenDNS describes, will "protect" all clients of that device. The way this happens is that the client makes a DNS request to the home router, which then forwards the request along to the OpenDNS server, which then checks the name against its blacklists and, if it matches, returns an incorrect IP address.

While I've not checked what OpenDNS specifically returns, typically this sort of service returns the IP address of one of the DNS service's web servers. So if someone using their service tries to visit a web page on their list, the client will be shown the DNS service's website instead, explaining what just happened.

You can of course do this with your own on-site DNS server, or even just on your local computer through your hosts file, having it return the address 127.0.0.1. Any web requests to bad names will then instead try to reach your own computer to see if it is serving web pages, which it usually isn't, so you will get an error instead of a bad website.

This sort of blacklisting also works for different types of traffic besides web browsing, such as chat programs, games, and more.

DNS Blacklisting for Email Servers Receiving Mail

This is trickier and is handled by the email server receiving an email. Receiving email is a tricky business, and many methods are used to try and sort the spam from the ham. Two of the checks are:

  • The sending server claims a name as its identity, such as smtp.example-company.com, which the receiver then checks with its own DNS server to confirm that the public DNS record for that name matches the IP address that has connected to it.
  • The receiving server also does a reverse DNS lookup on the IP address that connected to it and may get back something like client42.adsl.example-isp.com; it then does a DNS lookup on the name client42.adsl.example-isp.com and checks that the IP it gets back matches the one that has established the connection to it.

The DNS blacklist check comes in here: if any of the above names match an entry in the blacklist, the email server can consider the incoming email more likely to be spam, reject the email, or just close the connection.

Email servers also use many other checks, such as SPF, DKIM, and many more, to identify what is spam.

BeowulfNode42

Posted 2016-11-11T14:11:59.293

Reputation: 1 629
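The two mechanisms the answer describes, a client-side resolver that sinkholes blacklisted names and a receiving mail server's forward/reverse DNS checks plus a DNSBL lookup, as an added Python example (not the answerer's code). All DNS data, the `dnsbl.example` zone and the addresses are constructed for the example; a real implementation would query a resolver instead of these dictionaries.

```python
import ipaddress

# Constructed DNS data standing in for what a resolver would fetch (example only).
ZONE_A = {
    "smtp.example-company.com": "203.0.113.10",
    "client42.adsl.example-isp.com": "198.51.100.42",
    "www.example.com": "93.184.216.34",
    "ads.badsite.example": "203.0.113.99",
}
ZONE_PTR = {
    "203.0.113.10": "smtp.example-company.com",
    "198.51.100.42": "client42.adsl.example-isp.com",
}
# Hypothetical DNSBL zone: a listed IP appears as a reversed-octet name with an A record.
DNSBL_ZONE = "dnsbl.example"
DNSBL_LISTED = {"42.100.51.198.dnsbl.example": "127.0.0.2"}


def resolve_a(name, blocklist=(), sinkhole_ip="127.0.0.1"):
    """Client-side blacklist: a name on the list (or under a listed domain) gets the
    sinkhole address instead of its real A record, as OpenDNS or a hosts-file entry does."""
    labels = name.lower().rstrip(".").split(".")
    # Check the name itself and every parent domain against the blocklist.
    if any(".".join(labels[i:]) in blocklist for i in range(len(labels))):
        return sinkhole_ip
    return ZONE_A.get(".".join(labels))


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL lookup name: the IPv4 octets reversed, under the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def fcrdns_check(connecting_ip, claimed_name):
    """The receiving server's checks from the answer: does the claimed name resolve to the
    connecting IP, does the PTR name resolve back to it (forward-confirmed reverse DNS),
    and is the connecting IP present in the DNSBL zone."""
    claimed_ok = ZONE_A.get(claimed_name.lower()) == connecting_ip
    ptr_name = ZONE_PTR.get(connecting_ip)
    ptr_ok = ptr_name is not None and ZONE_A.get(ptr_name) == connecting_ip
    listed = dnsbl_query_name(connecting_ip) in DNSBL_LISTED
    return {"claimed_ok": claimed_ok, "ptr_name": ptr_name,
            "ptr_ok": ptr_ok, "dnsbl_listed": listed}
```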