DNS Configuration

For the moment I use my registrars DNS service and add records using their web form. This is fine, but requires some manual work when it comes time to advertize DKIM records, since best practice says they should be rotated periodically.

Eventually we may run bind, make the machine DNS primary for all domains, then automate DKIM rotation. Some caution is needed though, because if the machine is ever compromised, an attacker can publish bad zones. DNSSEC would help because we could build and sign zones on a separate machine, copy to the primary via scp or something, then regular AXFR out to the secondaries. If the signing machine is otherwise inaccessible, an attacker would not be able to modify anything. Future work.

Records

You will need address records for the domain root and the mail server, and a MX record that points to the mail server. Set the reverse DNS to point to the mail server address. When running email for several virtual domains, pick one as the root, say mail.example.com, and then have the MX records for the other domains point to it. 

@	IN      A 	11.22.33.44
mail	IN      A 	11.22.33.44

@	IN	MX	10	mail.example.com.

www	IN     CNAME	example.com.

It is not required, but a good idea to add a CAA record that declares your certificate authority in DNS.

example.com. CAA 1 issue "letsencrypt.org"
example.com. CAA 1 iodef "mailto:security@example.com"

If you are using DKIM signing, you need a record for each selector that you are using. I recommend using a date based selector to make it simpler to move to a new one.

202002._domainkey IN TXT ( "v=DKIM1; k=rsa; p=longhexstring" );

Create simple SPF record that says all mail must come from our MX and to ignore anything else. Add a DMARC entry that says quarantine anything that doesn't pass relaxed DKIM or SPF checks. Note that SPF records do not cover subdomains, so when sending from a subdomain like "mail", you should add a record to cover that.

example.com.  IN TXT "v=spf1 mx a -all"
mail.example.com.  IN TXT "v=spf1 mx a -all"
_DMARC.example.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:postmaster@example.com;"

DNS entries can be used to tell mail clients how to configure themselves, but I'm not sure how many look at this. This is documented in RFC 6186. The listings below say use imaps, and that imap, pop3, and pop3s are not supported. 

_imap._tcp     SRV  0 0 0   .
_imaps._tcp    SRV  0 1 993 mail.example.com.
_pop3._tcp     SRV  0 0 0   .
_pop3s._tcp    SRV  0 0 0   .

 _submission._tcp     SRV  0 1 587 mail.example.com.

Secondaries

We will probably use Linode's and BuddyNS nameservers as secondaries. For Linode, you need to go into their domain manager and add each domain as a secondary, pointing it to the primary. Allow AXFR/IXFR from ns1-ns5.linode.com and add them to your domain's authoritative nameservers. Configure notifies for ns1-ns5.linode.com

In order for Linode’s DNS servers to function as secondaries, your DNS primary must notify and allow AXFR requests from the following IP addresses: 

    104.237.137.10
    65.19.178.10
    75.127.96.10
    207.192.70.10
    109.74.194.10
    2600:3c00::a
    2600:3c01::a
    2600:3c02::a
    2600:3c03::a
    2a01:7e00::a

Buddy instructions are at https://www.buddyns.com/support/setup/zone-transfer/

Configuration

Linode machines run a network helper at each boot to set up /etc/network/interfaces and /etc/resolv.conf for the machine. It sets the resolv.conf for the Linode DNS servers, but if we want to use our own local DNS, we have to turn off that network helper for the machine. Then we can can configure theirs as the forward address and use our local one.

https://www.linode.com/docs/platform/network-helper/

Monitor World-Wide Propagation

DNS propogation may take up to 48 hours. This can be monitored and checked on www.whatsmydns.net, dnschecker.org.

DNSSEC

I would like to do DNSSEC, but it is difficult to find anyone that will act as secondary DNS with DNSSEC. DNSMadeEasy ($30/yr), BuddyNS ($18/mo), and the Bulgarian CloudNS claim to do it, but they do not even have it configured properly for their own domains. Google Cloud DNS and Cloudflare can do DNSSEC, but they generate the keys and do all of the signing, no AXFR of an already signed zone.

At the moment, the choice seems to be DNSSEC and run your own one or two servers that could be DDOSed, or none and use broadly available secondaries. It also seems that key rotation is a big problem. Mail in a box has probably the best setup and even they do not do it because of the potential for DNS outages.

Arpanet 1978
In 1978, a printed list of computers on the Arpanet was four pages long and mostly PDP-9's, PDP-10's, and PDP-11's. It was all downhill from there.

Copyright © 2020-2023 David Loffredo, licensed under CC BY-SA 4.0.