OPS535-lab-spf

2,245 bytes added, 14:48, 6 November 2019
Investigation 3:: - initial content for investigation 3
</ol>
==Investigation 3: Configuring DNS to Provide SPF Records==
Perform the following steps as root on your VM1.
<ol>
<li>SPF depends on the DNS server providing information about which machines are supposed to be sending mail for that domain.</li>
<li>Each SPF record (a specially formatted TXT record) identifies which machines may send mail for the domain and for the hosts in it, and which machines may not.</li>
<li>Add the following record to your DNS zone:
<source>@ IN TXT "v=spf1 mx -all"</source>
*This specifies that for your domain (@), machines with MX records are allowed to send email, but no other machines should (-all).</li>
<li>Now try to send email to your server, claiming to be host.<yourdomain>.ops and sending mail from root@<yourdomain>.ops.
*It should now fail, because SPF sees that the sending machine doesn’t match the domain’s MX records.</li>
<li>Try to send that email again, this time claiming to be from root@host.<yourdomain>.ops.
*This gets through the check because the record you added in step three is only for the domain, not for the individual machines in it.
*To properly secure mail, you need an SPF record for every machine too.
*So add an SPF record like the one above for every machine in your domain, replacing the @ with the hostname.
**If you remember how to use white-space at the beginning of records, you can save yourself some typing.
*Now try to send the email claiming to be root@host.<yourdomain>.ops again. This time it should fail.</li>
<li>There is one more SPF record needed to stop someone from spoofing our mail. We need a record for the machines that don’t exist; otherwise someone can just claim to be sending mail from a machine name you don’t have, or from a sub-domain.
*First, send yet another email, this time claiming to be from root@void.<yourdomain>.ops (or some other machine that doesn’t exist).
*Now add the following record to your zone:
<source>*.<yourdomain>.ops. IN TXT "v=spf1 mx:<yourdomain>.ops -all"</source>
*This acts as a wildcard: any machine in your domain that doesn’t have a record, and any sub-domain that doesn’t have a record, should only be sending email from one of the mail servers named in your MX records.
*Try sending your spoofed email again. It should no longer work.</li>
</ol>
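The checks the lab has you perform by hand, replayed as an added Python example (not part of the lab or the wiki page). It assumes example.ops stands in for <yourdomain>.ops, the addresses are constructed from the 192.0.2.0/24 documentation range, only the mechanisms the lab uses (mx, mx:domain, all) are implemented, and DNS wildcard matching is simplified to "the name has no records at all":

```python
import ipaddress

# Constructed zone for the lab's <yourdomain>.ops (here example.ops): TXT holds the
# lab's SPF records, MX the mail exchanger, A the host addresses.
ZONE = {
    "example.ops":      {"MX": ["mail.example.ops"], "TXT": ["v=spf1 mx -all"]},
    "mail.example.ops": {"A": ["192.0.2.10"]},
    "host.example.ops": {"A": ["192.0.2.20"]},  # exists, so the wildcard never covers it
    "*.example.ops":    {"TXT": ["v=spf1 mx:example.ops -all"]},
}

def lookup(zone, name, rrtype):
    """Return records for name; the wildcard is synthesised only for names with no records at all."""
    if name in zone:
        return zone[name].get(rrtype, [])
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in zone:
            return zone[wild].get(rrtype, [])
    return []

def check_spf(zone, sender_domain, client_ip):
    """Evaluate the MAIL FROM domain's SPF record for the connecting IP. 'none' means the
    domain publishes no record, which is why an unprotected host lets spoofed mail through."""
    records = [t for t in lookup(zone, sender_domain, "TXT") if t.startswith("v=spf1")]
    if not records:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech == "all":
            return "pass" if qualifier == "+" else "fail"
        if mech == "mx" or mech.startswith("mx:"):
            target = mech[3:] if mech.startswith("mx:") else sender_domain
            mx_ips = {ipaddress.ip_address(a) for mx in lookup(zone, target, "MX")
                      for a in lookup(zone, mx, "A")}
            if ip in mx_ips:
                return "pass" if qualifier == "+" else "fail"
    return "neutral"

def lab_walkthrough(spoofer_ip="192.0.2.99"):
    """Replay the lab's spoof attempts from a non-MX address (constructed), then a real MX."""
    with_host_record = {**ZONE, "host.example.ops": {"A": ["192.0.2.20"], "TXT": ["v=spf1 mx -all"]}}
    return {
        "step4_root@domain": check_spf(ZONE, "example.ops", spoofer_ip),
        "step5_host_no_record": check_spf(ZONE, "host.example.ops", spoofer_ip),
        "step5_host_with_record": check_spf(with_host_record, "host.example.ops", spoofer_ip),
        "step6_void_wildcard": check_spf(with_host_record, "void.example.ops", spoofer_ip),
        "legit_from_mx": check_spf(with_host_record, "example.ops", "192.0.2.10"),
    }
```

The "none" result for host.example.ops before its own record exists is the gap step five exposes: a receiver with no SPF policy to evaluate accepts the message.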
==Completing the Lab==
Your DNS and email servers are now cooperating to filter email and prevent malicious email from being sent to your users. They are also providing information making it difficult for others to impersonate your domain.