How to implement SPF Macros? - dns

I created SPF record for my domain like:
v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.example.com ~all
Now I want to send mail from ip: 192.0.2.123 and 198.51.100.234, and domain xyz.example
My SPF record will work like this:
192.0.2.123._ip.ehlo._ehlo.xyz.example._spf.example.com
198.51.100.234._ip.ehlo._ehlo.xyz.example._spf.example.com
Will I need to create 2(multiple) different DNS records in example.com or it will work in a single DNS?
If it works in a 1 DNS record lookup then please let me know how.

Since your macros generate DNS names that are used for include, yes, each will need a corresponding TXT record. You could possibly match a single record by using a wildcard, along the lines of *._ip.ehlo._ehlo.xyz.example._spf.example.com, but that would undermine the point of having the macro in the first place. I'm curious why you would need such a fine-grained structure that can't be generalised.

Related

Multiple SPF Record Format Validation Not Working

I am trying to validate multiple SPF record but it is not validating.
v=spf1 include:mailgun.org +a +mx include:marketheroSPF.smtp.com ?all
I tested it with mxtoolbox and it gives me passed status
v version spf1 The SPF record version
+ include mailgun.org Pass The specified domain is searched for an 'allow'.
+ a Pass Match if IP has a DNS 'A' record in given domain
+ mx Pass Match if IP is one of the MX hosts for given domain name
+ include marketheroSPF.smtp.com Pass The specified domain is searched for an 'allow'.
? all Neutral Always matches. It goes at the end of your record.
However the platform told me that my SPF record is not valid so I am wondering if my TXT record is in wrong format or they platform just does not know how to read multiple SPF format.
Following the official syntax guideline, try this one out.
v=spf1 a mx include:mailgun.org include:marketheroSPF.smtp.com ?all
The order matters and maybe the included records are malformed (expecially the second one). If this linked record have a leading 0, this could be one of the issues.
Depending on the parser the + in front of a and mx may cause errors since the default qualifier is already "+", i.e. "Pass".
Otherwise please provide more details. Hope that helps :)

DNS domain name format for a valid DNS query

I was told that in order for my DNS query to work, I have to convert the domain name.
i.e. rit.edu -> rit3edu ; www.google.com to 3www6google3com
I cannot find where in the RFC https://www.ietf.org/rfc/rfc1035.txt that this is discussed, as I even tried performing a find. In my packets that I send to the DNS server. I keep the '.' domain name, and I am getting 'unknown extended label'. I cannot find any helpful threads either. I found a function on GitHub, but there is no discussion on the format. Does anyone have experience with this?
Thanks in advance
You may refer to this:
http://www.keyboardbanger.com/dns-message-format-name-compression/#Data_label
And in RFC1035 you attached:
4.1.2. Question section format
QNAME
a domain name represented as a sequence of labels, where
each label consists of a length octet followed by that
number of octets. The domain name terminates with the
zero length octet for the null label of the root....
In a DNS query, each label of the domain name should be preceded by a number that indicates length of the label. So if facebook.com is the question, the actual qname in the DNS query should be 8facebook3com.

How to list all DNS records including DANE TLSA

I would like to list all/any DNS records including the DANE TLSA.
With
dig mailbox.org ANY
I get all records including DNSSEC etc. but nothing about DANE. Why?
With
dig _443._tcp.mailbox.org. ANY
I get the DANE TLSA records.
I've read the question where someone wants to query all subdomains
How can I list ALL DNS records?
and am aware that this is only possible with a zone transfer.
But '_443._tcp.' isn't a real subdomain, is it? I thought it is just an SRV record. So how can I query ANYthing including DANE TLSA?
The command dig mailbox.org ANY asks for all records for the name mailbox.org..
The command dig _443._tcp.mailbox.org. ANY asks for all records for the name _443._tcp.mailbox.org..
mailbox.org. is not the same name as _443._tcp.mailbox.org..
Asking for all the records for one of them will not show any records for the other one. If it helps, you can think of (fully qualified) names in DNS as primary keys in a database (because that is in practice exactly what they are). If you ask the database for data for the key FOO it will not give you any data for the key FOOBAR (unless it is very badly broken). Exactly the same thing is happening here. You ask for one thing, and you do not get answers for another, different, thing.
You'd find the answer in Section 3 of RFC 6698:
TLSA resource records are stored at a prefixed DNS domain name. The prefix is prepared in the following manner:
The decimal representation of the port number on which a TLS-based service is assumed to exist is prepended with an underscore character ("_") to become the left-most label in the prepared domain name. This number has no leading zeros.
The protocol name of the transport on which a TLS-based service is assumed to exist is prepended with an underscore character ("_") to become the second left-most label in the prepared domain name. The transport names defined for this protocol are "tcp", "udp", and "sctp".
The base domain name is appended to the result of step 2 to complete the prepared domain name. The base domain name is the fully qualified DNS domain name [RFC1035] of the TLS server, with the additional restriction that every label MUST meet the rules of [RFC0952]. The latter restriction means that, if the query is for an internationalized domain name, it MUST use the A-label form as defined in [RFC5890].
Basically since you can have different "TLS-Based service" (e.g., DTLS) on different ports and this data is not included in the TLSA record set, the naming convention is there to find the correct information for the desired protocol/port combination.

Do MX Records interfere with wildcard CNAME records?

I've got a wildcard CNAME record defined on my domain (*.mydomain.com)
So, a user at foo.mydomain.com would resolve correctly.
I then went and defined a specific MX record: foo.mydomain.com and pointed that to a mail server
This seems to have caused the wildcard CNAME to break for that domain and not resolve. I would assume that CNAME wildcards are isolated from MX Records, but my test appears to show otherwise.
Do MX Records cause wildcard CNAME queries with the same subdomain to not get resolved?
The record types involved actually don't matter here. What does matter is that if a name explicitly exists, a wildcard record will not be looked for. One way, and by far the most common way, for a name to explicitly exist is for it to have a record of some kind. An MX record, for example. Once that record is there, any queries for that name will either get a response with the MX record (possibly with accompanying DNSSEC records, but let's ignore that for now) in question, or a response saying "The name exists, but it doesn't have a record of the type you asked for".
A wildcard entry is only used for names that do not exist at all. What you want here, to have a wildcard record "fill in" records in existing names, is not ordinarily possible in DNS. It wouldn't be impossible to write a specific name server software that did it, of course, but the resulting semantics would be rather hideous.

DNS: How to resolve multiple records from DNS NAPTR RR

Please help me in understanding the below DNS issue. This is regarding SIP interaction with DNS.
When a DNS query is made to a domain (say abc.com) and we are returned two NAPTR RR responses.
abc.com IN NAPTR 20 30 "s" "SIP+D2U" "" _sip._udp.myabc
abc.com IN NAPTR 20 20 "s" "SIP+D2U" "" _sip._udp.myxyz
Now one of the record will be given preference and selected. If the record which is selected (say _sip._udp.myabc) has failed (network not reachable) then should the second record also be tried? Or we will look for the backup of the first one?
RR - Resource Record.
Please answer and/or share the link which has any information regarding this.
Below is the answer I have received from an off forum discussion (with colleague).
The DNS discovery proceeds as -
1 - First one of the NAPTR record will be selected (based on preference rules).
2 - For this NAPTR record we will do an SRV query.
3 - Now each record in the SRV response will be tried one by one untill we receives a positive response.
Please correct if wrong.

Resources