DNS hijacking (Prevention) Guide 3

  • Post
    Weekend Wiki
    General Manager

    Here’s a full configuration that includes SSL/TLS settings, HTTP security headers, and email security protocols like SPF, DKIM, and DMARC to enhance security across both web and email:

    NGINX Web Server Configuration with Email Security Setup

    server {
        listen 443 ssl;
        server_name example.com;
    
        # SSL/TLS Configuration
        ssl_certificate /path/to/certificate.crt;
        ssl_certificate_key /path/to/private.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384";
        ssl_prefer_server_ciphers on;
    
        # HSTS (HTTP Strict Transport Security)
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    
        # X-Content-Type-Options to prevent MIME-type sniffing
        add_header X-Content-Type-Options "nosniff" always;
    
        # X-Frame-Options to prevent clickjacking
        add_header X-Frame-Options "DENY" always;
    
        # X-XSS-Protection to enable XSS filtering
        add_header X-XSS-Protection "1; mode=block" always;
    
        # Content Security Policy (CSP) - Adjust as needed
        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'" always;
    
        # Additional server configurations
        root /var/www/example.com;
        index index.html index.htm;
    
        location / {
            try_files $uri $uri/ =404;
        }
    }
    
    # Email Security Protocols: SPF, DKIM, and DMARC (DNS Configuration)
    
    # In DNS settings for your domain (typically managed in your DNS provider’s dashboard), add the following:
    
    # SPF Record
    # Add a TXT record in DNS for SPF:
    # Record Type: TXT
    # Name: @
    # Value: "v=spf1 include:_spf.example.com -all"
    
    # DKIM Record
    # Generate a DKIM key pair and publish the public key in DNS. The DNS TXT record will look like:
    # Record Type: TXT
    # Name: selector._domainkey.example.com
    # Value: "v=DKIM1; k=rsa; p=public_key_here"
    
    # DMARC Record
    # Add a TXT record in DNS for DMARC:
    # Record Type: TXT
    # Name: _dmarc.example.com
    # Value: "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; adkim=s; aspf=s"
    

    Explanation of Security Layers

    1. SSL/TLS Settings: Configures secure connections with strong protocols and ciphers, ensuring encrypted data transmission.
    2. HTTP Security Headers:
      • HSTS: Enforces HTTPS connections.
      • X-Content-Type-Options: Prevents MIME-type sniffing.
      • X-Frame-Options: Prevents clickjacking.
      • X-XSS-Protection: Enables XSS filtering.
      • CSP: Restricts the sources from which content can load, reducing XSS risk.
    3. Email Security Protocols (DNS Configuration):
      • SPF: Specifies which IP addresses are authorized to send email for the domain.
      • DKIM: Digitally signs emails to verify sender identity and integrity.
      • DMARC: Aligns SPF and DKIM results, setting a policy for handling unauthorized emails and reporting.

    After configuring, apply the changes by restarting the NGINX server:

    sudo systemctl restart nginx
    

    For email security, ensure that DNS records are accurately configured with your domain provider. This setup adds layers of security to protect against unauthorized access, spoofing, and data interception.
