A Terraform module to set up DNS records that harden a parked (unused) domain using Cloudflare DNS.

Domains should be protected against email spoofing even if they are not intended to be actively used. This module configures DNS records to protect such domains based on the M3AAWG Protecting Parked Domains Best Common Practices.

This module creates the following DNS records.
- Null MX record (RFC 7505) to indicate the domain does not accept any email.
- SPF record to indicate no IP is authorized to send email on behalf of this domain.
- DMARC record to instruct receiving domains to reject any email forging this domain.
- Optionally adds the `rua` tag to the DMARC record to receive aggregate feedback reports via email.
- Optionally creates Null MX and DMARC records for wildcard subdomains as well as the root domain (enabled by default).
```hcl
provider "cloudflare" {
}

data "cloudflare_zone" "this" {
  name = "example.com"
}

module "parked_domain" {
  source = "nozaq/parked-domain-baseline/cloudflare"

  zone_id            = data.cloudflare_zone.this.id
  ttl                = 86400
  include_subdomains = true
}
```
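Once the module is applied, the three records described above can be checked against an export of the zone. The following is an added example, not part of the module: the function names, the `(name, type, value)` record format and the sample data are assumptions made for illustration, and it audits the root domain only, not the wildcard records.

```python
# Constructed sample zone data as (name, type, value) tuples.
SAMPLE_HARDENED = [
    ("example.com", "MX", "0 ."),
    ("example.com", "TXT", "v=spf1 -all"),
    ("_dmarc.example.com", "TXT", "v=DMARC1; p=reject; rua=mailto:reports@example.net"),
]
SAMPLE_WEAK = [
    ("example.com", "MX", "10 mail.example.com."),
    ("example.com", "TXT", "v=spf1 ~all"),
    ("_dmarc.example.com", "TXT", "v=DMARC1; p=none"),
]


def parse_tags(txt):
    """Split a DMARC record into a lowercase tag -> value dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def audit_parked_domain(domain, records):
    """Return a list of findings; an empty list means the baseline is met."""
    domain = domain.rstrip(".").lower()
    by_key = {}
    for name, rtype, value in records:
        key = (name.rstrip(".").lower(), rtype.upper())
        by_key.setdefault(key, []).append(value.strip().strip('"'))
    findings = []

    # Null MX (RFC 7505): exactly one MX with preference 0 and exchange ".".
    mx = by_key.get((domain, "MX"), [])
    if [m.split() for m in mx] != [["0", "."]]:
        findings.append("MX: expected a single null MX '0 .'")

    # SPF: one v=spf1 record whose only term is -all (no sender authorized).
    spf = [t for t in by_key.get((domain, "TXT"), []) if t.lower().startswith("v=spf1")]
    if len(spf) != 1 or spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append("SPF: expected exactly one 'v=spf1 -all' record")

    # DMARC: one record at _dmarc.<domain> with p=reject; rua is optional.
    dmarc = [t for t in by_key.get(("_dmarc." + domain, "TXT"), [])
             if t.lower().startswith("v=dmarc1")]
    tags = parse_tags(dmarc[0]) if len(dmarc) == 1 else {}
    if tags.get("p", "").lower() != "reject":
        findings.append("DMARC: expected exactly one record with p=reject")
    return findings
```
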

Name | Version |
---|---|
terraform | >= 1.3 |
cloudflare | >= 3.29 |

Name | Version |
---|---|
cloudflare | >= 3.29 |

Name | Description | Type | Required |
---|---|---|---|
zone_id | The DNS zone ID to add the records to. Either zone_name or zone_id need to be given. | string | yes |
aggregate_feedback_email | The email address to which aggregate feedback is to be sent. | string | no |
include_subdomains | Configure all subdomains as well as the root domain. | bool | no |
ttl | The TTL of the DNS records. | number | no |

No outputs.
- terraform-aws-parked-domain-baseline: The module to accomplish the same outcome with AWS Route53 instead of Cloudflare DNS.
- terraform-google-parked-domain-baseline: The module to accomplish the same outcome with GCP Cloud DNS instead of Cloudflare DNS.