A wildcard DNS record is a record in a DNS zone that will match requests for non-existent domain names. A wildcard DNS record is specified by using a * as the leftmost label (part) of a domain name, e.g. *.example.com. The exact rules for when a wildcard will match are specified in , but the rules are neither intuitive nor clearly specified. This has resulted in incompatible implementations and unexpected results when they are used.
Definitions of DNS wildcards
A wildcard DNS record in a zone file looks similar to this example:
*.example.com. 3600 IN MX 10 host1.example.com.
This wildcard DNS record will cause DNS lookups on domain names ending in example.com that do not exist to have MX records synthesized for them. So, a lookup for the MX record for somerandomname.example.com would return an MX record pointing to host1.example.com.
Wildcards in the DNS are much more limited than wildcard characters used in other computer systems. Wildcard DNS records have a single * (asterisk) as the leftmost DNS label, such as *.example.com. Asterisks at other places in the domain will not work as a wildcard, so neither *abc.example.com nor abc.*.example.com work as wildcard DNS records. Moreover, the wildcard is matched only when a domain does not exist, not just when there are no matching records of the type that has been queried for. Even the definition of "does not exist" as defined in the search algorithm of section 4.3.3 can result in the wildcard not matching cases that one might expect with other types of wildcards.
The original definition of how a DNS wildcard behaves is given in sections 4.3.2 and 4.3.3, but only indirectly, through certain steps of a search algorithm; as a result, the rules are neither intuitive nor clearly specified. Twenty years later, , "The Role of Wildcards in the Domain Name System", was written to help clarify the rules.
To quote , "A common mistake is thinking that a wildcard MX for a zone will apply to all hosts in the zone. A wildcard MX will apply only to names in the zone which aren't listed in the DNS at all." That is, if there is a wildcard MX for *.example.com, and an A record (but no MX record) for www.example.com, the correct response (as per ) to an MX request for www.example.com is "no error, but no data"; this is in contrast to the possibly expected response of the MX record attached to *.example.com.
Example usages
The following example is from section 2.2.1 and is useful in clarifying how wildcards work. Say there is a DNS zone with the following resource records:
$ORIGIN example.
example. 3600 IN SOA
example. 3600 NS ns.example.com.
example. 3600 NS ns.example.net.
*.example. 3600 TXT "this is a wildcard"
*.example. 3600 MX 10 host1.example.
sub.*.example. 3600 TXT "this is not a wildcard"
host1.example. 3600 A 192.0.2.1
_ssh._tcp.host1.example. 3600 SRV
_ssh._tcp.host2.example. 3600 SRV
subdel.example. 3600 NS ns.example.com.
subdel.example. 3600 NS ns.example.net.
A look at the domain names in a tree structure is helpful:
example
├─ *
│  └─ sub
├─ host1
│  └─ _tcp
│     └─ _ssh
├─ host2
│  └─ _tcp
│     └─ _ssh
└─ subdel
The following responses would be synthesized from one of the wildcards in the zone:
The following responses would not be synthesized from any of the wildcards in the zone:
The final example highlights one common misconception about wildcards. A wildcard "blocks itself" in the sense that a wildcard does not match its own subdomains. That is, *.example. does not match all names in the example. zone; it fails to match the names below *.example. To cover names under *.example., another wildcard domain name is needed—*.*.example.—which covers all but its own subdomains.
In practice
To quote from , many DNS implementations diverge, in different ways, from the original definition of wildcards. Some of the variations include:
* With djbdns, in addition to checking for wildcards at the current level, the server checks for wildcards in all enclosing superdomains, all of the way up to the root. In the examples listed above, the query for _telnet._tcp.host1.example for an MX record would match a wildcard despite the domain _tcp.host1.example existing.
* Microsoft's DNS server (if configured to do so) and MaraDNS (by default) have wildcards also match all requests for empty resource record sets, i.e., domain names for which there are no records of the desired type. In the examples listed above, the query for sub.*.example for an MX record would match *.example, despite sub.*.example explicitly existing with only a TXT record.
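As an added example (not the article's own text, and not code from any of the servers named), the following Python model runs the lookups from the "Example usages" section and the two divergences listed above over the example zone: mode "rfc" applies the closest-encloser rule, while "ancestors" and "empty-rrset" are simplified models of the djbdns and MaraDNS/Microsoft behaviours as the text describes them, not of the real implementations. The zone dictionary is constructed from the listing above, with placeholders where the listing elides RDATA.

```python
# Added example, not code from the article or any DNS server. mode="rfc" is the
# closest-encloser rule; "ancestors" (djbdns-like) and "empty-rrset" (MaraDNS/
# Microsoft-like) are simplified models of the divergences described above.
ZONE = {  # constructed from the listing; elided RDATA replaced by placeholders
    "example.": {"SOA": "<SOA RDATA>", "NS": "ns.example.com. ns.example.net."},
    "*.example.": {"TXT": '"this is a wildcard"', "MX": "10 host1.example."},
    "sub.*.example.": {"TXT": '"this is not a wildcard"'},
    "host1.example.": {"A": "192.0.2.1"},
    "_ssh._tcp.host1.example.": {"SRV": "<SRV RDATA>"},
    "_ssh._tcp.host2.example.": {"SRV": "<SRV RDATA>"},
    "subdel.example.": {"NS": "ns.example.com. ns.example.net."},
}
APEX = "example."

def parent(name):  # drop the leftmost label: 'a.b.example.' -> 'b.example.'
    return name.split(".", 1)[1]

def exists(name):  # owns records, or is an empty non-terminal with descendants
    return name in ZONE or any(o.endswith("." + name) for o in ZONE)

def ancestors(name):  # existing names enclosing `name`, nearest first, up to the apex
    out = []
    while name != APEX:
        name = parent(name)
        if exists(name):
            out.append(name)
    return out

def lookup(qname, qtype, mode="rfc"):  # -> (status, owner name, rdata)
    encl = ancestors(qname)
    for anc in encl:  # below a zone cut: referral, never synthesis
        if anc != APEX and "NS" in ZONE.get(anc, {}):
            return ("REFERRAL", anc, ZONE[anc]["NS"])
    own = ZONE.get(qname, {})
    if qtype in own:
        return ("ANSWER", qname, own[qtype])
    if exists(qname) and mode != "empty-rrset":
        return ("NODATA", qname, None)  # the name exists: no wildcard applies
    # source of synthesis: '*.' + closest encloser only (rfc), or
    # '*.' + every enclosing name up to the apex (divergent modes)
    matched = None
    for anc in (encl[:1] if mode == "rfc" else encl):
        rrs = ZONE.get("*." + anc)
        if rrs is not None:
            matched = "*." + anc
            if qtype in rrs:
                return ("SYNTHESIZED", matched, rrs[qtype])
    if matched or exists(qname):  # a wildcard matched but lacks the type
        return ("NODATA", matched or qname, None)
    return ("NXDOMAIN", qname, None)
```

Calling lookup("ghost.*.example.", "MX") returns NXDOMAIN under the RFC rule, which is the "blocks itself" case from the section above, while the same query in "ancestors" mode is synthesized from *.example.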
Registrants
Wildcard domains are widely used by blogging websites that allow users to create sub-domains on demand, e.g., sites such as WordPress or Blogspot. Another popular use is by free dynamic DNS websites that allow users to create a DNS name that changes to match their host IP address as it is changed periodically by their ISP's DHCP server.
New TLDs
New gTLDs are prohibited from publishing wildcards (or using equivalent name server mechanisms) by specification 6 of the ICANN New gTLD Base Registry Agreement. However, ICANN's Name Collision Occurrence Management Framework (PDF) explicitly requires new gTLDs to publish (for at least 90 days) special MX, SRV, TXT, and 127.0.53.53 A record wildcards that warn of potential name collisions due to use of relative domain names with domain search paths.
Registries/ISPs
Several domain name registrars have, at various times, deployed wildcard records for top-level domains to provide a platform for advertising, most notably VeriSign for .com and .net with its (now removed) Site Finder system. The .museum TLD also had a wildcard record, which has since been removed. Top-level domains using a wildcard A record (other than 127.0.53.53) are .fm, .la, .ph, .pw, .vg and .ws. The internationalized TLDs .中国 ("China") and .გე (the Georgian letters for the Georgian country code "GE") also have wildcard A records. The *.中国 wildcard resolves to ibaidu.com (flagged by Chrome as unsafe), and the *.გე wildcard resolves to a website of the .ge TLD.
It has also become common for ISPs to synthesize address records for typos for the same purpose, a practice called "catchall" typosquatting, but these aren't true wildcards, but rather modified caching name servers (see "When Monetizing ISP Traffic Goes Horribly Wrong", Security Fix, archived by the Wayback Machine).
Ignoring wildcards from others
The Internet Software Consortium produced a version of the BIND DNS software that can be configured to filter out wildcard DNS records from specific domains. Various developers have produced software patches for BIND and for djbdns.
Other DNS server programs have followed suit, providing the ability to ignore wildcard DNS records as configured.
External links
IAB Commentary: Architectural Concerns on the use of DNS Wildcards