Wildcard DNS Record

A wildcard DNS record is a record in a DNS zone that will match requests for non-existent domain names. A wildcard DNS record is specified by using a * as the leftmost label (part) of a domain name, e.g. *.example.com. The exact rules for when a wildcard will match are specified in , but the rules are neither intuitive nor clearly specified. This has resulted in incompatible implementations and unexpected results when they are used.

Definitions of DNS wildcards

A wildcard DNS record in a zone file looks similar to this example:

*.example.com. 3600 IN MX 10 host1.example.com.

This wildcard DNS record will cause DNS lookups on domain names ending in example.com that do not exist to have MX records synthesized for them. So, a lookup for the MX record for somerandomname.example.com would return an MX record pointing to host1.example.com.

Wildcards in the DNS are much more limited than other wildcard characters used in other computer systems. Wildcard DNS records have a single * (asterisk) as the leftmost DNS label, such as *.example.com. Asterisks at other places in the domain will not work as a wildcard, so neither *abc.example.com nor abc.*.example.com work as wildcard DNS records. Moreover, the wildcard is matched only when a domain does not exist, not just when there are no matching records of the type that has been queried for. Even the definition of "does not exist" as defined in the search algorithm of section 4.3.3 can result in the wildcard not matching cases that one might expect with other types of wildcards.

The original definition of how a DNS wildcard behaves is specified in sections 4.3.2 and 4.3.3, but only indirectly by certain steps in a search algorithm and as a result, the rules are neither intuitive nor clearly specified. As a result, 20 years later, , "The Role of Wildcards in the Domain Name System" was written to help clarify the rules.

To quote , "A common mistake is thinking that a wildcard MX for a zone will apply to all hosts in the zone. A wildcard MX will apply only to names in the zone which aren't listed in the DNS at all." That is, if there is a wildcard MX for *.example.com, and an A record (but no MX record) for www.example.com, the correct response (as per ) to an MX request for www.example.com is "no error, but no data"; this is in contrast to the possibly expected response of the MX record attached to *.example.com.

Example usages

The following example is from section 2.2.1 and is useful in clarifying how wildcards work.

Say there is a DNS zone with the following resource records:
$ORIGIN example.
example. 3600 IN SOA
example. 3600 NS ns.example.com.
example. 3600 NS ns.example.net.
*.example. 3600 TXT "this is a wildcard"
*.example. 3600 MX 10 host1.example.
sub.*.example. 3600 TXT "this is not a wildcard"
host1.example. 3600 A 192.0.2.1
_ssh._tcp.host1.example. 3600 SRV
_ssh._tcp.host2.example. 3600 SRV
subdel.example. 3600 NS ns.example.com.
subdel.example. 3600 NS ns.example.net.

A look at the domain names in a tree structure is helpful:

example
├─ *
│ └─ sub
├─ host1
│ └─ _tcp
│ └─ _ssh
├─ host2
│ └─ _tcp
│ └─ _ssh
└─ subdel

The following responses would be synthesized from one of the wildcards in the zone:

The following responses would not be synthesized from any of the wildcards in the zone:

The final example highlights one common misconception about wildcards. A wildcard "blocks itself" in the sense that a wildcard does not match its own subdomains. That is, *.example. does not match all names in the example. zone; it fails to match the names below *.example.. To cover names under *.example., another wildcard domain name is needed—*.*.example.—which covers all but its own subdomains.

In practice

To quote from , many DNS implementations diverge, in different ways, from the original definition of wildcards. Some of the variations include:

* With djbdns, in addition to checking for wildcards at the current level, the server checks for wildcards in all enclosing superdomains, all of the way up to the root. In the examples listed above, the query for _telnet._tcp.host1.example for an MX record would match a wildcard despite the domain _tcp.host1.example existing.
* Microsoft's DNS server (if configured to do so) and MaraDNS (by default) have wildcards also match all requests for empty resource record sets; i.e., domain names for which there are no records ''of the desired type''. In the examples listed above, the query for sub.*.example for an MX record would match *.example, despite sub.*.example explicitly existing with only a TXT Record.

Registrants

Wildcard domains are widely used by blogging websites that allow users to create sub-domains upon demand; e.g., sites such as WordPress or Blogspot. Another popular use is by Free Dynamic DNS websites that allow users to create a DNS name that changes to match their host IP as the IP address is changed periodically by their ISP's DHCP server.

New TLDs

New gTLDs are prohibited from publishing wildcards (or using equivalent name server mechanisms) b
specification 6
of the ICANN New gTLD Base Registry agreement. However, ICANN'
Name Collision Occurrence Management Framework(PDF
, explicitly requires new gTLDs to publish (for at least 90 days) special MX, SRV, TXT, and 127.0.53.53 A record wildcards that warn of potential name collisions due to use of relative domain names with domain search paths.

Registries/ISPs

Several domain name registrars have, at various times, deployed wildcard records for the top-level domains to provide a platform for advertising, most notably VeriSign for .com and .net with its (now removed) Site Finder system. The .museum TLD also had a wildcard record which has now been removed. , top-level domains using a wildcard A record (other than 127.0.53.53) are .fm, .la, .ph, .pw, .vg and .ws. The internationalized TLDs .中国 ( or for "China") and .გე ( for the Georgian letters for the Georgian country code "GE") also have wildcard A records. The *.中国 wildcard resolves to ibaidu.com (flagged by Chrome as unsafe), and the *.გე wildcard resolves to a website of the .ge TLD.

It has also become common for ISPs to synthesize address records for typos, for the same person, a practice called "catchall" typosquatting, but these aren't true wildcards, but rather modified caching name servers.When Monetizing ISP Traffic Goes Horribly Wrong - Security Fix - From wayback machine
/ref>

Ignoring wildcards from others

The Internet Software Consortium produced a version of the BIND DNS software that can be configured to filter out wildcard DNS records from specific domains. Various developers have produced software patches for BIND and for djbdns.

Other DNS server programs have followed suit, providing the ability to ignore wildcard DNS records as configured.

References

{{reflist

External links

IAB Commentary: Architectural Concerns on the use of DNS Wildcards

Domain Name System