Wildcard DNS record
A wildcard DNS record is a record in a DNS zone that will match requests for non-existent domain names. A wildcard DNS record is specified by using a "*" as the leftmost label (part) of a domain name, e.g. *.example.com. The exact rules for when a wildcard will match are specified in RFC 1034, but the rules are neither intuitive nor clearly specified. This has resulted in incompatible implementations and unexpected results when they are used.
Definitions of DNS wildcards
A wildcard DNS record in a zone file looks similar to this example:
*.example.com. 3600 IN MX 10 host1.example.com.
This wildcard DNS record will cause DNS lookups on domain names ending in example.com that do not exist to have MX records synthesized for them. So, a lookup for the MX record for somerandomname.example.com would return an MX record pointing to host1.example.com.
Wildcards in the DNS are much more limited than the wildcard characters used in other computer systems. Wildcard DNS records have a single "*" (asterisk) as the leftmost DNS label, such as *.example.com. Asterisks at other places in the domain will not work as a wildcard, so neither *abc.example.com nor abc.*.example.com work as wildcard DNS records. Moreover, the wildcard is matched only when a domain does not exist, not merely when there are no matching records of the type that has been queried for. Even the definition of "does not exist", as given by the search algorithm of RFC 1034 section 4.3.2, can result in the wildcard not matching cases that you might expect with other types of wildcards.
The original definition of how a DNS wildcard behaves is given in RFC 1034 sections 4.3.2 and 4.3.3, but only indirectly, through certain steps in a search algorithm, so the rules are neither intuitive nor clearly specified. Some 20 years later, RFC 4592, "The Role of Wildcards in the Domain Name System", was written to clarify them.
To quote RFC 1912, "A common mistake is thinking that a wildcard MX for a zone will apply to all hosts in the zone. A wildcard MX will apply only to names in the zone which aren't listed in the DNS at all." That is, if there is a wild card MX for *.example.com, and an A record (but no MX record) for www.example.com, the correct response (as per RFC 1034) to an MX request for www.example.com is "no error, but no data"; this is in contrast to the possibly expected response of the MX record attached to *.example.com.
Example wildcard usages
The following example is from RFC 4592 section 2.2.1 and is useful in clarifying how wildcards work. Say there is a DNS zone with the following resource records:
$ORIGIN example.
example. 3600 IN SOA
example. 3600 NS ns.example.com.
example. 3600 NS ns.example.net.
*.example. 3600 TXT "this is a wildcard"
*.example. 3600 MX 10 host1.example.
sub.*.example. 3600 TXT "this is not a wildcard"
host1.example. 3600 A 192.0.2.1
_ssh.tcp.host1.example. 3600 SRV
_ssh.tcp.host2.example. 3600 SRV
subdel.example. 3600 NS ns.example.com.
subdel.example. 3600 NS ns.example.net.
A look at the domain names in a tree structure is helpful:

                    |
     -------------example------------
     /        /         \         \
    /        /           \         \
   /        /             \         \
  *       host1          host2     subdel
  |         |              |
  |         |              |
 sub       tcp            tcp
            |              |
            |              |
          _ssh           _ssh
The following responses would be synthesized from one of the wildcards in the zone:
Queried Domain | Queried RR Type | Results |
---|---|---|
host3.example. | MX | the answer will be a "host3.example. IN MX ..." |
host3.example. | A | the answer will reflect "no error, but no data" because there is no A RR set at *.example. |
foo.bar.example. | TXT | the answer will be "foo.bar.example. IN TXT ..." because bar.example. does not exist, but the wildcard does. |
The following responses would not be synthesized from any of the wildcards in the zone:
Queried Domain | Queried RR Type | Results |
---|---|---|
host1.example. | MX | no wild card will match because host1.example. exists. Instead you will get an answer of "no error, but no data". The wildcard MX record does not provide MX records for domains that otherwise exist. |
sub.*.example. | MX | no wild card will match because sub.*.example. exists. The domain sub.*.example. will never act as a wild card, even though it has an asterisk in it. |
_telnet.tcp.host1.example. | SRV | no wild card will match because tcp.host1.example. exists (without data). |
host.subdel.example. | A | no wild card will match because subdel.example. exists and is a zone cut, putting host.subdel.example. into a different DNS zone. Even if host.subdel.example. does not exist in the other zone, a wild card will not be used from the parent zone. |
ghost.*.example. | MX | no wild card will match because *.example. exists, it is a wild card domain, but it still exists. |
The final example highlights one common misconception about wildcards. A wildcard "blocks itself" in the sense that a wildcard does not match its own subdomains. That is, *.example. does not match all names in the example. zone; it fails to match the names below *.example.. To cover names under *.example., another wildcard domain name is needed—*.*.example.—which covers all but its own subdomains.
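The results in both tables can be checked mechanically. The following Python is an added example, not part of this page or of RFC 4592; it encodes the zone above (with constructed placeholder SOA and SRV rdata) and applies the RFC 4592 closest-encloser rule to each query, including the empty non-terminal and zone-cut cases:

```python
# Added example (not from the page or from RFC 4592): a minimal RFC 1034/4592
# lookup over the zone listed above. It shows when "*.example." is the source
# of synthesis and when an existing name, empty non-terminal or zone cut blocks it.
ORIGIN = "example."
ZONE = {  # constructed from the zone listing; SOA/SRV rdata are placeholders
    "example.": {"SOA": ["(soa)"], "NS": ["ns.example.com.", "ns.example.net."]},
    "*.example.": {"TXT": ['"this is a wildcard"'], "MX": ["10 host1.example."]},
    "sub.*.example.": {"TXT": ['"this is not a wildcard"']},
    "host1.example.": {"A": ["192.0.2.1"]},
    "_ssh.tcp.host1.example.": {"SRV": ["(srv)"]},
    "_ssh.tcp.host2.example.": {"SRV": ["(srv)"]},
    "subdel.example.": {"NS": ["ns.example.com.", "ns.example.net."]},
}

def ancestors(name):
    """Yield name, then each parent, stopping at the zone apex."""
    labels = name.split(".")
    for i in range(len(labels)):
        anc = ".".join(labels[i:])
        yield anc
        if anc == ORIGIN:
            return

def exists(name):
    """A name exists if it owns records or is an empty non-terminal,
    i.e. some longer owner name in the zone ends with it."""
    return any(o == name or o.endswith("." + name) for o in ZONE)

def lookup(qname, qtype):
    """Return (status, name_used, rdata) for a query inside the zone."""
    if qname != ORIGIN and not qname.endswith("." + ORIGIN):
        raise ValueError("query is not inside " + ORIGIN)
    # 1. A delegation at any non-apex ancestor yields a referral, so the
    #    parent zone's wildcard never applies below a zone cut.
    for anc in ancestors(qname):
        if anc != ORIGIN and "NS" in ZONE.get(anc, {}):
            return ("REFERRAL", anc, ZONE[anc]["NS"])
    # 2. An existing name, even one with no data, is never wildcarded:
    #    a missing type at an existing name is "no error, but no data".
    if exists(qname):
        rrs = ZONE.get(qname, {})
        if qtype in rrs:
            return ("NOERROR", qname, rrs[qtype])
        return ("NODATA", qname, [])
    # 3. Closest encloser = longest existing ancestor. Only "*" directly
    #    below it can synthesize, so "*.example." cannot cover ghost.*.example.
    encloser = next(a for a in ancestors(qname) if exists(a))
    source = "*." + encloser
    if source in ZONE:
        if qtype in ZONE[source]:
            return ("NOERROR", qname, ZONE[source][qtype])  # synthesized
        return ("NODATA", source, [])
    return ("NXDOMAIN", encloser, [])
```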
Wildcards in practice
To quote from RFC 4592, many DNS implementations diverge, in different ways, from the original definition of wildcards. Some of the variations include:
- With djbdns, in addition to checking for wildcards at the current level, the server checks for wildcards in all enclosing superdomains, all of the way up to the root. In the examples listed above, the query for _telnet._tcp.host1.example. for an MX record would match a wild card despite the domain _tcp.host1.example. existing.
- Microsoft's DNS server (if configured to do so) and MaraDNS (by default) have wildcards also match all requests for empty resource record sets, i.e. domain names for which there are no records of the desired type. In the examples listed above, the query for sub.*.example. for an MX record would match, despite sub.*.example. explicitly existing with only an A record.
Registries/ISPs that employ wildcards
Several domain name registrars have, at various times, deployed wildcard records for top-level domains, most notably VeriSign for .com and .net with its (now removed) Site Finder system. The .museum TLD also had a wildcard record which has now been removed. Top-level domains using a wildcard A record include .cg, .kr, .mp, .nu, .ph, .rw, .st, .tk and .ws.
It has also become common for ISPs to synthesize address records to redirect typos to their advertising sites, a practice called "Catchall" typosquatting. These are not true wildcards, however, but modified caching name servers.
Ignoring wildcards employed by others
The Internet Software Consortium produced a version of the BIND DNS software that can be configured by system administrators to filter out wildcard DNS records from certain domains. Various developers have produced software patches for BIND and for djbdns.
Other DNS server programs have followed suit, providing the ability to ignore wildcard DNS records as configured.