36

I asked my hoster to add three subdomains all pointing to the IP of the A record. It seems he simply added a wildcard DNS record because any random subdomain resolves to my IP now. This is OK for me from a technical point of view, since there are no subdomains pointing anywhere else. Then again I don't like him not doing what I asked for. And so I wonder whether there are other reasons to tell him to change that. Are there any?

The only negative I found is that someone could link to my site using http://i.dont.like.your.website.mywebsite.tld.

10 Answers

25

If you ever put a computer in that domain, you will get bizarre DNS failures, where when you attempt to visit some random site on the Internet, you arrive at yours instead.

Consider: You own the domain example.com. You set up your workstation and name it. ... let's say, yukon.example.com. Now you will notice in its /etc/resolv.conf it has the line:

search example.com

This is convenient because it means you can do hostname lookups for, e.g. www which will then search for www.example.com automatically for you. But it has a dark side: If you visit, say, Google, then it will search for www.google.com.example.com, and if you have wildcard DNS, then that will resolve to your site, and instead of reaching Google you will wind up on your own site.

This applies equally to the server on which you're running your web site! If it ever has to call external services, then the hostname lookups can fail in the same way. So api.twitter.com for example suddenly becomes api.twitter.com.example.com, routes directly back to your site, and of course fails.

This is why I never use wildcard DNS.

Michael Hampton
  • 252,907
20

Is a wildcard DNS record bad practice?

Personally, I don't like it. Especially when there are machines in that domain. Typos go unchecked, errors are less obvious... but there's nothing fundamentally wrong with it.

The only negative I found is that someone could link to my site using http://i.dont.like.your.website.mywebsite.tld.

Have your http server redirect all such requests to the proper, canonical addresses, or not respond at all. For nginx that would be something like:

server {
    listen 80;
    server_name *.mywebsite.tld;
    return 301 $scheme://mywebsite.tld$request_uri;
}

and then the regular

server {
    listen 80;
    server_name mywebsite.tld;
    [...]
}

13

It's all a matter of opinion. For me it's not bad practice.

I'm creating a multi-tenant app which uses a database per tenant. It then selects the database to be used based on the subdomain.

For example milkman.example.com will use the tenant_milkman database.

Like this I have separated tables for each tenant, like, tenant_milkman.users, tenant_fisherman.users, tenant_bobs_garage.users, which in my opinion is a huge lot easier to maintain for this specific app, instead of having all users from all companies in the same table.

[edit - Michael Hampton has a good point]

That being said, if you don't have a specific reason to accept any (variable) subdomain, like I do, then you shouldn't accept them.
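An added example (not code from this answer) of the application-side gate this answer implies: with a wildcard in DNS, any label reaches the app, so the tenant label taken from the Host header is validated and looked up in a registry rather than interpolated into a database name. BASE_DOMAIN, the TENANTS registry and the tenant names are constructed for the example.

```python
import re
from urllib.parse import urlsplit

BASE_DOMAIN = "example.com"
# Constructed tenant registry (hypothetical): the only labels the app serves.
TENANTS = {
    "milkman": "tenant_milkman",
    "fisherman": "tenant_fisherman",
    "bobs-garage": "tenant_bobs_garage",
}
# One DNS hostname label: letters, digits, inner hyphens, at most 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def tenant_db_for_host(host):
    """Map an incoming Host header to a tenant database, or None to reject.
    DNS accepts any name because of the wildcard, so the app must not:
    exactly one label directly under BASE_DOMAIN, and only a registered one."""
    try:
        hostname = urlsplit("//" + host).hostname or ""   # drops :port, lowercases
    except ValueError:                                     # e.g. malformed IPv6 literal
        return None
    suffix = "." + BASE_DOMAIN
    if not hostname.endswith(suffix):
        return None                       # apex, or a foreign domain entirely
    label = hostname[: -len(suffix)]
    if not LABEL_RE.fullmatch(label):     # rejects "a.b" style multi-label hosts and junk
        return None
    # Look the label up; never build the name as f"tenant_{label}" from user input.
    return TENANTS.get(label)
```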

2

There's one rather important crucially GOOD use of wildcard DNS: to block subdomain spam via spf!

Along with whatever else is configured, it is rather important to also set up:

*.example.com.      21599   IN      TXT     "v=spf1 -all"

Why? Because without this, a spammer can and will send millions of emails using random (non-existent) subdomains spoofing your primary domain.

Real world data from 2023 (plus global research from 1 1/2 years ago)

  • There are now about 1 1/2 billion email servers that have a domain that responds to a DNS query
  • About 1/3 do use/check spf in some way (I'm ignoring misconfiguration for this)
  • About 0.03% use/check DMARC and DKIM. (DMARC can block invalid subdomain email.)

So: how do we tell a billion email servers that we don't send email from miscellaneous nonexistent subdomains? With a wildcard TXT subdomain entry.

Real world data on what happens when we don't do that...

  • I have a small email server. It never sends or receives email using its own domain. It only services our other domains. ANY email sent with its domain is by definition invalid.
  • I have properly configured SPF, DKIM and DMARC for the domain. All (spam) emails from joe@example.com do get blocked at the recipient end, by spf and/or DMARC.

Without wildcard TXT spf subdomain, what happens?

  • From DMARC reporting, we know the 0.03% of DMARC-capable servers block over 4200 spam emails a week (mostly from Asia). They are emails from "joe@ubx.example.com" ... @clt.example.com... etc etc
  • Since that represents only 0.03% of servers at best (not all send reports!), the other 99.97% are receiving over 14 million spam emails a week on my non-existent subdomains!
  • AND, the 1/3 of servers -- about half a billion -- that have SPF... they APPROVE the emails because I don't have an spf record for every possible subdomain.
  • That's 5+ million spams a week getting through to servers that DO check spf!

By setting up wildcard TXT as shown above, those ten million spams are all blocked. Yes, the other 2/3 of servers don't block, but that's not our problem.

Data Sources:

  • RedHunt Labs, "Wave 6 Internet-Wide Study: State of SPF, DKIM and DMARC", 10 Feb 2022
  • Real world spam capture data: DMARC reports for one of my own domains.
MrPete
  • 21
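An added example (not code from any of the answers) that models the two DNS behaviours described above, the search-list failure in Michael Hampton's answer and the wildcard SPF record in this one, using RFC 4592 wildcard matching over a small constructed record set. All names and addresses are made up; the resolver logic is a simplified model of glibc's search handling.

```python
# Constructed records (this example's own, not from the answers): a toy "DNS"
# holding example.com with a wildcard, plus one external name for contrast.
RECORDS = {
    "example.com.":      {"A": "192.0.2.10", "TXT": "v=spf1 mx -all"},
    "www.example.com.":  {"A": "192.0.2.10"},
    "mail.example.com.": {"A": "192.0.2.25"},      # exists, but carries no TXT
    "*.example.com.":    {"A": "192.0.2.10", "TXT": "v=spf1 -all"},
    "www.google.com.":   {"A": "203.0.113.5"},     # stand-in for an external site
}


def lookup(name, rrtype, records=RECORDS):
    """RFC 4592 wildcard matching. Returns (rcode, value) where rcode is
    NOERROR, NODATA (name exists, lacks the type) or NXDOMAIN."""
    name = name.lower().rstrip(".") + "."
    labels = name.split(".")
    # Walk from the full name up to its closest existing ancestor. An existing
    # name is never covered by a wildcard, even when it lacks the queried type.
    for i in range(len(labels) - 1):
        ancestor = ".".join(labels[i:])
        if ancestor in records:
            rrs = records[ancestor] if i == 0 else records.get("*." + ancestor)
            if rrs is None:            # closest encloser has no wildcard child
                return "NXDOMAIN", None
            return ("NOERROR", rrs[rrtype]) if rrtype in rrs else ("NODATA", None)
    return "NXDOMAIN", None


def resolve(name, search=("example.com",), ndots=1, records=RECORDS):
    """Simplified glibc search-list logic: a name with fewer than `ndots` dots
    tries the search list first; otherwise the literal name is tried first and
    the search list only when it does not resolve. Returns (fqdn, ip) or None."""
    literal = name.rstrip(".")
    expanded = [f"{literal}.{s}" for s in search]
    order = [literal] + expanded if literal.count(".") >= ndots else expanded + [literal]
    for candidate in order:
        rcode, ip = lookup(candidate, "A", records)
        if rcode == "NOERROR":
            return candidate + ".", ip
    return None


def spf_record(domain, records=RECORDS):
    """The TXT a receiving MTA fetches for the envelope-from domain (None = no SPF)."""
    rcode, txt = lookup(domain, "TXT", records)
    return txt if rcode == "NOERROR" else None
```

With the default ndots:1 the wildcard only swallows external names that fail to resolve (a typo such as www.gogle.com), but with ndots:5, which Kubernetes pods get by default, even a correctly spelled external name is expanded first and lands on the wildcard. The SPF side shows the caveat to the wildcard TXT: it covers names that do not exist, while an existing subdomain without its own TXT (mail.example.com here) still has no SPF record at all.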
2

Another issue here is SEO: if all *.example.com show the same content, your website will be badly referenced, at least by Google (https://support.google.com/webmasters/answer/66359).

Patrick Mevzek
  • 10,581
  • 7
  • 35
  • 45
1

Using a wildcard DNS record is bad practice only if you don't actually serve a wildcard service. In addition, some ancient programs may have a greater chance of failing the DNS query.

Other answers have already provided lots of examples where you try to mix a wildcard domain with static names, and there are potential pitfalls for those cases. Those cases are actually cases where the original intent wasn't to serve a wildcard service, and as a result some static usage accidentally slipped to the wrong static service (instead of slipping to a wildcard service that can correctly handle any wildcard, or it's not a true wildcard service).

TL;DR: wildcard DNS is good for wildcard services, but it's bad practice to use wildcard DNS for static services because any errors are harder to diagnose.

1

I know this is an old question, however I'd like to share a real world example of where using wildcard domains can cause problems. I am however going to change the domain name and also hide the full SPF record to save embarrassment.

I was helping someone who was having issues with DMARC. As part of the checks I always look up the DMARC record with dig:

;; ANSWER SECTION:
_dmarc.somedomain.com. 21599 IN      CNAME   somedomain.com.
somedomain.com.      21599   IN      TXT     "v=spf1 <rest of spf record> -all"

I also got the same result when looking for their DKIM record.

Consequently, emails sent from this domain will get a DKIM fail, as the DKIM module will try parsing the SPF record for a DKIM key and fail, and will also get a PermError for DMARC for the same reason.

Wildcard domains might seem like a good idea but set up wrongly they can cause all sorts of issues.

0

This is really a bad idea. Suppose you want to host one subdomain, a.company.com, on one web server and b.company.com on another web server, maybe at another ISP. What will you do? So wildcard DNS is not an option; it should be precise: create an A record for each subdomain and point it to the relevant IP. Chances are you will move your web server from one ISP to another ISP; in this case, what will you do?

BDRSuite
  • 400
-2

I think the best reason not to have a wildcard DNS record in the first place is to avoid giving away your server IP address to a potential attacker and to reduce exposure to DDoS attacks. This is also the setup recommended by Cloudflare: https://blog.cloudflare.com/ddos-prevention-protecting-the-origin/

-3

Is a wildcard DNS record bad practice?

No, and contrary to others I believe it is good practice.

Most internet users fat-finger a DNS name at some point. They will type ww.mycompany.com or wwe.mycompany.com. What would you rather happen: an "oops, we couldn't find that site", or for them to pull up your primary home page? More often than not, having them pull up your primary home page is preferable, which is what a LOT of people do.

Even if someone put a link to i.dont.like.your.website.whatever.com, it would still pull up your home page, which is actually what you want. After all, they can't make that i.dont.... site go to their server; you still control the DNS routing, so it goes to yours.

ChrisLively
  • 3,782