Why wildcard DNS
You'll need to add a matching root record (empty Host field), or lookups will fail if your visitor omits the "www." When you set a wildcard record, that record does not override any existing subdomain records in the zone ("zone" is another term for all the DNS records associated with your domain).

If we run a "dig" command asking the DNS for information on a random subdomain, in this case "goodbye. The first A record is an example of a "www" A record; the second, a wildcard A record; the third, the root domain A record. If the TLD uses a wildcard service, its name servers will return a positive response e. A web user may be able to infer that an error has occurred, but Internet applications that rely on the "name error" response from the DNS may fail or not operate as intended, since the "no such name" response no longer occurs.
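As an added illustration (not code from the original page or from any DNS software), the following Python model of RFC 1034/4592 wildcard matching shows the lookup rules described above: an explicit record such as "www" or the apex always wins over "*", a random label like "goodbye" is synthesized from the wildcard, and a name beneath an existing node gets NXDOMAIN rather than a wildcard answer. The zone contents are constructed; example.com and the 192.0.2.x addresses are documentation-reserved values.

```python
# Added example (not the page's own code): a small model of RFC 1034/4592
# wildcard matching for a single zone. The zone below is constructed;
# example.com and 192.0.2.x are documentation-reserved values.
ORIGIN = "example.com."

# Every key is a node that exists in the zone; the value is its A RRset.
ZONE = {
    "example.com.":      ["192.0.2.1"],  # apex: the root record ("empty Host")
    "www.example.com.":  ["192.0.2.2"],  # explicit "www" A record
    "*.example.com.":    ["192.0.2.3"],  # wildcard A record
    "mail.example.com.": [],             # node exists (e.g. only an MX), no A
}


def _normalize(name):
    """Lower-case and make the name fully qualified (trailing dot)."""
    return name.lower().rstrip(".") + "."


def _parent(name):
    """Strip the leftmost label: 'a.b.example.com.' -> 'b.example.com.'."""
    return name.split(".", 1)[1]


def lookup_a(qname):
    """Return (rcode, addresses) for an A query against ZONE.

    Explicit nodes always win, so the wildcard never overrides "www" or
    the apex. A wildcard only answers when "*" sits directly under the
    closest encloser (the nearest ancestor that exists); a name below an
    existing node such as "www" or "mail" is NXDOMAIN, not a wildcard hit.
    """
    qname = _normalize(qname)
    if qname != ORIGIN and not qname.endswith("." + ORIGIN):
        return ("REFUSED", [])           # query is not for this zone
    if qname in ZONE:
        return ("NOERROR", ZONE[qname])  # [] here means NODATA, not NXDOMAIN
    encloser = _parent(qname)
    while encloser not in ZONE:          # terminates: ORIGIN is always in ZONE
        encloser = _parent(encloser)
    source = "*." + encloser             # RFC 4592 "source of synthesis"
    if source in ZONE:
        return ("NOERROR", ZONE[source])
    return ("NXDOMAIN", [])


if __name__ == "__main__":
    for name in ("example.com", "www.example.com", "goodbye.example.com",
                 "a.b.example.com", "foo.www.example.com", "x.mail.example.com"):
        print(f"{name:24} -> {lookup_a(name)}")
```

Note that with the wildcard present, no name directly under the apex can ever return NXDOMAIN, which is exactly the behaviour that breaks applications relying on the "name error" response.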

Previous attempts at introducing wildcard resource records at the TLD level have exposed applications that are adversely affected by this change in behavior [See SAC ]. Email servers are configured to retry connection attempts, so the synthesized responses add delay to mail processing and waste Internet resources. It's important to appreciate that an email server may try to connect for days, so an email administrator may not discover a configuration error or mistyped domain name for an unacceptably long time.

A TLD operator may choose to host an email server at the IP address returned in the synthesized response and have the server automatically return "bounce" responses, but mail servers must then deal with the additional load of bounced traffic and any delays introduced at the TLD operator's server.

Alternatively, the TLD operator's email server might be configured to accept the connection and return a response that the addressee does not exist on that machine. This misleads the sender into believing that the domain name is correct but the person's email address is wrong.

Significant privacy issues exist if the TLD's email server is configured to store mail messages, even for a short term. Email antispam measures that attempt to validate the sender's domain will not block bogus senders. Administrative processes that perform logging, auditing, accounting and billing also rely on the ability to distinguish positive from negative responses from the DNS server, and are adversely affected as well (see the Site Finder Review for details).

It's important to note that there are other ways to change application behavior when a user or client resolver attempts to resolve a DNS name that isn't instantiated.

A wildcard can be added at the registry level, or by a name server closer to the user; for example, any name server that processes a DNS response message on behalf of a client resolver can inspect and modify the response before caching or forwarding it to the requesting user or client resolver.

For nginx that would be something like: I'm creating a multi-tenant app which uses a database per tenant. It then selects the database to be used based on the subdomain. That being said, if you don't have a specific reason to accept any variable subdomain, like I do, then you shouldn't accept them.

I know this is an old question, however I'd like to share a real world example of where using wildcard domains can cause problems.

I am however going to change the domain name and also hide the full SPF record to save embarrassment. Wildcard domains might seem like a good idea, but set up wrongly they can cause all sorts of issues. This is really a bad idea: suppose you want to host one subdomain a. What will you do? So wildcard DNS is not an option; it should be precise: create an A record for each subdomain and point it to the relevant IP.

Using a wildcard DNS record is bad practice only if you don't actually serve a wildcard service. In addition, some ancient programs may have a greater chance of failing DNS queries. Other answers have already provided lots of examples where you try to mix a wildcard domain with static names and there are potential pitfalls for those cases. Those cases are actually cases where the original intent wasn't to serve a wildcard service, and as a result some static usage accidentally slipped to the wrong static service instead of slipping to a wildcard service that can correctly handle any wildcard, or it's not a true wildcard service.

Most internet users fat finger a DNS name at some point. They will type ww. More often than not having them pull up your primary home page is preferable.

Which is what a LOT of people do. Even if someone put a link to i. After all, they can't make that i. I think the best reason not to have a wildcard DNS record in the first place is to avoid giving away your server IP address to a potential attacker and to reduce exposure to DDoS attacks.

Is a wildcard DNS record bad practice?

Someone could link to your server using " i. In some cases wildcards can be required. For instance, multi-tenant webapps like Wordpress can be configured to automatically spawn new instances using sub-domains -- e.

This is why I never use wildcard DNS. (Michael Hampton)

ChrisLively Blame modern Linux systems for being "helpful" and adding it. BTW, using ". I actually blogged about this in regards to a Windows environment.
