Wildcard DNS Record - Example Wildcard Usages

Example Wildcard Usages

The following example is from RFC 4592 section 2.2.1 and is useful in clarifying how wildcards work.

Say there is a DNS zone with the following resource records:

$ORIGIN example. example. 3600 IN SOA example. 3600 NS ns.example.com. example. 3600 NS ns.example.net. *.example. 3600 TXT "this is a wildcard" *.example. 3600 MX 10 host1.example. sub.*.example. 3600 TXT "this is not a wildcard" host1.example. 3600 A 192.0.2.1 _ssh.tcp.host1.example. 3600 SRV _ssh.tcp.host2.example. 3600 SRV subdel.example. 3600 NS ns.example.com. subdel.example. 3600 NS ns.example.net.

A look at the domain names in a tree structure is helpful:

 | -------------example------------ / / \ \ / / \ \ / / \ \ * host1 host2 subdel | | | | | | sub tcp tcp | | | | _ssh _ssh

The following responses would be synthesized from one of the wildcards in the zone:

Queried Domain	Queried RR Type	Results
`host3.example.`	MX	the answer will be a "host3.example. IN MX ..."
`host3.example.`	A	the answer will reflect "no error, but no data" because there is no "A" resource record (RR) set at `*.example`.
`foo.bar.example.`	TXT	the answer will be "foo.bar.example. IN TXT ..." because `bar.example.` does not exist, but the wildcard does.

The following responses would not be synthesized from any of the wildcards in the zone:

Queried Domain	Queried RR Type	Results
`host1.example.`	MX	no wild card will match because `host1.example.` exists. Instead you will get an answer of "no error, but no data". The wildcard MX record does not provide MX records for domains that otherwise exist.
`sub.*.example.`	MX	no wild card will match because `sub..example.` exists. The domain `sub..example.` will never act as a wild card, even though it has an asterisk in it.
`_telnet.tcp.host1.example.`	SRV	no wild card will match because `tcp.host1.example.` exists (without data).
`host.subdel.example.`	A	no wild card will match because `subdel.example.` exists and is a zone cut, putting `host.subdel.example.` into a different DNS zone. Even if `host.subdel.example.` does not exist in the other zone, a wild card will not be used from the parent zone.
`ghost.*.example.`	MX	no wild card will match because `*.example.` exists, it is a wild card domain, but it still exists.

The final example highlights one common misconception about wildcards. A wildcard "blocks itself" in the sense that a wildcard does not match its own subdomains. That is, *.example. does not match all names in the example. zone; it fails to match the names below *.example.. To cover names under *.example., another wildcard domain name is needed—*.*.example.—which covers all but its own subdomains.

Read more about this topic: Wildcard DNS Record