Is a wildcard DNS record bad practice?

57,408

Solution 1

If you ever put a computer in that domain, you will get bizarre DNS failures, where when you attempt to visit some random site on the Internet, you arrive at yours instead.

Consider: You own the domain example.com. You set up your workstation and name it. ... let's say, yukon.example.com. Now you will notice in its /etc/resolv.conf it has the line:

search example.com

This is convenient because it means you can do hostname lookups for, e.g. www which will then search for www.example.com automatically for you. But it has a dark side: If you visit, say, Google, then it will search for www.google.com.example.com, and if you have wildcard DNS, then that will resolve to your site, and instead of reaching Google you will wind up on your own site.

This applies equally to the server on which you're running your web site! If it ever has to call external services, then the hostname lookups can fail in the same way. So api.twitter.com for example suddenly becomes api.twitter.com.example.com, routes directly back to your site, and of course fails.

This is why I never use wildcard DNS.

Solution 2

Is a wildcard DNS record bad practice?

Personally, I don't like it. Especially when there are machines in that domain. Typos go unchecked, errors are less obvious... but there's nothing fundamentally wrong with it.

The only negative I found is that someone could link to my site using http://i.dont.like.your.website.mywebsite.tld.

Have your http server redirect all such requests to the proper, canonical addresses, or not respond at all. For nginx that would be something like:

server {
    listen 80;
    server_name *.mywebsite.tld;
    return 301 $scheme://mywebsite.tld$request_uri;
    }

and then the regular

server {
    listen  80;
    server_name mywebsite.tld;
    [...]
    }

Solution 3

It's all a matter of opinion. For me it's not bad practice.

I'm creating a multi-tenant app which uses a database per tenant. It then selects the database to be used based on the subdomain.

For example milkman.example.com will use the tenant_milkman database.

Like this I have separated tables for each tenant, like, tenant_milkman.users, tenant_fisherman.users, tenant_bobs_garage.users, which in my opinion is a huge lot easier to maintain for this specific app, instead of having all users from all companies in the same table.

[edit - Michael Hampton has a good point]

That being said, if you don't have a specific reason to accept any (variable) subdomain, like I do, then you shouldn't accept them.

Solution 4

Another issue here is the SEO: if all *.example.com showing the same content, your website will be badly referenced, at least by Google (https://support.google.com/webmasters/answer/66359).

Solution 5

I know this is an old question, however I'd like to share a real world example of where using wildcard domains can cause problems. I am however going to change the domain name and also hide the full SPF record to save embarrassment.

I was helping someone who was having issues with DMARC, as part of the checks I always look up the DMARC record with DIG

;; ANSWER SECTION:
_dmarc.somedomain.com. 21599 IN      CNAME   somedomain.com.
somedomain.com.      21599   IN      TXT     "v=spf1 <rest of spf record> -all"

I also got the same result when looking for their DKIM record.

Consequently emails sent from this domain will get a DKIM fail as the DKIM module will try parsing the SPF record for a DKIM key and fail, and will also get a Permerror for DMARC for the same reason.

Wildcard domains might seem like a good idea but set up wrongly they can cause all sorts of issues.

View more solutions

57,408

problemofficer - n.f. Monica

Updated on September 18, 2022

Comments

problemofficer - n.f. Monica almost 2 years

I asked my hoster to add three subdomains all pointing to the IP of the A record. It seems he simply added a wildcard DNS record because any random subdomain resolves to my IP now. This is OK for me from a technical point of view, since there are no subdomains pointing anywhere else. Then again I don't like him not doing what I asked for. And so I wonder whether there are other reasons to tell him to change that. Are there any?

The only negative I found is that someone could link to my site using http://i.dont.like.your.website.mywebsite.tld.
- jscott over 11 years
  
  In some cases wildcards can be required. For instance, multi-tenant webapps like Wordpress can be configured to automatically spawn new instances using sub-domains -- e.g. site1.blog.example.com, site2.blog.example.com -- with the wildcard in place for *.blog.example.com, you don't need to go configure each of these individually.
Michael Hampton over 11 years

@ChrisLively Blame modern Linux systems for being "helpful" and adding it. BTW, using ".local" really is bad practice, and not just in Windows environments.
MDMarra over 11 years

Yeah, definitely never use made up TLDs anywhere, even internally.
MDMarra over 11 years

I actually blogged about this in regards to a Windows environment. Not to mention that at least three groups have bid on the .local TLD now that ICANN is selling them to anyone with a substantial enough wallet. .local isn't reserved and shouldn't be used. Doing so violates RFCs and isn't necessary at all. Best practice is to use a delegated third-level subdomain for internal resources like internal.company.com. Just because you see something a lot doesn't make it right.
MDMarra over 11 years

Could you please point me to the section of RFC 2606 that reserves .local? I've read this RFC at least a dozen times with people that use it in this argument and I can tell you with certainty that it's not there.
Zypher over 11 years

@ChrisLively you see it a lot because it was MS Best practices for a long time. From when Windows 2000 and AD came out till at least just before 2008R0. It is no longer considered good practice to do this.
MDMarra over 11 years

@ChrisLively there are plenty of other reasons not to use it other than it's a violation of RFCs as they're currently written (which is really all that matters anyway). For example, have fun introducing anything needing mDNS into your AD .local environment and still leaving mDNS enabled. I think you're looking at things the wrong way. You shouldn't be justifying why it's OK to break the RFCs, you should be asking what benefit there is to using .local and the answer is that there are none. It's equal work to configure it either way and one is standards compliant and one isn't. It's simple.
MDMarra over 11 years

I absolutely agree that it shouldn't use your public DNS name, it should use a delegated (separate) subdomain like internal.example.com where your external namespace is example.com. There's no reason to make up a TLD and using a delegated subdomain doesn't have any downside. Seriously, if you're going to advocate in favor of violating an RFC and using non-standard naming, you should bring good, solid reasons why. It's not on the people following the standards and published best practices to prove their side of the argument. If you'd like to continue this discussion, hop into Server Fault Chat.
MDMarra over 11 years

Oh, and in a few years it's going to be very difficult to get certificates for .local which means UCC/SAN certs for Lync/Exchange will have to be signed by an internal CA, making it painful if you have external non-domain joined users.
Håkan Lindqvist almost 10 years

The problem I have with this reasoning is that 1. it breaks error handling, 2. it's entirely www-centric while your wildcard records will affect other protocols as well. The result being that you've broken error handling for other things where you have made no effort to patch things up.
Michael Hampton almost 10 years

You have a good technical reason to use wildcard DNS. Most people don't.
comfreak over 7 years

@MDMarra actually a few days before your comment, the IETF proposed the RFC 6762 where in section 3 they specify .local as a special TLD for link-local use only: tools.ietf.org/html/rfc6762#section-3
sleske over 7 years

As a matter of fact, this seems highly dangerous to me - it allows you to access an arbitrary database by changing the domain name. I'd argue that this is a type of injection vulnerability. Admittedly it's not necessarily exploitable - but why take chances?
Pedro Moreira over 7 years

@sleske It's not, because the user must authenticate against that subdomain (for that database). If he switches, he will need to authenticate again, as it is seen as a completely different "site".
sleske over 7 years

@PedroMoreira: Yes, that reduces the attack surface. Still, providing access to arbitrary databases seems dangerous. For example, what if there is a backup database with identical credentials, but data that was purged from the main db - this would allow anyone access who knows the name. Still, I realize security is always a tradeoff - just wanted to point out the inherent danger.
Pedro Moreira over 7 years

@sleske That's why all the accessible databases are prefixed with tenant_. I made sure the application can't even connect to them.
kasperd over 7 years

Using wildcard domains does not change exposure to such attacks. And the link does not support your incorrect claims. All that link says is that Cloudflare happen to be charging a higher price for wildcard domains. That only says something about Cloudflare's business models and nothing about the practice of using wildcard domains.
kasperd over 7 years

It is even worse if the client runs Mac OS X. A long time ago I created a record for *.example.net. And to get around the problem you mention I ended up creating a subdomain named search.example.net to advertised through DHCP. That worked until a Mac OS X client came along and when told to use search.example.net actually searched both search.example.net and example.net.
Michael Rogers over 7 years

If you use wildcard dns with cloudflare since it doesn't go through cloudflare (unless you pay enterprise, most don't) anyone can ping any a made up subdomain and find your real IP. Without wildcard they can't. that's all there is to it.
Naveed Abbas over 7 years

@comfreak To elaborate, RFC 6762 says .local MUST be resolved via a multicast query. It conflicts with a typical use of an internal domain as of today.
Patrick Mevzek almost 5 years

Both points are orthogonal. Even if all names point to the same IP, the webserver gets the name requested and can deliver completely different content.
Clément Moulin - SimpleRezo almost 5 years

That's why I have precized "if all *.example.com showing the same content"... The SEO risk sounds to me to something interesting to mention.
Patrick Mevzek almost 5 years

"The SEO risk sounds to me to something interesting to mention." Maybe but they are completely unrelated to using a wildcard or not. You can have many separate names all resolving to a single IP address without any kind of wildcards and hence having (or not) the SEO risks you speak about. The use of a wildcard does not change anything in any direction here.
CodingInTheUK over 4 years

Yes in case of such service, they may charge you more for wildcard protection. Although this question isn't about those types of services its about wildcarding dns and whether it should be done or not under normal situations.
Eliezer Berlin over 3 years

Sorry, does this refer to WINDOWS domains? Or to adding a computer on the same network as *.example.com?
Ajax almost 3 years

not gonna work if you want to allow thousands of people to sign up w/o human intervention.
Ajax almost 3 years

and adding dns on demand would be slow. wildcard means no latency to propagate DNS if you wanna spin up a new namespace.