Wildcard DNS (pros and cons)

JimH@Nucleus.com jimh at nucleus.com
Fri Dec 10 19:10:09 UTC 2004

Those were some of the things I thought up after I sent the email, as I was
sitting down to have lunch.  We had a few requests to add a wildcard to a
domain for external use, which I felt could potentially cause
problems, and I wanted to avoid wildcard DNS. I can see using it on an
internal DNS for whatever reason, I just cannot see the purpose of using
it on a live DNS server and a live registered domain.


----- Original Message ----- 
From: "Kevin Darcy" <kcd at daimlerchrysler.com>
Cc: <bind-users at isc.org>
Sent: Friday, December 10, 2004 11:54 AM
Subject: Re: Wildcard DNS (pros and cons)

> JimH at Nucleus.com wrote:
>>What is the purpose of allowing *.example.com within a DNS zone?  Are
>>there any pros or cons in allowing this sort of thing?
>>I have never been a fan of wildcarding, and now people are asking for it,
>>and before getting it out of my head I want to investigate this "feature".
>>I can think of one con.. if you're charging for DNS changes then they would
>>never have to contact you, but they could also just run their own DNS and
>>manage it themselves.
> There's nothing _technically_ wrong with using wildcards. It's just that
> wildcards in DNS don't operate like simple, intuitive pattern matches -- 
> they are "blocked" by delegations or even "empty non-terminals", for
> instance -- so folks have difficulty conceptualizing them, and this
> frequently leads to nasty surprises. When used *properly* they can be
> very powerful and convenient. We use wildcard MX records in our internal
> root zone to route outbound Internet mail, for instance, which allows us
> to run "dumb" mail configurations on our servers and control the mail
> routing centrally. But if some day, for example, I were to define a
> foobar.microsoft.com name in our internal DNS (e.g. to redirect a
> worm-generated DoS to the bit bucket), then if I didn't remember to also
> define an explicit *.microsoft.com MX record, then the "empty
> non-terminal" would put the kibosh on all mail to @microsoft.com
> addresses (mostly hate mail, probably :-). So wildcards are powerful but
> dangerous if not used properly.
>                                          - Kevin
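The "blocked by delegations or empty non-terminals" behaviour Kevin describes is easier to see with a small model of the lookup rules than from prose. The following is an added example, not code from the thread or from BIND: a simplified implementation of RFC 4592 wildcard synthesis (closest encloser, wildcard source, no synthesis for names that already exist, referral at a delegation cut), run against constructed zone data that mirrors the internal-root-zone scenario in the reply. The relay name `relay.internal.`, the sinkhole address `192.0.2.1` and the `example.com.` delegation are assumptions made up for the example.

```python
"""Added example, not part of the bind-users thread: a small model of DNS
wildcard synthesis (RFC 4592 rules, simplified) that reproduces the
"empty non-terminal blocks the wildcard" effect described in the reply.
Zone contents, relay names and addresses below are constructed."""

from typing import Dict, List, Set, Tuple

# owner name -> rrtype -> list of rdata strings (all names absolute, lowercase)
Zone = Dict[str, Dict[str, List[str]]]
Answer = Tuple[str, List[Tuple[str, str, str]]]   # (rcode, [(owner, type, rdata)])


def labels(name: str) -> List[str]:
    """'foobar.microsoft.com.' -> ['foobar', 'microsoft', 'com']; '.' -> []."""
    bare = name.lower().rstrip(".")
    return bare.split(".") if bare else []


def fqdn(labs: List[str]) -> str:
    return ".".join(labs) + "." if labs else "."


def existing_names(zone: Zone, apex: str) -> Set[str]:
    """Every owner name plus every ancestor of it down to the apex.
    Ancestors that own no records are empty non-terminals (ENTs); they
    still *exist* for wildcard purposes, which is the whole problem."""
    names: Set[str] = set()
    depth_apex = len(labels(apex))
    for owner in zone:
        labs = labels(owner)
        for i in range(len(labs) - depth_apex + 1):
            names.add(fqdn(labs[i:]))
    return names


def lookup(zone: Zone, apex: str, qname: str, qtype: str) -> Answer:
    qlabs, alabs = labels(qname), labels(apex)
    if alabs and qlabs[len(qlabs) - len(alabs):] != alabs:
        return "REFUSED", []                     # name is outside this zone
    exists = existing_names(zone, apex)
    # Walk from the apex toward qname; a delegation (NS below the apex)
    # produces a referral before any wildcard is even considered.
    for k in range(len(qlabs) - len(alabs), -1, -1):
        node = fqdn(qlabs[k:])
        if node != apex and "NS" in zone.get(node, {}):
            return "REFERRAL", [(node, "NS", rd) for rd in zone[node]["NS"]]
    if qname in exists:
        # Existing name (possibly an ENT): answer from its own RRsets only.
        # No wildcard synthesis happens here, so an ENT yields NODATA.
        rrs = zone.get(qname, {}).get(qtype, [])
        return "NOERROR", [(qname, qtype, rd) for rd in rrs]
    # Closest encloser = longest existing ancestor; the only wildcard that
    # can match is the "*" label directly under it.
    ce = apex
    for k in range(1, len(qlabs) - len(alabs) + 1):
        if fqdn(qlabs[k:]) in exists:
            ce = fqdn(qlabs[k:])
            break
    source = fqdn(["*"] + labels(ce))
    if source in zone:
        rrs = zone[source].get(qtype, [])
        return "NOERROR", [(qname, qtype, rd) for rd in rrs]
    return "NXDOMAIN", []


def internal_root_scenario() -> Dict[str, Answer]:
    """Constructed internal root zone mirroring the thread's example."""
    apex = "."
    zone: Zone = {
        ".": {"SOA": ["ns.internal. hostmaster.internal. 1 3600 900 604800 300"],
              "NS": ["ns.internal."]},
        "*.": {"MX": ["10 relay.internal."]},        # route all outbound mail
    }
    out: Dict[str, Answer] = {}
    out["before"] = lookup(zone, apex, "microsoft.com.", "MX")
    # Someone sinkholes one name under microsoft.com (constructed address) ...
    zone["foobar.microsoft.com."] = {"A": ["192.0.2.1"]}
    # ... and microsoft.com. / com. silently become empty non-terminals.
    out["ent"] = lookup(zone, apex, "microsoft.com.", "MX")
    out["below_ent"] = lookup(zone, apex, "mail.microsoft.com.", "MX")
    # An explicit wildcard under the ENT restores names below it ...
    zone["*.microsoft.com."] = {"MX": ["10 relay.internal."]}
    out["fixed_below"] = lookup(zone, apex, "mail.microsoft.com.", "MX")
    # ... but the ENT itself never matches any wildcard; it needs its own RRset.
    out["still_nodata"] = lookup(zone, apex, "microsoft.com.", "MX")
    zone["microsoft.com."] = {"MX": ["10 relay.internal."]}
    out["fixed_ent"] = lookup(zone, apex, "microsoft.com.", "MX")
    # Delegations block wildcards too: anything below a cut is referred away.
    zone["example.com."] = {"NS": ["ns1.example.com."]}
    out["delegated"] = lookup(zone, apex, "www.example.com.", "MX")
    return out


if __name__ == "__main__":
    for case, answer in internal_root_scenario().items():
        print(f"{case:13s} {answer}")
```

Two outcomes are worth checking before relying on a wildcard in production: a name below the new ENT returns NXDOMAIN (the root wildcard no longer reaches it), while the ENT itself returns NOERROR with an empty answer (NODATA) even after `*.microsoft.com.` is added, because an existing name is never synthesised from a wildcard. Running `dig` for both the ENT and a name beneath it after every change to a wildcarded zone is the practical check.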
