Wildcard DNS (pros and cons)

Edward Buck ed at bashware_REMOVEME_.net
Fri Dec 10 19:55:20 UTC 2004



Kevin Darcy wrote:

| There's nothing _technically_ wrong with using wildcards. It's just that
| wildcards in DNS don't operate like simple, intuitive pattern matches --
| they are "blocked" by delegations or even "empty non-terminals", for
| instance -- so folks have difficulty conceptualizing them, and this
| frequently leads to nasty surprises. When used *properly* they can be
| very powerful and convenient. We use wildcard MX records in our internal
| root zone to route outbound Internet mail, for instance, which allows us
| to run "dumb" mail configurations on our servers and control the mail
| routing centrally. But if some day, for example, I were to define a
| foobar.microsoft.com name in our internal DNS (e.g. to redirect a
| worm-generated DoS to the bit bucket), then if I didn't remember to also
| define an explicit *.microsoft.com MX record, then the "empty
| non-terminal" would put the kibosh on all mail to @microsoft.com
| addresses (mostly hate mail, probably :-). So wildcards are powerful but
| dangerous if not used properly.

I've noticed that some spammers are using domains with wildcards to get
around spam blocking techniques.  An example is o2.pl, a legitimate (?)
domain that is being used to send significant amounts of spam lately
because of their wildcard entry.  Do a lookup on anything.o2.pl and
you'll see what I'm referring to.

Many mail servers enforce sender domain verification.  Unfortunately,
spam from spurious.o2.pl, even though it is not a real domain, will pass
domain verification checks (A record checks).

It's not difficult to block *.o2.pl to prevent these mails from getting
through but those with limited mail filtering setups may find it
difficult (blocking each variation of *.o2.pl is impossible).

Just something to consider before using wildcards.  I personally don't
like them and do not see a good reason to use them (except perhaps to
ease administrative burden).  IMO, DNS entries should not be ambiguous.

Ed
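The "empty non-terminal" surprise Kevin describes, and the wildcard A record that lets a made-up sender domain pass an A-record check, can both be reproduced with a small RFC 1034/4592-style lookup. This is an added illustration, not code from the thread or from BIND; the zone, names and records are constructed (an internal root zone like the one above, with a hypothetical mail gateway and a hypothetical delegation).

```python
# Toy wildcard lookup over one zone whose apex is the root ("."). Constructed
# example: all names, records and the zone itself are invented for illustration.

def ancestors(name):
    """Yield name itself, then each parent, ending with the root '.'."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    for i in range(len(labels) + 1):
        yield ".".join(labels[i:]) + "." if labels[i:] else "."

def existing_names(zone):
    """Names that exist: RR owners plus all their ancestors (empty non-terminals)."""
    names = set()
    for owner in zone:
        names.update(ancestors(owner))
    return names

def lookup(zone, qname, qtype):
    """Return (rcode, rdata) with rcode in ANSWER, NODATA, NXDOMAIN, REFERRAL."""
    # Apex downward: an NS set below the apex is a delegation and hides
    # everything beneath it, wildcards in this zone included.
    for anc in reversed(list(ancestors(qname))):
        if anc != "." and "NS" in zone.get(anc, {}):
            return ("REFERRAL", zone[anc]["NS"])
    exists = existing_names(zone)
    if qname in exists:
        # Name exists (maybe only as an empty non-terminal): no wildcard applies.
        rrs = zone.get(qname, {})
        return ("ANSWER", rrs[qtype]) if qtype in rrs else ("NODATA", None)
    # Otherwise synthesize from "*.<closest encloser>", if that wildcard exists.
    closest = next(a for a in ancestors(qname) if a in exists)
    rrs = zone.get("*." if closest == "." else "*." + closest)
    if rrs is None:
        return ("NXDOMAIN", None)
    return ("ANSWER", rrs[qtype]) if qtype in rrs else ("NODATA", None)

ZONE = {
    ".": {"NS": ["ns.internal."]},
    "*.": {"MX": ["10 mailgw.internal."]},         # route all outbound mail centrally
    "example.net.": {"NS": ["ns1.example.net."]},  # delegation: blocks the wildcard
}

def demo():
    """Walk through the thread's scenario step by step."""
    before = lookup(ZONE, "microsoft.com.", "MX")          # root wildcard MX applies
    zone = dict(ZONE)
    zone["foobar.microsoft.com."] = {"A": ["127.0.0.1"]}   # sinkhole one worm target
    after = lookup(zone, "microsoft.com.", "MX")           # now an empty non-terminal
    sub = lookup(zone, "host.microsoft.com.", "MX")        # closest encloser has no "*"
    zone["*.microsoft.com."] = {"MX": ["10 mailgw.internal."]}
    fixed = lookup(zone, "host.microsoft.com.", "MX")      # explicit wildcard restores it
    return before, after, sub, fixed
```

Note that once microsoft.com exists as an empty non-terminal it needs its own MX record; a wildcard never matches a name that exists, only names below it.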


