- Wildcard DNS record
A wildcard DNS record is a record in a DNS zone that will match requests for non-existent domain names. A wildcard DNS record is specified by using a "*" as the leftmost label (part) of a domain name, e.g. *.example.com. The exact rules about when a wildcard will match are specified in RFC 1034, but the rules are neither intuitive nor clearly specified. This has resulted in incompatible implementations and unexpected results when wildcards are used.
Definitions for DNS wildcards
A wildcard DNS record in a zone file looks similar to this example:
*.example.com. 3600 MX 10 host1.example.com.
This wildcard DNS record will cause DNS lookups on domain names ending in example.com that do not exist to have MX records synthesized for them. So, a lookup for the MX record of somerandomname.example.com would return an MX record pointing to host1.example.com.
Wildcards in the DNS are much more limited than the wildcard characters used in other computer systems. Wildcard DNS records have a single "*" (asterisk) as the leftmost DNS label, such as *.example.com. Asterisks at other places in the domain will not work as a wildcard, so neither *abc.example.com nor abc.*.example.com work as wildcard DNS records. Moreover, the wildcard is matched only when a domain does not exist, not merely when there are no matching records of the type that has been queried for. Even the definition of "does not exist", as defined by the search algorithm of RFC 1034 section 4.3.2, can result in the wildcard not matching in cases that you might expect from other types of wildcards. The original definition of how a DNS wildcard behaves is given in RFC 1034 sections 4.3.2 and 4.3.3, but only indirectly, by certain steps in a search algorithm; as a result, the rules are neither intuitive nor clearly specified. Consequently, 20 years later, RFC 4592, "The Role of Wildcards in the Domain Name System", was written to clarify the rules.
To quote RFC 1912, "A common mistake is thinking that a wildcard MX for a zone will apply to all hosts in the zone. A wildcard MX will apply only to names in the zone which aren't listed in the DNS at all." That is, if there is a wildcard MX for *.example.com, and an A record (but no MX record) for www.example.com, the correct response (as per RFC 1034) to an MX request for www.example.com is "no error, but no data", not the MX record attached to *.example.com that many people expect.
Example wildcard usages
The following example is from RFC 4592 section 2.2.1 and is useful in clarifying how wildcards work.
Say there is a DNS zone with the following resource records (the SOA and SRV rdata are omitted, as in the RFC):
$ORIGIN example.
example.                 3600 IN SOA   <SOA RDATA>
example.                 3600    NS    ns.example.com.
example.                 3600    NS    ns.example.net.
*.example.               3600    TXT   "this is a wildcard"
*.example.               3600    MX    10 host1.example.
sub.*.example.           3600    TXT   "this is not a wildcard"
host1.example.           3600    A     192.0.2.1
_ssh._tcp.host1.example. 3600    SRV   <SRV RDATA>
_ssh._tcp.host2.example. 3600    SRV   <SRV RDATA>
subdel.example.          3600    NS    ns.example.com.
subdel.example.          3600    NS    ns.example.net.
A look at the domain names in a tree structure is helpful:
                         example.
                            |
             +--------+--------+--------+
             |        |        |        |
             *      host1    host2    subdel
             |        |        |
            sub     _tcp     _tcp
                      |        |
                    _ssh     _ssh
The following responses would not be synthesized from any of the wildcards in the zone:
The final example highlights one common misconception about wildcards. A wildcard "blocks itself" in the sense that a wildcard does not match its own subdomains. That is, *.example. does not match all names in the example. zone; it fails to match the names below *.example. itself. To cover names under *.example., another wildcard domain name is needed, *.*.example., which in turn covers all names below it except its own subdomains.
Wildcards in practice
To quote from RFC 4592, many DNS implementations diverge, in different ways, from the original definition of wildcards. Some of the variations include:
* In djbdns, in addition to checking for wildcards at the current level, the server checks for wildcards in all enclosing superdomains, all the way up to the root. In the examples listed above, the query for _telnet._tcp.host1.example. for an MX record would match a wildcard despite the domain _tcp.host1.example. existing.
* Microsoft's DNS server (if configured to do so [http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/46758.mspx?mfr=true Microsoft Corporation]) and MaraDNS (by default) have wildcards also match all requests for empty resource record sets, i.e. domain names for which there are no records "of the desired type". In the examples listed above, the query for sub.*.example. for an MX record would match, despite sub.*.example. explicitly existing with only a record of another type (a TXT record in the zone above).
* In BIND, the server follows CNAME chains that are synthesised from wildcards.
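To make the RFC 1034 rules and the djbdns-style divergence concrete, here is an added example (it is not code from the article, RFC 4592 or any of the servers named above): a minimal authoritative lookup over the RFC 4592 section 2.2.1 zone shown earlier. SOA and SRV rdata are labelled placeholders, and the optional `ascend` flag is an approximation of the "check every superdomain" behaviour described for djbdns, not its actual implementation.

```python
# Added example, not the article's or RFC 4592's own code: RFC 1034 section 4.3.2
# wildcard matching over the RFC 4592 section 2.2.1 zone. ascend=True approximates
# the djbdns-style divergence described in the text (wildcards of every superdomain).
ZONE = {  # owner name -> {type: [rdata]}, transcribed from the example zone above
    "example.": {"SOA": ["<SOA RDATA>"], "NS": ["ns.example.com.", "ns.example.net."]},
    "*.example.": {"TXT": ['"this is a wildcard"'], "MX": ["10 host1.example."]},
    "sub.*.example.": {"TXT": ['"this is not a wildcard"']},
    "host1.example.": {"A": ["192.0.2.1"]},
    "_ssh._tcp.host1.example.": {"SRV": ["<SRV RDATA>"]},
    "_ssh._tcp.host2.example.": {"SRV": ["<SRV RDATA>"]},
    "subdel.example.": {"NS": ["ns.example.com.", "ns.example.net."]},
}
APEX = "example."

def ancestors(name):
    """Yield name, then each parent up to the zone apex (names must lie in the zone)."""
    while name:
        yield name
        if name == APEX:
            return
        name = name.partition(".")[2]

def exists(name):
    """RFC 4592: a name exists if it owns records or is an empty non-terminal,
    i.e. an ancestor of some owner name (so _tcp.host1.example. exists)."""
    return any(name == a for owner in ZONE for a in ancestors(owner))

def lookup(qname, qtype, ascend=False):
    """Return (rcode, owner, rdata) as an RFC 1034 4.3.2 authoritative search would."""
    # Step 3a: a delegation at or above qname (below the apex) yields a referral.
    for a in ancestors(qname):
        if a != APEX and "NS" in ZONE.get(a, {}):
            return ("REFERRAL", a, ZONE[a]["NS"])
    # Step 3b: the name exists, so answer from it or say NODATA; no wildcard is consulted.
    if exists(qname):
        rrs = ZONE.get(qname, {}).get(qtype)
        return ("NOERROR", qname, rrs) if rrs else ("NODATA", qname, [])
    # Step 3c: the name is missing; only "*" directly under the closest encloser counts
    # (unless ascend=True, which also tries "*" under every superdomain of it).
    closest = next(a for a in ancestors(qname) if exists(a))
    candidates = ["*." + a for a in (ancestors(closest) if ascend else [closest])]
    wild = next((w for w in candidates if exists(w)), None)
    if wild is None:
        return ("NXDOMAIN", None, [])
    rrs = ZONE.get(wild, {}).get(qtype)
    # Synthesis: the answer is owned by qname but carries the wildcard's rdata.
    return ("NOERROR", qname, rrs) if rrs else ("NODATA", qname, [])
```

Querying host1.example. or sub.*.example. for MX gives NODATA, _telnet._tcp.host1.example. and ghost.*.example. give NXDOMAIN, while host3.example. MX is synthesized; with `ascend=True` the _telnet query matches *.example. as the djbdns description says.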
Registries/ISPs that employ wildcards
Domain name registrars have, at various times, deployed wildcards for the top-level domains that they serve, most notably VeriSign for .com and .net with its (now removed) Site Finder system. The .museum TLD also had a wildcard, which has since been removed. Top-level domains using a wildcard DNS record, as of July 2008, include .cg, .cm, .kr, .mp, .nu, .ph, .rw, .st, .tk, .vg, and .ws.
It has also become common for ISPs to synthesize A records to redirect typos to their advertising sites, so-called "catchall" typosquatting, but these are not true wildcards; they are modified caching name servers. [http://blog.washingtonpost.com/securityfix/2008/04/when_monetizing_isp_traffic_go.html When Monetizing ISP Traffic Goes Horribly Wrong - Security Fix]
Ignoring wildcards employed by others
The Internet Software Consortium produced a version of the BIND DNS software that can be configured by system administrators to filter out wildcard DNS from certain domains. Various others produced a wide range of software patches for BIND and for djbdns.
* [http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html IAB Commentary: Architectural Concerns on the use of DNS Wildcards]
* [http://www.isc.org/products/BIND/delegation-only.html Internet Software Consortium announcement of "delegation-only" feature that can be used to filter out wildcards]
Wikimedia Foundation. 2010.