Dns wildcards demystified

©!Men!&!Mice!!http://menandmice.com! 
©!ISC!http://www.isc.org
DNS!wildcards
1

©!Men!&!Mice!!http://menandmice.com!
DNS!wildcards
!
!
!
Demo!time!
2

DNS!wildcards
the!DNS!protocol!allows!the!definition!on!“wildcard”!DNS!
records!to!synthesise!DNS!answers!from!authoritative!
servers!
DNS!wildcards!are!domain!names!(owner!names)!with!the!
leftmost!label!being!a!single!asterisk!“*”!
there!are!no!other!wildcard!characters!in!DNS!other!than!“*”!
DNS!wildcards!have!their!own!rules!that!are!different!
from!other!systems!with!wildcards!(regular!expressions,!
Unix!shell!filename!globbing,!DOS/Windows!filename!
wildcards!...)
3

DNS!wildcards
DNS!wildcards!have!been!originally!defined!in!the!
“original”!DNS!RFC!1034,!and!have!been!updated!in!
RFC!2672!and!RFC!4592!
RFC!4592!“The!Role!of!Wildcards!in!the!Domain!Name!
System”!is!a!must!read!to!understand!all!nuances!of!DNS!
wildcards
4

DNS!wildcards
DNS!wildcard!examples!(from!different!zones): 
 
*.example.com. 3600 IN A 192.0.2.80 
*.firma.example.com. 600 IN MX 10 mail.example.net. 
*.example. 86400 IN TXT “a wildcard”!
not!wildcard!records!(just!“normal”!domain!names): 
 
*test.example.de. 400 IN A 192.0.2.11 
test.*.example.com. 600 IN TXT “not a wildcard” 
**.example.com. 600 IN TXT “alsonot a wildcard” 
 
5

DNS!wildcards
Example!zone!with!wildcards!(from!RFC!4592): 
$ORIGIN example. 
example. 3600 IN SOA <SOA RDATA> 
example. 3600 NS ns.example.com. 
example. 3600 NS ns.example.net. 
*.example. 3600 TXT "this is a wildcard" 
*.example. 3600 MX 10 host1.example. 
sub.*.example. 3600 TXT "this is not a wildcard" 
host1.example. 3600 A 192.0.2.1 
_ssh._tcp.host1.example. 3600 SRV <SRV RDATA> 
subdel.example. 3600 NS ns.example.com. 
subdel.example. 3600 NS ns.example.net. 
 
6

DNS!wildcards
7
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 
subdel.example. 3600 NS ns.example.net.

DNS!wildcards
8
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!host3.example. ? IN MX ?
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
8
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Answer:!host3.example. 3600 IN MX 10 host1.example.
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
9
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!host3.example. ? IN A ?
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
9
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Answer:!NOERROR / NODATA (Answer = 0)
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
10
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!foo.bar.example. ? IN TXT ?
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
10
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!foo.bar.example. ? IN TXT ?
Answer:!foo.bar.example. 3600 IN TXT “this is a wildcard”
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
11
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
12
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!sub.*.example. ? IN MX ?
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
13
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!_telnet._tcp.host1.example. ? IN SRV ?
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
14
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
14
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Answer:!host1.example. 3600 IN A 192.0.2.1
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
15
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!host.subdel.example. ? IN A ?
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
15
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!host.subdel.example. ? IN A ?
Answer:!referral to subdel.example
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
16
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!ghost.*.example. ? IN MX ?
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
17
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!*.example. ? IN TXT ?
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
17
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!*.example. ? IN TXT ?
Answer:!*.example. 3600 TXT "this is a wildcard" 
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

Empty!non!terminal
“empty non-terminal”: 
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 
 
18

Empty!non!terminal
19
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 
 
empty!non!terminalempty!non!terminalempty!non!terminal!
nodes

The!closest!encloser!is!the!node!in!the!zone's!tree!of!
existing!domain!names!that!has!the!most!labels!
matching!the!query!name!(consecutively,!counting!from!
the!root!label!downward).!!Each!match!is!a!"label!match"!
and!the!order!of!the!labels!is!the!same.!
The!closest!encloser!is,!by!definition,!an!existing!name!in!
the!zone.!The!closest!encloser!might!be!an!empty!non-
terminal!or!even!be!a!wildcard!domain!name!itself.!!In!
no!circumstances!is!the!closest!encloser!to!be!used!to!
synthesise!records!for!the!current!query.
20
Closest!Encloser!and!the!Source!of!
Synthesis!(1/2)

Synthesis!(2/2)
The!source!of!synthesis!is!defined!in!the!context!of!a!query!
process!as!that!wildcard!domain!name!immediately!
descending!from!the!closest!encloser,!provided!that!this!
wildcard!domain!name!exists.!"Immediately!descending"!
means!that!the!source!of!synthesis!has!a!name!of!the!form: 
 
*.<closest encloser>.!
A!source!of!synthesis!does!not!guarantee!having!a!RRSet!to!
use!for!synthesis.!!The!source!of!synthesis!could!be!an!
empty!non-terminal.
21

©!Men!&!Mice!!http://menandmice.com!22
Domain Name in Query closest encloser source of synthesis
host3.example. example. *.example.
_telnet._tcp.host1.example. _tcp.host1.example. no source
_dns._udp._host2.example. host2.example. no source
_telnet._tcp.host3.example. example. *.example.
_chat._udp.host3.example. example. *.example.
foobar.*.example. *.example. no source
Synthesis

other!wildcard!rules!(1)
•DNSSEC!does!not!allow!wildcard!NS!records 
 
; this is not legal DNS data inside a DNSSEC 
; signed zone 
 
*.example.com. 3600 IN NS ns1.example.org. 
*.example.com. 3600 IN NS ns2.example.org.
23

•in!SRV!record,!the!full!name!is!the!owner-name.!
There!cannot!be!a!wildcard!on!the!domain!part!of!an!
SRV!record!(same!for!TLSA,!DKIM!...) 
 
; this is not a wildcard for the SRV record 
_ldap._tcp.*.example.com. IN SRV 10 20 389 ldap-srv.example.com.
24

•Wildcard!DS!(DNSSEC!delegation!signer)!records!
are!ignored!
•Wildcard!DNAME!records!are!not!allowed! 
(represents!a!threat!to!the!coherency!of!the!DNS)!
•If!a!source!of!synthesis!is!an!empty!non-terminal,!
the!answer!will!be!NOERROR!/!NODATA!(Answer!=!
0)
25

TL;DR
26
Be!careful!with!DNS!wildcard!records!

Thank!you!
!
Questions?!!Comments?
27

Dns wildcards demystified

Recommended

Recommended

More Related Content

Similar to Dns wildcards demystified

Similar to Dns wildcards demystified (9)

More from Men and Mice

More from Men and Mice (20)

Recently uploaded

Recently uploaded (20)

Dns wildcards demystified