Wildcard DNS records are used to serve requests for otherwise non-existent domain names.
For example, the following DNS zone file excerpt contains two non-wildcard A records along with a wildcard record:
; Name Record Type IP Address example.com. A 126.96.36.199 www.example.com. A 188.8.131.52 *.example.com. A 184.108.40.206
If you look up the www.example.com A record in the above recordset, you’ll receive a response of 220.127.116.11, since explicit records take precedence over wildcard records. If you look up the foo.example.com DNS record, you’ll receive a response of 18.104.22.168, since there is only a wildcard record for foo.example.com.
Wildcard DNS records are handy, but how do you monitor them? Two options come to mind:
The Classic Approach
Until recently, we would have recommended picking a couple random records which match the wildcard expression, and which you’re unlikely to ever create non-wildcard records for, then monitor them. For example, you could verify that the following records exist as a proxy for the *.example.com DNS record shown above:
; Name Record Type IP Address foo.example.com. A 22.214.171.124 bar.example.com. A 126.96.36.199
The above approach works, but:
- It’s not obvious from looking at what’s being monitored that the two records are proxies for a wildcard record. I like my monitoring systems to be stupid-simple, so that if I get paged at 2 am, I’ll be able to easily tell in my half-asleep state what the problem is.
- You’re at the mercy of randomly selected records continuing to exist only as wildcard records.
- It’s more work to setup than the next option.
Check Wildcard DNS Records Directly
We recently added a feature to DNS Check which enables you to monitor wildcard DNS records directly. To use this feature, just enter the wildcard record’s name as it would appear in the zone file, including its asterisk (*):
In order to comply with RFC 4592, we support wildcards in the leftmost portion of the domain. So for example, you can use this feature to monitor *.example.com or *.foo.example.com, but not foo.*.example.com. This is similar to BIND’s treatment of wildcard records.
Here’s how this works behind the scenes once the monitored record is created:
Each time DNS Check tests a wildcard record, it generates a random 20-character string, then inserts it in place of the wildcard. For example, *.example.com may be replaced with jcjmwpdddykdmafpltbj.example.com. A new random string gets generated for each check, so if somehow a random sequence which is actually used by a non-wildcard record gets generated for one check, a different sequence will be generated for the next check.
We’ve added wildcard support to all of our supported DNS record types, including A, AAAA, CNAME, MX and NS records.
I hope this feature helps you to improve your DNS record monitoring. If aren’t already using DNS Check, please feel free to sign up for an account. Having an account enables you to import your entire zone file, then get notified automatically if any of your DNS records stop returning the value(s) that your zone file says they should. You can also individually add or edit DNS records that you wish to monitor.