Wild - Wildcard Label Records

This module is designed to evaluate how resolvers handle wildcard records — DNS records that contain a wildcard label (an asterisk *) in the domain name.

The module supports both responding to wildcard queries and generating responses that include wildcard domain names.

Responses may include either A records or CNAME records with varying values.

Note: Domain names containing an explicit wildcard label (*) are non-compliant according to DNS standards and are considered malformed. Resolvers should treat such names as invalid or broken.

Category: General features

Format

wild<VARIANT>.yourdomain.com

Where:

  • The <VARIANT> parameter specifies the type of wildcard record and the corresponding value to be generated. The following 3 (three) variants are supported:

    • wild0 returns an A record indicating that *.yourdomain.com resolves to the IPv4 address 3.4.5.6.

    • wild1 returns a CNAME record indicating that *.yourdomain.com is an alias for a resolvable domain.

    • wild2 returns a CNAME record indicating that *.yourdomain.com is an alias for a non-resolvable domain.

Additionally, the following format is also supported:

*.wild<VARIANT>.yourdomain.com

Where:

  • The <VARIANT> parameter specifies the type of wildcard record and the corresponding value to be generated. The following 6 (six) variants are supported:

    • *.wild0 returns an A record indicating that *.wild0.yourdomain.com (a wildcard entry) resolves to the IPv4 address 3.4.5.6.

    • *.wild1 returns a CNAME record indicating that *.wild1.yourdomain.com (a wildcard entry) is an alias for a resolvable domain.

    • *.wild2 returns a CNAME record indicating that *.wild2.yourdomain.com (a wildcard entry) is an alias for a non-resolvable domain.

    • *.wild3 returns an A record indicating that test.wild3.yourdomain.com (an exact entry) resolves to the IPv4 address 3.4.5.6.

    • *.wild4 returns a CNAME record indicating that test.wild4.yourdomain.com (an exact entry) is an alias for a resolvable domain.

    • *.wild5 returns a CNAME record indicating that test.wild5.yourdomain.com (an exact entry) is an alias for a non-resolvable domain.

Examples

The most basic example returns an A record indicating that a wildcard entry *.yourdomain.com resolves to the IPv4 address 3.4.5.6 as shown here:

# dig wild.yourdomain.com @127.0.0.1

; <<>> DiG 9.20.7-1-Debian <<>> wild.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52283
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;wild.yourdomain.com.		IN	A

;; ANSWER SECTION:
*.yourdomain.com.	60	IN	A	3.4.5.6

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Jul 01 10:36:15 +04 2025
;; MSG SIZE  rcvd: 69

According to RFC specifications, resolvers should neither cache such responses nor interpret them as valid records.


In the wild1 variant, the query returns a CNAME record indicating that the wildcard entry *.yourdomain.com is an alias for another domain — in this case a resolvable domain:

# dig wild1.yourdomain.com @127.0.0.1

; <<>> DiG 9.20.7-1-Debian <<>> wild1.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36541
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;wild1.yourdomain.com.		IN	A

;; ANSWER SECTION:
*.yourdomain.com.	60	IN	CNAME	always924329.yourdomain.com.

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Jul 01 10:31:48 +04 2025
;; MSG SIZE  rcvd: 95

A subsequent query to always681822.yourdomain.com will resolve to an IP address, as the always feature is designed to consistently return one. However, a resolver should not initiate this query, as the response is generally considered invalid.


This example demonstrates that the module supports arbitrary subdomains — for instance, foo.bar.yourdomain.com in this case:

# dig wild1.foo.bar.yourdomain.com @127.0.0.1

; <<>> DiG 9.20.7-1-Debian <<>> wild1.foo.bar.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19880
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;wild1.foo.bar.yourdomain.com.	IN	A

;; ANSWER SECTION:
*.foo.bar.yourdomain.com. 60	IN	CNAME	always005421.foo.bar.yourdomain.com.

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Jul 01 10:31:50 +04 2025
;; MSG SIZE  rcvd: 119

A subsequent query to always830671.foo.bar.yourdomain.com will again resolve to an IP address.


In the wild2 variant, the query returns a CNAME record indicating that the wildcard entry is an alias for another domain, in this case a non-resolvable one:

# dig wild2.foo.bar.yourdomain.com @127.0.0.1

; <<>> DiG 9.20.7-1-Debian <<>> wild2.foo.bar.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38901
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;wild2.foo.bar.yourdomain.com.	IN	A

;; ANSWER SECTION:
*.foo.bar.yourdomain.com. 60	IN	CNAME	nonres606555.foo.bar.yourdomain.com.

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Jul 01 10:36:16 +04 2025
;; MSG SIZE  rcvd: 119

A subsequent query to nonres412831.foo.bar.yourdomain.com will return NXDOMAIN, as this domain does not exist.


Now let's explore the alternative format, which involves querying names that begin with a literal wildcard label (*.).

In this example, we query the basic *.wild variant. The response includes an A record indicating that the exact domain name — wildcard label included — resolves to the IPv4 address 3.4.5.6:

# dig *.wild.yourdomain.com @127.0.0.1

; <<>> DiG 9.20.7-1-Debian <<>> *.wild.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55436
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;*.wild.yourdomain.com.		IN	A

;; ANSWER SECTION:
*.wild.yourdomain.com.	60	IN	A	3.4.5.6

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Jul 01 10:36:17 +04 2025
;; MSG SIZE  rcvd: 55

Resolvers should neither cache such responses nor interpret them as wildcard records. Domain names containing an explicit asterisk (*) are treated as literal labels, not wildcard patterns, and thus are generally not valid for matching purposes. Responses to such queries are non-compliant and should be discarded.


In this example, we request the *.wild1 variant, which closely resembles the previous case, but returns a CNAME record instead:

# dig *.wild1.yourdomain.com @127.0.0.1

; <<>> DiG 9.20.7-1-Debian <<>> *.wild1.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3257
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;*.wild1.yourdomain.com.		IN	A

;; ANSWER SECTION:
*.wild1.yourdomain.com.	60	IN	CNAME	always034415.wild1.yourdomain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Jul 01 10:31:53 +04 2025
;; MSG SIZE  rcvd: 87

Again, a resolver should avoid initiating any subsequent queries, as the response is generally considered invalid.


In this example, we request the *.wild3 variant, which modifies the domain name (owner name) in the answer section to include a specific hostname instead of a wildcard label:

# dig *.wild3.yourdomain.com @127.0.0.1

; <<>> DiG 9.20.7-1-Debian <<>> *.wild3.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63069
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;*.wild3.yourdomain.com.		IN	A

;; ANSWER SECTION:
test.wild3.yourdomain.com. 60	IN	A	3.4.5.6

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Jul 01 10:31:55 +04 2025
;; MSG SIZE  rcvd: 81

As previously noted, domain names with an explicit asterisk (*) are interpreted as literal labels rather than wildcard patterns. Furthermore, due to a mismatch between the QNAME in the query and the owner name in the answer section, resolvers should not treat the response as valid.
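
The two rejection criteria stated on this page (a literal * label in the owner name, and an owner name that does not match the name being asked for) can be written as an acceptance check over the answer section. The following Python code is an added example, not part of the module or its project; the function names, the reason strings and the www.yourdomain.com control case are assumptions made for illustration.

```python
# Added example (not part of the module): answer-section acceptance check
# applying the two rejection criteria described on this page.

def normalize(name):
    """Lower-case a domain name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def parse_rr(line):
    """Split one dig-style answer line: owner TTL class type rdata."""
    owner, ttl, _rrclass, rrtype, rdata = line.split(None, 4)
    return {"owner": owner, "ttl": int(ttl), "type": rrtype, "rdata": rdata.strip()}

def check_answer(qname, answer_lines):
    """Return (accepted, reasons) for the answer section of one response.

    The expected owner name starts as the QNAME and moves to the CNAME
    target each time a CNAME record is accepted.
    """
    expected = normalize(qname)
    reasons = []
    for line in answer_lines:
        rr = parse_rr(line)
        owner = normalize(rr["owner"])
        if "*" in owner.split("."):
            reasons.append("wildcard-label")   # literal "*" label in owner name
        if owner != expected:
            reasons.append("owner-mismatch")   # owner is not the name asked for
        if reasons:
            break                              # discard: no caching, no CNAME chasing
        if rr["type"] == "CNAME":
            expected = normalize(rr["rdata"])
    return (not reasons, reasons)

# Answer lines taken from the dig output on this page (whitespace normalized),
# plus one constructed control case that passes both checks.
SAMPLES = [
    ("wild.yourdomain.com", ["*.yourdomain.com. 60 IN A 3.4.5.6"]),
    ("wild1.yourdomain.com", ["*.yourdomain.com. 60 IN CNAME always924329.yourdomain.com."]),
    ("*.wild.yourdomain.com", ["*.wild.yourdomain.com. 60 IN A 3.4.5.6"]),
    ("*.wild3.yourdomain.com", ["test.wild3.yourdomain.com. 60 IN A 3.4.5.6"]),
    ("www.yourdomain.com", ["www.yourdomain.com. 60 IN A 3.4.5.6"]),  # constructed
]

if __name__ == "__main__":
    for qname, answer in SAMPLES:
        accepted, reasons = check_answer(qname, answer)
        print(f"{qname:28} {'ACCEPT' if accepted else 'DISCARD'} {','.join(reasons)}")
```

Because the loop stops at the first rejected record, the CNAME target in the wild1 response is never followed, which matches the expectation above that a resolver should not initiate the follow-up query.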

