[Gllug] speaking of DNS server setups...

Mike Brodbelt mike at coruscant.demon.co.uk
Wed Jan 5 00:54:32 UTC 2005


On Tue, 2005-01-04 at 15:46 +0000, Benedikt Heinen wrote:
> Is it possible, with bind9 or another name server, to specify part of a 
> domain name as a wildcard?
> 
> e.g.  I would like to define the same setup for all *.foo.net hosts, so 
> that www.a.foo.net, www.b.foo.net, ... www.zyx-cba.foo.net all point to 
> the same host?
> 
> Second, and now it gets more interesting, can I specify exceptions?
> 
> e.g. turning off bar.foo.net but still allowing all other *.foo.net 
> permutations?

Yes, you can do all the above. For a memorable example of the use of
wildcard records, think of Verisign's sitefinder "service". They should
be used only after careful thought though - they cause many problems,
usually due to the implementor not fully considering what the resolver
actually does when you search for a non-fully qualified name. From RFC
1912:-

===================================================================
Wildcard As and CNAMEs are possible too, and are really confusing to
users, and a potential nightmare if used without thinking first. It
could result (due again to domain searching) in any telnet/ftp attempts
from within the domain to unknown hosts to be directed to one address.
One such wildcard CNAME (in *.edu.com) caused Internet-wide loss of
services and potential security nightmares due to unexpected
interactions with domain searching. It resulted in swift fixes, and even
an RFC ([RFC1535]) documenting the problem.
===================================================================

If you deploy wildcard records without thinking very carefully about the
consequences, you can easily shoot yourself in the foot. You can also
potentially leave large security holes lying about that you're unaware
of.

> (obviously, if I can specify to not allow specific combinations in DNS, I 
> am not to worried if postfix wouldn't allow to block specific entries 
> within those; after all, who should find the postfix server, once the MX 
> record for bar.foo.net is gone?)


I don't know whether you're thinking of wildcard MX records, but take
note that they don't work the way you might think they should. From RFC
1912 again:-

=========================================================================== 
Wildcard MXs are useful mostly for non IP-connected sites. A common mistake
is thinking that a wildcard MX for a zone will apply to all hosts in the
zone. A wildcard MX will apply only to names in the zone which aren't 
listed in the DNS at all. e.g., 

           podunk.xx.      IN      NS      ns1
                           IN      NS      ns2
           mary            IN      A       1.2.3.4
           *.podunk.xx.    IN      MX      5 sue

Mail for mary.podunk.xx will be sent to itself for delivery. Only mail
for jane.podunk.xx or any hosts you don't see above will be sent to the
MX. For most Internet sites, wildcard MX records are not useful. You
need to put explicit MX records on every host. 

Wildcard MXs can be bad, because they make some operations succeed when
they should fail instead. Consider the case where someone in the domain
"widget.com" tries to send mail to "joe at larry". If the host "larry"
doesn't actually exist, the mail should in fact bounce immediately. But
because of domain searching the address gets resolved to
"larry.widget.com", and because of the wildcard MX this is a valid
address according to DNS. Or perhaps someone simply made a typo in the
hostname portion of the address. The mail message then gets routed to
the mail host, which then rejects the mail with strange error messages
like "I refuse to talk to myself" or "Local configuration error". 
===========================================================================

HTH,

Mike.

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
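The wildcard behaviour quoted above from RFC 1912 (an explicitly listed name such as `mary` never matches `*.podunk.xx.`, an unlisted name such as `jane` does) and the "exceptions" question from the original post can both be checked with a small simulator. This is an added example, not code from the post or from BIND: it models RFC 1034 wildcard matching and the SMTP implicit-MX rule over a constructed zone, ignores CNAME/DNAME, and uses a `TXT` record on `bar` as the exception because any explicit record stops the wildcard applying to that name.

```python
"""Simulate DNS wildcard matching (RFC 1034) over a tiny in-memory zone.

Constructed zone based on the podunk.xx example quoted from RFC 1912,
plus an explicit "bar" entry showing how an exception to a wildcard works.
"""

# {owner name: [(rrtype, rdata), ...]}; all names are fully qualified.
ZONE = {
    "podunk.xx.": [("NS", "ns1.podunk.xx."), ("NS", "ns2.podunk.xx.")],
    "mary.podunk.xx.": [("A", "1.2.3.4")],
    "*.podunk.xx.": [("MX", "5 sue.podunk.xx.")],
    # Exception: bar exists (it has a record), so the wildcard never covers it.
    "bar.podunk.xx.": [("TXT", "disabled")],
}


def _exists(zone, name):
    """A name exists if it owns records or is an ancestor of an owner."""
    return any(owner == name or owner.endswith("." + name) for owner in zone)


def lookup(zone, qname, qtype):
    """Return (rdata list, matched owner); owner is None for NXDOMAIN."""
    if _exists(zone, qname):
        # Existing name: answer from its own records only, even if empty (NODATA).
        return [rd for t, rd in zone.get(qname, []) if t == qtype], qname
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):
        parent = ".".join(labels[i:])  # walk up to the closest enclosing name
        if _exists(zone, parent):
            wild = "*." + parent
            if wild in zone:
                return [rd for t, rd in zone[wild] if t == qtype], wild
            break  # closest encloser has no wildcard child -> NXDOMAIN
    return [], None


def mail_exchanger(zone, host):
    """Where SMTP delivers mail for host: best MX, else the host itself if it
    has an A record (implicit MX rule), else None meaning the mail bounces."""
    mx, _ = lookup(zone, host, "MX")
    if mx:
        best = min(mx, key=lambda r: int(r.split()[0]))
        return best.split()[1]
    addr, _ = lookup(zone, host, "A")
    return host if addr else None


if __name__ == "__main__":
    for h in ("mary.podunk.xx.", "jane.podunk.xx.", "bar.podunk.xx."):
        print(h, "->", mail_exchanger(ZONE, h))
```

Running it shows mail for `mary` going to `mary` itself, mail for the unlisted `jane` (or a typo like `larry`) going to `sue` via the wildcard, and mail for the explicitly listed `bar` bouncing.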