
Wildcard DNS - Good or Bad?

posted 29 Feb 2016, 02:47 by Andrew at Lycom   [ updated 1 Mar 2016, 15:14 ]
I'm in the process of trying to move a client's sites from their current hosting provider's VPS to a dedicated server.

There's usually quite a discovery process involved in these jobs, as most SME businesses are very light on documenting things! Information about logins, which interfaces are used to manage services, etc. becomes quite sketchy the more you enquire.

Anyway, one thing I missed about their main domain is that the agency that has been managing it has set up 'wildcard DNS' for their domain. I've not come across this much before, except for sub-domains and specialist implementations of online blogging platforms. I'm used to a traditional BIND / Microsoft DNS server setup where you definitely want to define your DNS records very carefully, with possibly some scope for allowing dynamic DNS records as part of an internal DNS/DHCP 'split horizon' setup.

Is it bad? In my opinion, YES. Mainly, it's LAZY. You don't have to bother about knowing your fully qualified domain names (FQDNs) - everything just gets pointed at the same IP address. This means that if you do come to move to a different setup (like now), you have no idea which hostnames are actually used. OK, you can look at host headers / aliases on the web server, unless some genius has also allowed the web site to accept all requests, so the catch-all site answers for any host name too.

Hmmm. Not good.

In the past I've had a couple of sites running on dedicated IP addresses which had all sorts of 'unknown' international domains pointed at them which promptly broke when we migrated servers (it was a large multinational company with lots of country-code TLDs). There are lots of other technical and security reasons why it's considered bad practice. My main concern is that it breaks error handling: a mistyped or long-retired hostname resolves to the web server instead of returning NXDOMAIN, so nothing fails loudly. And whilst the record is added for web-hosting convenience, DNS doesn't know which protocol is asking, so the same wildcard A record answers for mail, SSH and anything else that looks the name up. A name that exists only because of the wildcard has an A record and no MX, which SMTP treats as deliverable by falling back to that address (RFC 5321), i.e. to the web server.
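The two problems above (not knowing which hostnames are really in use, and a wildcard answering for protocols other than HTTP) can both be made concrete with a small model of how an authoritative server answers a zone that carries a wildcard. The following is an added example written for this post, not code from the author or from any DNS server; the zone, the addresses and the Apache-style access log (served virtual host as the first field, as with a `%v` LogFormat) are all constructed. It applies the RFC 4592 matching rules, which is where the catch-all surprises people: a wildcard never matches a name that already exists, including a name that exists only because something sits beneath it (an "empty non-terminal"), and it does not match anything beneath such a name either.

```python
"""Model of how an authoritative server answers for a zone that has a wildcard
(RFC 4592 matching rules) plus the RFC 5321 fallback from MX to A.
Added example: every name, address and log line below is constructed."""
from collections import Counter

ORIGIN = "example.com."  # hypothetical zone, not the client's real domain

# Constructed zone, owner name -> {type: [rdata, ...]}; the catch-all
# *.example.com pointing at the web server is the setup the post describes.
ZONE = {
    "example.com.":         {"A": ["192.0.2.10"], "MX": ["10 mail.example.com."]},
    "www.example.com.":     {"A": ["192.0.2.10"]},
    "mail.example.com.":    {"A": ["192.0.2.20"]},
    "*.example.com.":       {"A": ["192.0.2.10"]},
    "app.dev.example.com.": {"A": ["192.0.2.30"]},  # makes dev.example.com an empty non-terminal
}

# Constructed Apache access log, served virtual host first (LogFormat "%v %h ...").
ACCESS_LOG = """\
www.example.com 198.51.100.7 - - [29/Feb/2016:02:47:00 +0000] "GET / HTTP/1.1" 200 5120
shop.example.com 198.51.100.8 - - [29/Feb/2016:02:47:03 +0000] "GET /cart HTTP/1.1" 200 2048
www.example.com 198.51.100.9 - - [29/Feb/2016:02:47:05 +0000] "GET /about HTTP/1.1" 200 1024
wwww.example.com 198.51.100.7 - - [29/Feb/2016:02:47:09 +0000] "GET / HTTP/1.1" 200 5120
shop.example.com 198.51.100.10 - - [29/Feb/2016:02:47:12 +0000] "GET /cart HTTP/1.1" 200 2048
old.example.com 198.51.100.11 - - [29/Feb/2016:02:47:15 +0000] "GET /index.html HTTP/1.1" 200 900
app.dev.example.com 198.51.100.12 - - [29/Feb/2016:02:47:20 +0000] "GET /api HTTP/1.1" 200 77
"""

def _norm(name):
    """Lower-case absolute form with a trailing dot."""
    return name.rstrip(".").lower() + "."

def existing_names(zone=ZONE, origin=ORIGIN):
    """Names that exist per RFC 4592: every RR owner plus each ancestor of an
    owner down to the origin (the 'empty non-terminals')."""
    names = {origin}
    for owner in zone:
        name = _norm(owner)
        while name != origin:
            names.add(name)
            name = name.split(".", 1)[1]  # strip the leftmost label
    return names

def lookup(qname, qtype, zone=ZONE, origin=ORIGIN):
    """Answer an in-zone query: (rcode, rdata list, 'explicit' | 'wildcard' | None)."""
    qname = _norm(qname)
    if qname != origin and not qname.endswith("." + origin):
        raise ValueError("not in zone: " + qname)
    names = existing_names(zone, origin)
    if qname in names:
        # An existing name is never matched by a wildcard, even when it has no
        # RRs at all (an empty non-terminal answers NOERROR with no data).
        rrs = zone.get(qname, {}).get(qtype, [])
        return ("NOERROR", list(rrs), "explicit" if rrs else None)
    # Non-existent name: only the wildcard directly under the closest encloser
    # (the longest existing ancestor) can synthesize an answer.
    encloser = qname.split(".", 1)[1]
    while encloser not in names:
        encloser = encloser.split(".", 1)[1]
    wildcard = zone.get("*." + encloser)
    if wildcard is None:
        return ("NXDOMAIN", [], None)
    rrs = wildcard.get(qtype, [])
    return ("NOERROR", list(rrs), "wildcard" if rrs else None)

def smtp_target(domain, zone=ZONE):
    """Where SMTP delivers mail for @domain (RFC 5321 section 5.1): the best MX,
    or, if the name has an A record but no MX, that address itself."""
    _, mx, _ = lookup(domain, "MX", zone)
    if mx:
        best = min(mx, key=lambda r: int(r.split()[0]))
        return ("MX", best.split()[1])
    _, a, _ = lookup(domain, "A", zone)
    return ("A-fallback", a[0]) if a else None

def hosts_from_log(log=ACCESS_LOG):
    """Requests per served host name (first field of each line)."""
    return Counter(line.split()[0] for line in log.splitlines() if line.strip())

def migration_report(log=ACCESS_LOG, zone=ZONE):
    """For each host actually requested, how it resolves in the current zone."""
    report = {}
    for host, hits in hosts_from_log(log).items():
        rcode, rdata, source = lookup(host, "A", zone)
        report[host] = {"hits": hits, "rcode": rcode, "a": rdata, "source": source}
    return report

def needs_explicit_record(log=ACCESS_LOG, zone=ZONE):
    """Hosts that only work today because of the wildcard: each needs its own
    record (or a deliberate decision to drop it) before the zone is moved."""
    return sorted(h for h, r in migration_report(log, zone).items() if r["source"] == "wildcard")

if __name__ == "__main__":
    for host, r in sorted(migration_report().items()):
        print(f"{host:20} hits={r['hits']}  {r['rcode']} {r['a']} via {r['source']}")
    print("need explicit records:", needs_explicit_record())
    print("mail for @wwww.example.com goes to:", smtp_target("wwww.example.com"))
    print("x.dev.example.com:", lookup("x.dev.example.com", "A"))  # NXDOMAIN despite *.example.com
```

Run against the constructed log, `shop`, `old` and the typo `wwww` are the names that resolve only through the wildcard, so they are the ones a migration silently breaks; `www` and `app.dev` have records of their own. The last two lines of the main block show the other-protocol and the matching-rule points: mail to `@wwww.example.com` is delivered to the web server's address because the wildcard gives the name an A record and no MX, while `x.dev.example.com` gets NXDOMAIN even though `*.example.com` exists, because `dev.example.com` already exists as an empty non-terminal and is the closest encloser.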

I'm happy to accept that there are circumstances where it is useful, but I think those circumstances can be better addressed by the careful use of subdomains or domain variations:


Oh, and someone in every organisation should keep track of which domains and hostnames are actually in use, and why!