Question
Tuesday, August 7, 2012 6:16 PM
Hi,
I did some quick research on the forum and found a few interesting posts, but none of them answer my question. Here they are:
- http://social.technet.microsoft.com/Forums/sk/winserverNIS/thread/9d4675ab-f390-48ca-88e2-801f8f4802e3
- http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/477b134a-84aa-4a80-a4bc-b418de437a97
- http://technet.microsoft.com/en-us/library/cc750429.aspx
Consider you have 2 DNS internal and external zones called armlock.com.
- The external zone contains records and IPs of Internet servers only.
- The internal zone contains both IPs of Internet and Intranet servers. The IPs of the intranet servers are there to avoid queries going out to the Internet and then back into the company. They just direct the clients to the internal servers, avoiding unnecessary traffic (no matter if it's just a little traffic).
That said, if one creates a new record in the external zone, the internal one will get out of date eventually, thus the need to create a wildcard to forward the query to the external DNS if it doesn't exist in the internal zone.
Trying to put both cases as simple as possible:
- Internal record exists: The client queries www.armlock.com. The record exists internally and has the IP 10.10.10.15 which is returned to the client. The client is then happy.
- Internal record does not exist: The client queries suppliers.armlock.com. The record doesn't exist internally [here the wildcard should kick in], so the DNS server doesn't find a record for that name but sees a wildcard and forwards the query to an external DNS (root hints, Google or any other).
I saw on another non-MS forum someone saying this is not possible by Microsoft's DNS design, but I'm not 100% sure.
Hope this makes sense. Cheers.
All replies (12)
Wednesday, August 8, 2012 12:12 AM ✅Answered
> That said, if one creates a new record in the External zone then Internal one will get out-dated eventually, thus the need to create a wildcard to forward the query to the External DNS if it doesn't exist in the Internal zone.

That plan isn't going to work as you expect. DNS wildcards are not used for the purpose of "forwarding" DNS queries to another DNS server. Unfortunately, this is the downside to a split-DNS design. You have to maintain both the internal and external zone manually and in sync.
More Info:
Configuring Wildcard DNS Records
IT Guides and Videos | itgeared.com
Thursday, August 9, 2012 6:00 AM ✅Answered
Split zone is exactly that: two different sets of records, internally with only internal records, and externally with external records.
But as you know, being very knowledgeable with DNS, DNS does not forward a query for a zone it's authoritative for (meaning it hosts the zone).
Therefore, I'm sure we're in agreement that the best a wildcard will do is only resolve non-existent records to a specific IP, that's it.
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This post is provided AS-IS with no warranties or guarantees and confers no rights.
Thursday, August 9, 2012 6:17 AM ✅Answered
Hi,
Thanks for your post.
I agree with Jorge. If your scenario is a split DNS (internal zone and external zone with the same name), you need to manually maintain general records, such as www.armlock.com and suppliers.armlock.com.
For DNS wildcards, DNS servers use wildcards to associate multiple possible DNS name destinations with a single computer acting as a gateway for all names based on a wildcarded name. It is commonly used for MX records and some user-based SharePoint sites.
Basics of using DNS wildcards
When you are trying to determine where to use a wildcard in DNS, such as an MX resource record used to route and forward mail, note these guidelines:
- The asterisk (*) is the character reserved to indicate the wildcarded name.
- The asterisk is only used once as the leading (leftmost) character in a DNS name. For example, *.example.microsoft.com.
- If used, an asterisk must always match at least one or more whole labels of a name that precede any non-wildcarded (exact) characters in the remaining part of the name. For example, the wildcard name *.example.microsoft.com may apply to one or more descendants of a domain, such as haifa.example.microsoft.com or seattle.us.example.microsoft.com, but it will not apply to the domain name itself, which is example.microsoft.com. (In your case, no support for armlock.com)
- Wildcards are not used when a query for an exact name produces an exact match.
- The contents of wildcarded resource records conform to normal DNS formats and rules for resource records.
For more detailed information, you may check the following article.
DNS wildcarding
http://technet.microsoft.com/en-us/library/cc739235(v=ws.10)
Setting Up Wildcard DNS for SharePoint
http://technet.microsoft.com/en-us/library/cc288031(v=office.12).aspx
Best Regards,
Aiden
Aiden Cao
TechNet Community Support
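To make the behaviour described in the question and in the guidelines above concrete, here is an added example (not code from the thread or from Microsoft DNS) that models how an authoritative server answers from a zone holding a wildcard record. The zone name, addresses and records are constructed sample data; the matching rules follow RFC 1034 section 4.3.3 / RFC 4592, which is also what the guideline list describes.

```python
# Added example, not code from the thread: a minimal model of how an
# authoritative server answers from a zone containing a wildcard, following
# RFC 1034 sec. 4.3.3 / RFC 4592. Zone data below is constructed sample data.

ZONE = "armlock.com"
RECORDS = {                              # owner name -> A record (constructed)
    "www.armlock.com": "10.10.10.15",    # internal record from the question
    "mail.armlock.com": "10.10.10.25",
    "*.armlock.com": "10.10.10.99",      # wildcard: a fixed IP, not a forwarder
}


def labels(name):
    """Split a domain name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def existing_names():
    """Record owners plus their ancestors (empty non-terminals) up to the apex."""
    apex_len = len(labels(ZONE))
    names = set()
    for owner in list(RECORDS) + [ZONE]:
        parts = labels(owner)
        for i in range(len(parts) - apex_len + 1):
            names.add(tuple(parts[i:]))
    return names


def resolve(qname):
    """Return (rcode, address). The server never forwards a name it is
    authoritative for; a wildcard only synthesizes an answer."""
    q = labels(qname)
    apex = labels(ZONE)
    if q[-len(apex):] != apex:
        # Outside the zone: only here would forwarders / root hints be used.
        return ("REFUSED", None)
    names = existing_names()
    if tuple(q) in names:
        # Exact match: the wildcard is never consulted, even with no A record
        # (so the apex armlock.com itself gets NODATA, not the wildcard IP).
        return ("NOERROR", RECORDS.get(".".join(q)))
    # Closest encloser: the longest existing ancestor of the queried name.
    for i in range(1, len(q) - len(apex) + 1):
        ancestor = tuple(q[i:])
        if ancestor in names:
            wildcard = ".".join(("*",) + ancestor)
            if wildcard in RECORDS:
                return ("NOERROR", RECORDS[wildcard])
            return ("NXDOMAIN", None)   # e.g. foo.mail.armlock.com
    return ("NXDOMAIN", None)
```

Querying suppliers.armlock.com returns the wildcard's fixed 10.10.10.99 rather than the external answer, which is why a wildcard cannot substitute for keeping the two zones in sync; a name under an existing subdomain such as foo.mail.armlock.com is not covered by the apex wildcard at all.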
Wednesday, August 8, 2012 5:21 AM
It's possible to create a wildcard, but they can get you in trouble, and it is recommended to stay away from them whether in a split zone or not.
In addition, more info here:
Can't Access Website with Same Name (Split Zone or no Split Brain)
http://msmvps.com/blogs/acefekay/archive/2009/09/04/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name.aspx
Ace Fekay
Wednesday, August 8, 2012 1:23 PM
Hi Jorge, I know all those processes. My question was more whether it is possible, because I found no references on TechNet.
But thanks anyway.
Wednesday, August 8, 2012 1:59 PM
Hi Ace, I appreciate your reply.
However, the delegation suggested in the URL is to a specific record, which I already knew.
My question is more like, if the record does not exist in the zone, then a wildcard should forward the request to another DNS server.
I know this is an unusual usage of DNS and definitely not a best practice, but I found nothing saying it should not be done. I say it's not a best practice because I know DNS very well, but I don't have a way around this, very unfortunately.
Please understand that this is to avoid going out to the Internet, then back into the DMZ and internal network. I can just make the clients go directly to the server in the internal network. Why is it set up like that?... Legacy, in short.
Thursday, August 9, 2012 12:09 PM
Since you can do a delegation of a record to be sent out, I thought there could be some tricky way of doing this once I found nothing on TechNet, but thinking about it a bit more, this is against the authoritative principle/design.
Agreed Ace. I just wanted to exhaust the options even if they seemed not possible, which was my belief since the beginning.
Thanks a lot everyone for the inputs.
Thursday, August 9, 2012 4:00 PM
I understand what you were trying to do. Unfortunately a wildcard won't work that way. Maybe, and just maybe, and test this, is to create a zone called *.whatever.com, and create a blank host record with the IP you want it to resolve to. I have never tried that, but give it a shot.
Ace Fekay
Thursday, August 9, 2012 5:26 PM
I tried that before. It will just return the IP of the host you created. But anyway, no pain, no gain. Will have to manage both zones.
Cheers.
Thursday, August 9, 2012 5:28 PM
Btw, a record in the *.whatever.com zone would have the FQDN test.*.whatever.com, thus... just let this pass... :)
Thursday, August 9, 2012 5:48 PM
Actually I meant to create a blank hostname entry with just the IP. Either way, glad to have helped!
Ace Fekay
Thursday, August 9, 2012 5:49 PM
Yep. That will just return the IP of such record. :D