Dns wildcards demystified

©!Men!&!Mice!!http://menandmice.com! 
©!ISC!http://www.isc.org
DNS!wildcards
1

©!Men!&!Mice!!http://menandmice.com!
DNS!wildcards
!
!
!
Demo!time!
2

DNS!wildcards
the!DNS!protocol!allows!the!definition!on!“wildcard”!DNS!
records!to!synthesise!DNS!answers!from!authoritative!
servers!
DNS!wildcards!are!domain!names!(owner!names)!with!the!
leftmost!label!being!a!single!asterisk!“*”!
there!are!no!other!wildcard!characters!in!DNS!other!than!“*”!
DNS!wildcards!have!their!own!rules!that!are!different!
from!other!systems!with!wildcards!(regular!expressions,!
Unix!shell!filename!globbing,!DOS/Windows!filename!
wildcards!...)
3

DNS!wildcards
DNS!wildcards!have!been!originally!defined!in!the!
“original”!DNS!RFC!1034,!and!have!been!updated!in!
RFC!2672!and!RFC!4592!
RFC!4592!“The!Role!of!Wildcards!in!the!Domain!Name!
System”!is!a!must!read!to!understand!all!nuances!of!DNS!
wildcards
4

DNS!wildcards
DNS!wildcard!examples!(from!different!zones): 
 
*.example.com. 3600 IN A 192.0.2.80 
*.firma.example.com. 600 IN MX 10 mail.example.net. 
*.example. 86400 IN TXT “a wildcard”!
not!wildcard!records!(just!“normal”!domain!names): 
 
*test.example.de. 400 IN A 192.0.2.11 
test.*.example.com. 600 IN TXT “not a wildcard” 
**.example.com. 600 IN TXT “alsonot a wildcard” 
 
5

DNS!wildcards
Example!zone!with!wildcards!(from!RFC!4592): 
$ORIGIN example. 
example. 3600 IN SOA <SOA RDATA> 
example. 3600 NS ns.example.com. 
example. 3600 NS ns.example.net. 
*.example. 3600 TXT "this is a wildcard" 
*.example. 3600 MX 10 host1.example. 
sub.*.example. 3600 TXT "this is not a wildcard" 
host1.example. 3600 A 192.0.2.1 
_ssh._tcp.host1.example. 3600 SRV <SRV RDATA> 
subdel.example. 3600 NS ns.example.com. 
subdel.example. 3600 NS ns.example.net. 
 
6

DNS!wildcards
7
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 
subdel.example. 3600 NS ns.example.net.

DNS!wildcards
8
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!host3.example. ? IN MX ?
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
8
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Answer:!host3.example. 3600 IN MX 10 host1.example.
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
9
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!host3.example. ? IN A ?
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
9
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Answer:!NOERROR / NODATA (Answer = 0)
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
10
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!foo.bar.example. ? IN TXT ?
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
10
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!foo.bar.example. ? IN TXT ?
Answer:!foo.bar.example. 3600 IN TXT “this is a wildcard”
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
11
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
12
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!sub.*.example. ? IN MX ?
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
13
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!_telnet._tcp.host1.example. ? IN SRV ?
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
14
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
14
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Answer:!host1.example. 3600 IN A 192.0.2.1
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
15
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!host.subdel.example. ? IN A ?
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
15
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!host.subdel.example. ? IN A ?
Answer:!referral to subdel.example
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
16
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!ghost.*.example. ? IN MX ?
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
17
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!*.example. ? IN TXT ?
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

DNS!wildcards
17
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
Query:!*.example. ? IN TXT ?
Answer:!*.example. 3600 TXT "this is a wildcard" 
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 

Empty!non!terminal
“empty non-terminal”: 
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 
 
18

Empty!non!terminal
19
“.”
“example.”
“*”
“sub”
“host1”
“_tcp”
“_ssh”
“host2”
“_tcp”
“_ssh”
“subdel”
$ORIGIN example. 
host1.example. 3600 A 192.0.2.1 
 
empty!non!terminalempty!non!terminalempty!non!terminal!
nodes

The!closest!encloser!is!the!node!in!the!zone's!tree!of!
existing!domain!names!that!has!the!most!labels!
matching!the!query!name!(consecutively,!counting!from!
the!root!label!downward).!!Each!match!is!a!"label!match"!
and!the!order!of!the!labels!is!the!same.!
The!closest!encloser!is,!by!definition,!an!existing!name!in!
the!zone.!The!closest!encloser!might!be!an!empty!non-
terminal!or!even!be!a!wildcard!domain!name!itself.!!In!
no!circumstances!is!the!closest!encloser!to!be!used!to!
synthesise!records!for!the!current!query.
20
Closest!Encloser!and!the!Source!of!
Synthesis!(1/2)

Synthesis!(2/2)
The!source!of!synthesis!is!defined!in!the!context!of!a!query!
process!as!that!wildcard!domain!name!immediately!
descending!from!the!closest!encloser,!provided!that!this!
wildcard!domain!name!exists.!"Immediately!descending"!
means!that!the!source!of!synthesis!has!a!name!of!the!form: 
 
*.<closest encloser>.!
A!source!of!synthesis!does!not!guarantee!having!a!RRSet!to!
use!for!synthesis.!!The!source!of!synthesis!could!be!an!
empty!non-terminal.
21

©!Men!&!Mice!!http://menandmice.com!22
Domain Name in Query closest encloser source of synthesis
host3.example. example. *.example.
_telnet._tcp.host1.example. _tcp.host1.example. no source
_dns._udp._host2.example. host2.example. no source
_telnet._tcp.host3.example. example. *.example.
_chat._udp.host3.example. example. *.example.
foobar.*.example. *.example. no source
Synthesis

other!wildcard!rules!(1)
•DNSSEC!does!not!allow!wildcard!NS!records 
 
; this is not legal DNS data inside a DNSSEC 
; signed zone 
 
*.example.com. 3600 IN NS ns1.example.org. 
*.example.com. 3600 IN NS ns2.example.org.
23

•in!SRV!record,!the!full!name!is!the!owner-name.!
There!cannot!be!a!wildcard!on!the!domain!part!of!an!
SRV!record!(same!for!TLSA,!DKIM!...) 
 
; this is not a wildcard for the SRV record 
_ldap._tcp.*.example.com. IN SRV 10 20 389 ldap-srv.example.com.
24

•Wildcard!DS!(DNSSEC!delegation!signer)!records!
are!ignored!
•Wildcard!DNAME!records!are!not!allowed! 
(represents!a!threat!to!the!coherency!of!the!DNS)!
•If!a!source!of!synthesis!is!an!empty!non-terminal,!
the!answer!will!be!NOERROR!/!NODATA!(Answer!=!
0)
25

TL;DR
26
Be!careful!with!DNS!wildcard!records!

Thank!you!
!
Questions?!!Comments?
27

Dns wildcards demystified

Recommandé

Recommandé

Contenu connexe

Similaire à Dns wildcards demystified

Similaire à Dns wildcards demystified (9)

Plus de Men and Mice

Plus de Men and Mice (20)

Dernier

Dernier (20)

Dns wildcards demystified