Widespread misinterpretation of DNS rules in resolving wildcards

Posted by Dominic Sayers on Server Fault See other posts from Server Fault or by Dominic Sayers
Published on 2013-06-18T13:30:27Z Indexed on 2013/07/02 11:07 UTC
Read the original article Hit count: 389

Filed under:

dns

|

wildcard

[EDITED to add: This problem has gone away on its own. I believe Cloudflare's name resolution may have been to blame. See my own answer below]

Here is a snippet of my zone file

*.example.com.      300 IN  CNAME   proxy.herokuapp.com.
foo.example.com.    300 IN  A       111.111.111.111

If I dig @8.8.8.8 foo.example.com I get the answer I expect:

;; ANSWER SECTION:
foo.example.com.    30  IN  A   111.111.111.111

The same is true of all other public DNS servers I've tried.

However, when I try to set up a check with Pingdom to a URL on foo.example.com it instead sends the traffic to my Heroku app referenced by the *.example.com RR.

The same is true of checks set up on New Relic, Errplane and traffic generated by the Heroku app itself.

So on the one side, all public DNS servers interpret the zone file one way. Yet four service providers all interpret it a different way, one that differs to the standard suggested by RFC 4592.

My question is: are these reputable, mature service providers all wrong? Or is it little me?

© Server Fault or respective owner

Related posts about dns

Master/Slave DNS setup vs. rsync'ed DNS servers

as seen on Server Fault - Search for 'Server Fault'
We currently have primary and secondary DNS servers on our corporate network. They are setup in a master/slave type setup, where the slave gets its DNS information from the master. I'm trying to figure out what the real advantage is for the master/slave setup instead of just setting up an automated… >>> More
Updating Windows DNS records from a remote windows DNS server

as seen on Server Fault - Search for 'Server Fault'
Does anyone know if it is possible for a windows 2003 DNS server to update the records for a domain so that it contains all the records of a domain of of a remotely based DNS server? Im almost certain that doesn't quite explain the problem so I shall illustrate with an example: We have two offices… >>> More
OpenVPN DNS: VPN DNS stomping local VPN

as seen on Super User - Search for 'Super User'
I've finally noodled with OpenVPN enough to get it working. Even better, I can mount samba drives, ping network machines through the TUN device, etc - it's all great. However, I'm noticing that if I have the directive: push "dhcp-option DNS 10.0.1.1" # Push our local DNS to clients Then some of… >>> More
Random DNS Client Issue with BIND9/Windows Server 2003 DNS

as seen on Stack Overflow - Search for 'Stack Overflow'
Within our office, we have a local server running DNS, for internal related "domains", (e.g. .internal, .office, .lan, .vpn, etc.). Randomly, only the hosts configured with those extensions will stop resolving on the Windows-based workstations. Sometimes it'll work for a couple weeks without issue… >>> More
DNS Tools - DNS and Few of its Concerning Terms and Tools

as seen on Article City - Search for 'Article City'
A DNS or Domain Name System lets you locate computers on a network or the Internet TCP/IP network by domain name. The DNS server sustains a database of domain names or host names along with their cor... [Author: Daisy Osbaldo - Computers and Internet - April 02, 2010] >>> More

Related posts about wildcard

wildcard ssl certificate - exchange 2010 - POP/IMAP problem

as seen on Server Fault - Search for 'Server Fault'
previously we have requested a wildcard ssl certificate from godaddy for our major domain. one of the reasons was the new established exchange server 2010. usually you require following names included in certificiate: FQDN (e.g. mail.whatever.com) Hostname (mail) Domain name (whatever.com) Autodiscover… >>> More
Creating Wildcard Certificates with makecert.exe

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
Be nice to be able to make wildcard certificates for use in development with makecert – turns out, it’s real easy. Just ensure that your CN= is the wildcard string to use. The following sequence generates a CA cert, then the public/private key pair for a wildcard certificate REM make the CA makecert… >>> More
Apache Config with Wildcard/Non-Wildcard Subdomain Mix

as seen on Stack Overflow - Search for 'Stack Overflow'
I have the domain, we'll call it "mydomain.com" and I want the following virtual hosts set up to resolve in the following way: mydomain.com / www.mydomain.com to point to /var/www/ dev.mydomain.com to point to /var/www/dev/ *.mydomain.com (all other subdomains) to point to /var/www/old My apache… >>> More
nginx subdomains improperly act like wildcard?

as seen on Server Fault - Search for 'Server Fault'
I have an odd problem with nginx subdomains. First, my configuration: server { listen 443 ssl; server_name secure.example.com; ssl_certificate example.crt; ssl_certificate_key example.key; keepalive_timeout 70; location / { fastcgi_pass… >>> More
Exclude specific domains from Apache2 serverAlias while using a catch all *(wildcard) alias

as seen on Server Fault - Search for 'Server Fault'
I have a web application that needs to support custom domains, in that regard I have set-up the following name based virtual server: <VirtualHost *:80> ServerName example.com ServerAlias * *.example.com www.example.com example.com RailsEnv production RackEnv production DocumentRoot… >>> More