[TriLUG] OT: Sub-Domain Services
Aaron S. Joyner
aaron at joyner.ws
Sun Jan 30 07:22:45 EST 2005
Brent Verner wrote:
>[2005-01-25 13:23] Scott Lundgren said:
>| What I'd like is this:
>| www.mydomain.com is routed to my webhosting provider.
>| dev.mydomain.com is routed to my server at home.
>| Looking at cpanel for my account @ the web hosting provider I can set up
>| subdomains though they have to point to a directory in my account. I don't
>| see a way to set this up within GoDaddy's account maintenance. Ergo I
>| guess I have to look for another way.
> What _I_ like to do is have a wildcard host entry. This way
>I don't have to screw around with my dns every time I decide
>I need another virtual host...
>8< --- 8<
>Would this cause trouble to any name servers? Mine? (probably not,
>it knows it's a wildcard answer) Your service provider's? (perhaps,
>because it might cache actual host results instead of one wildcard
>entry...or is the wildcard host a full fledged feature of DNS that
>all name servers know about?)
Sorry for the ridiculously late response. :) I've had this in my
Drafts folder, but this last week has been really crazy and I haven't
had time to respond until now.
Wildcard DNS is certainly something that can be handled by DNS servers,
but your resolver may not handle it as well as you'd hope. Consider
that when resolving host.com with an entry in your resolv.conf similar
to "search yourdomain.com", you might get host.com.yourdomain.com
instead. Wildcard DNS is also bad for other reasons - if someone is
trying to validate a subdomain of your domain, they may get a false
positive. Consider that if a spammer forges spam from
reallybogus at bogus.yourdomain.com, when the receiving mail server goes to
look up bogus.yourdomain.com, it could stop and reject the spam right
there - but if you have a wildcard domain it's going to get a result,
and then unnecessarily chatter to your mail server, or even worse, if
you're not running a mail server and are dropping packets to port 25, it
may hang for an indeterminate amount of time waiting for a response from
As for the DOS aspect, that same situation where you don't have a
wildcard DNS will still cause the server to cache a "no such domain"
request, and it will only cache up to the limit of the size of the
cache. You won't crash the machine, or even BIND (barring some other bug
or misconfiguration), you'll just fill it with bogus cache information,
and cause it to work harder. You could do the same thing by querying
against any domain you like (and probably more quickly with random
domains, as it would cache more glue records found along the way, and
they'd have longer cache expiry times than a missed response).
For a historical example of why it is bad when your resolver completes
things you didn't expect, check this RFC written about the particular
trouble it has caused in the past:
Aaron S. Joyner
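The two wildcard effects Aaron describes (a resolver search list turning a nonexistent host.com into host.com.yourdomain.com, and bogus.yourdomain.com answering instead of returning NXDOMAIN) as an added simulation; this is not code from the original thread, and the zone names, addresses and search list are constructed. The wildcard matching follows the RFC 1034/4592 closest-encloser rule, so it also shows that the wildcard does not cover names under an existing subdomain.

```python
# Constructed zone data (hypothetical names, not from the original post).
# Owner names are absolute (trailing dot); the "*" entry is the wildcard.
WILDCARD_ZONE = {
    "www.yourdomain.com.": "203.0.113.10",
    "dev.yourdomain.com.": "198.51.100.5",
    "*.yourdomain.com.": "203.0.113.10",
    "example.org.": "192.0.2.1",
}
PLAIN_ZONE = {k: v for k, v in WILDCARD_ZONE.items() if not k.startswith("*")}


def exists(zone, name):
    """A name exists if it owns data or has descendants (empty non-terminal)."""
    return name in zone or any(k.endswith("." + name) for k in zone)


def lookup(zone, name):
    """Answer an absolute name, or return None for NXDOMAIN.

    Wildcard rule (RFC 1034 / RFC 4592): only the wildcard directly under the
    closest existing ancestor can match, and only when the queried name does
    not itself exist. So "*.yourdomain.com" answers bogus.yourdomain.com but
    nothing under dev.yourdomain.com, which exists in its own right.
    """
    name = name.rstrip(".") + "."
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        parent = ".".join(labels[i:])
        if exists(zone, parent):
            return zone.get("*." + parent)  # wildcard at closest encloser, else None
    return None


def resolve(zone, query, search=("yourdomain.com",), ndots=1):
    """Simplified stub-resolver search-list logic (glibc style).

    A query with at least `ndots` dots is tried as typed first; on NXDOMAIN each
    search suffix is appended in turn. Returns (answering name, address) or None.
    """
    as_typed = query.rstrip(".") + "."
    suffixed = [f"{query}.{s}." for s in search]
    order = [as_typed] + suffixed if query.count(".") >= ndots else suffixed + [as_typed]
    for cand in order:
        addr = lookup(zone, cand)
        if addr is not None:
            return cand, addr
    return None
```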