[TriLUG] OT: Sub-Domain Services

Aaron S. Joyner aaron at joyner.ws
Sun Jan 30 07:22:45 EST 2005


Brent Verner wrote:

>[2005-01-25 13:23] Scott Lundgren said:
>| ...
>| What I'd like is this:
>|      www.mydomain.com is routed to my webhosting provider.
>|      dev.mydomain.com is routed to my server at home.
>| 
>| Looking at cpanel for my account @ the web hosting provider I can set up
>| subdomains though they have to point to directory in my account. I don't
>| see a way to set this up within GoDaddy's account maintenance. Ergo I
>| guess I have to look for another way.
>
>  What _I_ like to do is have a wildcard host entry.  This way
>I don't have to screw around with my dns every time I decide
>I need another virtual host...  
>8< --- 8<
>Would this cause trouble to any name servers?  Mine? (probably not,
>it knows it's a wildcard answer)  Your service provider's? (perhaps,
>because it might cache actual host results instead of one wildcard
>entry...or is the wildcard host a full fledged feature of DNS that
>all name servers know about?)
>  
>
Sorry for the ridiculously late response.  :)  I've had this in my 
Drafts folder, but this last week has been really crazy and I haven't 
had time to respond until now.

Wildcard DNS is certainly something that can be handled by DNS servers, 
but your resolver may not handle it as well as you'd hope.  Consider 
that when resolving host.com with an entry in your resolv.conf similar 
to "search yourdomain.com", you might get host.com.yourdomain.com 
instead.  Wildcard DNS is also bad for other reasons - if someone is 
trying to validate a subdomain of your domain, they may get a false 
positive.  Consider that if a spammer forges spam from 
reallybogus at bogus.yourdomain.com, when the receiving mail server goes to 
look up bogus.yourdomain.com, it could stop and reject the spam right 
there - but if you have a wildcard domain it's going to get a result, 
and then unnecessarily chatter to your mail server, or even worse, if 
you're not running a mail server and are dropping packets to port 25, it 
may hang for an indeterminate amount of time waiting for a response from 
your host.

As for the DOS aspect, that same situation where you don't have a 
wildcard DNS will still cause the server to cache a "no such domain" 
request, and it will only cache up to the limit of the size of the 
cache.  You won't crash the machine, or even BIND (barring some other bug 
or misconfiguration), you'll just fill it with bogus cache information, 
and cause it to work harder.  You could do the same thing by querying 
against any domain you like (and probably more quickly with random 
domains, as it would cache more glue records found along the way, and 
they'd have longer cache expiry times than a missed response).

For a historical example of why it is bad when your resolver completes 
things you didn't expect, check this RFC written about the particular 
trouble it has caused in the past:
http://www.faqs.org/rfcs/rfc1535.html

Aaron S. Joyner
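The two failure modes Aaron describes, simulated in a small Python script added here as an example (it is not part of the original thread): an authoritative zone with and without a wildcard record, a stub resolver that either follows the RFC 1535 rule (try a dotted name as-is first) or the older behaviour of appending search suffixes first, and the "does the sender's domain exist?" check a receiving mail server can make. The zone contents, the addresses (all from RFC 5737 documentation ranges), the host host.com and the function names are constructed for this example.

```python
"""Wildcard records vs. resolver search lists: an offline simulation.

Shows (1) a wildcard answering for names that do not exist, so a forged
sender domain passes an existence check, and (2) a resolver that appends
a search suffix to an already-qualified name (the RFC 1535 problem),
which a wildcard turns from a harmless miss into a wrong answer.
"""

# Constructed zone data. Keys are fully qualified names without the
# trailing dot; a leading '*' label is a wildcard (RFC 1034 section 4.3.3).
ZONE_STRICT = {
    "www.mydomain.com": "203.0.113.10",   # web hosting provider
    "dev.mydomain.com": "198.51.100.20",  # home server
    "host.com": "192.0.2.5",              # unrelated external host
}
# Same zone plus the wildcard the thread discusses; everything else under
# mydomain.com now points at the home server.
ZONE_WILDCARD = dict(ZONE_STRICT, **{"*.mydomain.com": "198.51.100.20"})


def lookup(name, zone):
    """Authoritative lookup with wildcard matching.

    Returns the address, or None for "no such domain". A wildcard
    '*.parent' matches a name under 'parent' only when the name has no
    record of its own and no explicit closer enclosing name exists.
    """
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if "*." + parent in zone:
            return zone["*." + parent]
        if parent in zone:
            return None  # explicit closer encloser without a wildcard: no match
    return None


def resolve(name, zone, search=(), legacy=False, ndots=1):
    """Stub resolver with a search list. Returns (name_tried, address) or None.

    Default behaviour (RFC 1535): a name with at least `ndots` dots is
    tried as-is first, and the search list is only a fallback.
    legacy=True reproduces the pre-RFC 1535 behaviour the post warns
    about: search suffixes are appended first even to dotted names.
    """
    name = name.rstrip(".")
    completed = [name + "." + suffix for suffix in search]
    order = completed + [name] if (legacy or name.count(".") < ndots) else [name] + completed
    for candidate in order:
        addr = lookup(candidate, zone)
        if addr is not None:
            return candidate, addr
    return None


def sender_domain_exists(domain, zone):
    """The check a receiving mail server can apply to a forged sender:
    reject immediately if the sender's domain does not resolve at all."""
    return lookup(domain, zone) is not None


if __name__ == "__main__":
    for label, zone in (("strict", ZONE_STRICT), ("wildcard", ZONE_WILDCARD)):
        print(f"[{label}] bogus.mydomain.com exists:",
              sender_domain_exists("bogus.mydomain.com", zone))
        print(f"[{label}] host.com via legacy search-first resolver:",
              resolve("host.com", zone, search=("mydomain.com",), legacy=True))
        print(f"[{label}] host.com via RFC 1535 resolver:",
              resolve("host.com", zone, search=("mydomain.com",)))
```

With the strict zone, the search-first resolver still ends up at the real host.com because host.com.mydomain.com does not exist; with the wildcard present, that completed name gets an answer and the client is silently sent to the home server instead. The same wildcard makes the forged sender domain look legitimate to the existence check.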