Share via


Wildcard DNS Entires

I was working on a case with a customer for something that was too weird to ignore.

We wanted to use DNS Suffix Search Orders on the clients so that clients could query using short names for servers in DNS domains which weren’t their own.

e.g. A PC in the domain child-dom-1.corp.contoso.com wanted to ping the short name “serverX”.

ServerX had registered its name in the DNS zone matching its primary DNS Suffix: child-dom-2.corp.contoso.com

So the answer is to set the DNS Suffix Search Order list. Prior to this the customer had configured the DNS zone child-dom2.corp.contoso.com to use WINS forwarders, pointing to a WINS server which serverX was also using. But WINS was on the way out (see the previous blog for those details on how to decommission WINS).

DNS Suffix Search Order is configured on the properties of the NIC or in Group Policies (for all NICs):

image

We tried both methods, but it was not able to resolve names in any domain except the Primary DNS Suffix domain.

Once there is a DNS Suffix Search Oder list defined, Windows must use that list over the single, Primary DNS Suffix. So what was going on?

When we ran nslookup and set debug=2 we could see that queries for a non-existent host (e.g. mickeymouse) would reply back with a SUCCESS message for the A record, but no IP address in the answer.

The solution:

In the zone child-dom-1.corp.contoso.com there was a record called * with a type of MX. This record makes requests for ALL types of other records (A, AAAA, CNAME etc) succeed. And because the DNS client was getting back successes, it didn’t need to try alternate DNS Suffixes.

The wildcard MX record was, of course deleted, and everything works as expected.

But why have wildcard MX records?

Wildcard MX records are good for when you have a large number of hosts which are not directly Internet-connected (for example, behind a firewall) and for administrative or political reasons it is too difficult to have individual MX records for every host, or to force all e-mail addresses to be "hidden" behind one or more domain names. In that case, you must divide your DNS into two parts, an internal DNS, and an external DNS. The external DNS will have only a few hosts and explicit MX records, and one or more wildcard MXs for each internal domain. Internally the DNS will be complete, with all explicit MX records and no wildcards.

Comments

  • Anonymous
    November 25, 2013
    Good one! But why there was - a SUCCESS message for the A record, but no IP address in the answer? Is it because the record was MX and quer was for A?

  • Anonymous
    December 05, 2013
    @Mohan:  This [the * record] record makes requests for ALL types of other records (A, AAAA, CNAME etc) succeed.