Wildcard and related risks

Learn more about the Wildcard measure.

Historically, the DNS has offered wildcard record functionality: a wildcard lets a zone answer any query for a given record type with a value, even for names that were never explicitly defined. Some systems, such as mail systems, base part of their operation (filtering) on the non-existence of an FQDN (Fully Qualified Domain Name). One impact of using wildcard records is that this proof of non-existence disappears.

It is therefore recommended not to use wildcard records; to replace them, where needed, with automatic provisioning systems; and, if they cannot be replaced, to restrict them to specific record types and to isolate them on sub-domains dedicated to that use.

Seven record types are considered for wildcard DNS:

Wildcard DNS CNAME:

Using a wildcard on a CNAME record extends its effect to every record type (A, AAAA, MX, TXT, SRV, ...), since the alias target's records then answer for every name under the wildcard. The effects of this use are very difficult to anticipate.

Wildcard DNS NS:

The use of a wildcard on an NS record is undefined according to RFC 4592, section 4.2. The consequences of such use are unpredictable.

Wildcard DNS MX:

The use of a wildcard on an MX record invalidates the basic defense mechanism of every mail server receiving email sent from this domain: the check that the sender's domain actually exists, which a wildcard makes impossible because any name under it resolves.

Wildcard DNS A:

The use of a wildcard on an A record likewise invalidates the basic defense mechanism of every mail server receiving email sent from this domain, and increases the exposure of network equipment to DDoS-type attacks.

Wildcard DNS AAAA:

The use of a wildcard on an AAAA record invalidates the basic defense mechanism of every mail server receiving email sent from this domain, and increases the exposure of network equipment to DDoS-type attacks.

Wildcard DNS TXT:

Using a wildcard on a TXT record propagates the same value to every sub-domain, and how that value is then consumed is uncontrolled.

Wildcard DNS SRV:

Using a wildcard on an SRV record propagates the same service declaration to every sub-domain, and the declared services will be requested on unpredictable FQDNs.
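The loss of the proof of non-existence described at the top of the page, and its effect on the mail-server check under the MX entry, can be reproduced against a small in-memory zone. The following is an added example, not code from the original page: it implements the RFC 4592 wildcard matching rules (closest encloser, no synthesis for names that exist), a defender-side audit that probes a random label to detect an active wildcard, and the basic sender-domain check a receiving mail server makes. The zone contents, names and addresses are constructed for the example.

```python
import random
import string

# Constructed toy zone for example.com: owner name -> {rtype: [rdata]}.
# Names are lowercase and written without the trailing dot.
ZONE = {
    "example.com":      {"NS": ["ns1.example.com"], "MX": ["10 mail.example.com"]},
    "mail.example.com": {"A": ["192.0.2.25"]},
    "sub.example.com":  {"A": ["192.0.2.10"]},
    "*.example.com":    {"MX": ["10 mail.example.com"]},  # the wildcard under review
}

def name_exists(zone, name):
    # A name exists if it owns records or is an ancestor of one that does
    # (an "empty non-terminal" in RFC 4592 terms).
    return name in zone or any(k.endswith("." + name) for k in zone)

def lookup(zone, qname, qtype):
    """Answer qname/qtype per RFC 4592: return (rdata list, synthesized flag).
    An empty list with synthesized=False is a genuine NXDOMAIN/NODATA answer,
    i.e. the proof of non-existence that a wildcard removes."""
    qname = qname.lower().rstrip(".")
    if name_exists(zone, qname):
        # Existing names never match a wildcard, even when the type is absent.
        return zone.get(qname, {}).get(qtype, []), False
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if name_exists(zone, encloser):
            # Closest encloser found; only its direct "*" child may synthesize.
            source = "*." + encloser
            if source in zone:
                return zone[source].get(qtype, []), True
            return [], False
    return [], False

def has_wildcard(zone, domain, qtype, rng=random.Random(1)):
    """Defender-side audit: a never-provisioned random label that still gets an
    answer means a wildcard is active for that type under the domain."""
    probe = "".join(rng.choice(string.ascii_lowercase) for _ in range(16))
    answers, _ = lookup(zone, probe + "." + domain, qtype)
    return bool(answers)

def sender_domain_accepted(zone, sender_domain):
    """The basic check a receiving mail server makes on a sender's domain:
    it must resolve to an MX or, failing that, an A record."""
    mx, _ = lookup(zone, sender_domain, "MX")
    a, _ = lookup(zone, sender_domain, "A")
    return bool(mx or a)
```

Note that the wildcard does not reach under sub.example.com, because that name exists and becomes the closest encloser; this is the isolation effect the recommendation above relies on.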