When configuring DNS records, the interaction between wildcard and explicit CNAME records follows specific precedence rules. The DNS system will always prioritize an exact hostname match over a wildcard match. This means:
*.example.com. IN CNAME target1.example.com.
specific.example.com. IN CNAME target2.example.com.In this configuration, queries for "specific.example.com" will resolve to "target2.example.com", completely ignoring the wildcard record. The wildcard only acts as a catch-all for non-matching subdomains.
Let's examine real-world BIND zone file configurations to demonstrate this behavior:
; Zone file for example.com
$TTL 3600
@ IN SOA ns1.example.com. admin.example.com. (
2023081501 ; serial
3600 ; refresh
900 ; retry
604800 ; expire
86400 ; minimum TTL
)
; Name servers
IN NS ns1.example.com.
IN NS ns2.example.com.
; Base domain records
@ IN A 192.0.2.1
www IN CNAME example.com.
; Wildcard configuration
* IN CNAME fallback.example.com.
; Explicit subdomains override wildcard
api IN CNAME aws-lb-123.elb.amazonaws.com.
blog IN CNAME ghost.io.You can verify this behavior using common DNS tools:
# Testing explicit record
dig +short specific.example.com CNAME
> target2.example.com.
# Testing wildcard fallback
dig +short random123.example.com CNAME
> target1.example.com.While the basic precedence rule is straightforward, there are some special scenarios to consider:
- DNSSEC validation must be properly configured for both record types
- Some DNS providers implement wildcards differently in their UI
- TTL differences between records don't affect precedence
- CNAME chains (where a CNAME points to another CNAME) must still follow these rules
Major DNS providers handle this consistently, but their interfaces differ:
// AWS Route 53 JSON representation
{
"Changes": [{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "*.example.com",
"Type": "CNAME",
"TTL": 300,
"ResourceRecords": [{ "Value": "fallback.example.com" }]
}
}]
}Remember that DNS caching can sometimes obscure immediate changes, so always verify with +norecursive queries when testing.
In DNS resolution, there's a clear hierarchy when multiple records exist for the same hostname. The wildcard (*) record serves as a catch-all, but specific records always take precedence over wildcard entries. This behavior is defined in RFC 4592 which specifies wildcard DNS record behavior.
Consider these DNS records configured in a zone file:
; Zone file example
@ IN A 192.0.2.1
* IN CNAME domain.com
bla.domain.com. IN CNAME some.example.com.
www IN CNAME domain.com
In this setup:
- Requests to
bla.domain.comwill resolve tosome.example.com - Requests to
foo.domain.com(non-existent) will resolve todomain.com - Requests to
www.domain.comwill resolve todomain.com
You can verify this behavior using dig command:
dig +nocmd +noall +answer bla.domain.com CNAME
dig +nocmd +noall +answer random123.domain.com CNAME
The first command should return some.example.com while the second will show domain.com.
When implementing wildcard CNAMEs with specific overrides:
- Ensure your DNS provider supports both record types
- Check for TTL (Time-To-Live) differences which might cause temporary resolution issues
- Remember that wildcards don't match empty hostnames (just
domain.com)
Major cloud providers handle this consistently:
# AWS Route 53 example
{
"Changes": [
{
"Action": "CREATE",
"ResourceRecordSet": {
"Name": "*.example.com",
"Type": "CNAME",
"TTL": 300,
"ResourceRecords": [{"Value": "domain.com"}]
}
},
{
"Action": "CREATE",
"ResourceRecordSet": {
"Name": "special.example.com",
"Type": "CNAME",
"TTL": 300,
"ResourceRecords": [{"Value": "other.target.com"}]
}
}
]
}
Be aware of these edge cases:
- Some DNS implementations may cache records differently
- DNSSEC validation might behave differently with wildcards
- Email-related records (MX) have special wildcard rules