When managing public-facing services with multiple subdomains, administrators often need to implement a catch-all solution while maintaining specific records for critical subdomains. This creates an interesting configuration challenge in BIND (Berkeley Internet Name Domain) where we need:
- A wildcard record (*.domain.tld) pointing to default IP (1.1.1.1)
- Specific exceptions (www.domain.tld) pointing to different IPs (2.2.2.2)
Here's the complete configuration for a zone file (e.g., /etc/bind/zones/domain.tld.db):
$TTL 86400
@ IN SOA ns1.domain.tld. admin.domain.tld. (
2024021501 ; Serial
3600 ; Refresh
1800 ; Retry
604800 ; Expire
86400 ; Minimum TTL
)
; Name servers
@ IN NS ns1.domain.tld.
@ IN NS ns2.domain.tld.
; Base records
@ IN A 1.1.1.1
ns1 IN A 192.168.1.10
ns2 IN A 192.168.1.11
; Specific subdomains (exceptions)
www IN A 2.2.2.2
mail IN A 3.3.3.3
; Wildcard catch-all
* IN A 1.1.1.1
After implementing the configuration, verify it with these commands:
# Check syntax
named-checkconf /etc/bind/named.conf
named-checkzone domain.tld /etc/bind/zones/domain.tld.db
# Reload BIND
rndc reload domain.tld
# Test resolution
dig anyrandom.domain.tld +short # Should return 1.1.1.1
dig www.domain.tld +short # Should return 2.2.2.2
For more complex environments, consider these additional configurations:
; Wildcard with different record types
* IN MX 10 mail.domain.tld.
* IN TXT "v=spf1 a mx ~all"
; CNAME wildcards (if needed)
*.dev IN CNAME devcluster.domain.tld.
; Specific override inside a wildcarded subtree: an explicit name always
; wins over the wildcard, so special.dev is answered from this record rather
; than from *.dev (an asterisk only acts as a wildcard in the leftmost label)
special.dev IN A 4.4.4.4
If the configuration isn't working as expected:
- Verify zone file serial number increments after changes
- Check that the wildcard is placed after specific records
- Confirm proper permissions on zone files (typically root:named)
- Inspect BIND logs at /var/log/named/named.log
When managing a BIND DNS server, there are scenarios where you need to catch all undefined subdomains and redirect them to a specific IP address, while maintaining explicit records for certain subdomains. This is particularly useful for:
- Development environments needing catch-all domains
- SaaS applications handling custom subdomains
- Migration scenarios where old subdomains should redirect
Here's the complete solution using BIND's wildcard functionality:
zone "domain.tld" {
type master;
file "/etc/bind/db.domain.tld";
allow-transfer { slaves; }; // "slaves" is an ACL that must be defined elsewhere in named.conf
};
Create or modify your zone file with these entries:
$TTL 86400
@ IN SOA ns1.domain.tld. admin.domain.tld. (
2023081501 ; Serial
3600 ; Refresh
1800 ; Retry
604800 ; Expire
86400 ; Minimum TTL
)
; Name servers
IN NS ns1.domain.tld.
IN NS ns2.domain.tld.
; Explicit records
www IN A 2.2.2.2
mail IN A 3.3.3.3
; Wildcard catch-all
* IN A 1.1.1.1
After reloading BIND, verify with these commands:
# Check configuration syntax
named-checkconf
# Test specific records
dig +short www.domain.tld # Should return 2.2.2.2
dig +short mail.domain.tld # Should return 3.3.3.3
dig +short random.domain.tld # Should return 1.1.1.1
dig +short any.other.domain.tld # Should return 1.1.1.1
For cases where certain subdomains shouldn't be caught by the wildcard:
; Wildcard with exclusions: an explicit record always takes precedence
* IN A 1.1.1.1
except IN A 4.4.4.4 ; except.domain.tld resolves to 4.4.4.4, not 1.1.1.1
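To make the precedence rules behind both zone examples above concrete (the apex wildcard, the www/mail and except exceptions, and the *.dev CNAME subtree), here is an added example, not from the original page or from BIND itself: a small Python model of RFC 4592 wildcard lookup run against the records shown above, with the zone data constructed inline. It shows two behaviours that regularly surprise people: the apex wildcard does not cover names beneath an explicit record such as www, and a wildcard that only carries A and MX records does not give www an MX.

```python
# Added example, not from the page or from BIND: a minimal model of how an
# authoritative server answers queries against the zone shown above, following
# the RFC 4592 wildcard rules. Zone data is constructed inline; owner names are
# relative to domain.tld, with "@" for the apex.
ZONE = {
    "@": {"A": "1.1.1.1", "NS": "ns1.domain.tld."},
    "www": {"A": "2.2.2.2"},
    "mail": {"A": "3.3.3.3"},
    "*": {"A": "1.1.1.1", "MX": "10 mail.domain.tld."},
    "*.dev": {"CNAME": "devcluster.domain.tld."},
    "special.dev": {"A": "4.4.4.4"},
}

def _labels(name):
    """Relative name -> label tuple, leftmost label first; the apex is ()."""
    return () if name == "@" else tuple(name.split("."))

OWNERS = {_labels(owner): rrs for owner, rrs in ZONE.items()}

def _exists(labels):
    """A name exists if it owns records or is an ancestor of one that does
    (an empty non-terminal such as 'dev' in this zone)."""
    return any(len(o) >= len(labels) and o[len(o) - len(labels):] == labels
               for o in OWNERS)

def _answer(rrset, qtype):
    # A CNAME at the node answers every query type; otherwise the exact type or NODATA.
    if "CNAME" in rrset:
        return "CNAME " + rrset["CNAME"]
    return rrset.get(qtype, "NODATA")

def lookup(qname, qtype="A"):
    """Return the rdata, 'NODATA' or 'NXDOMAIN' for qname (relative to domain.tld)."""
    labels = _labels(qname)
    if _exists(labels):            # existing name: wildcards are never consulted
        return _answer(OWNERS.get(labels, {}), qtype)
    # Otherwise walk up to the closest encloser (nearest existing ancestor) and
    # look for the source of synthesis, the '*' label directly below it.
    for i in range(1, len(labels) + 1):
        encloser = labels[i:]
        if _exists(encloser):
            synth = ("*",) + encloser
            return _answer(OWNERS[synth], qtype) if synth in OWNERS else "NXDOMAIN"
    return "NXDOMAIN"

if __name__ == "__main__":
    for q, t in [("anyrandom", "A"), ("www", "A"), ("www", "MX"), ("foo.www", "A"),
                 ("foo.bar.dev", "A"), ("special.dev", "A"), ("dev", "A")]:
        print(f"{q}.domain.tld {t}: {lookup(q, t)}")
```

Note that foo.www.domain.tld yields NXDOMAIN rather than the wildcard address, and dev.domain.tld yields NODATA, because both names already exist in the tree and wildcard synthesis only applies to names that do not.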
When implementing wildcard DNS:
- Wildcard records add minimal processing overhead
- Consider TTL values carefully for cache behavior
- Monitor query patterns in production environments
Avoid these mistakes:
- Forgetting to increment the serial number after changes
- Mixing wildcard and explicit records incorrectly
- Not considering DNSSEC implications if enabled