What is a Wildcard DNS Record?
A wildcard DNS record is a catch-all entry that answers for any subdomain that does not have a record of its own. Written with an asterisk, as in *.example.com, it lets a single rule respond to an unlimited number of names, which is enormously convenient for some setups and a quiet source of risk in others.
What a wildcard record is
A wildcard DNS record uses an asterisk as its leftmost label to stand in for any subdomain. A record for *.example.com answers for anything.example.com, blog.example.com, and any other single-label name under example.com that you have not defined explicitly.
Wildcards work with several record types. A wildcard A record sends every unmatched subdomain to one IP address, while a wildcard CNAME record aliases them all to another hostname. The point is the same: one rule, many names.
How it works and precedence
The key rule with wildcards is that an explicit record always beats the wildcard. Resolution looks for the most specific match first:
- If a queried name has its own exact record, that record is returned and the wildcard is not consulted.
- If no exact record exists, the wildcard answers in its place.
So with both *.example.com and an explicit app.example.com, a lookup for app.example.com uses the explicit record, while a lookup for random.example.com falls through to the wildcard. It is also worth knowing that a wildcard only covers one level by default: *.example.com does not automatically match deep.nested.example.com. Wildcards also do not cover the apex name (example.com) itself.
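The precedence rules above, modelled in a few lines of Python as an added example (not code from the original page). The zone contents are constructed for illustration, and the lookup implements only the behaviour described here: an exact owner name wins, otherwise the leftmost label is replaced with an asterisk and that single wildcard owner is tried.

```python
# Added example: a small model of wildcard lookup precedence run against a
# constructed zone (example.com is a reserved documentation name).
# Illustrative code only, not a real resolver.
from typing import Dict, Optional, Tuple

Record = Tuple[str, str]          # (record type, record data)
Zone = Dict[str, Record]          # owner name (with trailing dot) -> record

# Constructed zone contents
ZONE: Zone = {
    "example.com.":        ("A", "192.0.2.1"),                 # apex record
    "app.example.com.":    ("A", "192.0.2.10"),                # explicit record
    "*.example.com.":      ("A", "192.0.2.99"),                # catch-all one label below the apex
    "*.apps.example.com.": ("CNAME", "tenants.example.net."),  # wildcard scoped to a subdomain
}


def canonical(name: str) -> str:
    """Lower-case the name and make it fully qualified (trailing dot)."""
    return name.strip().lower().rstrip(".") + "."


def lookup(name: str, zone: Zone = ZONE) -> Tuple[str, Optional[Record], Optional[str]]:
    """Resolve one name against the zone.

    Returns (how, record, owner): how is 'explicit', 'wildcard' or 'nxdomain',
    and owner is the zone entry that actually produced the answer.
    """
    qname = canonical(name)
    # 1. Most specific match first: an exact record always beats the wildcard.
    if qname in zone:
        return "explicit", zone[qname], qname
    # 2. No exact record: try the wildcard one label up, e.g. x.example.com -> *.example.com.
    #    Only the leftmost label is replaced, so deep.nested.example.com looks for
    #    *.nested.example.com (not *.example.com) and the apex looks for *.com;
    #    neither is answered by *.example.com, matching the behaviour described above.
    labels = qname.split(".")
    wildcard_owner = "*." + ".".join(labels[1:])
    if wildcard_owner in zone:
        return "wildcard", zone[wildcard_owner], wildcard_owner
    return "nxdomain", None, None


def demo() -> None:
    """Print how a handful of constructed query names are answered."""
    for q in ["app.example.com", "random.example.com", "blgo.example.com",
              "deep.nested.example.com", "tenant1.apps.example.com", "example.com"]:
        how, rec, owner = lookup(q)
        data = f"{rec[0]} {rec[1]}" if rec else ""
        print(f"{q:26} -> {how:9} via {owner or '-':22} {data}")


if __name__ == "__main__":
    demo()
```

Note the typo'd name blgo.example.com resolves just as happily as the names you meant to publish, which is the "unintended matches" risk discussed below, and that tenant1.apps.example.com is answered by the narrower *.apps.example.com wildcard rather than the broad one.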
Use cases
- Catch-all subdomains — point every unmatched name at a single landing page or application without enumerating them.
- Multi-tenant SaaS — give each customer a subdomain like customer.example.com on the fly, so a single wildcard routes thousands of tenants to one application.
- Dynamic environments — serve preview or per-branch deployments where subdomain names are generated automatically and cannot be predicted.
Risks
The same breadth that makes wildcards useful also creates exposure:
- Unintended matches. A wildcard answers for names you never meant to publish, including typos and guessed subdomains, all of which now resolve to your infrastructure.
- Security exposure. Because every name under the wildcard resolves, attackers can probe arbitrary subdomains, and a broad wildcard can make some subdomain takeover scenarios easier if traffic lands on a service that is not properly claimed.
- Certificate scope. Pairing a wildcard record with a wildcard TLS certificate means one compromised key covers every subdomain at once.
Best practices
- Scope wildcards narrowly. Apply them to a dedicated subdomain such as *.apps.example.com rather than the whole domain when you can.
- Add explicit records for sensitive names so they cannot accidentally fall through to the wildcard's destination.
- Validate what each subdomain serves to ensure the wildcard is not directing traffic to an unclaimed or stale service.
- Watch for changes. Because a wildcard touches so many names, a single edit has wide blast radius. ZoneWatcher alerts you the moment a wildcard or any other record changes, so an unexpected edit does not silently reroute every subdomain.
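The practices above as a small audit script, added here as an example and not ZoneWatcher's own code. It works on two constructed snapshots of a zone: it flags a wildcard that sits at the apex, lists names from an assumed list of sensitive labels that have no explicit record and therefore fall through to a wildcard, and reports which records changed between the snapshots so edits to wildcard owners stand out.

```python
# Added example (not ZoneWatcher code): audit a zone for wildcard exposure and
# report what changed between two snapshots. All records below are constructed.
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]          # (record type, record data)
Zone = Dict[str, Record]          # owner name (trailing dot) -> record
Finding = Tuple[str, str, str]    # (kind, affected name, wildcard involved)
Change = Tuple[str, str, Optional[Record], Optional[Record]]  # (kind, owner, before, after)

# Constructed "before" snapshot of example.com
ZONE_BEFORE: Zone = {
    "example.com.":        ("A", "192.0.2.1"),
    "www.example.com.":    ("A", "192.0.2.1"),
    "*.apps.example.com.": ("CNAME", "tenants.example.net."),
    "*.example.com.":      ("A", "192.0.2.99"),
}

# Constructed "after" snapshot: the broad wildcard was repointed and
# admin.example.com was given an explicit record.
ZONE_AFTER: Zone = dict(ZONE_BEFORE)
ZONE_AFTER["*.example.com."] = ("A", "203.0.113.5")
ZONE_AFTER["admin.example.com."] = ("A", "192.0.2.20")

# Assumed policy list: labels that should never be answered by a wildcard.
SENSITIVE_LABELS = ["admin", "mail", "sso", "vpn", "www"]


def wildcard_owners(zone: Zone) -> List[str]:
    """All wildcard owner names in the zone, sorted for stable output."""
    return sorted(owner for owner in zone if owner.startswith("*."))


def audit(zone: Zone, apex: str, sensitive: List[str] = SENSITIVE_LABELS) -> List[Finding]:
    """Flag wildcards at the apex and sensitive names that fall through to a wildcard."""
    apex = apex.strip().lower().rstrip(".") + "."
    findings: List[Finding] = []
    for wc in wildcard_owners(zone):
        parent = wc[2:]                       # "*.apps.example.com." -> "apps.example.com."
        if parent == apex:
            findings.append(("broad-wildcard", wc, wc))
        for label in sensitive:
            candidate = f"{label}.{parent}"
            if candidate not in zone:         # no explicit record, so the wildcard answers
                findings.append(("fallthrough", candidate, wc))
    return findings


def diff_zones(before: Zone, after: Zone) -> List[Change]:
    """Record-level diff of two snapshots, in owner-name order."""
    changes: List[Change] = []
    for owner in sorted(set(before) | set(after)):
        old, new = before.get(owner), after.get(owner)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "changed"
        changes.append((kind, owner, old, new))
    return changes


def wildcard_changes(changes: List[Change]) -> List[Change]:
    """The subset of changes with the widest blast radius: edits to wildcard owners."""
    return [c for c in changes if c[1].startswith("*.")]


if __name__ == "__main__":
    print("audit of current snapshot:")
    for kind, name, wc in audit(ZONE_BEFORE, "example.com"):
        print(f"  {kind:15} {name:28} ({wc})")
    print("changes since previous snapshot:")
    for kind, owner, old, new in diff_zones(ZONE_BEFORE, ZONE_AFTER):
        flag = "WILDCARD " if owner.startswith("*.") else ""
        print(f"  {flag}{kind:8} {owner:24} {old} -> {new}")
```

Running the audit on the second snapshot shows one fewer fall-through finding, because the explicit admin.example.com record now wins over *.example.com; the diff marks the repointed *.example.com entry, the change that silently reroutes every unmatched name and the one a watcher should surface first.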