*.domain.com hundreds of DNS records

When I add a new domain with a *.domain.com record, CF generates hundreds of subdomains in DNS like:
1
2
3
4
4g
admin
a
etc.

The second problem is that I cannot even clear this - I can only delete each record one by one.

If you have a wildcard DNS record when importing into Cloudflare, then this will happen. You can remove your zone, then remove the wildcard DNS record and re-add your zone.

I also wrote a program that can delete all your DNS records. Documentation is available here: DNS Purge - Cloudflare Utilities

2 Likes

I don’t think that it should work like that - why doesn’t CF fix this wildcard error? Removing the zone will obviously crash my site.
A DNS purge would also be better in the DNS editor, with no need to install additional software.
This topic was created just because I can’t contact CF support any other way - I need a fix, not a workaround.

Which wildcard error? If you have a wildcard, you simply configured all those records.

Or can you propose a way for Cloudflare to recognise a wildcard?

Anyhow, @Cyb3r-Jak3’s tool is the right approach here.

2 Likes

Generate several random UUIDs. Look them up in the target domain. If they all exist and point to the same thing–whoa, hey, looks like a wildcard, proceed Y/N?

2 Likes

That was actually a question for the OP :wink:

But yeah, now we know the OP has a wildcard. And then what? How do you distinguish a wildcard from a proper record, while keeping the same workflow? You don’t :wink:

  1. Option “do not brute-force my DNS” when adding domain.
  2. If the brute-force is running and any subdomain exists with the same IP address - stop it and ask about a wildcard. It is a bad idea to add all 200 brute-forced subdomains.
  3. Check some random subdomains 10+ characters long.
  4. It is not too hard to understand that this brute-force system will fail with a wildcard - isn’t it? If failure is inevitable, then we can soften the consequences with a “Purge DNS” option.

The question was how you distinguish a wildcard record from a proper record.

If you don’t know how, then just… do not do it! That’s the solution - just let the user add records manually!
Now I can’t use the domain with CF because I don’t want to remove 200 trash records manually, and I can’t remove the wildcard from the current DNS because that will crash my site - the current solution not only fails with a wildcard but also forces the user not to use CF, what could be worse?!

That’s not about Cloudflare not knowing how, that’s about it not being possible, hence my question.

Now whether people add records manually, that’s a whole different subject and you have a guarantee that people will complain about that workflow as well, just as they do when they configured a wildcard and then have all those records.

It is possible - you can check a few 10-20 character long random subdomains - I said it before.

Then would you mind answering my question finally?

It is the wrong question because there is no need to do that when adding a domain, as there is no need to brute-force and add hundreds of subdomains.

It hardly is the “wrong question”, as this is the precise issue we are discussing here and which you were criticising.

Regardless of your claims, it is not possible to distinguish a wildcard record and that is why Cloudflare can’t do that. They could change the overall workflow but then we are exactly where I mentioned before. In short, we are going in circles :wink:

Ok, I’ll teach you!

Step 1: Try some random subdomain like io23r3io2jr3320r932ijdi2j3e - if it returns, for example, an A-record, then it means that a wildcard is used for this domain.
Step 2: If you do want to check all of your subdomains dictionary - do that! You’ll see hundreds (or millions) of subdomains with the same(!) A-record from Step 1 - it means that all of these subdomains are equal to the wildcard and should be replaced with it.

I don’t think you’re on the same page.

If I have a record of admin that I did create pointing to 1.1.1.1 and a wildcard pointing to 1.1.1.1, how do you know if admin is a wildcard or one that I did create & do want to be imported?

You don’t. The point is that DNS doesn’t make any indication to you if the record was created explicitly by me or if the wildcard was the reason your query got an answer.

Whether you should be forced to import all of the records is another question. The question of knowing if a record is a wildcard or not, not knowing if a wildcard is there at all, is what is being discussed.

You can tell if a wildcard is present, not if my record was a wildcard or created specifically.
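The two points made above (random-label probing does reveal that a wildcard exists, but a query answer carries no flag saying whether an explicit record or the wildcard produced it) can be shown in code. The following is an added example, not code from the thread or from Cloudflare's importer: it uses a constructed in-memory zone with a simplified wildcard lookup instead of live DNS, so it runs offline; the domain, IP addresses and function names are all assumptions.

```python
import secrets

# Constructed sample zone for this example: an apex, two explicit records
# and a wildcard. admin shares the wildcard's IP, mail does not.
ZONE = {
    "example.com": "203.0.113.10",
    "admin.example.com": "203.0.113.10",   # explicit record, same IP as the wildcard
    "mail.example.com": "203.0.113.25",    # explicit record, different IP
    "*.example.com": "203.0.113.10",       # wildcard
}


def resolve_a(name, zone=ZONE):
    """Simulated A lookup: exact match first, otherwise the nearest wildcard.
    Simplified model of DNS wildcard matching; the answer carries no
    indication of which of the two produced it, exactly as in real DNS."""
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard]
    return None


def detect_wildcard(domain, queries=3, label_len=24, resolve=resolve_a):
    """Probe several random labels nobody would have created by hand.
    If every probe resolves to the same answer, a wildcard is present and
    that answer is returned; otherwise None."""
    answers = set()
    for _ in range(queries):
        label = secrets.token_hex(label_len // 2)   # e.g. 24 hex characters
        answer = resolve(f"{label}.{domain}")
        if answer is None:
            return None
        answers.add(answer)
    return answers.pop() if len(answers) == 1 else None


def classify_import(candidates, domain, resolve=resolve_a):
    """Walk a brute-force candidate list the way an importer would.
    Names whose answer differs from the wildcard answer must be explicit
    records; names whose answer equals it are ambiguous, because DNS cannot
    say whether they are explicit (like admin) or synthesized (like 4g)."""
    wildcard_ip = detect_wildcard(domain, resolve=resolve)
    result = {"wildcard": wildcard_ip, "explicit": {}, "ambiguous": {}, "missing": []}
    for label in candidates:
        fqdn = f"{label}.{domain}"
        ip = resolve(fqdn)
        if ip is None:
            result["missing"].append(fqdn)
        elif wildcard_ip is not None and ip == wildcard_ip:
            result["ambiguous"][fqdn] = ip
        else:
            result["explicit"][fqdn] = ip
    return result


if __name__ == "__main__":
    # Small constructed brute-force dictionary, like the names in the first post.
    report = classify_import(["admin", "mail", "4g", "a"], "example.com")
    print("wildcard answer:", report["wildcard"])
    print("explicit:", report["explicit"])
    print("ambiguous (explicit or wildcard, cannot tell):", sorted(report["ambiguous"]))
```

The useful defensive outcome is the split itself: an importer that detects the wildcard can stop and ask before creating the ambiguous set, which is the behaviour the earlier list item asks for, while the `admin` case shows why it cannot safely decide on its own. Against a live zone the same logic applies with a real resolver library in place of `resolve_a`.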

It’s been a known issue for more than 2 months, and Enterprise customers are given the option to skip the import; if you want to get more attention on the issue, then opening a support ticket is your best bet.

1 Like