Partial CNAME setup: Can we create a second level wildcard record?

What is the name of the domain?

domain.com

What is the issue you’re encountering?

The behaviour detailed below works, but it is not present in the documentation

What steps have you taken to resolve the issue?

Hi,

We have recently created a Partial CNAME setup for one of our zones.

The documentation states that we need to create CNAME records pointing to {your-hostname}.cdn.cloudflare.net for every hostname you wish to proxy through Cloudflare. This works as intended.

We have many second level subdomains so in order to simplify our setup we tried using a wildcard and it worked while being undocumented.
Here is an example:

Domain for the partial zone: domain.com

DNS records in our authoritative DNS:

CNAME: test -> test.domain.com.cdn.cloudflare.net
CNAME: *.test -> domain.com.cdn.cloudflare.net

DNS records inside Cloudflare partial zone

A record:  api.test -> <PUBLIC_IP>
A record:  test -> <ANOTHER_PUBLIC_IP>

In our tests, api.test.domain.com resolves to the record corresponding to api.test inside Cloudflare.

Is this intended to work?
Is it safe to use second level wildcards in a Partial Setup while being undocumented?

Thanks for your help!

What feature, service or problem is this related to?

DNS records

What are the steps to reproduce the issue?

  1. Create a zone using Partial Setup for a domain
  2. In the domain authoritative DNS, add the following CNAME record: *.test -> domain.extension.cdn.cloudflare.net
  3. In the Cloudflare zone DNS, add an A record for api.test -> <PUBLIC_IP>
  4. Make a request to api.test.domain.extension

I’ve just typed a very long answer that disappeared when the site suddenly decided to do a refresh, so here’s the short version:

During DNS resolution, it only really matters that the name resolves to a Cloudflare IP address. So your CNAME target doesn’t have to be api.test.domain.com.cdn.cloudflare.net, but could probably be community.cloudflare.com.

Don’t actually do this, as it would cause a lot of other problems. Some settings need to be set at the DNS level. For example, enabling/disabling ECH would set specific HTTPS DNS records for domain.com.cdn.cloudflare.net.
Also, you would end up with a lot of TXT records etc for community.cloudflare.com that you don’t want on your domain.

As long as these DNS level settings are the same for all your subdomains, it wouldn’t matter whether you set the “correct” CNAME record to api.test.domain.com.cdn.cloudflare.net or your “lazy” version with a wildcard to domain.com.cdn.cloudflare.net.

However, if there were different DNS records for domain.com.cdn.cloudflare.net and api.test.domain.com.cdn.cloudflare.net, your “lazy” solution would stop working.

You should also be aware that your way would lead to wrong results in the DNS analytics, as there would never be any queries for api.test.domain.com.cdn.cloudflare.net. Your DNS analytics would essentially become useless.

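To make the answer above concrete, here is an added example (not from the original thread or from Cloudflare) that simulates RFC 4592 wildcard matching over the authoritative records described in the question. It shows which query names the `*.test` CNAME actually covers, which cdn.cloudflare.net name each lookup ends up hitting (the name that would, or would not, appear in DNS analytics), and the case where an explicit child name under `test` blocks the wildcard. The zone data, including the `static.test` record, is constructed for this example.

```python
# Constructed authoritative zone for domain.com (owner name -> {type: [rdata]}).
# Mirrors the records from the question plus one explicit child under "test".
AUTH_ZONE = {
    "domain.com": {"A": ["<ORIGIN_IP>"]},
    "test.domain.com": {"CNAME": ["test.domain.com.cdn.cloudflare.net"]},
    "*.test.domain.com": {"CNAME": ["domain.com.cdn.cloudflare.net"]},
    # Explicit (non-wildcard) name below "test", constructed to show the pitfall.
    "static.test.domain.com": {"A": ["<STATIC_IP>"]},
}


def _node_exists(zone, name):
    # A node exists if it owns records or is an empty non-terminal,
    # i.e. some owner name in the zone sits below it.
    return name in zone or any(k.endswith("." + name) for k in zone)


def lookup_cname(zone, qname):
    """Return the CNAME target a resolver receives for qname, or None.

    Exact match wins. Otherwise only the wildcard directly below the
    closest existing ancestor (the "closest encloser") is tried; a
    wildcard higher up never applies, because the closer existing node
    blocks it (RFC 4592 semantics).
    """
    qname = qname.rstrip(".").lower()
    if qname in zone:
        return zone[qname].get("CNAME", [None])[0]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if _node_exists(zone, encloser):
            wildcard = "*." + encloser
            if wildcard in zone:
                return zone[wildcard].get("CNAME", [None])[0]
            return None  # closest encloser found, but no wildcard there
    return None


if __name__ == "__main__":
    for q in ["api.test.domain.com", "test.domain.com",
              "deep.api.test.domain.com", "x.static.test.domain.com"]:
        print(q, "->", lookup_cname(AUTH_ZONE, q))
```

Note that `api.test.domain.com` and `deep.api.test.domain.com` both land on `domain.com.cdn.cloudflare.net`, so `api.test.domain.com.cdn.cloudflare.net` is never queried, while `x.static.test.domain.com` gets nothing from the wildcard because `static.test.domain.com` exists as a closer node.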
