SplitDNS/horizon DNS with some public wildcard records

Hello,

I have a scenario where I host our public domain internally in an Azure Private DNS zone. I have some services internally that require this to be a thing. However, I would rather my internal users access the public facing pages through the public path, which is going through a proxied Cloudflare connection. I have gotten this to work by doing the following:

subdomain.mydomain.com, which is a proxied A record in Cloudflare. This would be set up on Azure Private DNS as a CNAME with subdomain and subdomain.mydomain.com.cdn.cloudflare.net as the record. When doing this, my internal clients that request subdomain.mydomain.com can access the site just fine through Cloudflare as expected.

What I really need to work is one that is *.mydomain.com. However, when setting up *.mydomain.com as an A record that is proxied in Cloudflare, that works just fine publicly. When trying to do the same CNAME record internally, this won’t work, as the CNAME value of *.mydomain.com.cdn.cloudflare.net isn’t allowed because of the * character in *.mydomain.com.cdn.cloudflare.net. Is anyone familiar with how to set up a CNAME record for Cloudflare when you have a split-horizon DNS setup and you want it proxied through Cloudflare as a wildcard domain request?

Thank you.

Wildcard DNS only allows a wildcard in the label of the record, so you cannot do what you are asking.

DNAME records should do what you are trying to do, but I do not know what support for these is like in Azure Private DNS.

Azure Private DNS only offers up:

A
AAAA
CNAME
MX
PTR
SRV
TXT

So, no go on DNAME. I can however move this zone to an actual DNS server if need be. I’ve never worked with DNAME records. I will look it up and see if it’s viable.

I did find that it seems to work when I choose a subdomain I’ll never use in my application. For example, proxy.

So, on Azure Private DNS, if I use a CNAME record *.mydomain.com with the alias proxy.mydomain.com.cdn.cloudflare.net it seems to be working, and with all types of subdomains that I throw at it. My assumption is because Cloudflare has the wildcard proxy record in place and whatever it is doing under the covers is OK with it. I’ll open a case with CF support to see if that is OK and not at risk of being changed later.

This will only work if all of your other hostnames are either :grey: or :orange:. If some are :grey: and some are :orange: you will get unexpected results. It is essentially just getting the public value of one of your DNS records and returning that result for everything on the private version of the zone.

You will have problems with other DNS record types, such as TXT records, that are in your Cloudflare copy of the zone; they will be invisible to your internal DNS server.

Correct, for the records that I’m concerned about I still manually manage them explicitly, which takes precedence over the wildcard, which seems to be working as usual still. I have had it set this way prior to Cloudflare and manage both private/public zones as records are created. We just have an app that has a bunch of subdomains, so it’s easier to mark that as wildcard, and it’s cloud-based so it’s good to have it going the public routes.

Have you tried creating a record for foo.example.com in Cloudflare and pointing * to foo.example.com.cdn.cloudflare.net?

1 Like

I haven’t yet, I was thinking that could also be a good option as it should achieve the same goal. I will try that as well to see if it works.

2 Likes

Cloudflare support responded with:

The method you just tested and implemented is our current method to allow a wildcard record to be used while using a partial (CNAME) setup. As you mentioned, the caveat here is that the name that you pick should be one that you don’t plan on using in the future for a subdomain. If you were to add a record with the same name on your Cloudflare DNS, this new record would take precedence over the wildcard record you added due to how [certificate and hostname priority works].

So, this was the correct solution at least from what support is saying. Thanks for your help and other creative ideas!

2 Likes
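The setup the thread converges on (private wildcard CNAME pointing at a never-used "proxy" name in the Cloudflare zone), together with the :grey:/:orange: mixing caveat and the precedence caveat from support, as an added Python model that is not code from this thread, from Azure or from Cloudflare. The zone contents, the edge address and the assumption that `<host>.mydomain.com.cdn.cloudflare.net` only answers for a proxied `<host>` are constructed for the example.

```python
# Added example: model the split-horizon zones discussed in this thread.
# PUBLIC mirrors the Cloudflare zone as name -> (target, proxied);
# PRIVATE mirrors the Azure Private DNS zone. All values are constructed.
EDGE_IP = "192.0.2.1"  # constructed stand-in for a Cloudflare edge address

PUBLIC = {
    "app.mydomain.com": ("203.0.113.10", True),    # :orange: (proxied)
    "*.mydomain.com": ("203.0.113.10", True),      # :orange: wildcard
    "vpn.mydomain.com": ("198.51.100.5", False),   # :grey: (DNS-only)
    "proxy.mydomain.com": ("203.0.113.10", True),  # the placeholder name
}
PRIVATE = {
    "db.mydomain.com": "10.0.0.5",                 # explicit internal record
    "*.mydomain.com": "CNAME:proxy.mydomain.com.cdn.cloudflare.net",
}

def lookup(zone, name):
    """Exact owner name wins; otherwise fall back to the parent's wildcard."""
    if name in zone:
        return zone[name]
    parts = name.split(".", 1)
    return zone.get("*." + parts[1]) if len(parts) == 2 else None

def public_answer(name, public=PUBLIC):
    """What a client on public DNS gets: the edge if proxied, else the origin."""
    rec = lookup(public, name)
    if rec is None:
        return None
    target, proxied = rec
    return EDGE_IP if proxied else target

def private_answer(name, public=PUBLIC):
    """What an internal client gets from the private zone. Assumption of this
    model: <host>.mydomain.com.cdn.cloudflare.net answers with the edge address
    only while <host> is a proxied (:orange:) record in the public zone."""
    rec = lookup(PRIVATE, name)
    if rec is None:
        return None
    if rec.startswith("CNAME:"):
        host = rec[len("CNAME:"):].removesuffix(".cdn.cloudflare.net")
        pub = lookup(public, host)
        return EDGE_IP if pub and pub[1] else None
    return rec

def divergences(names, public=PUBLIC):
    """Hostnames whose private and public answers differ. Explicit internal
    records are expected here; a :grey: host caught by the wildcard is not."""
    return {n: (private_answer(n, public), public_answer(n, public))
            for n in names if private_answer(n, public) != public_answer(n, public)}
```

Running `divergences` over the hostnames you care about before and after each zone change is a cheap way to catch a :grey: record silently being sent through the edge, or the placeholder name being reused.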
