Wildcard DNS Entries For Free

Amazon CloudFront seems to have had this feature since 2013 for free.
It would be nice to have it in Cloudflare too.

Why

I have an idea for a low-budget service where I want to use Cloudflare Workers on all unregistered subdomains to output a page customized according to the subdomain name.
Of course I could do it with client-side JavaScript, but it may hurt SEO (and deprive me of all the other benefits of Cloudflare, like the fast CDN and DDoS mitigation).
Because the project is just an idea and the budget is low, I can’t afford an Enterprise plan or even Pro.
A further abstraction of the project idea would be allowing users to bring their own domains to the service and manage them, but since Cloudflare plans are per domain I doubt it will be feasible, without an Enterprise plan at least.

Off-topic

Have you thought about starting to provide a static site hosting service with CF? Maybe in partnership with Netlify.

Wildcards have been already supported “forever”.

Yeah, but they can’t be :orange:, hence, no Workers.

2 Likes

Well, technically they can, one only needs to dig a bit deeper into his pockets :wink:

But yes, I did miss the worker bit.

2 Likes

The wildcard info message in the DNS settings page currently says: (emphasis mine)

Wildcards may be added to DNS, but only Enterprise customers can proxy wildcards through the CDN…

And according to Cloudflare support, the enterprise plan starts at $5,000 per month ($60,000 annually).

That’s not “dig a bit deeper into [your] pockets”, that’s well into “completely empty your pockets” territory (for anyone that isn’t actually an enterprise).

So while I can kind of understand if this was a feature of the Pro ($20/mo) plan, right now it’s extremely cost prohibitive for developers / personal users (and probably many small businesses too) - especially when AWS Route 53 includes it (for no extra cost, which ends up being like $1/mo for a small site).

Chances are you don’t need a proxied wildcard entry if you’re doing anything other than SaaS or giving out subdomains, things which aren’t common for anyone other than businesses with millions in revenue that can afford Cloudflare Enterprise.

If you’re, as you said, a “developer” or “personal user”, then you probably could take the time to automatically add the desired DNS subdomains using the API when needed.

4 Likes
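The post above suggests creating individual subdomains through the Cloudflare API instead of a proxied wildcard. The following is an added example, not code from the thread or from Cloudflare: it builds proxied CNAME records for a list of user-chosen names and sends them to the real v4 endpoint `POST /zones/{zone_id}/dns_records`. The zone name, zone id, API token and the list of subdomain labels are assumed inputs; the sample labels are constructed. Because the labels come from end users (room or topic names, in the thread’s scenario), each one is validated as a single DNS label before it is allowed to reach the API, so a name containing a dot or a wildcard cannot create records at unintended levels.

```python
"""Create per-subdomain, proxied DNS records through the Cloudflare v4 API.

Added example; not code from the original thread or from Cloudflare.
Assumptions: CF_API_TOKEN (token with DNS edit rights), CF_ZONE_ID and
the zone name are supplied by the caller; the subdomain list is constructed.
"""
import json
import os
import re
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"  # real Cloudflare API base URL

# One DNS label: letters, digits and hyphens, 1-63 chars, no leading or
# trailing hyphen (RFC 1035 style host label). No dots, no '*'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def validate_label(label: str) -> str:
    """Reject user-supplied names that are not a single safe DNS label.

    Room/topic names come from users, so they must not become arbitrary
    API input: a dot would create an extra level, '*' a wildcard record.
    """
    label = label.strip().lower()
    if not LABEL_RE.fullmatch(label):
        raise ValueError(f"invalid DNS label: {label!r}")
    return label


def build_record(zone_name: str, label: str, target: str, proxied: bool = True) -> dict:
    """Build the JSON body for POST /zones/{zone_id}/dns_records (a CNAME)."""
    return {
        "type": "CNAME",
        "name": f"{validate_label(label)}.{zone_name}",
        "content": target,
        "proxied": proxied,  # True = orange cloud, so Workers can run on it
        "ttl": 1,            # 1 means "automatic" TTL in the Cloudflare API
    }


def plan_records(zone_name: str, labels, target: str):
    """Validate every label up front; return (bodies to send, rejected labels)."""
    bodies, rejected = [], []
    for lab in labels:
        try:
            bodies.append(build_record(zone_name, lab, target))
        except ValueError:
            rejected.append(lab)
    return bodies, rejected


def create_record(token: str, zone_id: str, body: dict) -> dict:
    """Send one record to the API and return the decoded response (network call)."""
    req = urllib.request.Request(
        f"{CF_API}/zones/{zone_id}/dns_records",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: two good names, three that must never reach the API.
    wanted = ["room1", "Chat-42", "bad.label", "*", "-x"]
    bodies, rejected = plan_records("example.com", wanted, "example.com")
    print("rejected:", rejected)
    token, zone_id = os.environ.get("CF_API_TOKEN"), os.environ.get("CF_ZONE_ID")
    for body in bodies:
        if token and zone_id:
            print(create_record(token, zone_id, body)["success"], body["name"])
        else:
            print("dry run:", json.dumps(body))
```

Run it without `CF_API_TOKEN`/`CF_ZONE_ID` set to see the request bodies without touching the API. Note that, as @ilyaigpetrov points out later in the thread, every record created this way counts against the zone’s DNS record limit, so a production version should also track how many records it has created.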

Here are two ideas that require bringing one’s own domains to fight censorship:

  1. A user brings his own domain, from which we serve text files which may be personalized based on a user token supplied by the client/user. Personalization is done via Cloudflare Workers (with KV) on the edge. These text files may be PAC scripts constructed according to client preferences. PAC scripts may be used to fight censorship or for internal networking. The ability to bring one’s own domain is crucial because any public domain that fights censorship may be easily censored, but if a user brings his own domain which we use secretly, then it can’t be revealed and blacklisted.
  2. I’m a big site being censored. I create a service on Cloudflare which allows users to bring their own domains and create mirrors of my site on them by proxying requests via Cloudflare Workers. Mirrors are used privately or may be shared with others if so desired.

Both use cases deal with fighting censorship, and censorship being abused in bad hands is a problem in some countries.

1 Like

I was going to mention the API as well, @judge, but the problem there is that Cloudflare limits the amount of DNS records per domain. A wildcard would point every possible combination; individual subdomains would be eating away at the domain’s quota.

See https://support.cloudflare.com/hc/en-us/articles/360017421192-Cloudflare-DNS-FAQ#CloudflareDNSFAQ-HowmanyDNSrecordscanIhaveperdomain

1 Like

Cloudflare is still a business, and choosing to require Enterprise to use proxied wildcards was a business decision ¯\_(ツ)_/¯

As for the limit, this was discussed extensively here https://community.Cloudflare.com/t/new-dns-records-number-limit/68012/22?u=judge

I understand this.

Was simply noting why the API would not be the ideal route once the project reached a certain size.

1 Like

Seems like that’s not true any more; big news for me, I wonder how I managed to skip the announcement.
So out of the two problems discussed here: 1) proxied wildcard subdomains and 2) the ability to bring many domains via the API – only the first remains unresolved.

1 Like

The resolution:

I understand you want to get more profit for your services, but isn’t getting a wildcard certificate an easy task that requires few resources? And then the price for proxying wildcard subdomains can be calculated based on the number of requests served.

1 Like

:wave: @ilyaigpetrov,

@Judge doesn’t work for :logo: and has no influence over their pricing decisions. Cloudflare provides both a root domain and a wildcard certificate. What it doesn’t provide (except on enterprise plans) is support for proxying of a wildcard DNS record through their service.

How many individual records have you added so far? At your current rate of growth how long until you hit the maximum number of records for your particular plan type?

-OG

1 Like

The problem is that I want to serve responses for subdomains that I don’t know beforehand. E.g., imagine a chat/forum server where each subdomain is a room/channel/forum topic. It’s just an example, not a real project.

UPD: ok, maybe it’s fine to have some installation process which creates a subdomain as forum topic. And after installation it can be proxied via CF.

UPD2: Another example – each subdomain is a search result for that subdomain as a search term.

1 Like

I would also like to explain how wildcard subdomains may be used to mitigate censorship.

  1. Russian providers are obliged to censor exact domains/subdomains and sometimes their IPs (or IP ranges).
  2. If a provider blocks one subdomain, it shouldn’t block other subdomains. I don’t know the details, but it may be illegal to block subdomains that are not in the official blacklist registry.
  3. E.g., we use a subdomain name which is not known beforehand to show search results using the subdomain name as a search keyword. And we want to use CF Workers, so we need the orange cloud.
  4. If some subdomain as a search keyword returns something offending Mr. Putin (it’s illegal in Russia to offend Putin or his government), then it gets blocked, but our whole search engine mounted on the second-level domain mustn’t be blocked because it’s not in the blacklist.

The benefit of this approach: while some subdomains are blacklisted other subdomains continue to work.

UPD: I’m not sure if offending Mr. Putin may be the cause of censorship, but for sure I’ve heard about people getting fined for this kind of crime.

Another example where you want proxied/orange wildcard subdomains.
kasparov.ru is a political site blocked in Russia.
You want kasparov.ru.anticensority.cf to use CF workers as a proxy to retrieve kasparov.ru response, cache it and serve to users in some format. The idea should work for other blocked sites as subdomains so the wildcard is needed.

:wave: @ilyaigpetrov,

The scenario you just described is a violation of Cloudflare’s Terms of Service so you’ll want to build such a solution on another platform.

-OG

You can’t use CF for illegal activity, but kasparov.ru is illegal only in Russia, not in the USA. Do the CF Terms of Service target only the USA or all countries where their platform is located (including Russia, e.g.)?

For one, that solution wouldn’t work with HTTPS since wildcard SSL can’t cover two-level down subdomains.

As for the TOS: the only thing is general Intellectual Property:

you will not use the Cloud Services to […] (b) post, transmit, store or link to any files, materials, data, text, audio, video, images or other content that infringe on any person’s intellectual property rights or that are otherwise unlawful; […]

The issue with a service like you describe is that it would make Cloudflare a “forward proxy”, something CF is not in the business of doing (otherwise they would provide official forward proxy services).
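The HTTPS objection in the post above (“wildcard SSL can’t cover two-level down subdomains”) follows from the name-matching rule for certificates: a `*` in a certificate name stands for exactly one leftmost DNS label and never matches a dot. The following is an added example, not code from the thread, that implements that rule (RFC 6125, section 6.4.3) and applies it to the hostnames used in the discussion; the certificate names are constructed to mirror the root-plus-wildcard pair the thread says Cloudflare issues. Rejecting a wildcard whose suffix is a single label (like `*.cf`) is a conservative choice of this example, not something the thread states.

```python
"""Does a certificate name (possibly a wildcard) cover a hostname?

Added example, not from the thread. Implements the single-label wildcard
rule from RFC 6125 6.4.3: '*' matches one leftmost label and no dots.
Hostnames below come from the thread; certificate names are constructed.
"""


def _normalize(name: str) -> str:
    """Lower-case and drop any trailing dot so comparisons are uniform."""
    return name.strip().rstrip(".").lower()


def cert_name_matches(cert_name: str, hostname: str) -> bool:
    """True if cert_name (exact or '*.' wildcard) is valid for hostname."""
    cert_name, hostname = _normalize(cert_name), _normalize(hostname)
    if "*" in hostname or not hostname:
        return False  # a hostname never contains a wildcard
    if not cert_name.startswith("*."):
        return cert_name == hostname  # non-wildcard names match exactly
    suffix = cert_name[2:]
    # Only one wildcard, only in the leftmost label, and the suffix must
    # itself have at least two labels (so '*.cf' is refused; an assumption).
    if "*" in suffix or suffix.count(".") < 1:
        return False
    host_labels = hostname.split(".")
    suffix_labels = suffix.split(".")
    # The hostname must be exactly one label followed by the suffix: the '*'
    # never spans a dot, so 'a.b.example.com' is NOT covered by '*.example.com'.
    return len(host_labels) == len(suffix_labels) + 1 and host_labels[1:] == suffix_labels


def covering_name(cert_names, hostname: str):
    """Return the first certificate name that covers hostname, or None."""
    for name in cert_names:
        if cert_name_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # Constructed: the root + wildcard pair a zone's certificate typically carries.
    cert = ["anticensority.cf", "*.anticensority.cf"]
    for host in ["anticensority.cf", "ru.anticensority.cf", "kasparov.ru.anticensority.cf"]:
        print(f"{host:35} covered by: {covering_name(cert, host)}")
```

The last line of the run shows the point of the objection: `kasparov.ru.anticensority.cf` has two labels in front of the zone, so neither name on the certificate covers it and a browser would refuse the connection. Serving every blocked site as its own label (one level deep) would fit the wildcard, but that changes the naming scheme the post proposed.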