Wildcard DNS Entries For Free

Well, technically they can, one only needs to dig a bit deeper into his pockets :wink:

But yes, I did miss the worker bit.


The wildcard info message in the DNS settings page currently says (emphasis mine):

Wildcards may be added to DNS, but only Enterprise customers can proxy wildcards through the CDN…

And according to Cloudflare support, the enterprise plan starts at $5,000 per month ($60,000 annually).

That’s not “dig a bit deeper into [your] pockets”, that’s well into “completely empty your pockets” territory (for anyone that isn’t actually an enterprise).

So while I could kind of understand it if this were a feature of the Pro ($20/mo) plan, right now it’s extremely cost-prohibitive for developers / personal users (and probably many small businesses too), especially when AWS Route 53 includes it (for no extra cost, which ends up being about $1/mo for a small site).

Chances are you don’t need a proxied wildcard entry unless you’re doing SaaS or giving out subdomains, things which aren’t common for anyone other than businesses with millions in revenue that can afford Cloudflare Enterprise.

If you’re, as you said, a “developer” or “personal user”, then you could probably take the time to automatically add the desired DNS subdomains using the API when needed.
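As an added example (not code from the thread or from Cloudflare), this is the shape that "add the subdomain through the API when needed" takes: one proxied CNAME per subdomain, created idempotently through the v4 DNS records endpoint. The zone id, API token, zone name and target host are placeholders; the label check at the top is there because the label usually comes from a user.

```javascript
// Added example, not code from the thread: provision one proxied subdomain
// record through the Cloudflare v4 DNS API, as a substitute for a proxied
// wildcard. Assumed inputs: an API token scoped to DNS edits on the zone and
// the zone id; the zone name and target host below are placeholders.
const API_BASE = "https://api.cloudflare.com/client/v4";

// Reject anything that is not a single DNS label before it reaches the API
// (a user-chosen name must not be able to smuggle in extra labels or a full domain).
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;
function isValidLabel(label) {
  return LABEL_RE.test(label);
}

function authHeaders(token) {
  return { Authorization: `Bearer ${token}` };
}

// GET /zones/{zone}/dns_records?name=<fqdn>: look for an existing record first.
function buildListRequest(zoneId, fqdn, token) {
  const url = new URL(`${API_BASE}/zones/${zoneId}/dns_records`);
  url.searchParams.set("name", fqdn);
  return { url: url.toString(), init: { method: "GET", headers: authHeaders(token) } };
}

// POST (create) or PUT (update) a proxied CNAME; an existingId selects PUT.
function buildWriteRequest(zoneId, desired, token, existingId) {
  const base = `${API_BASE}/zones/${zoneId}/dns_records`;
  return {
    url: existingId ? `${base}/${existingId}` : base,
    init: {
      method: existingId ? "PUT" : "POST",
      headers: { ...authHeaders(token), "Content-Type": "application/json" },
      body: JSON.stringify({
        type: "CNAME",
        name: desired.name,
        content: desired.target,
        ttl: 1,        // 1 = "automatic", the TTL proxied records use
        proxied: true, // orange cloud, so Workers can run in front of the name
      }),
    },
  };
}

// Given the records the list call returned, decide: create, update or nothing.
function planWrite(existing, desired) {
  const match = existing.find((r) => r.type === "CNAME" && r.name === desired.name);
  if (!match) return { action: "create" };
  if (match.content === desired.target && match.proxied === true) {
    return { action: "noop", id: match.id };
  }
  return { action: "update", id: match.id };
}

// Orchestrate list -> plan -> write. fetchImpl is injectable so the flow can be
// exercised against a fake transport without network access.
async function ensureProxiedSubdomain({ zoneId, zoneName, label, target, token }, fetchImpl = fetch) {
  if (!isValidLabel(label)) throw new Error(`invalid label: ${label}`);
  const desired = { name: `${label}.${zoneName}`.toLowerCase(), target };
  const list = buildListRequest(zoneId, desired.name, token);
  const listed = await (await fetchImpl(list.url, list.init)).json();
  if (!listed.success) throw new Error(`list failed: ${JSON.stringify(listed.errors)}`);
  const plan = planWrite(listed.result, desired);
  if (plan.action === "noop") return plan;
  const write = buildWriteRequest(zoneId, desired, token, plan.id);
  const written = await (await fetchImpl(write.url, write.init)).json();
  if (!written.success) throw new Error(`${plan.action} failed: ${JSON.stringify(written.errors)}`);
  return { action: plan.action, id: written.result.id };
}

// Example call with placeholders:
//   await ensureProxiedSubdomain({ zoneId: "<zone id>", zoneName: "example.com",
//     label: "app1", target: "origin.example.com", token: process.env.CF_API_TOKEN });
```

The list-then-write step matters in practice: re-running a provisioning job must not pile up duplicate records, and every record created this way counts against the per-zone record quota that a later reply in this thread brings up.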


Here are two ideas that require bringing your own domain to fight censorship:

  1. A user brings his own domain, from which we serve text files which may be personalized based on a user token supplied by the client/user. Personalization is done via Cloudflare Workers (with KV) on the edge. These text files may be PAC scripts constructed according to client preferences. PAC scripts may be used to fight censorship or for internal networking. The ability to bring your own domain is crucial because any public domain that fights censorship may be easily censored, but if a user brings his own domain, which we use secretly, then it can’t be revealed and blacklisted.
  2. I’m a big site being censored. I create a service on Cloudflare which allows users to bring their own domains and create mirrors of my site on them by proxying requests via Cloudflare Workers. Mirrors are used privately or may be shared with others if so desired.

Both use cases deal with fighting censorship, and censorship being abused in bad hands is a problem in some countries.

1 Like
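Idea 1 above (a Worker on a user-supplied domain serving a PAC script personalised by token), as an added example that is not part of the original post: the handler reads preferences from a KV binding and emits the PAC text. The binding name `PREFS`, the `/pac/<token>` path, the preference shape and the sample preferences are all assumptions constructed for illustration. Because a PAC script is JavaScript that the browser executes, every stored value is emitted as a JSON string literal rather than spliced in raw; `evaluatePac` is a dry-run helper so the generated script can be tested without a browser.

```javascript
// Added example, not code from the thread: a Workers handler on a user-supplied
// domain that serves a PAC script built from per-token preferences held in KV.
// The KV binding name (PREFS), the /pac/<token> path and the preference shape
// are assumptions; the sample preferences are constructed for illustration.

// Opaque tokens only: 32 hex chars, so the path cannot be used to probe KV keys.
const TOKEN_RE = /^\/pac\/([0-9a-f]{32})$/;
function tokenFromPath(pathname) {
  const m = TOKEN_RE.exec(pathname);
  return m ? m[1] : null;
}

// A PAC script is JavaScript the browser executes, so every value that comes
// from stored preferences is emitted as a JSON string literal, never raw.
const PROXY_RE = /^[A-Za-z0-9.-]+:\d{1,5}$/;
function buildPac(prefs) {
  if (!PROXY_RE.test(prefs.proxy)) throw new Error("proxy must be host:port");
  const lit = (s) => JSON.stringify(String(s));
  const out = ["function FindProxyForURL(url, host) {"];
  for (const p of prefs.direct || []) {
    out.push(`  if (shExpMatch(host, ${lit(p)})) return "DIRECT";`);
  }
  for (const p of prefs.proxied || []) {
    out.push(`  if (shExpMatch(host, ${lit(p)})) return ${lit("PROXY " + prefs.proxy)};`);
  }
  out.push(`  return ${lit(prefs.fallback === "proxy" ? "PROXY " + prefs.proxy : "DIRECT")};`);
  out.push("}");
  return out.join("\n");
}

// Workers entry point: wire as `export default { fetch: handlePacRequest }`.
// env.PREFS is assumed to be a KV namespace mapping token -> JSON preferences.
async function handlePacRequest(request, env) {
  const token = tokenFromPath(new URL(request.url).pathname);
  if (!token) return new Response("not found", { status: 404 });
  const raw = await env.PREFS.get(token);
  if (raw === null) return new Response("not found", { status: 404 }); // same answer as a bad path
  const pac = buildPac(JSON.parse(raw));
  return new Response(pac, {
    headers: {
      "Content-Type": "application/x-ns-proxy-autoconfig",
      "Cache-Control": "private, no-store", // personalised: never let the edge cache it
    },
  });
}

// Dry-run helper: evaluate the generated PAC for a host with a minimal
// shExpMatch (the browser's built-in supports the same * and ? globbing).
function evaluatePac(pacText, host) {
  const shExpMatch = (s, pattern) => {
    const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp("^" + escaped + "$").test(s);
  };
  const fn = new Function("shExpMatch", pacText + "\nreturn FindProxyForURL;")(shExpMatch);
  return fn("http://" + host + "/", host);
}

// Constructed sample preferences for one token.
const SAMPLE_PREFS = {
  proxy: "proxy.example.net:3128",
  direct: ["*.internal.example", "localhost"],
  proxied: ["blocked-site.example", "*.blocked-site.example"],
  fallback: "direct",
};
```

Two design points carry the security weight here: an unknown token gets the same 404 as a malformed path, so the endpoint does not confirm which tokens exist, and the response is marked `private, no-store` so a personalised script is never served from the edge cache to another client.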

I was going to mention the API as well, @judge, but the problem there is that Cloudflare limits the number of DNS records per domain. A wildcard would cover every possible combination; individual subdomains would eat away at the domain’s quota.

See https://support.cloudflare.com/hc/en-us/articles/360017421192-Cloudflare-DNS-FAQ#CloudflareDNSFAQ-HowmanyDNSrecordscanIhaveperdomain

1 Like

Cloudflare is still a business, and choosing to require Enterprise to use proxied wildcards was a business decision ¯\_(ツ)_/¯

As for the limit, this was discussed extensively here: New dns records number limit?

I understand this.

Was simply noting why the API would not be the ideal route once the project reached a certain size.

1 Like

It seems that is not true any more; big news for me, I wonder how I managed to miss the announcement.
So of the two problems discussed here, 1) proxied wildcard subdomains and 2) the ability to bring many domains via the API, only the first remains unresolved.

1 Like

The resolution:

I understand you want to get more profit from your services, but isn’t getting a wildcard certificate an easy task that requires few resources? And then the price for proxying wildcard subdomains could be calculated based on the number of requests served.

1 Like

:wave: @ilyaigpetrov,

@Judge doesn’t work for Cloudflare and has no influence over their pricing decisions. Cloudflare provides both a root domain and a wildcard certificate. What it doesn’t provide (except on Enterprise plans) is support for proxying a wildcard DNS record through their service.

How many individual records have you added so far? At your current rate of growth how long until you hit the maximum number of records for your particular plan type?


1 Like

The problem is that I want to serve responses for subdomains that I don’t know beforehand. E.g., imagine a chat/forum server where each subdomain is a room/channel/forum topic. It’s just an example, not a real project.

UPD: OK, maybe it’s fine to have some installation process which creates a subdomain as a forum topic. And after installation it can be proxied via CF.

UPD2: Another example: each subdomain is a search result for that subdomain used as a search term.

1 Like

I would also like to explain how wildcard subdomains may be used to mitigate censorship.

  1. Russian providers are obliged to censor exact domains/subdomains and sometimes their IPs (or IP ranges).
  2. If a provider blocks one subdomain, he shouldn’t block other subdomains. I don’t know the details, but it may be illegal to block subdomains that are not in the official blacklist registry.
  3. E.g., we use a subdomain name which is not known beforehand to show search results, using the subdomain name as a search keyword. And we want to use CF Workers, so we need the orange cloud.
  4. If some subdomain used as a search keyword returns something offending Mr. Putin (it’s illegal in Russia to offend Putin or his government), then it gets blocked, but our whole search engine mounted on the second-level domain mustn’t be blocked because it’s not in the blacklist.

The benefit of this approach: while some subdomains are blacklisted other subdomains continue to work.

UPD: I’m not sure if offending Mr. Putin may be the cause of censorship, but I have certainly heard about people being fined for this kind of crime.

Another example where you want proxied/orange wildcard subdomains.
kasparov.ru is a political site blocked in Russia.
You want kasparov.ru.anticensority.cf to use CF Workers as a proxy to retrieve the kasparov.ru response, cache it and serve it to users in some format. The idea should work for other blocked sites as subdomains, so the wildcard is needed.

:wave: @ilyaigpetrov,

The scenario you just described is a violation of Cloudflare’s Terms of Service so you’ll want to build such a solution on another platform.


You can’t use CF for illegal activity, but kasparov.ru is illegal only in Russia, not in the USA. Do CF’s Terms of Service target only the USA or all countries where their platform is located (including Russia, e.g.)?

For one, that solution wouldn’t work with HTTPS, since a wildcard SSL certificate can’t cover subdomains two levels down.

As for the TOS: the only thing is general Intellectual Property:

you will not use the Cloud Services to […] (b) post, transmit, store or link to any files, materials, data, text, audio, video, images or other content that infringe on any person’s intellectual property rights or that are otherwise unlawful; […]

The issue with a service like you describe is that it would make Cloudflare a “forward proxy”, something CF is not in the business of doing (otherwise they would offer official forward proxy services).

See Warp, a VPN by CF.

Warp will allow a user to connect to a VPN endpoint at the POP closest to them. It will not hide the user’s IP address, nor will it allow a user to connect to a POP in an alternate geo to bypass/circumvent content restrictions by private entities or governmental controls.

The scenario described above is Domain Fronting, which Cloudflare does not support except in limited scenarios for Enterprise customers to other domains they control and manage (and if they attempt to abuse that, they are subject to termination for violation of our ToS). Using Workers, it is not possible to change the Host headers being sent, in order to prevent just this type of activity. Whatever governmental controls are put in place to block specific content in their country/region are the business of that government and the citizens therein. Cloudflare provides DDoS mitigation and security services to prevent a bad actor (state or otherwise) from knocking a site offline, not to provide an avenue to bypass content controls.
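The earlier reply's point that a wildcard certificate cannot cover a name two levels down, as an added example that is not part of the thread: this is the name-matching rule a TLS client applies to a certificate's DNS names (RFC 6125 section 6.4.3 as commonly enforced), where `*` stands for exactly one whole label in the left-most position. The certificate names and hostnames are constructed for illustration; the pair of SAN entries mirrors what a typical apex-plus-wildcard certificate carries.

```javascript
// Added example, not code from the thread: the hostname check a TLS client
// applies to a certificate's DNS names. A "*" matches exactly one whole label
// and only in the left-most position, so "*.example.com" covers
// "www.example.com" but not "a.b.example.com".
function labelsOf(name) {
  return name.toLowerCase().replace(/\.$/, "").split(".");
}

function matchesCertName(certName, hostname) {
  const c = labelsOf(certName);
  const h = labelsOf(hostname);
  if (c.length !== h.length) return false;   // a wildcard never spans extra labels
  const wild = c.findIndex((label) => label.includes("*"));
  if (wild === -1) return c.every((label, i) => label === h[i]); // plain name: exact match
  // Only a left-most, whole-label "*"; partial ("w*") and inner wildcards are rejected.
  if (wild !== 0 || c[0] !== "*" || c.slice(1).some((label) => label.includes("*"))) return false;
  if (c.length < 3) return false;            // "*.cf" would cover a whole TLD; refuse it
  return c.slice(1).every((label, i) => label === h[i + 1]);
}

// Does any of the certificate's SAN dNSName entries cover this hostname?
function hostnameCoveredBy(sanDnsNames, hostname) {
  return sanDnsNames.some((n) => matchesCertName(n, hostname));
}

// Constructed: the two names an apex-plus-wildcard certificate typically carries.
const CERT_SANS = ["anticensority.cf", "*.anticensority.cf"];
```

Run against `CERT_SANS`, `www.anticensority.cf` is covered and `kasparov.ru.anticensority.cf` is not; covering the deeper level would need a separate `*.ru.anticensority.cf` entry (and one per blocked site's TLD), which is why a one-level wildcard certificate does not fit that design.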


I’m pretty sure this is on-topic, but apologies if it isn’t (DNS stuff isn’t my forte): I have an application that’s a bit like codepen.io/jsbin.com in that it allows users to write code and publish it. Currently it gets published on sandbox.website.com/their-project-name. This is obviously a big problem because this means that all of the webpages share the same origin and thus the same localStorage, etc. I’d like to use Cloudflare workers as an intelligent cache layer, but also, ideally, as a way to implement a subdomain for each project like so: their-project-name.website.com. Am I right in understanding that this is not possible on the Cloudflare free plan? Cloudflare is a business, of course, but I like CloudFront’s “pay only for what you use” approach where even the “little people” have a chance at using the cool tools and you just pay more as you scale. But I guess it’s just a different approach.
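The per-project subdomain layout described in the post above, as an added example that is not part of the thread: a Workers fetch handler that maps `<project>.website.com` onto the existing `sandbox.website.com/<project>/` path so each project gets its own origin (and therefore its own localStorage). The zone name, sandbox origin and reserved labels are assumptions. The same shape serves the earlier "subdomain as chat room" and "subdomain as search keyword" ideas in this thread; only the mapping from label to upstream URL changes. As the thread notes, the proxied wildcard this relies on is an Enterprise feature, so on other plans each label also needs its own proxied DNS record.

```javascript
// Added example, not code from the thread: a Workers fetch handler that gives
// each published project its own subdomain (<project>.website.com) by rewriting
// requests onto the existing path layout (sandbox.website.com/<project>/...),
// so projects no longer share one origin. website.com, sandbox.website.com and
// the reserved labels are assumptions.
const ZONE = "website.com";
const SANDBOX_ORIGIN = "https://sandbox.website.com";
const RESERVED = new Set(["www", "sandbox", "api"]);
// One DNS label: letters, digits, inner hyphens, 63 chars max (no dots).
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Project label for a Host value, or null if this is not a project subdomain.
function projectFromHost(host) {
  const h = host.toLowerCase().split(":")[0];
  if (!h.endsWith("." + ZONE)) return null;              // also rejects look-alike suffixes
  const label = h.slice(0, -(ZONE.length + 1));
  if (RESERVED.has(label) || !LABEL_RE.test(label)) return null; // LABEL_RE rejects "a.b"
  return label;
}

// Upstream URL for an incoming request URL, or null when no project matches.
// The URL parser has already resolved "." and ".." segments (including their
// %2e encodings), so the path cannot climb out of the project prefix.
function rewriteUrl(input) {
  const u = new URL(input);
  const project = projectFromHost(u.host);
  if (project === null) return null;
  return `${SANDBOX_ORIGIN}/${project}${u.pathname}${u.search}`;
}

// Worker entry point: wire as `export default { fetch: handleRequest }`.
async function handleRequest(request) {
  const upstream = rewriteUrl(request.url);
  if (upstream === null) return new Response("not found", { status: 404 });
  const resp = await fetch(upstream, request);
  const headers = new Headers(resp.headers);
  // Sibling subdomains still share cookies scoped to the parent domain, so
  // drop any Set-Cookie coming from user content; also stop MIME sniffing.
  headers.delete("Set-Cookie");
  headers.set("X-Content-Type-Options", "nosniff");
  headers.set("Referrer-Policy", "no-referrer");
  return new Response(resp.body, { status: resp.status, headers });
}
```

One caveat a practitioner would want: separate subdomains isolate localStorage and the same-origin policy, but a cookie set with `Domain=website.com` is still visible to every sibling, which is why the handler strips `Set-Cookie` from user content; sites that host untrusted content on subdomains commonly put the parent domain on the Public Suffix List to close that gap as well.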