Wildcard domains


We have a SaaS platform. Our marketing page is a WP site on the main domain www.domainname and is hosted at Kinsta. Our application is hosted on Linode at app.domainname. Each of our clients has their own subdomain like biz1.domainname and biz2.domainname. We have thousands and thousands of these subdomain pages.

When I did the scan to connect my nameservers… I saw a message that said "Wildcards may be added to DNS, but only Enterprise customers can proxy wildcards through the CDN. To use the CDN at your plan level, you must add specific records". I am really not sure if this is a problem or not…

But I spoke to a sales person and he said it would be fine. Of course I am worried that we move the NS and then have a major outage… so I am trying to understand what the options are, and make sure that I am setting it up properly.

The goal is to continue pointing www.domainname and domainname to the Kinsta IP, and the wildcard *.domainname.com to the Linode server.

Will this work? Is there anything we need to consider?




For your question, do you plan to take advantage of Cloudflare features like caching, DDoS mitigation, etc.?

If your upstream provider says that it's fine that that message shows up, then they probably have their own solutions for DDoS mitigation, caching, etc., and you should be good.



It sounds like you want to put Cloudflare full services in front of your Kinsta website, but want an easy wildcard DNS solution.

What you’ll end up with is DNS that works for all those subdomains, and they’ll be reachable, but they won’t get Cloudflare caching or DDoS protection. And Linode is a very basic server setup with no frills in front of it, such as DDoS protection.

Is that ok?



Right now we have customers all over the world, but servers in Texas with a load balancer. The plan is to move one server to Tokyo and then use Cloudflare to send customers that are closer to Tokyo there, and then send the people closer to Texas to our Texas servers. And theoretically we will do that in a few different regions. So instead of load balancing, we will use Anycast to reduce the latency and boost the response times.

Our customers will all be using app.domainname to access their accounts, etc… but our customers' customers… they will be using the other subdomains like biz1.domainname, so it is really important that all subdomains are able to use Anycast… Caching is primarily important for app.domainname… the other pages don't need it as much.

Any suggestions?



I called in and spoke to a sales person for Cloudflare… he said it was fine… but I'm not sure that he really knew all of the details and repercussions for being wrong :slight_smile: He was helpful, but I didn't get a feeling of certainty from him. Linode did recommend Cloudflare too, but they also don't know the exact use case… so I'm a little hesitant on pulling the trigger.



To clarify…unless you’re an Enterprise customer that can proxy wildcard DNS, you’re not getting anything other than great DNS service. Your visitors will go straight to your Linode’s IP address with no geographic routing. And no Anycast.

To be amazing, you’d need to craft a script to use Cloudflare’s API to automatically add those subdomain records to DNS and proxy them.




So to confirm & add on to the thoughts from @Judge and @sdayman

Yes :orange: wildcard records are an Enterprise only feature. Honestly it’s a bit of an arbitrary feature to require ENT for, but we also give unlimited DDoS mitigation to our free plans so the arbitrary nature of our features sort of cuts both ways. :slight_smile:

To echo @sdayman, you will probably want to script adding zones individually (or export them into a BIND format and do a mass import to begin). And it will simplify things long term if you script adding a new host record for a customer as you sign them up to your service.

To do the type of geo-routing you’re describing with regards to origin you would still need a load balancer. It would make sense to use Cloudflare’s load balancer for that so that we can route them based on the edge colo they connect to.

Depending on the type of SaaS service you might also look at https://www.cloudflare.com/ssl-for-saas-providers/ which is an ENT only offering… I work with a number of SaaS providers who have implemented it. May not be necessary in your use case, but thought I’d throw it out there.

Having worked for/helped build a few SaaS products, I can tell you that in general, explicit definitions rather than relying on wildcards or other internal code mechanisms to treat all customers the same is generally better in the long run. It may mean a little more work on feature A that never proves to be really necessary, but that pales in comparison to the level of effort that can sometimes be required to retrofit customer identification/differentiation into an application pipeline.
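An added example (not posted by anyone in this thread) of the per-customer provisioning script that @sdayman and the reply above describe: it validates the tenant-supplied label, builds a proxied A record, and calls the Cloudflare v4 DNS records API idempotently so re-running signup does not duplicate records. The zone id, API token, zone name and origin IP are placeholders you must supply; the `request` parameter exists so the HTTP call can be swapped out in tests.

```python
"""Provision one explicit, proxied Cloudflare A record per tenant subdomain.

Assumed workflow: called from the signup pipeline so each new customer gets
its own proxied record (CDN/DDoS coverage on any plan) instead of relying
on a wildcard, which is only proxied on Enterprise.
"""
import json
import re
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"
# One DNS label: 1-63 chars of a-z, 0-9 and '-', not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def validate_label(label: str) -> str:
    """Reject tenant-supplied names that are not a single safe DNS label."""
    label = label.strip().lower()
    if not LABEL_RE.match(label):
        raise ValueError(f"invalid subdomain label: {label!r}")
    return label


def build_record(label: str, zone_name: str, origin_ip: str) -> dict:
    """Body for POST /zones/{zone_id}/dns_records: an A record proxied by Cloudflare."""
    return {
        "type": "A",
        "name": f"{validate_label(label)}.{zone_name}",
        "content": origin_ip,
        "ttl": 1,         # 1 = automatic; proxied records must use it
        "proxied": True,  # per-record proxying is what gets caching/DDoS on non-ENT plans
    }


def cf_request(method: str, path: str, token: str, body=None) -> dict:
    """Minimal authenticated call to the Cloudflare v4 API (stdlib only)."""
    req = urllib.request.Request(
        f"{CF_API}{path}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def provision(label, zone_id, zone_name, origin_ip, token, request=cf_request):
    """Idempotent: return the existing record for this name, or create it."""
    record = build_record(label, zone_name, origin_ip)
    existing = request("GET", f"/zones/{zone_id}/dns_records?name={record['name']}", token)
    if existing.get("result"):
        return existing["result"][0]
    created = request("POST", f"/zones/{zone_id}/dns_records", token, record)
    if not created.get("success"):
        raise RuntimeError(f"Cloudflare API error: {created.get('errors')}")
    return created["result"]
```

Run it with a token scoped to DNS edit on that one zone only; the placeholder zone id is returned by GET /zones?name=domainname.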

