Zero trust wildcard and application together

In my DNS I have a wildcard domain:

  1. *.tool.example.com
  2. monitoring.tool.example.com
  3. another.tool.example.com

DNS will find the closest match first which makes sense, so monitoring.tool.example.com will be a match and resolve the given address. But missing.tool.example.com will hit the wildcard route… All good.

Cloudflare Zero Trust / Access doesn't seem to work like this. So *.tool.example.com will always work with any domain. Is there a way to make access rules use the most specific rule and stop processing all subsequent rules?

I would like a catch all access rule for new apps, but apps with specific rules to be abided by.

So *.tool.example.com might be blocked by auth, but monitoring.tool.example.com might allow anyone on a given IP address.

This is how it works. I just added a wildcard record to check with a different auth provider than a more specific Access policy. A host which matched the wildcard record was met with the wildcard IdP and a host with the more specific policy was presented with the IdPs assigned to it.
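The behaviour the question asks for and the reply confirms, most specific application hostname wins over a wildcard, modelled as an added example (not Cloudflare's code or configuration): the hostnames are the thread's, the policy labels are constructed, and the wildcard is assumed to match a single label as a DNS wildcard would.

```python
"""Model of most-specific-hostname-wins application matching.

Added example, not Cloudflare's implementation. A request host is matched
against configured application hostnames (exact names and '*.' wildcards)
and the most specific match decides which policy applies.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class App:
    hostname: str  # exact name or wildcard such as "*.tool.example.com"
    policy: str    # constructed label for the policy/IdP attached to this app


def specificity(pattern: str) -> Tuple[int, int]:
    """Rank patterns: exact names beat wildcards, then more labels beat fewer."""
    return (0 if "*" in pattern else 1, pattern.count("."))


def host_matches(host: str, pattern: str) -> bool:
    """True when host is covered by pattern (case-insensitive, trailing dot ignored)."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        # Assumption of this model: the wildcard covers exactly one label,
        # so deep.x.tool.example.com is NOT matched by *.tool.example.com.
        suffix = pattern[1:]  # ".tool.example.com"
        if len(host) <= len(suffix) or not host.endswith(suffix):
            return False
        return "." not in host[: -len(suffix)]
    return host == pattern


def select_app(host: str, apps: List[App]) -> Optional[App]:
    """Return the most specific matching app, or None when nothing matches."""
    candidates = [a for a in apps if host_matches(host, a.hostname)]
    return max(candidates, key=lambda a: specificity(a.hostname)) if candidates else None


# Constructed configuration mirroring the hostnames in the thread.
APPS = [
    App("*.tool.example.com", "require-login"),
    App("monitoring.tool.example.com", "allow-office-ip"),
    App("another.tool.example.com", "require-login-other-idp"),
]


def policy_for(host: str, apps: List[App] = APPS) -> Optional[str]:
    """Policy label that applies to host, or None if no app covers it."""
    app = select_app(host, apps)
    return app.policy if app else None


if __name__ == "__main__":
    for h in ("monitoring.tool.example.com", "missing.tool.example.com", "deep.x.tool.example.com"):
        print(h, "->", policy_for(h))
```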