D. J. Bernstein
Internet publication

Notes on *.com wildcards

Suppose the dorkycomputers.com administrator sets up his DNS server so that, when it is asked about dorkycomputers.com, it lists your DNS server as the .com DNS server.

Of course, the dorkycomputers.com server is not authorized to provide information about .com. The .com information is poison. It is the responsibility of DNS caches around the Internet to discard poison. Properly functioning caches (for example, the BIND cache since 1997, and dnscache) will discard poison.

However, some caches around the Internet do not discard poison. For example, the Microsoft Windows 2000 DNS cache, in its default configuration, does not discard poison. These caches blindly accept what the dorkycomputers.com server says: namely, that your DNS server is the .com DNS server. They send all their subsequent .com queries to your server.
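The following is an added illustration, not part of Bernstein's note: the bailiwick check that a properly functioning cache applies to a response like the one described above, with constructed names, addresses and records. It also shows which server a careful cache and a naive cache would ask for aol.com after receiving that response.

```python
def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or lies below it (case-insensitive, trailing dot ignored)."""
    owner, zone = owner.rstrip(".").lower(), zone.rstrip(".").lower()
    # The leading dot stops "evildorkycomputers.com" from matching zone "dorkycomputers.com".
    return owner == zone or owner.endswith("." + zone)


def filter_response(zone: str, records):
    """Split a response from the server consulted for `zone` into (kept, discarded).
    Each record is (owner, type, rdata). Owners outside `zone` are poison."""
    kept, discarded = [], []
    for rec in records:
        (kept if in_bailiwick(rec[0], zone) else discarded).append(rec)
    return kept, discarded


def next_server(cached, qname: str):
    """Server a cache would ask for `qname`: the NS rdata of the longest cached
    zone enclosing qname, or None (the cache then falls back to its root hints)."""
    best = None
    for owner, rtype, rdata in cached:
        if rtype == "NS" and in_bailiwick(qname, owner):
            if best is None or len(owner.rstrip(".")) > len(best[0].rstrip(".")):
                best = (owner, rdata)
    return best[1] if best else None


# Constructed response from the dorkycomputers.com server: it answers the
# question but also claims, in its authority section, that "your" server is
# the .com name server. Names and addresses are made up for this example.
DORKY_RESPONSE = [
    ("www.dorkycomputers.com.", "A", "192.0.2.10"),
    ("dorkycomputers.com.", "NS", "ns1.dorkycomputers.com."),
    ("ns1.dorkycomputers.com.", "A", "192.0.2.1"),
    ("com.", "NS", "ns.your-dns-server.example."),         # poison
    ("ns.your-dns-server.example.", "A", "198.51.100.5"),  # glue for the poison
]

if __name__ == "__main__":
    kept, discarded = filter_response("dorkycomputers.com", DORKY_RESPONSE)
    print("discarded as poison:", [r[0] for r in discarded])
    # A cache that checks bailiwick learns nothing about .com from this server...
    print("careful cache asks for aol.com:", next_server(kept, "aol.com"))
    # ...while one that blindly accepts everything now sends all .com queries to you.
    print("naive cache asks for aol.com:", next_server(DORKY_RESPONSE, "aol.com"))
```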

Normally this means that these queries will fail. The site's users will receive error messages from their browsers when they try to reach aol.com and yahoo.com and so on. ``The Internet is broken,'' they will say. The unhappy Windows administrator will reboot his machine, flushing the poison.

However, suppose you have a *.com wildcard record pointing all .com names to your web page. The users trying aol.com and yahoo.com and so on will see your web page, and will conclude that you are an evil person trying to take over the Internet.

You might argue that the problem isn't your fault. But users have no idea that the poison comes from dorkycomputers.com. (The caches don't keep adequate logs.) Users also don't realize Microsoft's role in the incident. (Mixed UNIX/Windows shops usually have UNIX administrators eager to say ``The UNIX servers are working fine'' whenever Windows has a problem, but it's rare for a single site to have both a UNIX DNS cache and a Windows DNS cache.) What users see is your web page. So they blame you.

If this happens to enough users simultaneously then it will be big news. For example, it was widely reported in January 2001 that a DNS hosting company had ``hijacked'' yahoo.com and microsoft.com. All that the DNS hosting company had done wrong was setting up a *.com wildcard record. Microsoft had made a much larger mistake in the development of its DNS cache software, but Microsoft didn't receive any blame for the incident.

Bottom line: Don't publish incorrect DNS information. In particular, don't publish *.com wildcards. You may think that it's safe, because properly functioning caches will never see the incorrect information; but many caches on the Internet do not work properly.