
Wildcard DNS: a beginner's guide

Detect wildcard DNS configuration

EdgeDNS Team · 8 min read

Wildcard DNS records: the catch-all that catches more than you meant

A wildcard DNS record is a DNS entry written with an asterisk in place of the subdomain — for example, `*.example.com → 203.0.113.10`. The asterisk means "any subdomain that doesn't have an explicit record matches this one." So with a single wildcard A record, a request for `anything.example.com`, `random.example.com`, or `marketing-test-2025.example.com` will all return the same IP address, without you having to create individual records for each one. Wildcards are a powerful and convenient feature of DNS, and they are also one of the easier features to use in ways you didn't intend.

You should care because a wildcard record can quietly mask misconfigurations and even leak information. If you set up a wildcard pointing to your main web server, then every typo and every test subdomain will resolve — which can hide bugs, expose internal tools that were never meant to be public, and confuse customers who hit a typo'd subdomain that appears to work but actually serves the wrong content. Multi-tenant SaaS platforms often deliberately use wildcards (so every customer gets a subdomain like `customer-name.example.com` automatically), but the same setup on a regular website can create surprises.

The five things every wildcard check looks at:

  • Does a wildcard record exist? The first question is simply whether there is one — many domains have wildcards they don't remember setting up.

  • What does the wildcard point at? Pointing at the main production server is a common (and risky) default; pointing at a dedicated landing page or a 404 host is safer.

  • Does the wildcard apply to all record types? A wildcard can be set for A, AAAA, CNAME, MX, TXT, and others. Some are more dangerous than others — a wildcard MX record, for example, means every made-up subdomain can also receive email.

  • Are there explicit records that override the wildcard? Explicit subdomains always win over the wildcard, so unintended exposures often come from gaps where the explicit record is missing.

  • Is the wildcard part of a multi-tenant strategy? If yes, that is intentional and good. If no, it is probably a leftover that should be removed.

Three questions a wildcard check answers:

  • Do I have a wildcard DNS record at all, and if so, what does it point to?

  • Is the wildcard exposing any internal tools or test environments by accident?

  • Should this wildcard exist, or is it a leftover from a forgotten experiment?

The cost of an unintended wildcard is silent exposure of things that were never meant to be public. The fix is simply to delete the wildcard or replace it with explicit records. The principle is the same as in any other configuration system: defaults should be conservative, and broad rules should be intentional.

The Wildcard DNS endpoint, in plain language

In one sentence: Detect wildcard [DNS (Domain Name System)](/guides/dns-lookup) configuration

Detects wildcard DNS (Domain Name System) configuration by testing for `*.domain` resolution. Per the official internet standard, wildcard records match only one label level — `*.example.com` matches `foo.example.com` but NOT `bar.foo.example.com`. This endpoint tests this distinction and analyzes security implications.

Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.

What is actually happening when you call it

Here's what's actually happening behind the scenes when you call this endpoint:

The endpoint queries two independent, cryptographically random subdomains and compares the responses. Wildcard DNS (Domain Name System) is confirmed only when both probes return matching records, which prevents false positives from DNS load balancers. It then determines the wildcard record type (A, AAAA, or CNAME (Canonical Name record)) and identifies the wildcard target.
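The two-probe method above, written out as an added example in Python (this is not EdgeDNS's own code). It runs against a small constructed in-memory zone instead of live DNS so it works offline; every record in `SAMPLE_ZONE` is hypothetical and `example-hosting.invalid` stands in for a third-party hosting provider. The detector builds the same fields the endpoint documents in its response (`has_wildcard`, `wildcard_type`, `wildcard_ips`, `wildcard_ipv6s`, `wildcard_cname_target`, `tested_subdomain`), and the `assess` helper adds two hygiene findings of my own: a wildcard CNAME pointing outside the zone (the takeover scenario in the use cases further down) and a wildcard that lands on the same address as the apex.

```python
"""Two-probe wildcard DNS detection (added example; not EdgeDNS code).

The resolver is an in-memory toy so the example runs offline. To use it on a
live domain, replace make_resolver() with a function that wraps a real
resolver library and returns the RDATA strings for (name, record type).
"""
import secrets
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]

# Constructed sample zone data (hypothetical records, not any real domain's).
# Key: (owner name, record type) -> list of RDATA strings.
# "example-hosting.invalid" stands in for a third-party hosting provider.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.com", "A"): ["203.0.113.10"],
    ("www.example.com", "A"): ["203.0.113.10"],
    ("mail.example.com", "A"): ["203.0.113.25"],
    ("*.example.com", "A"): ["203.0.113.10"],      # wildcard -> production server
    ("*.example.com", "AAAA"): ["2001:db8::10"],
    ("example.net", "A"): ["198.51.100.7"],
    ("shop.example.net", "CNAME"): ["shop-prod.example-hosting.invalid"],
    ("*.example.net", "CNAME"): ["tenant-sites.example-hosting.invalid"],
    ("example.org", "A"): ["192.0.2.1"],            # no wildcard at all
}


def make_resolver(zone: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Build resolve(name, rtype) over the toy zone.

    An explicit owner name always wins, even if it lacks the requested type;
    otherwise the wildcard directly under the name's parent is consulted. This
    models only a wildcard one label below the queried domain, which is all the
    detector below needs.
    """
    owners = {owner for owner, _ in zone}

    def resolve(name: str, rtype: str) -> List[str]:
        name = name.lower().rstrip(".")
        if name in owners:
            return list(zone.get((name, rtype), []))
        parent = name.split(".", 1)[1] if "." in name else ""
        return list(zone.get(("*." + parent, rtype), []))

    return resolve


def detect_wildcard(domain: str, resolve: Resolver, label_bytes: int = 16) -> dict:
    """Probe two random labels; confirm a wildcard only if both answer identically.

    Returns the field set the endpoint documents (has_wildcard, wildcard_type,
    wildcard_ips, wildcard_ipv6s, wildcard_cname_target, tested_subdomain).
    """
    # secrets.token_hex gives a label nobody could have registered on purpose.
    probes = [f"{secrets.token_hex(label_bytes)}.{domain}" for _ in range(2)]
    confirmed: Dict[str, List[str]] = {}
    for rtype in ("CNAME", "A", "AAAA"):
        first, second = (sorted(resolve(p, rtype)) for p in probes)
        # One random name resolving could be coincidence or a balancer quirk;
        # two independent names with identical answers is a wildcard.
        if first and first == second:
            confirmed[rtype] = first
    return {
        "domain": domain,
        "has_wildcard": bool(confirmed),
        "wildcard_type": next((t for t in ("CNAME", "A", "AAAA") if t in confirmed), None),
        "wildcard_ips": confirmed.get("A", []),
        "wildcard_ipv6s": confirmed.get("AAAA", []),
        "wildcard_cname_target": confirmed.get("CNAME", [None])[0],
        "tested_subdomain": probes[0],
    }


def assess(result: dict, resolve: Resolver) -> List[str]:
    """Hygiene findings for a detection result (heuristics added here, not endpoint output)."""
    findings: List[str] = []
    if not result["has_wildcard"]:
        return findings
    target = result["wildcard_cname_target"]
    if target and not target.endswith("." + result["domain"]):
        findings.append(
            "wildcard CNAME points outside the zone; if that provider account is "
            "deprovisioned, every subdomain without an explicit record is a takeover candidate"
        )
    apex = sorted(resolve(result["domain"], "A"))
    if result["wildcard_ips"] and result["wildcard_ips"] == apex:
        findings.append("wildcard resolves to the same address as the apex: every typo lands on the production server")
    return findings


if __name__ == "__main__":
    resolver = make_resolver(SAMPLE_ZONE)
    for d in ("example.com", "example.net", "example.org"):
        r = detect_wildcard(d, resolver)
        print(d, r["has_wildcard"], r["wildcard_type"], assess(r, resolver))
```

Answers are sorted before comparison so that round-robin ordering of the same record set does not defeat the match, and the toy resolver shows the override rule from the checklist above: `mail.example.com` has its own A record, so it never falls through to the wildcard, not even for AAAA.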

If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.

Why this specific tool matters

Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Wildcard DNS tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.

Wildcard DNS (Domain Name System) makes NXDOMAIN-based subdomain enumeration impossible, because every name resolves, and it can mask dangling CNAME (Canonical Name record) vulnerabilities. Understanding wildcard configuration is a prerequisite for accurate subdomain discovery, takeover detection, and proper certificate scoping.

Picture this in real life. Imagine a penetration tester. Here's the situation they're walking into: during reconnaissance, they need to detect whether wildcard DNS (Domain Name System) is in use, because that affects which subdomain enumeration techniques will work. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Wildcard DNS tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.

Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Wildcard DNS tool is built for you:

  • Is my domain pointing to the right place right now?

  • Did the DNS change I just made actually take effect everywhere in the world?

  • Is anything in my DNS misconfigured in a way that could break email or break the website?

You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.

Who gets the most out of this. Founders running their own infrastructure, marketers coordinating launches, IT admins inheriting domains from a former employee, and ops engineers troubleshooting live outages. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.

What happens if you skip this entirely. Skip it and you're flying blind on the one piece of config that decides whether your website and email work at all. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.

Info:

Available on the free plan. The technical details: `GET /v1/dns/wildcard`.

When would I actually use this?

If you're still on the fence about whether the Wildcard DNS tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a penetration tester, a security engineer, and a DNS administrator — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.

Story 1: Security Assessment

Imagine you're a penetration tester. During reconnaissance, you need to detect whether wildcard DNS (Domain Name System) is in use, because that affects which subdomain enumeration techniques will work.

Why it matters: Adjust subdomain discovery methodology based on wildcard detection.

Story 2: Subdomain Takeover Risk Assessment

Imagine you're a security engineer. Detect wildcard CNAME (Canonical Name record) configurations pointing to third-party services. If the service is deprovisioned, ALL subdomains without an explicit record become vulnerable to takeover.

Why it matters: Identify one of the most dangerous DNS (Domain Name System) misconfigurations before attackers exploit it.

Story 3: DNS Hygiene Audit

Imagine you're a DNS administrator. Audit domains for unintended wildcard configurations that could expose internal services.

Why it matters: Identify and remediate accidental wildcard DNS (Domain Name System) that increases attack surface.

Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Wildcard DNS tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:

  • Right before launching a new website or migrating to a new host.

  • After making any DNS change, to confirm the new settings are live everywhere.

  • When customers report that your site or email "just stopped working" out of nowhere.

  • As a recurring monthly health check to catch silent misconfigurations early.

If you can see yourself in even one of those bullets, the Wildcard DNS tool will pay for itself the first time you use it.

Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Wildcard DNS tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.

The easiest way: just ask your AI assistant

If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:

"Use the Wildcard DNS tool to check example.com and explain anything that looks wrong in plain language."

The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.

Tip:

MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.

The technical way: call it from code

If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.

```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/dns/wildcard?domain=example.com"
```

What you need to provide

There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.

| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| `domain` | string | Yes | The domain to check for wildcard DNS (Domain Name System) | `example.com` |

What you get back

When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.

| Field | Type | What you'll see in it |
|---|---|---|
| `domain` | string | The queried domain |
| `has_wildcard` | boolean | Whether wildcard DNS (Domain Name System) is detected |
| `wildcard_type` | string | The wildcard record type: A, AAAA, CNAME (Canonical Name record), or null |
| `wildcard_ips` | array | IPv4 (Internet Protocol version 4) addresses returned by wildcard resolution |
| `wildcard_ipv6s` | array | IPv6 (Internet Protocol version 6) addresses returned by wildcard resolution |
| `wildcard_cname_target` | string | CNAME (Canonical Name record) target if the wildcard is a CNAME record |
| `tested_subdomain` | string | Random subdomain used for wildcard detection |

Words you might be wondering about

If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.

DNS (Domain Name System) — The internet's address book. When you type a website name, DNS turns it into the actual numeric address computers use to find each other.

CNAME (Canonical Name record) — A DNS entry that says "this name is just an alias for that other name."

NXDOMAIN (non-existent domain response) — DNS-speak for 'this name doesn't exist.' If you query a typo of a real domain, you get an NXDOMAIN response.

RFC (Request for Comments) — The official internet standards documents. When someone says 'RFC 8484' they mean a specific numbered standards document — in that case, the one defining DNS over HTTPS.
