Wildcard DNS records let you point any (non‑explicit) subdomain of your domain to a destination, without creating each subdomain one by one. They’re especially useful for multi‑tenant apps (like customer1.example.com, customer2.example.com) or catch‑all subdomains (like preview links or short-lived environments).
This article explains how wildcard matching works, when it doesn’t apply, how to set up common wildcard records in HostBible, and how to troubleshoot the most common surprises.
Not covered here: changing/switching nameservers. If your domain isn’t using HostBible DNS, see our DNS Nameservers article.
What is wildcard DNS?
A wildcard DNS record uses an asterisk (*) to match subdomains that don’t have an explicit record.
Example:
A record for
*.example.comcan match:app.example.comcustomer-123.example.comanything.example.com
Wildcard DNS is a DNS feature—it does not create real “subdomain objects”. It simply tells resolvers where to go when someone asks for a name that isn’t explicitly defined.
How *.example.com matching really works
Wildcard matching has a few rules that explain most “why doesn’t this work?” cases.
1) Wildcards match one label at a time
*.example.com matches one-subdomain.example.com
It does not match two.levels.example.com (like a.b.example.com).
If you need that, you typically create an additional wildcard at the next level, such as *.b.example.com.
2) An explicit subdomain wins over the wildcard
If you create an explicit record for app.example.com, that name will use the explicit record—not the wildcard.
This is usually what you want (and it’s a great way to override a wildcard for specific subdomains like www, api, or mail).
3) Wildcards are name-based, not “fallback-per-record-type”
This is the most common pitfall.
If the DNS name exists at all, wildcard records typically won’t “fill in” missing record types for that same name.
Example scenario:
You have an explicit
app.example.comA record.You also have a wildcard
*.example.comTXT record.
If a service looks up a TXT record for app.example.com, the result may be “no TXT record” (often shown as NODATA), and the wildcard TXT might not be used—because app.example.com exists.
Takeaway: If a service requires a TXT record at an exact name (like app.example.com), add that TXT record explicitly.
4) Wildcards don’t match the root domain (example.com)
*.example.com does not cover:
example.com(the apex / root)Usually not
wwwunlesswwwis not defined (butwwwis a subdomain, so it can match—see rule #2)
If you want example.com to resolve, create separate records for the root (@ / apex) as needed.
When wildcard records are helpful
Multi-tenant apps (customer subdomains)
If your app assigns each customer a subdomain:
acme.example.comcontoso.example.com
A wildcard lets you route all tenants to the same load balancer, reverse proxy, or app entry point—then your application routes based on the hostname.
Catch-all subdomains (marketing, previews, short-lived links)
Examples:
preview-9382.example.comcampaign-spring.example.comstaging-anything.example.com
Wildcard DNS prevents you from having to create DNS entries for each one.
Development / ephemeral environments
Teams often use patterns like:
feature-branch-123.example.compr-456.example.com
A wildcard record supports this pattern cleanly—just make sure your app and SSL setup also support it (see note below).
When wildcard records don’t apply (or shouldn’t be used)
Mail and authentication records should be explicit
Wildcard DNS is not a substitute for mail and identity records.
Create these explicitly when needed:
MXrecords (mail routing)TXTrecords for SPF (v=spf1 ...)_dmarc.example.com(DMARC policy)DKIM selector records like
selector._domainkey.example.comAny provider verification record with underscores (often required exactly)
We don’t cover provider-specific mail setup here. The key rule is: mail/auth records should be explicit, not wildcarded.
Verification records usually need exact hostnames
Many services validate ownership using very specific names such as:
_acme-challenge.example.com(for DNS-based SSL validation)_service-verification.example.com
If verification fails, don’t assume the wildcard will apply—add the exact record name the service provides.
If you’re doing DNS validation for SSL, keep it simple here and refer to our SSL Certificates article for the deeper details.
Wildcards don’t “invent” deeper subdomains
*.example.com won’t catch a.b.example.com.
If your structure has multiple levels, you may need additional records like:
*.dev.example.com*.eu.example.com
HostBible wildcard record examples
Below are common wildcard record patterns in HostBible. In most DNS editors, the Name/Host field for a wildcard is either:
*(recommended in most control panels), or*.example.com(if the field requires a fully-qualified name)
If HostBible auto-appends your domain, enter * as the name and HostBible will apply it under your domain.
Wildcard A record (IPv4): point all subdomains to one IP
Use this when your destination is an IPv4 address.
Example
Type: A
Name/Host:
*Value:
203.0.113.10TTL: Default (or your preferred TTL)
What it does:
Any undefined subdomain (like anything.example.com) resolves to 203.0.113.10.
Wildcard AAAA record (IPv6): point all subdomains to one IPv6
Use this when your destination supports IPv6.
Example
Type: AAAA
Name/Host:
*Value:
2001:db8:abcd::10TTL: Default
Tip: You can use both A + AAAA wildcard records together if your service is dual-stack.
Wildcard CNAME record: point all subdomains to a hostname
Use this when your destination is another hostname (for example, a platform hostname or a traffic manager).
Example
Type: CNAME
Name/Host:
*Value/Target:
app.your-service.exampleTTL: Default
Important CNAME rules
A
CNAMErecord must point to a hostname, not an IP address.A
CNAMEgenerally cannot coexist with other record types at the exact same name.
That means if you set*as a CNAME, you typically can’t also have*as an A/AAAA/TXT.
If you need TXT verification and wildcard routing, you often must choose a routing approach that doesn’t require * to be a CNAME—or you must place TXT records on the exact verification names instead of *.
Wildcard TXT record: attach a TXT value to many subdomains (use carefully)
Wildcard TXT can be useful for some internal conventions, but many third‑party verification flows require specific TXT hostnames and won’t rely on wildcard behavior.
Example
Type: TXT
Name/Host:
*Value:
some-text-valueTTL: Default
Common pitfall:
If a specific subdomain already exists (any record type), wildcard TXT may not apply to TXT lookups for that name. When in doubt, add the TXT record to the exact name the service requests.
Common pitfalls (and how to avoid them)
Pitfall 1: “My wildcard doesn’t work for www / api / app”
Check whether you already have explicit records like:
www.example.comapi.example.com
If they exist, the wildcard won’t be used for those names.
Fix: Update the explicit record (or remove it if you truly want wildcard behavior).
Pitfall 2: “It works for test.example.com but not a.b.example.com”
That’s expected: *.example.com doesn’t match two levels deep.
Fix: Add a second wildcard at the right level, such as *.b.example.com.
Pitfall 3: “My verification TXT record isn’t being found”
This is usually due to one of these:
The record name needs to be exact (like
_acme-challengeor_dmarc)The subdomain already exists, so wildcard TXT isn’t applied
A wildcard
CNAMEconflicts with adding a wildcardTXT
Fix checklist:
Add the TXT record to the exact hostname provided by the service.
Ensure there is no conflicting record type at the same name (especially CNAME).
Re-check the hostname formatting in HostBible (whether to enter
*vs*.example.comvs full name).
Pitfall 4: “DNS changes aren’t showing up”
DNS results can be cached.
Fix checklist:
Wait for TTL/caching to expire (especially after edits).
Test using multiple resolvers and tools (see below).
Confirm your domain is actually using HostBible DNS (nameservers).
If not, your edits in HostBible won’t affect live DNS—see our DNS Nameservers article.
Pitfall 5: “Wildcard DNS works, but the website shows the wrong site”
Wildcard DNS only routes traffic to a destination. Your web server/app must also:
accept the hostname in the request, and
route it correctly (often using the “Host” header)
Fix: Configure your application/web server to handle unknown hostnames appropriately (tenant routing, default site, 404 rules, etc.).
How to test wildcard DNS
You can test from your computer using command-line tools:
Test an A record
dig +short anything.example.com A
Test an AAAA record
dig +short anything.example.com AAAA
Test a TXT record
dig +short anything.example.com TXT
Tip: Test both:
a made-up subdomain (to confirm wildcard behavior), and
a known explicit subdomain (to confirm override behavior).
Best practices for wildcard DNS in HostBible
Use wildcard records when your app/platform is designed for dynamic subdomains.
Keep these common subdomains explicit when needed:
@(root),www,api,mail,autodiscover, and any service-specific hostnames
Add verification and auth records explicitly:
_acme-challenge,_dmarc, DKIM selectors, and other underscore-based names
If you mention SSL: wildcard DNS often implies you may need a certificate that covers many subdomains. For details, see our SSL Certificates article.
Quick FAQ
Does *.example.com include example.com?
No. The root/apex (example.com) needs its own record(s).
Can I create wildcard A and wildcard AAAA together?
Yes, commonly (IPv4 + IPv6).
Can I create wildcard CNAME and wildcard TXT at the same time?
Usually no, because a CNAME at * typically prevents other record types at the same name. Use explicit verification records instead.
Will wildcard DNS create “infinite subdomains” automatically?
It will make them resolve in DNS, but your app/server must still handle requests for those hostnames.