Wildcard DNS Checker — Detect Catch-All Resolution

Probe a random subdomain and compare A record answers to the apex to detect wildcard DNS

How to Use This Tool

  1. Enter the apex domain to test (for example, example.com). You do not need to supply a subdomain of your own.
  2. Click Check Wildcard to generate a unique random label prefixed with wc- under that apex.
  3. The tool queries A records for the apex and for randomSubdomain.apex in parallel.
  4. The tool sorts the apex and random-subdomain IP sets and compares them.
  5. wildcardLikely is true when the random name resolves and either the apex had no A records or both sides share identical IP sets.
  6. sameAsApex true means the sorted IP lists match exactly, a strong signal of catch-all or wildcard A configuration.

About This Tool

Wildcard DNS makes every unlisted subdomain resolve to the same records as if a catch-all rule existed. That helps parked pages and simple SaaS routing but breaks security models that issue per-host certificates or assume NXDOMAIN for nonexistent names. VSPIC generates a unique random subdomain label, queries A records for both the apex domain and the random host, then reports whether answers suggest wildcard behavior through wildcardLikely and sameAsApex flags.

Results include the exact randomSubdomain tested, apexRecords, randomRecords, and boolean indicators. Wildcard detection is heuristic — some hosts return generic parking pages only for unknown names without true DNS wildcard. Combine findings with application testing before relying solely on DNS shape.

Common use cases

  • View all DNS records of a domain after migration
  • Confirm DNS records after domain changes
  • Test for DNS leaks when using a VPN
  • Debug email delivery with MX and TXT records

What wildcard DNS means

A wildcard record like *.example.com answers queries for any label not explicitly defined elsewhere. Depending on configuration, anything.example.com reaches the same server as www, and any two undefined names reach the same server as each other.

Without a wildcard, undefined subdomains return NXDOMAIN or no A records, a safer default for namespaces where only known hosts should exist.

How the random subdomain probe works

Predictable test names like test.example.com might collide with real records. Timestamp and random-based labels minimize collision with production hostnames.

Parallel apex and random queries compare outcomes at the same instant, reducing false conclusions from mid-test DNS changes.

Reading wildcardLikely and sameAsApex

wildcardLikely combines resolution success with apex comparison logic from the handler. sameAsApex strictly compares sorted IPv4 string lists from A answers.

When the apex has no A records but the random name resolves, wildcardLikely is still true. A catch-all on an unused apex happens on parked domains.
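The probe from the steps under How to Use This Tool, with the flag rules from this section, as an added Python example (not VSPIC's handler code). The function names, the timestamp-plus-hex label format, the injectable `lookup` parameter and the constructed `fake_zone` resolver are assumptions; the default lookup uses the system resolver for IPv4 only.

```python
import secrets
import socket
import time
from concurrent.futures import ThreadPoolExecutor


def random_label():
    # "wc-" prefix as described on the page; timestamp + random hex is an assumption.
    return f"wc-{int(time.time())}-{secrets.token_hex(6)}"


def system_a_lookup(name):
    """IPv4 addresses for name from the system resolver; [] when it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


def fake_zone(explicit, wildcard=()):
    """Constructed offline resolver: explicit names win, anything else gets the wildcard."""
    def lookup(name):
        return list(explicit.get(name, wildcard))
    return lookup


def check_wildcard(apex, lookup=system_a_lookup, label=None):
    apex = apex.strip().rstrip(".").lower()
    random_subdomain = f"{label or random_label()}.{apex}"
    # Query both names in parallel so they are answered from the same DNS state.
    with ThreadPoolExecutor(max_workers=2) as pool:
        apex_job = pool.submit(lookup, apex)
        random_job = pool.submit(lookup, random_subdomain)
        apex_records = sorted(set(apex_job.result()))
        random_records = sorted(set(random_job.result()))
    resolves = bool(random_records)
    # Assumption: two empty answers are not treated as a match.
    same_as_apex = resolves and apex_records == random_records
    wildcard_likely = resolves and (not apex_records or same_as_apex)
    return {
        "randomSubdomain": random_subdomain,
        "apexRecords": apex_records,
        "randomRecords": random_records,
        "wildcardLikely": wildcard_likely,
        "sameAsApex": same_as_apex,
    }
```

With a wildcard that points at a different address than the apex, for example `fake_zone({"example.com": ["192.0.2.10"]}, wildcard=["198.51.100.7"])`, the rule as stated gives wildcardLikely false even though the random name resolves, so read randomRecords as well as the flags.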

Security implications

Certificate authorities and security scanners treat wildcard DNS carefully. Attackers exploit wildcard misconfiguration to hijack unintended subdomains pointing at your IP.

Remove wildcard when issuing per-app subdomains or using external DNS verification that assumes negative answers for missing names.

Wildcard versus explicit records

Explicit A records for www and api can coexist with a wildcard that covers everything else. The random probe still resolves in that setup, so interpret the result alongside your intended architecture.

CDN CNAME wildcards behave similarly at the edge even when the authoritative zone looks different.

IPv6 and record limits

This check focuses on A record answers from the implemented query path. AAAA-only wildcards may not mirror IPv4 behavior — extend investigation with AAAA lookups if dual-stack matters.

Multiple A records load balance across IPs — sameAsApex compares full sorted sets, not single addresses.

Parking and monetization pages

Registrars enable wildcard to show ads on typos. sameAsApex true with parking content is expected — document business justification if keeping wildcard.

Migrating off parking requires removing wildcard before cutover to avoid stale catch-all during NS changes.

Remediation steps

Delete *.example.com wildcard entries at the DNS provider after listing required explicit subdomains. Wait for TTL, then re-run this checker until random labels no longer resolve.

Verify explicit hosts still resolve individually after wildcard removal.

Limits of heuristic detection

Split-horizon DNS, geo DNS, and application-layer default vhosts mimic wildcard symptoms without DNS wildcard records. HTTP inspection confirms user-visible behavior.

Single-run probes can be wrong if transient anycast answers differ — run twice if results surprise.

Frequently Asked Questions

Yes. VSPIC offers this wildcard DNS checker at no cost with no account required. Results load in real time.

We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.

Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.

No. Some SaaS and parking setups rely on it. Security-sensitive zones should avoid catch-all resolution.

To avoid clashing with real hostnames like test or dev that already have explicit records.

wildcardLikely can still be true when random subdomains resolve — common on parked domains.

The handler compares A record answers. CNAME chains may affect results indirectly when resolved to A.

This probe uses A queries. IPv6-only wildcard setups need separate AAAA investigation.
