Our domain has the following DNS records:

*.example.com      IN   CNAME    foo.org
example.com        IN   A        x.x.x.x
example.com        IN   TXT      "v=spf1 mx -all"
example.com        IN   MX       10 mail.mailhost.com
mail.example.com   IN   CNAME    mail.mailhost.com

example.com emails appear to send and receive properly.

We do not control foo.org, and do not trust its administrators.

Q1: Is it in any way possible for them to exploit the wildcard CNAME to read example.com emails?

Q2: Any other evil potential uses of a wildcard CNAME we should worry about?

Chris S
  • Nooooo, don't do that. Wildcard CNAMEs are full of unintended consequences, because they mean "*all* records for this name should go over there". – womble Sep 15 '15 at 23:51

3 Answers

Mail transport agents will use the MX (though I've seen some terrible code that only knows about A records); CNAMEs tend not to be supported as MX records, with some DNS or mail servers warning about or refusing to deal with such (Courier, I believe). Where a user@sub.example.com address goes may need research, or might be irrelevant if you only use @example.com and do not expect the fine folks at foo.com to forge mails as if from a subdomain, for some reason.

thrig
  • No, we're not worried about outgoing mail from a subdomain, or outgoing mail in general. The concern is whether they could somehow obtain incoming mail. – Chris S Sep 15 '15 at 22:02
  • Shouldn't, MX will get it (or possibly the A). – thrig Sep 15 '15 at 22:28
It's not possible to say from the information you give whether they can use it to access your mail server via IMAP, POP3 or something like that, since that depends on the mail server's configuration rather than on what is in DNS. It does seem unlikely, though, given a reasonably normal mail server setup.

You have completely handed over control over all names under example.com, except for the name mail.example.com. To tell if they can use that to your detriment does, again, require information not given here.

Calle Dybedahl

A1: There are no known exploits (if there are, they would likely be patched quickly).

A2: Wildcard CNAMEs work like this: if a more specific record doesn't exist, follow the wildcard.

https://www.rfc-editor.org/rfc/rfc4592#section-2.2.1

Something else to think about: glue records, where upstream servers have the IP address of the nameservers for zones that use subdomains as nameservers (example: ns1.example.org is a nameserver for example.org, so the .org. zone has an A record for ns1.example.org).

Another example: we have some school accounts I manage. The teachers use a multi-site WordPress (teachername.example.org), but students also have their own email domain, students.example.org. Since records exist for students.example.org (MX, A, TXT and others), students.example.org does not follow *.example.org.

If the domain that I point the *.example.org CNAME to had an MX record, it would only apply to the subdomains that do not have MX records; the same goes for DKIM, DMARC and others. However, per this example the DKIM key wouldn't work, as default._domainkey.example.org does not match the wildcard *.example.org, but rather *._domainkey.example.org.

Also, can we have multiple CNAMEs for a single name?

Jacob Evans
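The wildcard rules that thrig's answer (mail for user@sub.example.com) and Jacob Evans' answer (students.example.org and the DKIM selector) describe can be checked mechanically. The following is an added example, not code from the question or from any of the answers: a small RFC 4592 wildcard matcher plus an audit helper that lists which names in a zone are answered by the wildcard CNAME. The zone contents are constructed for illustration; the example.com data copies the question's records, the example.org data models the school setup, and the CNAME target sites.wp-host.example and the DKIM key are assumed placeholders.

```python
"""Added example, not code from the question or any answer: an RFC 4592
wildcard matcher used to audit which names a wildcard CNAME hands over.
Zone data is constructed; example.com copies the question's records,
example.org models Jacob Evans' school example."""

from typing import Dict, List, Optional, Set, Tuple

RR = Tuple[str, str]          # (rrtype, rdata)
Zone = Dict[str, List[RR]]    # owner name (no trailing dot) -> RRset

# Constructed from the question's zone; x.x.x.x is kept as written there.
EXAMPLE_COM: Zone = {
    "example.com": [("A", "x.x.x.x"), ("TXT", '"v=spf1 mx -all"'),
                    ("MX", "10 mail.mailhost.com")],
    "*.example.com": [("CNAME", "foo.org")],
    "mail.example.com": [("CNAME", "mail.mailhost.com")],
}

# Constructed after the school example: a wildcard for teacher sites, an
# explicit students subdomain and one DKIM selector.  The CNAME target
# and the DKIM public key are assumed placeholders.
EXAMPLE_ORG: Zone = {
    "example.org": [("A", "192.0.2.10"), ("MX", "10 mx.example.org")],
    "*.example.org": [("CNAME", "sites.wp-host.example")],
    "students.example.org": [("A", "192.0.2.20"),
                             ("MX", "10 mx.students.example.org"),
                             ("TXT", '"v=spf1 mx -all"')],
    "default._domainkey.example.org": [("TXT", '"v=DKIM1; k=rsa; p=PLACEHOLDER"')],
}


def existing_names(zone: Zone) -> Set[str]:
    """Every name that exists in the zone: the owners plus the empty
    non-terminals above them (RFC 4592 s2.2.2).  _domainkey.example.org
    exists because default._domainkey.example.org does."""
    apex_labels = min(len(n.split(".")) for n in zone)
    names: Set[str] = set()
    for owner in zone:
        labels = owner.split(".")
        for i in range(len(labels) - apex_labels + 1):
            names.add(".".join(labels[i:]))
    return names


def _answers(rrset: List[RR], qtype: str) -> List[RR]:
    # A CNAME owner answers every qtype with the CNAME; the name can hold
    # nothing else, which is what womble's comment warns about.
    cnames = [rr for rr in rrset if rr[0] == "CNAME"]
    return cnames or [rr for rr in rrset if rr[0] == qtype]


def lookup(zone: Zone, qname: str, qtype: str) -> Tuple[Optional[str], List[RR]]:
    """Answer qname/qtype from the zone.  Returns (source, rrs): source is
    the owner that answered (the literal name or the expanded wildcard),
    None means NXDOMAIN, and an existing source with [] means NODATA."""
    qname = qname.lower().rstrip(".")
    names = existing_names(zone)
    # Rule 1: an existing name is never covered by a wildcard, even for a
    # type it lacks (students.example.org gets NODATA for AAAA, not the CNAME).
    if qname in names:
        return qname, _answers(zone.get(qname, []), qtype)
    # Rule 2: find the closest encloser (longest existing ancestor); only
    # "*" directly below it can match, and that match may span several labels.
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if encloser in names:
            wildcard = "*." + encloser
            if wildcard in zone:
                return wildcard, _answers(zone[wildcard], qtype)
            return None, []      # closest encloser has no wildcard child
    return None, []              # name lies outside the zone


def wildcard_delegated(zone: Zone, candidates: List[str], qtype: str) -> List[Tuple[str, str]]:
    """Audit helper: candidate names whose qtype answer is synthesised from
    a wildcard CNAME, paired with the target that now controls them."""
    out = []
    for name in candidates:
        source, rrs = lookup(zone, name, qtype)
        if source and source.startswith("*.") and rrs and rrs[0][0] == "CNAME":
            out.append((name, rrs[0][1]))
    return out


if __name__ == "__main__":
    probes = ["example.com", "mail.example.com", "sales.example.com"]
    for name in probes:
        print(name, "MX ->", lookup(EXAMPLE_COM, name, "MX"))
    print("handed to wildcard:", wildcard_delegated(EXAMPLE_COM, probes, "MX"))
    for name in ["students.example.org", "www.students.example.org",
                 "default._domainkey.example.org", "foo._domainkey.example.org"]:
        print(name, "TXT ->", lookup(EXAMPLE_ORG, name, "TXT"))
```

Running it shows the two points the answers make: mail.example.com and example.com keep their own MX, but an undefined name such as sales.example.com is answered by the wildcard CNAME for every type, so mail for user@sales.example.com follows whatever foo.org publishes. In the school zone, students.example.org and any name below it never fall through to *.example.org, and foo._domainkey.example.org is NXDOMAIN rather than a wildcard hit because its closest encloser is the empty non-terminal _domainkey.example.org, which has no wildcard child.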