Chapter 8

Subdomains & Wildcards

staging, api, SaaS CNAMEs, wildcard risks.

Learning objectives

  • Plan subdomain structure for staging, API, and marketing
  • Know when wildcards help and when they create security risk
  • Apply CNAME vs A for third-party SaaS subdomains

Subdomains are names under your domain

Each subdomain can point somewhere completely different:

Hostname                 Points to           Record
www.workshopco.ca        Marketing site      A or CNAME
staging.workshopco.ca    Test server         A → 203.0.113.99
book.workshopco.ca       Calendly / SaaS     CNAME → vendor hostname
docs.workshopco.ca       Notion / GitBook    CNAME → vendor hostname

www vs apex

Users type both workshopco.ca and www.workshopco.ca. Pick one as the canonical host and redirect the other to it with an HTTP 301 at the web server; DNS must resolve both names first, or the browser never reaches the server that issues the redirect.

Common pattern

Apex A → web server IP. www CNAME → apex. Server config redirects apex → www (or the reverse). The TLS certificate must cover both names: the browser completes the TLS handshake against whichever name the user typed before it ever sees the 301, so a certificate valid only for the canonical name produces a warning on the other one.

Wildcards

*.workshopco.ca.  3600  IN  A  203.0.113.10

Matches any name below workshopco.ca that does not otherwise exist in the zone: foo.workshopco.ca, bar.workshopco.ca, and also deeper names such as a.b.workshopco.ca, provided nothing exists at b.workshopco.ca. The rule (RFC 4592) is that the server finds the closest existing ancestor of the queried name and consults only the wildcard directly under that ancestor. Two consequences matter in practice: an explicit record always wins over the wildcard, and a name that exists with some other record type (say mail.workshopco.ca with only an MX) is not covered by it, so an A query for that name returns an empty answer rather than the wildcard address. Likewise, once you create api.workshopco.ca, names below it (staging.api.workshopco.ca) stop matching *.workshopco.ca and return NXDOMAIN unless you also add *.api.workshopco.ca.
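The closest-encloser rule written out as code, as an added example that is not part of the chapter (the zone dictionary is constructed for illustration from the chapter's names and addresses): a minimal authoritative lookup that classifies a query as an exact match, a wildcard synthesis, an empty answer (NODATA) or NXDOMAIN, and shows what happens to deeper names once an intermediate name is created.

```python
"""Wildcard lookup the way an authoritative server performs it (RFC 1034
section 4.3.2 as clarified by RFC 4592). Added example; ZONE is constructed
for illustration from the chapter's names and addresses."""

ORIGIN = "workshopco.ca."

# Owner name -> {rrtype: rdata}. All names absolute and lower case.
ZONE = {
    "workshopco.ca.":         {"NS": "ns1.workshopco.ca.", "A": "203.0.113.10"},
    "www.workshopco.ca.":     {"CNAME": "workshopco.ca."},
    "staging.workshopco.ca.": {"A": "203.0.113.99"},
    "*.workshopco.ca.":       {"A": "203.0.113.10"},
}


def _normalize(name):
    name = name.lower()
    return name if name.endswith(".") else name + "."


def name_exists(zone, name):
    """A name exists if it owns records, or if some owner name lies below it
    (an 'empty non-terminal', e.g. _tcp.x.example. when _sip._tcp.x.example.
    has an SRV record)."""
    return name in zone or any(owner.endswith("." + name) for owner in zone)


def closest_encloser(zone, qname, origin):
    """Longest existing ancestor of qname: strip labels from the left until
    an existing name is found. The apex always exists."""
    labels = qname.split(".")            # trailing dot leaves a final ''
    for i in range(1, len(labels) - 1):
        candidate = ".".join(labels[i:])
        if name_exists(zone, candidate):
            return candidate
    return origin


def lookup(zone, qname, qtype, origin=ORIGIN):
    """Return (status, owner_used, rdata).

    status: 'EXACT'    - qname exists and owns the requested type
            'WILDCARD' - answer synthesized from '*.<closest encloser>'
            'NODATA'   - the name (or matching wildcard) exists, the type does not
            'NXDOMAIN' - no such name and no applicable wildcard
    """
    qname = _normalize(qname)
    if qname != origin and not qname.endswith("." + origin):
        raise ValueError(f"{qname} is not within {origin}")
    if name_exists(zone, qname):
        rrs = zone.get(qname, {})
        return ("EXACT", qname, rrs[qtype]) if qtype in rrs else ("NODATA", qname, None)
    # Not an existing name: only the wildcard directly under the closest
    # encloser is consulted; a wildcard higher up is never used (RFC 4592 3.3.1).
    source = "*." + closest_encloser(zone, qname, origin)
    if source in zone:
        rrs = zone[source]
        return ("WILDCARD", source, rrs[qtype]) if qtype in rrs else ("NODATA", source, None)
    return ("NXDOMAIN", None, None)


if __name__ == "__main__":
    for q in ("foo.workshopco.ca", "a.b.workshopco.ca", "staging.workshopco.ca"):
        print(q, lookup(ZONE, q, "A"))
    # Creating api.workshopco.ca cuts staging.api.workshopco.ca off from the
    # apex wildcard: the closest encloser is now api, and *.api does not exist.
    with_api = dict(ZONE, **{"api.workshopco.ca.": {"A": "203.0.113.20"}})
    print("staging.api.workshopco.ca", lookup(with_api, "staging.api.workshopco.ca", "A"))
```

Run it as a script to see the four outcomes; the last line prints NXDOMAIN even though *.workshopco.ca is still in the zone, which is the behaviour to remember before relying on one apex wildcard to cover several levels.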

Wildcard risk

A wildcard makes every possible name under your domain resolve, so the server it points at decides what each of those names serves. If that server is shared hosting or a multi-tenant platform where another customer can register a hostname under workshopco.ca, or if it simply serves whatever Host header arrives, an attacker gets their content served from a name such as login.workshopco.ca: it inherits cookies scoped to workshopco.ca, your users' trust in the domain, and, where TLS is misconfigured or a wildcard certificate is in play, a valid padlock for phishing. Prefer explicit records for production services, and keep a wildcard only where the target is fully under your control and rejects unknown Host headers.

Worked example — SaaS booking subdomain

Calendly asks Workshop Co. to create:

book  CNAME  calendly.com.

They verify ownership via a TXT record or by checking that the CNAME exists, and the SaaS platform handles TLS on their side. One caveat for later: when Workshop Co. stops using the service, delete the CNAME. A record that still points at a vendor is a dangling CNAME, and on a platform that verifies only that the CNAME exists, another customer can claim book.workshopco.ca and serve their content under your name (a subdomain takeover). A TXT-based ownership check is the stronger of the two because the vendor can tie the name to your account rather than to whoever asks first.

Try it yourself — design subdomains

Workshop Co. launches:

  • Member portal at members.workshopco.ca (IP 203.0.113.30)
  • Status page CNAME to statuspage.example.net
  • Internal admin at admin.workshopco.ca — should NOT be public wildcard

Write the three DNS entries.

Answer
members  A      203.0.113.30
status   CNAME  statuspage.example.net.
admin    A      203.0.113.31

No wildcard needed. DNS is public, so publishing admin.workshopco.ca does not hide it (the name is discoverable through certificate transparency logs, passive DNS and plain brute-force enumeration); restrict access to 203.0.113.31 with a firewall or VPN rather than relying on the name staying unknown.
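A small lint for zone plans like the one above, as an added example that is not part of the chapter: it parses records in the chapter's shorthand and checks the rules this chapter and the "Common pattern" section rely on (no CNAME at the apex, CNAME alone at its name, an absolute target for third-party CNAMEs, valid IPv4 rdata, and a warning wherever a wildcard appears). The good zone is the chapter's own records; the bad zone is constructed to trip each check once.

```python
"""Lint a small zone plan against the rules this chapter relies on. Added
example, not the chapter's own code; GOOD_ZONE is built from the chapter's
'Common pattern' and 'Try it yourself' records, BAD_ZONE is a constructed
variant in which each line trips one check."""
import ipaddress

ORIGIN = "workshopco.ca."

# Chapter shorthand: owner [TTL] [IN] TYPE RDATA. '@' is the apex; a name
# without a trailing dot is relative to ORIGIN.
GOOD_ZONE = """
@        3600 IN A      203.0.113.10
www      3600 IN CNAME  @
members          A      203.0.113.30
status           CNAME  statuspage.example.net.
admin            A      203.0.113.31
"""

# Constructed, not a recommended zone.
BAD_ZONE = """
@                CNAME  www.workshopco.ca.
status           CNAME  statuspage.example.net
status           A      203.0.113.40
*                A      203.0.113.10
members          A      203.0.113.300
"""


def absolute(name, origin=ORIGIN):
    """Expand a zone-file name the way a server would."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name.lower()}.{origin}"


def parse(zone_text, origin=ORIGIN):
    """Return [(owner, type, rdata)] with absolute owners. rdata is kept as
    written so the linter can see a missing trailing dot."""
    records = []
    for raw in zone_text.splitlines():
        fields = raw.split(";")[0].split()
        if not fields:
            continue
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # optional class
            rest = rest[1:]
        records.append((absolute(owner, origin), rest[0].upper(), " ".join(rest[1:])))
    return records


def lint(records, origin=ORIGIN):
    """Return findings as (level, code, owner, message) tuples."""
    findings = []
    by_owner = {}
    for owner, rtype, rdata in records:
        by_owner.setdefault(owner, []).append((rtype, rdata))

    for owner, rrs in by_owner.items():
        types = {t for t, _ in rrs}
        for rtype, rdata in rrs:
            if rtype == "CNAME":
                if owner == origin:
                    findings.append(("ERROR", "cname-at-apex", owner,
                                     "the apex carries SOA/NS and cannot be a CNAME; use A/AAAA"))
                if len(rrs) > 1:   # RFC 1034 3.6.2 (DNSSEC RRSIG/NSEC excepted)
                    findings.append(("ERROR", "cname-not-alone", owner,
                                     f"CNAME coexists with {sorted(types - {'CNAME'})}"))
                if rdata != "@" and "." in rdata and not rdata.endswith("."):
                    findings.append(("WARN", "relative-cname-target", owner,
                                     f"'{rdata}' has no trailing dot and expands to {absolute(rdata, origin)}"))
            elif rtype == "A":
                try:
                    ipaddress.IPv4Address(rdata)
                except ValueError:
                    findings.append(("ERROR", "bad-ipv4", owner, f"'{rdata}' is not an IPv4 address"))
        if owner.startswith("*."):
            findings.append(("WARN", "wildcard", owner,
                             "every unplanned name below this level resolves here; "
                             "give production services explicit records"))
    return findings


if __name__ == "__main__":
    print("good zone:", lint(parse(GOOD_ZONE)) or "no findings")
    for level, code, owner, msg in lint(parse(BAD_ZONE)):
        print(f"{level:5} {code:22} {owner:26} {msg}")
```

The relative-target warning is the one most worth keeping: a vendor hostname typed without its trailing dot silently becomes statuspage.example.net.workshopco.ca., which resolves to nothing and is easy to miss until the status page is needed.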

Quick check

Will *.workshopco.ca match staging.api.workshopco.ca?

Answer

Yes, as long as nothing exists at api.workshopco.ca: the closest existing ancestor of the queried name is then the apex, so *.workshopco.ca is the wildcard consulted and staging.api.workshopco.ca gets 203.0.113.10. The moment you add any record at api.workshopco.ca, that name becomes the closest encloser, *.api.workshopco.ca does not exist, and the same query returns NXDOMAIN (RFC 4592). If you want names under api covered, add *.api.workshopco.ca explicitly.