Setting Up Wildcard DNS and Wildcard SSL

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

The Internet Platform and Operations deployment of Windows SharePoint Services hosts many sites, but the sites share the same Domain Name System (DNS) and Secure Sockets Layer (SSL) settings. The Internet Platform and Operations group accomplished this by using wildcards to make the settings apply to all sites on the server farm.

Wildcard DNS

A major benefit of host-header mode for Windows SharePoint Services is that many user sites can be served by one IIS virtual server, yet each site has its own DNS name. For example, in the STSBeta environment, each customer has his or her own URL in the format http:// username. These Web sites are actually all on the same virtual server on the IIS Web server, so the DNS system must resolve the different URLs to the same server farm.

For example, the following two URLs resolve to the same IP address:

  • resolves to

  • resolves to

There are about 15,000 sites in STSBeta hosting. Instead of creating 15,000 DNS entries in the DNS server for zone, the server farm uses a wildcard DNS entry:

  • * resolves to

This way, only one entry is needed for the entire server farm and all of its sites.

Different steps are needed for entering the DNS entry, depending on whether the DNS server is running Windows Server 2003 or Windows 2000 Server.

Enter DNS entry in Windows Server 2003

  1. Click Start, click Control Panel, click Administrative Tools, and then click DNS.

  2. On the Action menu, click Connect to DNS Server.

  3. In Connect to DNS Server, click The following computer.

  4. Type the DNS computer name with the wildcard: *

  5. Select the Connect to the specified computer now check box, and then click OK.

Enter DNS entry in Windows 2000 Server

  1. In the DNS administration tool, create a child domain "*" under

  2. In the "*" domain, create an entry with an empty node name and IP address 65.54.319.336. You will get a warning that the node name is empty. You can ignore this warning.

Wildcard SSL

Because this deployment uses HTTP proxy servers, it must use Basic Authentication. However, Basic Authentication gives a malicious user who can sniff the network easier access to user passwords than other authentication methods do. Secure Sockets Layer (SSL) encrypts the traffic, hiding those credentials from anyone sniffing the network. To set up SSL in a Windows SharePoint Services host-header environment, the Internet Platform and Operations group applied an SSL certificate for the whole server farm by using the wildcard URL * and installing it on all front-end Web servers. For detailed steps for applying SSL certificates, see IIS 6.0 Online Help.

There are some issues to be aware of when using wildcard URLs with SSL:

  • Users will get an IP address when resolving any site name by using PING or Nslookup.

  • Resolver search-list lookups might point to the wrong address. Wildcard records are discussed in section 2.7 of RFC 1912, and RFC 1535 documents a case of this problem.

  • The wildcard SSL certificate will produce a warning if the user is accessing the site by using any Internet Explorer version on the first released version of Windows 2000. The issue does not occur on Windows 2000 SP1 and later. For more information, see Microsoft Knowledge Base Article 257873.
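The wildcard DNS entry described under Wildcard DNS and the wildcard certificate described under Wildcard SSL follow different matching rules, and the difference explains one more warning case than the list above names: a DNS wildcard answers for any number of labels under the zone, while a certificate name such as *.example.com covers exactly one label. A host like a.b.example.com therefore resolves to the farm but is not covered by the farm certificate. The following Python is an added example, not code from the original article or from the STSBeta deployment; the zone name example.com, the addresses and the host names are constructed placeholders, and the certificate rule is the one browsers commonly apply from RFC 6125, not a claim about what Internet Explorer of that era did.

```python
"""Wildcard matching in DNS versus TLS certificates.

Added example, not from the original article. Zone name, addresses and
host names below are constructed placeholders.
"""
from typing import Optional

ZONE = "example.com"

# Constructed zone: one explicit host plus the wildcard entry the article
# describes ("*" under the zone pointing at the server farm address).
RECORDS = {
    "www.example.com": "192.0.2.10",
    "*.example.com": "192.0.2.20",
}


def _labels(name: str) -> list[str]:
    """Lower-case label list with any trailing dot removed."""
    return name.lower().rstrip(".").split(".")


def _zone_nodes(records: dict[str, str], zone: str) -> set[str]:
    """Names that exist in the zone: the apex, every record owner and every
    ancestor of an owner (empty non-terminals)."""
    nodes = {".".join(_labels(zone))}
    zone_len = len(_labels(zone))
    for owner in records:
        labels = _labels(owner)
        for i in range(len(labels) - zone_len):
            nodes.add(".".join(labels[i:]))
    return nodes


def resolve_a(qname: str, records: dict[str, str] = RECORDS,
              zone: str = ZONE) -> Optional[str]:
    """RFC 1034-style A lookup. An explicit owner name always wins. Otherwise
    the wildcard at the closest existing ancestor (closest encloser) is used,
    however many labels the query has below it. The apex is never covered by
    its own wildcard. Returns None for NXDOMAIN/NODATA."""
    q = ".".join(_labels(qname))
    z = ".".join(_labels(zone))
    if q != z and not q.endswith("." + z):
        return None                          # not in this zone
    if q in records:
        return records[q]                    # explicit record; wildcard ignored
    nodes = _zone_nodes(records, zone)
    labels = q.split(".")
    for i in range(1, len(labels) - len(z.split(".")) + 1):
        encloser = ".".join(labels[i:])
        if encloser in nodes:                # first existing ancestor
            return records.get("*." + encloser)
    return None


def cert_name_matches(pattern: str, hostname: str) -> bool:
    """Certificate name matching as browsers commonly implement RFC 6125
    section 6.4.3: a wildcard is accepted only as the whole leftmost label,
    matches exactly one label, and may not stand for an entire TLD (*.com).
    So *.example.com covers alice.example.com but neither example.com nor
    a.b.example.com."""
    p = _labels(pattern)
    h = _labels(hostname)
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or any("*" in lab for lab in p[1:]):
        return False
    return len(h) == len(p) and h[1:] == p[1:]


def check_host(hostname: str, cert_pattern: str = "*." + ZONE) -> dict:
    """Combine the two rules: does the name resolve through the wildcard
    zone, and does the farm's wildcard certificate cover it? An address with
    cert_ok False is a name that reaches the farm but draws a certificate
    warning in the browser."""
    addr = resolve_a(hostname)
    return {"address": addr,
            "cert_ok": addr is not None and cert_name_matches(cert_pattern, hostname)}


if __name__ == "__main__":
    for host in ("www.example.com", "alice.example.com", "a.b.example.com",
                 "x.www.example.com", "example.com"):
        print(f"{host:22} {check_host(host)}")
```

Running it shows alice.example.com resolving via the wildcard with a matching certificate, a.b.example.com resolving to the same address with cert_ok False, x.www.example.com not resolving at all because the explicit www node is the closest encloser and has no wildcard of its own, and the apex example.com receiving no address from its own wildcard.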