Tags: amazon-web-services, amazon-cloudfront, amazon-route53

Weird ("too smart") Route 53 wildcard behavior


I have a *.example.com Route 53 alias record which points to distribution1.cloudfront.net. Distribution1 has static.example.com as an alternative name. So far so good - it's standard DNS behavior.

I created another CF distribution - distribution2.cloudfront.net, with dynamic.example.com as an alternative name. And, without adding a dynamic.example.com DNS record pointing to the second distribution, web requests to dynamic.example.com are going to distribution2.cloudfront.net, not according to DNS. I.e., 'nslookup dynamic.example.com' returns distribution1.cloudfront.net IPs, but an HTTP request returns objects from distribution2.cloudfront.net.

It's definitely a feature, but


Solution

  • It is documented behaviour, though somewhat hidden in the fine print:

    [Y]ou can add a wildcard alternate domain name, such as *.example.com, that includes (that overlaps with) a non-wildcard alternate domain name, such as www.example.com. If you have overlapping alternate domain names in two distributions, CloudFront sends the request to the distribution with the more specific name match, regardless of the distribution that the DNS record points to. For example, marketing.domain.com is more specific than *.domain.com.

    https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-restrictions
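To make the quoted rule concrete, here is an added example (not from the answer or from AWS) that models CloudFront's most-specific-alias selection over constructed distributions mirroring the question, reports hosts whose DNS target differs from the distribution that actually serves them, and audits for exact aliases overlapped by another distribution's wildcard. Treating `*.` as exactly one DNS label is an assumption of the model.

```python
# Model of CloudFront's most-specific-alias rule for overlapping alternate domain names (added example, not AWS code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Distribution:
    domain: str           # e.g. distribution1.cloudfront.net
    aliases: tuple        # alternate domain names (CNAMEs) configured on it

def alias_matches(alias, host):
    """Does alias cover host? '*.' is assumed to stand for exactly one DNS
    label, as with TLS wildcards (assumption, not from the page)."""
    alias, host = alias.lower().rstrip("."), host.lower().rstrip(".")
    if alias.startswith("*."):
        suffix = alias[1:]                     # ".example.com"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return alias == host

def specificity(alias):
    """Exact names beat wildcards; among wildcards, more labels is more specific."""
    return (0 if alias.startswith("*.") else 1, alias.count("."))

def select_distribution(host, dists):
    """(distribution, alias) CloudFront would serve host from, or None if unclaimed."""
    candidates = [(d, a) for d in dists for a in d.aliases if alias_matches(a, host)]
    return max(candidates, key=lambda c: specificity(c[1]), default=None)

def routing_mismatches(hosts, dns_target, dists):
    """Hosts whose DNS points at dns_target but CloudFront serves from elsewhere."""
    picks = ((h, select_distribution(h, dists)) for h in hosts)
    return [(h, c[0].domain, c[1]) for h, c in picks if c and c[0].domain != dns_target]

def wildcard_overlaps(dists):
    """Audit: exact aliases covered by a wildcard alias on another distribution."""
    return sorted((a, d.domain, w, o.domain)
                  for d in dists for a in d.aliases if not a.startswith("*.")
                  for o in dists if o is not d
                  for w in o.aliases if w.startswith("*.") and alias_matches(w, a))

# Constructed sample mirroring the question: Route 53 maps *.example.com to distribution1.
DISTS = (
    Distribution("distribution1.cloudfront.net", ("*.example.com", "static.example.com")),
    Distribution("distribution2.cloudfront.net", ("dynamic.example.com",)),
)

if __name__ == "__main__":
    hosts = ("static.example.com", "dynamic.example.com", "other.example.com")
    print({h: select_distribution(h, DISTS)[0].domain for h in hosts})
    print("mismatches:", routing_mismatches(hosts, "distribution1.cloudfront.net", DISTS))
    print("overlaps:", wildcard_overlaps(DISTS))
```

Running it shows dynamic.example.com served by distribution2 even though the wildcard alias record sends its DNS to distribution1, which is exactly the behaviour the question describes.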