Custom hostname for AWS ClientVPN?


Say I have the following record:

*.foo.bar CNAME *.baz.qux

If I do a DNS query on test.foo.bar, will it return the record for test.baz.qux? Or will it do something else?

EDIT: There's a reason for wanting to do this. AWS's Client VPN provides an endpoint with a random prefix, e.g. *.cvpn-endpoint-foo.bar.clientvpn.us-west-2.amazonaws.com, meaning it will accept a connection with any value used for the prefix (used so there's no DNS caching of the endpoint's A records, corresponding to OpenVPN's remote-random-hostname option). I would like to provide a connection endpoint like *.vpn.mydomain.com. So, I was wondering if there was a way to do this, where a random prefix can be used with the custom domain and have it pass through to the domain it CNAMEs to.

To summarize: is there a way I can use AWS's Client VPN random prefix via a custom DNS record?


BEST ANSWER

Such a CNAME record is illegal. You cannot have a wildcard * as a CNAME value, only a single domain name on the RHS of a CNAME. You can have something like

*.foo.bar. CNAME zuka.baz.qux.

Also, note the dots at the end of the domain names. Without them, the zone name will be appended.

Update: to clarify this, '*' on the RHS is not a wildcard; it is treated as a regular domain name. So, unless you have a host or subdomain named *.baz.qux, any query for whatever.foo.bar will return not found: 3 (NXDOMAIN)


I ran into this question after suffering the same confusion about wildcards and CNAMEs. I managed to get a good solution thanks to Yuri's answer putting me in the right direction.

Basically I just chose my own 'random' fixed subdomain for the VPN Endpoint and pointed my CNAME entry to it. So if the VPN Endpoint DNS Name is:

*.cvpn-endpoint-xxxxxx.prod.clientvpn.<region>.amazonaws.com

Then I use the following CNAME entry:

vpn.my-domain.com CNAME <random>.cvpn-endpoint-xxxxxx.prod.clientvpn.<region>.amazonaws.com.

The above entry handles clients without remote-random-hostname capability. I can then add another wildcard CNAME to catch clients with this option enabled:

*.vpn.my-domain.com CNAME vpn.my-domain.com

With these two entries I can happily distribute vpn config that points to vpn.my-domain.com and re-map this in Route53 if I ever need to replace the VPN Endpoint.

Slightly related documentation: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/troubleshooting.html#resolve-host-name
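As an added example (not code from either answer), a toy authoritative lookup over a constructed zone that shows why the question's `*.foo.bar CNAME *.baz.qux` returns NXDOMAIN for test.foo.bar (the RHS `*` is a literal label), while the two records from the answer above resolve any random prefix of vpn.my-domain.com; the zone data is constructed, and the labels "random" and "region" stand in for the post's <random> and <region> placeholders.

```python
# Added example (not from the thread): a toy authoritative lookup with RFC 4592
# wildcard synthesis and CNAME chasing. ZONE is constructed; "random"/"region"
# stand in for the <random>/<region> placeholders in the second answer.
ZONE = {
    # the question's idea: '*' on the RHS is a literal label, not a wildcard
    "*.foo.bar.": [("CNAME", "*.baz.qux.")],
    "zuka.baz.qux.": [("A", "192.0.2.10")],
    # the second answer's working pair of records
    "vpn.my-domain.com.": [("CNAME", "random.cvpn-endpoint-xxxxxx.prod.clientvpn.region.amazonaws.com.")],
    "*.vpn.my-domain.com.": [("CNAME", "vpn.my-domain.com.")],
    "random.cvpn-endpoint-xxxxxx.prod.clientvpn.region.amazonaws.com.": [("A", "203.0.113.5")],
}

def qualify(rdata, origin):
    """Trailing-dot rule: a relative name gets the zone origin appended."""
    return rdata if rdata.endswith(".") else f"{rdata}.{origin}"

def name_exists(name):
    # an owner name, or an empty non-terminal above some owner
    return any(o == name or o.endswith("." + name) for o in ZONE)

def find_rrset(qname):
    """Exact match, else synthesize from the closest enclosing '*' owner."""
    if qname in ZONE:
        return ZONE[qname]
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):
        ancestor = ".".join(labels[i:])
        if "*." + ancestor in ZONE:
            return ZONE["*." + ancestor]
        if name_exists(ancestor):   # closest encloser has no wildcard child
            return None
    return None

def resolve(qname, qtype="A", max_hops=8):
    """Return (rcode, chain); chases CNAMEs like a recursive resolver."""
    chain, name = [], qname
    for _ in range(max_hops):
        rrset = find_rrset(name)
        if rrset is None:
            return "NXDOMAIN", chain        # name (or CNAME target) does not exist
        rtypes = dict(rrset)               # toy zone: one RR per type
        if qtype in rtypes:
            chain.append((name, qtype, rtypes[qtype]))
            return "NOERROR", chain
        if "CNAME" in rtypes:
            chain.append((name, "CNAME", rtypes["CNAME"]))
            name = rtypes["CNAME"]
            continue
        return "NOERROR", chain            # NODATA: name exists, no such type
    return "SERVFAIL", chain               # CNAME loop or chain too long
```

Resolving test.foo.bar. synthesizes the CNAME but then fails on the literal target *.baz.qux., whereas abc123.vpn.my-domain.com. follows the wildcard CNAME to vpn.my-domain.com. and on to the endpoint's A record.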