Wildcard Domain & DNS
Broch generates tunnel URLs by placing a name in front of your domain: name.tunnels.company.com. This requires a wildcard DNS record pointing *.tunnels.company.com at your server.
You need to own a domain and be able to create DNS records on it.
Choosing a hostname
Pick a subdomain of a domain you control. Common patterns:

| Hostname | Wildcard record |
|---|---|
| tunnels.company.com | *.tunnels.company.com → your server |
| broch.company.com | *.broch.company.com → your server |
| dev-tunnels.company.com | *.dev-tunnels.company.com → your server |

The value you choose becomes API__WILDCARDHOSTNAME in your server configuration. For example:
```
API__WILDCARDHOSTNAME=tunnels.company.com
```
This produces tunnel URLs like my-app.tunnels.company.com.
Choose this value before you activate your license — the wildcard hostname is bound into your license token at activation. See Licensing.
DNS record
Create a wildcard A record (or CNAME) in your DNS provider pointing *.tunnels.company.com to your server’s IP address or hostname.
| Record type | Name | Value |
|---|---|---|
| A | *.tunnels.company.com | Your server’s IP address |
| CNAME | *.tunnels.company.com | Your server’s DNS name (e.g., ALB hostname on AWS) |
Use a CNAME when the server’s IP address can change (e.g., AWS ALB, Azure Container Apps FQDN). Use an A record when the IP is stable (e.g., a reserved IP on DigitalOcean or a static IP on a VM).
This record is for resolution, not the certificate. It only makes name.tunnels.company.com resolve to your server. The TLS certificate is separate — with the recommended Caddy DNS-01 setup it’s issued and renewed automatically and you create no certificate records by hand (see TLS Certificates). You need exactly one wildcard record, never one per tunnel.
On Cloudflare, keep these records DNS-only (grey cloud), not proxied (orange cloud) — the proxy breaks Caddy’s TLS and the DNS-01 challenge and masks client IPs.
Per-platform DNS setup
Docker Compose (any Linux host)
Create a wildcard A record pointing to your server’s public IP:
```
*.tunnels.company.com → 203.0.113.42 (your server IP)
```
Verify with `nslookup test.tunnels.company.com`; it should resolve to your IP.
Azure Container Apps
After terraform apply, the module outputs the Container App FQDN (terraform output -raw container_app_fqdn). Create a wildcard CNAME:
```
*.tunnels.company.com → your-app.region.azurecontainerapps.io
```
AWS (ECS / ALB)
After terraform apply, the module outputs the ALB DNS name (terraform output -raw alb_dns_name). Create a wildcard CNAME:
```
*.tunnels.company.com → your-alb-1234.us-east-1.elb.amazonaws.com
```
DigitalOcean (Terraform)
After terraform apply, the output shows the reserved IP. Create a wildcard A record:
```
*.tunnels.company.com → 203.0.113.42 (reserved IP from output)
```
Propagation
DNS changes take time to propagate — typically minutes, but up to 48 hours depending on your provider and TTL settings. Use a low TTL (300 seconds) while setting up and testing, then raise it once confirmed working.
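A post-setup check that ties the DNS record and Propagation sections together, written as an added example for this page (it is not part of Broch or its documentation). It validates the hostname before it goes into API__WILDCARDHOSTNAME, since that value is bound into the license token at activation, then parses the answer section that `dig +noall +answer` prints, probes a few random labels under the wildcard (a wildcard must answer for names nobody created), compares the answer chain to the expected IP or CNAME target, and flags a TTL above the 300-second setup value. The rule that the hostname carries no `*.` prefix is an assumption taken from the page's own example; the injectable `answers_for` parameter, the `Answer` type and the sample dig output in the test are my own constructions, and the hostnames and addresses used are the page's (tunnels.company.com, 203.0.113.42, the ALB name).

```python
"""Sanity checks for a Broch wildcard DNS setup.

Added example for this page; not code from the Broch project or docs.
It validates the hostname destined for API__WILDCARDHOSTNAME and checks
the live record by parsing `dig +noall +answer` output. The resolver is
injectable so the check can also run against constructed answers offline.
"""
from __future__ import annotations

import re
import secrets
import subprocess
from dataclasses import dataclass
from typing import Callable

SETUP_TTL_MAX = 300  # seconds; the Propagation section suggests this while testing
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one DNS label (assumed rule)


def validate_wildcard_hostname(value: str) -> list[str]:
    """Problems with a candidate API__WILDCARDHOSTNAME value.

    The page's example sets it to a bare hostname (tunnels.company.com);
    the '*.' belongs only in the DNS record, so a '*.' prefix and URL
    syntax are reported (assumption based on that example)."""
    problems = []
    host = value.strip().lower()
    if host.startswith("*."):
        problems.append("drop the leading '*.'; the wildcard goes in the DNS record, not here")
        host = host[2:]
    if "://" in host or "/" in host:
        problems.append("use a bare hostname, not a URL")
        host = host.split("://")[-1].split("/")[0]
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        problems.append(f"{host!r} is not a valid DNS hostname")
    return problems


@dataclass
class Answer:
    name: str
    ttl: int
    rtype: str
    value: str


def parse_dig_answer(text: str) -> list[Answer]:
    """Parse `dig +noall +answer` lines of the form: name TTL IN type value."""
    answers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # blank lines and ';;' comments
        answers.append(Answer(parts[0].rstrip(".").lower(), int(parts[1]),
                              parts[3], parts[4].rstrip(".").lower()))
    return answers


def dig_answers(fqdn: str) -> list[Answer]:
    """Default resolver: shell out to dig (needs network and the dig binary)."""
    out = subprocess.run(["dig", "+noall", "+answer", fqdn],
                         capture_output=True, text=True, check=False).stdout
    return parse_dig_answer(out)


def check_wildcard(wildcard_host: str, expected: str,
                   answers_for: Callable[[str], list[Answer]] = dig_answers,
                   labels: int = 3) -> list[str]:
    """Probe random labels under the wildcard; return a list of problems.

    Random labels are used because a wildcard must answer for names that
    were never created explicitly. `expected` is the IP (A record) or the
    target name (CNAME); either may appear anywhere in the answer chain."""
    problems = []
    for _ in range(labels):
        fqdn = f"{secrets.token_hex(4)}.{wildcard_host}"
        answers = answers_for(fqdn)
        if not answers:
            problems.append(f"{fqdn}: no answer (record missing or not propagated yet)")
            continue
        if expected.lower() not in {rr.value for rr in answers}:
            chain = " -> ".join(rr.value for rr in answers)
            problems.append(f"{fqdn}: resolves to {chain}, expected {expected}")
        for rr in answers:
            if rr.ttl > SETUP_TTL_MAX:
                problems.append(f"{rr.name}: TTL {rr.ttl}s is above {SETUP_TTL_MAX}s; lower it while testing")
    return problems


if __name__ == "__main__":
    import sys
    host, target = sys.argv[1], sys.argv[2]  # e.g. tunnels.company.com 203.0.113.42
    issues = validate_wildcard_hostname(host) + check_wildcard(host, target)
    print("\n".join(issues) if issues else f"*.{host} looks good")
```

Run it as `python check_wildcard.py tunnels.company.com 203.0.113.42` for an A record, or pass the ALB or Container App FQDN as the second argument for a CNAME setup. An empty answer for a fresh random label means the wildcard is missing or has not propagated yet; a single configured name resolving does not prove the wildcard works, which is why the probe labels are random.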