How to control destination of incorrect/non-existant subdomains?

OS type and version: Ubuntu 20.04
Webmin version: 1.984
Virtualmin version: 6.17-3
Related products version: Apache version 2.4.41

I have a domain ( that has a variety of sites using subdomains. For example,,, etc. In DNS (at GoDaddy) we have these wildcarded, so for example will go to the correct IP address without having to propagate DNS changes.

Recently we have become aware of bots (probably) accessing their main site by using nonexistent subdomains consisting of “foreign” domains prepended to our wildcarded subdomains, for example These requests land on the main site, which is a CMS that caches generated pages, and a few links on those pages get cached pointing to Normal people browse the site, click those cached links, and end up logged out or trying to access the SSL domain that has no cert installed.

Why are these requests going to I would think they would end up at the “It Works” page.

How do I set up the server so that these requests actually go to the It Works page?


You have configured the DNS for your domain at GoDaddy to point all subdimains to an IP address. In Virtualmin, the default domain will be served when the IP address of the Virtualmin server is entered in a browser.

If you want a domain to be accessed only by its given domain name then don’t make that domain the default domain in Virtualmin. In your particular case, @robbrandt , if you create a domain, say, invalid.yoirdomain.tld and make it your default domain (via Virtualmin → Server Configuration → Website Options) then all bots that use fictitious subdomain names will see the autogenerated Virtualmin under construction page while those who enter valid domain names will see the web content for the corresponding domain name.

I think that should solve your problem with the bots.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.