by jiggawatts 474 days ago
That’s all absolutely true, but I have found that wildcard DNS zones with wildcard certificates tend to get zero unsolicited traffic as long as the client devices are not browsers.

I.e.: if the host is listening only to some specific host header but registered with a wildcard prefix, then drive-by attackers have no trivial way to guess the prefix.

I would never rely on this for security, but it does help cut down on the “spam” in the request logs so that I can focus on the real errors.

This works best for API endpoints not used by browsers or embedded into web pages.

It’s also my current preferred setup for Internet-facing non-production sites. Otherwise they get so much attack traffic that the real log entries might be less than 0.1% of the total.
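
Added example, not part of the comment above and not the commenter's code: a minimal WSGI middleware that serves only an exact Host header match and counts everything else separately, so requests sent to the bare IP or to guessed names never reach the application's log. The host name `k7q2x-api.example.com`, the `HostGate` class and the `status_for` helper are hypothetical, and TLS with the wildcard certificate is assumed to be terminated in front of this code.

```python
from wsgiref.util import setup_testing_defaults

# Hypothetical hard-to-guess name under a wildcard zone (*.example.com); constructed.
EXPECTED_HOST = "k7q2x-api.example.com"


def normalize_host(raw):
    """Lower-case a Host header value and strip the port and any trailing dot."""
    host = (raw or "").strip().lower()
    if host.startswith("["):            # IPv6 literal such as [::1]:8443
        return host.split("]")[0] + "]"
    host = host.rsplit(":", 1)[0] if ":" in host else host
    return host.rstrip(".")


class HostGate:
    """WSGI middleware: pass only requests whose Host matches exactly."""

    def __init__(self, app, expected_host):
        self.app = app
        self.expected = normalize_host(expected_host)
        self.rejected = 0               # counted here, kept out of the app's log

    def __call__(self, environ, start_response):
        if normalize_host(environ.get("HTTP_HOST")) != self.expected:
            self.rejected += 1
            start_response("404 Not Found", [("Content-Length", "0")])
            return [b""]
        return self.app(environ, start_response)


def api_app(environ, start_response):
    """Stand-in for the real API handler."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def status_for(gate, host):
    """Drive one constructed request through the gate; return the status line."""
    environ = {}
    setup_testing_defaults(environ)     # fills in a default HTTP_HOST of 127.0.0.1
    if host is None:
        environ.pop("HTTP_HOST", None)  # simulate a request with no Host header
    else:
        environ["HTTP_HOST"] = host
    seen = []
    list(gate(environ, lambda status, headers: seen.append(status)))
    return seen[0]
```

The gate only reduces log noise; the API behind it still needs its own authentication.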