diff --git a/api/envoy/data/dns/v3/dns_table.proto b/api/envoy/data/dns/v3/dns_table.proto
index 5f0275dea6b7..7c3d3964b27f 100644
--- a/api/envoy/data/dns/v3/dns_table.proto
+++ b/api/envoy/data/dns/v3/dns_table.proto
@@ -132,6 +132,11 @@ message DnsTable {
     // Wildcard records are supported on the first label only, e.g. `*.example.com` or `*.subdomain.example.com`.
     // Names such as `*example.com`, `subdomain.*.example.com`, `*subdomain.example.com`, etc
     // are not valid wildcard names and asterisk will be interpreted as a literal `*` character.
+    // Wildcard records match subdomains on any levels, e.g. `*.example.com` will match
+    // `foo.example.com`, `bar.foo.example.com`, `baz.bar.foo.example.com`, etc. In case there are multiple
+    // wildcard records, the longest wildcard match will be used, e.g. if there are wildcard records for
+    // `*.example.com` and `*.foo.example.com` and the query is for `bar.foo.example.com`, the latter will be used.
+    // Specific records will always take precedence over wildcard records.
     string name = 1 [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME}];
 
     // The configuration containing the method to determine the address of this endpoint