diff --git a/management/server/nameserver.go b/management/server/nameserver.go
index 0a55d80f7..a9b7e3cf7 100644
--- a/management/server/nameserver.go
+++ b/management/server/nameserver.go
@@ -2,6 +2,7 @@ package server
 import (
 "context"
+ "strings"
 "unicode/utf8"
 "github.com/rs/xid"
@@ -262,7 +263,10 @@ func validateDomainInput(primary bool, domains []string, searchDomainsEnabled bo
 }
 for _, domain := range domains {
- if nbDomain.IsValidDomain(domain) {
+ if strings.HasPrefix(domain, "*") {
+ return status.Errorf(status.InvalidArgument, "wildcard prefix is not allowed: %s", domain)
+ }
+ if !nbDomain.IsValidDomain(domain) {
 return status.Errorf(status.InvalidArgument, "nameserver group got an invalid domain: %s", domain)
 }
 }
diff --git a/management/server/nameserver_test.go b/management/server/nameserver_test.go
index 959e7856a..ad46443e0 100644
--- a/management/server/nameserver_test.go
+++ b/management/server/nameserver_test.go
@@ -910,12 +910,12 @@ func TestValidateDomain(t *testing.T) {
 errFunc: require.NoError,
 },
 {
- name: "Valid domain name with trailing dot",
+ name: "Invalid domain name with trailing dot",
 domain: "example.",
- errFunc: require.NoError,
+ errFunc: require.Error,
 },
 {
- name: "Invalid wildcard domain name",
+ name: "Valid wildcard domain name",
 domain: "*.example",
 errFunc: require.Error,
 },
@@ -932,7 +932,7 @@ func TestValidateDomain(t *testing.T) {
 {
 name: "Invalid domain name with double hyphen",
 domain: "test--example.com",
- errFunc: require.Error,
+ errFunc: require.NoError, // Note: Double hyphen is not valid but due to punicode hard to filter out
 },
 {
 name: "Invalid domain name with a label exceeding 63 characters",
@@ -968,7 +968,7 @@ func TestValidateDomain(t *testing.T) {
 for _, testCase := range testCases {
 t.Run(testCase.name, func(t *testing.T) {
- testCase.errFunc(t, validateDomain(testCase.domain))
+ testCase.errFunc(t, validateDomainInput(false, []string{testCase.domain}, false))
 })
 }
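Review bot: The wildcard rejection added to validateDomainInput in nameserver.go inspects the raw input string, while IsValidDomain (validate.go in this commit) matches the regex against the punycode-converted form, and that regex still accepts a leading `*.`. Whether the conversion can normalise some other leading character into `*` is not visible in this diff; if it can, the prefix test would be skipped, so it is worth confirming or applying the check to the converted form. A comment above the check would record the intent, e.g. `// match domains must not be wildcards; IsValidDomain alone accepts "*.example"`. Both error messages embed the caller-supplied domain with `%s`; `%q` would make whitespace and control characters visible in logs and API responses. The function starts and ends outside the hunk.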
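Review bot: In nameserver_test.go (hunk at -910) the case renamed to "Valid wildcard domain name" still expects `require.Error`, so the name now says the opposite of what the test asserts. The same mismatch appears in the hunk at -932, where "Invalid domain name with double hyphen" now expects `require.NoError`. Names that state the outcome would keep the table readable, e.g. `name: "Wildcard domain name is rejected",` and `name: "Domain name with double hyphen is accepted",`. The trailing comment should read "punycode" rather than "punicode". The test table starts outside both hunks.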
diff --git a/shared/management/domain/validate.go b/shared/management/domain/validate.go
index 6744c704b..6a52e636f 100644
--- a/shared/management/domain/validate.go
+++ b/shared/management/domain/validate.go
@@ -8,7 +8,7 @@ import (
 const maxDomains = 32
-var domainRegex = regexp.MustCompile(`^(?:\*\.)?(?:(?:xn--)?[a-zA-Z0-9_](?:[a-zA-Z0-9-_]{0,61}[a-zA-Z0-9])?\.)*(?:xn--)?[a-zA-Z0-9](?:[a-zA-Z0-9-_]{0,61}[a-zA-Z0-9])?$`)
+var domainRegex = regexp.MustCompile(`^(?:\*\.)?(?:(?:xn--)?[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)(?:\.(?:xn--)?[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$`)
 // ValidateDomains checks if each domain in the list is valid and returns a punycode-encoded DomainList.
 func ValidateDomains(domains []string) (List, error) {
@@ -57,7 +57,7 @@ func IsValidDomain(domain string) bool {
 return false
 }
- return !domainRegex.MatchString(string(punycode))
+ return domainRegex.MatchString(string(punycode))
 }
 // ToValidDomain converts a domain to a valid domain format.
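Review bot: The optional `(?:xn--)?` in front of each label in the new domainRegex lets a label reach 67 characters (4 + 1 + 61 + 1), above the 63-octet DNS label limit. The group is also redundant, because `xn--…` already matches the plain label pattern. Dropping it keeps every label at 1–63 characters: `^(?:\*\.)?[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$`. Whether label or total length is enforced elsewhere in IsValidDomain is outside this hunk. The pattern also stops accepting underscores and trailing dots, which a short comment above the variable should state, since names such as `_tcp.example.com` are now rejected.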
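Review bot: The `return domainRegex.MatchString(string(punycode))` change flips the result of the exported IsValidDomain, and only the nameserver.go call site is adjusted in this commit. Any other caller that compensated for the old inverted result, as validateDomainInput did, would now accept invalid names and reject valid ones; those callers are not visible in this diff and should be checked. A direct table test on IsValidDomain would pin the polarity independently of validateDomainInput. The function body starts outside the hunk.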