I want to find out all the subdomains of a given domain. I found a hint which tells me to dig the authoritative Nameserver with the following option: dig @ns1.foo.bar some_domain.com axfr
But this never works. Has anyone a better idea/approach
I want to find out all the subdomains of a given domain. I found a hint which tells me to dig the authoritative Nameserver with the following option: dig @ns1.foo.bar some_domain.com axfr
But this never works. Has anyone a better idea/approach
If the DNS server is configured properly, you won't be able to get the entire domain. If for some reason is allows zone transfers from any host, you'll have to send it the correct packet to make that request. I suspect that's what the dig statement you included does.
In windows nslookup the command is
ls -d somedomain.com > outfile.txt
which stores the subdomain list in outfile.txt
few domains these days allow this
The hint (using axfr) only works if the NS you're querying (ns1.foo.bar in your example) is configured to allow AXFR requests from the IP you're using; this is unlikely, unless your IP is configured as a secondary for the domain in question.
Basically, there's no easy way to do it if you're not allowed to use axfr. This is intentional, so the only way around it would be via brute force (i.e. dig a.some_domain.com, dig b.some_domain.com, ...), which I can't recommend, as it could be viewed as a denial of service attack.
You can only do this if you are connecting to a DNS server for the domain -and- XFER is enabled for your IP address. This is the mechanism that secondary systems use to load a zone from the primary. In the old days, this was not restricted, but due to security concerns, most primary name servers have a whitelist of: secondary name servers + a couple special systems.
If the nameserver you are using allows this then you can use dig or nslookup.
For example:
#nslookup
>ls domain.com
NOTE: because nslookup is being deprecated for dig and other newere tools, some versions of nslookup do not support "ls", most notably Mac OS X's bundled version.
Use Network tools from CyD Software Labs. You can read about their DNS module here: cydsoft.com/products.php?helpid=126&product=13
robotex tools which are free will let you do this but they make you enter the ip of the domain first:
If you can't get this information from DNS (e.g. you aren't authorized) then one alternative is to use Wolfram Alpha.
You will be able to see a list of sub-domains there. Although I suspect it does not show ALL sub-domains.
You can also use that website : http://www.wholinks.org/report.php (very fast)
You can use this site to find subdomains Find subdomains
This tool will try a zone transfer and also query search engines for list of subdomains.
i have tested wolfram with alibaba.com : 30 subdomains displayed ... with wholinks.org : 1.434 subdomains and with magicnet : unable to answer ...
On tripod.com : wolfram : 10 - wholinks : 15,108 - magicnet : unable to answer ...
... !