views: 12186
answers: 11

I want to find out all the subdomains of a given domain. I found a hint which tells me to dig the authoritative Nameserver with the following option: dig @ns1.foo.bar some_domain.com axfr

But this never works. Has anyone a better idea/approach?

+1  A: 

If the DNS server is configured properly, you won't be able to get the entire domain. If for some reason it allows zone transfers from any host, you'll have to send it the correct packet to make that request. I suspect that's what the dig statement you included does.

Steve Moyer
A: 

In windows nslookup the command is

ls -d somedomain.com > outfile.txt

which stores the subdomain list in outfile.txt

Few domains these days allow this.

Midhat
+11  A: 

The hint (using axfr) only works if the NS you're querying (ns1.foo.bar in your example) is configured to allow AXFR requests from the IP you're using; this is unlikely, unless your IP is configured as a secondary for the domain in question.

Basically, there's no easy way to do it if you're not allowed to use axfr. This is intentional, so the only way around it would be via brute force (i.e. dig a.some_domain.com, dig b.some_domain.com, ...), which I can't recommend, as it could be viewed as a denial of service attack.

TimB
You mean a.somedomain.com, b.somedomain.com, of course? @ in domain names are surprising.
bortzmeyer
Yes, bortzmeyer, you're absolutely correct, I meant a.some_domain.com, etc. I can't believe I wrote it with "@", and that it took nearly 5 months before someone picked it up!
TimB
A: 

You can only do this if you are connecting to a DNS server for the domain -and- XFER is enabled for your IP address. This is the mechanism that secondary systems use to load a zone from the primary. In the old days, this was not restricted, but due to security concerns, most primary name servers have a whitelist of: secondary name servers + a couple of special systems.

If the nameserver you are using allows this then you can use dig or nslookup.

For example:

#nslookup

>ls domain.com

NOTE: because nslookup is being deprecated in favour of dig and other newer tools, some versions of nslookup do not support "ls", most notably Mac OS X's bundled version.

benc
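TimB's and benc's answers both come down to the same check: a transfer only succeeds when the authoritative server's transfer ACL includes the querying address. The script below is an added example (not code from the original thread or any of its posters) for auditing a zone you operate: it asks each authoritative NS for an AXFR, classifies dig's reply as open, refused, unreachable or unknown, and, for an open transfer, extracts the owner names that would be disclosed. It assumes BIND's `dig` is installed; the zone `example.test`, the nameserver `ns1.example.test` and the two captured-looking outputs are constructed samples, not real records.

```shell
#!/bin/sh
# Added example (not from the original Q&A): audit your own zone for open AXFR.
# Assumes BIND `dig` is installed and that you operate the zone being checked.

# Classify a captured `dig @ns zone axfr` output.
# dig prints ";; XFR size: N records ..." after a successful transfer and
# "; Transfer failed." when the server answers REFUSED.
classify_axfr() {
    case "$1" in
        *"XFR size:"*)                                           echo "open" ;;
        *"Transfer failed."*)                                    echo "refused" ;;
        *"no servers could be reached"*|*"connection refused"*)  echo "unreachable" ;;
        *)                                                       echo "unknown" ;;
    esac
}

# Print the unique owner names in a transferred zone (the subdomains an
# open transfer discloses). Comment lines start with ';' and are skipped;
# record lines have at least name, TTL, class and type.
names_from_axfr() {
    printf '%s\n' "$1" | awk '$0 !~ /^;/ && NF >= 4 { print $1 }' | sort -u
}

# Query every authoritative NS of ZONE and report one line per server.
# Network-dependent; only runs when a zone is given on the command line.
audit_zone_axfr() {
    zone="$1"
    for ns in $(dig +short NS "$zone"); do
        result=$(dig "@$ns" "$zone" axfr 2>&1)
        printf '%s %s\n' "$ns" "$(classify_axfr "$result")"
    done
}

# Constructed sample outputs (not captured from any real server).
SAMPLE_OPEN='; <<>> DiG 9.18.1 <<>> @ns1.example.test example.test axfr
example.test.     3600 IN SOA ns1.example.test. hostmaster.example.test. 1 3600 600 86400 300
www.example.test. 3600 IN A   192.0.2.10
example.test.     3600 IN SOA ns1.example.test. hostmaster.example.test. 1 3600 600 86400 300
;; XFR size: 3 records (messages 1, bytes 150)'

SAMPLE_REFUSED='; <<>> DiG 9.18.1 <<>> @ns1.example.test example.test axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.'

# Usage: sh axfr_audit.sh yourzone.example
if [ -n "$1" ]; then
    audit_zone_axfr "$1"
fi
```

Any server the audit reports as "open" hands the whole zone to anyone who asks, which is exactly the leak this thread is about. On BIND the fix is an `allow-transfer { ... };` statement in named.conf (globally or per zone) listing only the secondaries' addresses, after which the same audit should report "refused" from every server.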
A: 

Use Network tools from CyD Software Labs. You can read about their DNS module here: cydsoft.com/products.php?helpid=126&product=13

Michael
+1  A: 
  1. dig somedomain.com soa
  2. dig @ns.SOA.com somedomain.com axfr
Miroslav Mirkov
Any suggestion if transfer fails on that?
Chris
A: 

Robtex tools, which are free, will let you do this, but they make you enter the IP of the domain first:

  1. find out the IP (there's a good Firefox plugin which does this, but I can't post the link because this is my first post here!)
  2. do an IP search on Robtex: http://www.robtex.com/ip/
  3. in the results page that follows, click on the domain you're interested in
  4. you are taken to a page that lists all subdomains + a load of other information such as mail server info
A: 

If you can't get this information from DNS (e.g. you aren't authorized) then one alternative is to use Wolfram Alpha.

  1. Enter the domain into the search box and run the search. E.g. icims.com
  2. In the 3rd section from the top (named "Web statistics for all of icims.com") click "Subdomains"
  3. In the Subdomains section click "More"

You will be able to see a list of sub-domains there. Although I suspect it does not show ALL sub-domains.

Paul Melici
+1  A: 

You can also use that website : http://www.wholinks.org/report.php (very fast)

pedro
A: 

You can use this site to find subdomains: Find subdomains

This tool will try a zone transfer and also query search engines for list of subdomains.

AleX
A: 

I have tested Wolfram with alibaba.com: 30 subdomains displayed ... with wholinks.org: 1.434 subdomains, and with magicnet: unable to answer ...

On tripod.com: Wolfram: 10 - wholinks: 15,108 - magicnet: unable to answer ...

... !

Pedro