views: 4873
answers: 5

Anyone knows if it's possible to find all A records, CNAME or subzone records configured for a domain name?

For example, domain.com:

www IN CNAME domain.com.
subdomain1 IN CNAME domain.com.
subdomain2 IN CNAME domain.com. 

subdomain1 IN A 123.4.56.78.
subdomain2 IN A 123.4.56.79.

I want to keep a sub-domain private where I'll run an admin application (it will be password protected and on a special port, but I would prefer to keep it as private as possible).

+1  A: 

It used to be possible with:

host -a domain.com
csl
No, it was 'host -a -l domain.com'
Alnitak
+3  A: 

Using zone transfer, i.e.: (in nslookup)

ls -d google.com

If you have your own DNS server, there will be zone transfer security settings (usually by IP). Otherwise, just try it and see if it works.

Mark
I tried to use nslookup to get the records but it seems that my DNS server is doing its job correctly: *** Can't list domain domain.com: Query refused The DNS server refused to transfer the zone domain.com to your computer. ....
smartins
+2  A: 

Like others have said, what you want is a so-called zone transfer. If it is your own domain you can configure the DNS server to give it to you. If it is for some other domain you probably won't get it, since most DNS admins consider it a security threat.

Even if an individual record isn't a problem (that's what the DNS is there for), it could be a problem if an evil person gets a list of all your records: it could simplify an attack.

some
+1  A: 

Preventing zone-transfers is a function of the server administration, and as others have said is typically disabled these days for security reasons.

When the time comes to add DNSSEC, make sure you use the new NSEC3 format records (from RFC 5155) rather than the original NSEC format as the latter allows for zone enumeration.

Note that preventing zone enumeration really is just security-via-obscurity. If someone finds your subdomain you'll still need additional security at the application layer.

As for your example records:

www IN CNAME domain.com.
subdomain1 IN CNAME domain.com.
subdomain2 IN CNAME domain.com. 
subdomain1 IN A 123.4.56.78.
subdomain2 IN A 123.4.56.79.
  1. You can't mix CNAME records and other RRtypes in the same entity
  2. The trailing dots in the A records are invalid
  3. It's best not to use a CNAME back to the domain for the WWW record

You need:

$ORIGIN domain.com
@      IN SOA ...
       IN A   123.4.56.78
www    IN A   123.4.56.78
sub1   IN A   123.4.56.79

(where sub1.domain.com is the hidden site)

Alnitak
The example I indicated was taken from an article just to illustrate what I wanted to ask. I actually use DNS Server from Windows 2003 Server. Also, thanks for the pointer on DNSSEC.
smartins
+1  A: 

If name servers allow zone transfers you can use this page http://www.magic-net.nl/dns-lookup.php to find all subdomains in given zone.

15 Oct. I have modified my tool. Now it checks the first 6 name servers for zone transfers and, if none allow zone transfers, uses search engines, reverse lookup and subdomain search.

Nik