2011-11-19

Find all subdomains of a given domain with dig

To find out which subdomains a domain has, we can use the standard DNS lookup utility, dig.
First we need to know which nameserver is responsible for the given domain. Then we send an AXFR (zone transfer) query ( http://en.wikipedia.org/wiki/DNS_zone_transfer ) to that nameserver.

# let's dig the server
dig example.com
 
# from the DNS answer we are interested in the authority section
#;; AUTHORITY SECTION:
#example.com.  79275 IN NS a.iana-servers.net.
#example.com.  79275 IN NS b.iana-servers.net.
 
# now we find out all subdomains
dig @a.iana-servers.net example.com axfr
 
# in this example we get "Transfer failed." but some NS could return something like
#dev.example.com. 1800 IN A 1.2.3.4
#dev2.example.com. 1800 IN A 5.6.7.8

Note that some DNS servers don't answer AXFR queries and return "; Transfer failed".
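An added example, not part of the original post: a nameserver that answers AXFR hands out every record in the zone, so the same two dig queries can be used to audit a zone you operate and flag any nameserver that still allows the transfer. The function names and the SOA lines in the sample output are constructed for illustration; the parsers are exercised on embedded sample text, and audit_zone does the live check.

```sh
#!/bin/sh
# Added example: check which nameservers of your own zone still allow AXFR.

# Read dig output on stdin, print the NS hostnames (answer or authority section).
ns_from_dig() {
    awk '$3 == "IN" && $4 == "NS" { sub(/\.$/, "", $5); print $5 }' | sort -u
}

# Read the output of "dig @ns zone axfr" on stdin.
# Prints "open" if any record was transferred, otherwise "closed".
axfr_status() {
    awk '
        /^;/ || NF == 0 { next }   # comments, e.g. "; Transfer failed."
        $3 == "IN"      { n++ }    # a transferred resource record
        END { if (n > 0) print "open"; else print "closed" }
    '
}

# Live check: audit_zone yourzone.example
# Prints one "nameserver<TAB>status" line per authoritative nameserver.
audit_zone() {
    zone=$1
    for ns in $(dig +noall +answer +authority "$zone" NS | ns_from_dig); do
        status=$(dig +time=5 +tries=1 "@$ns" "$zone" axfr | axfr_status)
        printf '%s\t%s\n' "$ns" "$status"
    done
}

# Constructed sample output (NS and A lines follow the post, SOA lines are made up).
SAMPLE_NS='example.com.  79275 IN NS a.iana-servers.net.
example.com.  79275 IN NS b.iana-servers.net.'
SAMPLE_FAIL='; <<>> DiG <<>> @a.iana-servers.net example.com axfr
; Transfer failed.'
SAMPLE_OPEN='example.com. 1800 IN SOA ns.example.com. admin.example.com. 1 7200 3600 1209600 1800
dev.example.com. 1800 IN A 1.2.3.4
dev2.example.com. 1800 IN A 5.6.7.8
example.com. 1800 IN SOA ns.example.com. admin.example.com. 1 7200 3600 1209600 1800'

# Offline demonstration on the constructed samples.
printf 'nameservers: %s\n' "$(printf '%s\n' "$SAMPLE_NS" | ns_from_dig | tr '\n' ' ')"
printf 'failed transfer  -> %s\n' "$(printf '%s\n' "$SAMPLE_FAIL" | axfr_status)"
printf 'allowed transfer -> %s\n' "$(printf '%s\n' "$SAMPLE_OPEN" | axfr_status)"
```

Any nameserver reported as "open" should have zone transfers restricted to the secondaries that need them.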
