Find all subdomains of a given subdomain with dig

To find out what subdomains some domain has we can use standard DNS lookup utility - dig.
First we need to know what nameserver takes care for given domain. Then we send AXFR query ( http://en.wikipedia.org/wiki/DNS_zone_transfer ) to that nameserver.

# let's dig the server
dig example.com
# from the DNS answer we are interested in the authority section
#example.com.  79275 IN NS a.iana-servers.net.
#example.com.  79275 IN NS b.iana-servers.net.
# now we find out all subdomains
dig @a.iana-servers.net example.com axfr
# in this example we get "Transfer failed." but some NS could return something like
#dev.example.com. 1800 IN A
#dev2.example.com. 1800 IN A

Note that some DNS servers don't answer to AXFR queris and return "; Transfer failed".

No comments:

Post a Comment