 

How can I list ALL DNS records?

Tags: dns

Is there any way I can list ALL DNS records for a domain?

I know about such things as dig and nslookup but they only go so far. For example, if I've got a subdomain A record as

test A somedomain.co.uk 

then unless I specifically ask for it, eg.

dig any test.somedomain.co.uk 

I can't see it.

Is there any way (other than looking at the records by going to the DNS manager) to see exactly what all the DNS records are?

Ken asked Oct 11 '13 16:10





2 Answers

When you query for ANY you will get a list of all records at that level but not below.

# try this
dig google.com any

This may return A records, TXT records, NS records, MX records, etc if the domain name is exactly "google.com". However, it will not return child records (e.g., www.google.com). More precisely, you MAY get these records if they exist. The name server does not have to return these records if it chooses not to do so (for example, to reduce the size of the response).

An AXFR is a zone transfer and is likely what you want. However, these are typically restricted and not available unless you control the zone. You'll usually conduct a zone transfer directly from the authoritative server (the @ns1.google.com below) and often from a name server that may not be published (a stealth name server).

# This will return "Transfer failed"
dig @ns1.google.com google.com axfr

If you have control of the zone, you can set it up to get transfers that are protected with a TSIG key. This is a shared secret that the client can send to the server to authorize the transfer.

denis phillips answered Sep 21 '22 19:09

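An added example, not part of either answer on this page: for a zone you operate, it checks whether each published name server answers AXFR without a TSIG key, and optionally whether a signed request succeeds. The function names `classify_axfr` and `audit_zone`, the `example.test` names, and the sample dig output are constructed for illustration; `-k` is dig's option for reading a TSIG key file.

```shell
#!/bin/sh
# Added example: report which name servers of your own zone allow AXFR.

# Classify dig's AXFR output read from stdin.
# dig prefixes status text such as "; Transfer failed." with ';', so any
# remaining non-blank line is a transferred resource record.
# "closed" covers both a refused transfer and an unreachable server.
classify_axfr() {
  awk '
    /^;/ || /^[ \t]*$/ { next }
    { n++ }
    END { if (n > 0) print "open", n; else print "closed" }
  '
}

# audit_zone ZONE [TSIG_KEYFILE]
# Prints one line per published NS: result without a key, result with the key.
audit_zone() (
  zone=$1; keyfile=${2:-}
  for ns in $(dig +short NS "$zone"); do
    anon=$(dig +time=5 +tries=1 "@$ns" "$zone" AXFR | classify_axfr)
    signed=""
    if [ -n "$keyfile" ]; then
      signed=$(dig -k "$keyfile" +time=5 +tries=1 "@$ns" "$zone" AXFR | classify_axfr)
    fi
    printf '%s\tanonymous=%s\ttsig=%s\n' "$ns" "$anon" "${signed:-not-tested}"
  done
)

# Constructed dig output: a refused transfer, and a server that allows it.
SAMPLE_REFUSED='
; <<>> DiG 9.18.1 <<>> @ns1.example.test example.test axfr
;; global options: +cmd
; Transfer failed.'

SAMPLE_OPEN='example.test.      3600 IN SOA ns1.example.test. admin.example.test. 1 7200 900 1209600 300
example.test.      3600 IN NS  ns1.example.test.
test.example.test. 3600 IN A   192.0.2.10
example.test.      3600 IN SOA ns1.example.test. admin.example.test. 1 7200 900 1209600 300'

# Run the live audit only when a zone is given on the command line.
if [ "$#" -gt 0 ]; then
  audit_zone "$@"
fi
```

On a correctly restricted zone every server should report `anonymous=closed`, and `tsig=open <n>` only where the key is authorized.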


I've improved Josh's answer. I've noticed that dig only shows entries already present in the queried nameserver's cache, so it's better to pull an authoritative nameserver from the SOA (rather than rely on the default nameserver). I've also disabled the filtering of wildcard IPs because I'm usually more interested in the correctness of the setup.

The new script takes a -x argument for expanded output and a -s NS argument to choose a specific nameserver: dig -x example.com

#!/bin/bash
set -e; set -u
COMMON_SUBDOMAINS="www mail mx a.mx smtp pop imap blog en ftp ssh login"
EXTENDED=""

# Parse options: -x for expanded output, -s NS to query a specific nameserver
while :; do case "$1" in
  --) shift; break ;;
  -x) EXTENDED=y; shift ;;
  -s) NS="$2"; shift 2 ;;
  *) break ;;
esac; done
DOM="$1"; shift
TYPE="${1:-any}"

# If no nameserver was given, use the primary nameserver from the SOA record
test "${NS:-}" || NS=$(dig +short  SOA "$DOM" | awk '{print $1}')
test "$NS" && NS="@$NS"

if test "$EXTENDED"; then
  # Records at the domain itself
  dig +nocmd $NS "$DOM" +noall +answer "$TYPE"
  wild_ips=$(dig +short "$NS" "*.$DOM" "$TYPE" | tr '\n' '|')
  wild_ips="${wild_ips%|}"
  # Records for each common subdomain (wildcard filtering is disabled)
  for sub in $COMMON_SUBDOMAINS; do
    dig +nocmd $NS "$sub.$DOM" +noall +answer "$TYPE"
  done | cat  #grep -vE "${wild_ips}"
  # Records for the wildcard name
  dig +nocmd $NS "*.$DOM" +noall +answer "$TYPE"
else
  dig +nocmd $NS "$DOM" +noall +answer "$TYPE"
fi

dan3 answered Sep 22 '22 19:09
