To perform manual brute force enumeration, you can simply try to connect to each subdomain in turn using a web browser or other tool. For example, if you know the main website for a domain is www.example.com, you can try connecting to subdomains such as test.example.com, dev.example.com, staging.example.com, and so on.
The hint (using axfr) only works if the NS you're querying (ns1.foo.bar in your example) is configured to allow AXFR requests from the IP you're using; this is unlikely, unless your IP is configured as a secondary for the domain in question.
Basically, there's no easy way to do it if you're not allowed to use axfr. This is intentional, so the only way around it would be via brute force (i.e. dig a.some_domain.com, dig b.some_domain.com, ...), which I can't recommend, as it could be viewed as a denial of service attack.
If you can't get this information from DNS (e.g. you aren't authorized) then one alternative is to use Wolfram Alpha.
stackexchange.com) You will be able to see a list of sub-domains there, although I suspect it does not show ALL sub-domains.
You can use:
$ host -l domain.com
Under the hood, this uses the AXFR query mentioned above. You might not be allowed to do this though. In that case, you'll get a transfer failed message.
dig somedomain.com soa
dig @ns.SOA.com somedomain.com axfr
robotex tools, which are free, will let you do this, but they make you enter the IP of the domain first:
You can only do this if you are connecting to a DNS server for the domain -and- AXFR is enabled for your IP address. This is the mechanism that secondary systems use to load a zone from the primary. In the old days, this was not restricted, but due to security concerns, most primary name servers have a whitelist of: secondary name servers + a couple special systems.
If the nameserver you are using allows this then you can use dig or nslookup.
For example:
#nslookup
>ls domain.com
NOTE: because nslookup is being deprecated in favor of dig and other newer tools, some versions of nslookup do not support "ls", most notably Mac OS X's bundled version.