How do I get a list of all subdomains of a domain? [closed]
E

8

284

I want to find out all the subdomains of a given domain. I found a hint which tells me to dig the authoritative nameserver with the following option:

dig @ns1.foo.example example.com axfr

But this never works. Has anyone a better idea/approach?

Esbenshade answered 25/9, 2008 at 7:43 Comment(9)
Also see here for an updated list of tools: security.stackexchange.com/q/35078/18541Potomac
site:*.meteor.com/ -site:www.meteor.comGraham
I wish there were a stack exchange just to learn from each other the best ways to get information out of the Internet. Thanks @DipeshKcTiernan
pentest-tools.com/reconnaissance/find-subdomains-of-domainEvolve
http://archive.is/*.example.com might help you out.Hipbone
crt.sh/?q=%25.domain.com for ssl-protected subdomains.Wintery
Some of the answers here point to major search engines, but you could also use commoncrawl.org WARC files. Some of their tutorials explain how the search engines look at an entire internet full of addresses and find things, from which you might be able to back out an approach (and therefore modify / script it, versus just “rely on google”). HTH.Dripstone
If you are a PDNS administrator, you can enable AXFR requests, or use pdnsutil list-zone example.com. Of course this will work only if you host these domains.Karilla
There's a tool for that. It will only list the first 10 or so domains for free. Premium after that. subdomains.whoisxmlapi.comAude
S
165

The hint (using axfr) only works if the NS you're querying (ns1.foo.example in your example) is configured to allow AXFR requests from the IP you're using; this is unlikely, unless your IP is configured as a secondary for the domain in question.

Basically, there's no easy way to do it if you're not allowed to use axfr. This is intentional, so the only way around it would be via brute force (i.e. dig a.example.com, dig b.example.com, ...), which I can't recommend, as it could be viewed as a denial of service attack.

Stupefacient answered 25/9, 2008 at 7:51 Comment(8)
Correct command should be: dig @123.456.789.123 DOMAIN.COM -t axfrAccrue
Netcraft solution: searchdns.netcraft.com/…Welcher
I tried every answer on this page and nothing worked. The question is protected so I can't add another answer, but the tool on this site was the only thing that worked for me: pentest-tools.com/reconnaissance/find-subdomains-of-domainDetonate
@Detonate - That tells me I have 4 subdomains, when I know there are over 100Hyden
How can we check if a domain supports AXFR requests?Piraeus
@steven-m-vascellaro Per the answer from @victor-klos below, using host -l mydomain.com will fail with Transfer failed if AXFR is not supported. On Windows (using nslookup -query=AXFR mydomain.com), you'll get hit with Format error or something similar.Lanceolate
@Anorov underscores are allowed in domain names but not in hostnames. see the relevant RFCsGinzburg
Also crt.sh could give you some subdomainsYulan
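Added example, not written by any poster in this thread: one way for a zone operator to answer the "does this server allow AXFR?" question for their own name servers. It relies on the fact that a complete transfer begins and ends with the same SOA record (RFC 5936); the function names, status labels and sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Audit helper for a zone you operate: which of its name servers answer AXFR?

# classify_axfr: read `dig @ns zone axfr` output on stdin and print
#   open    - complete transfer (first and last record are the same SOA)
#   partial - records came back but the closing SOA is missing
#   closed  - no records at all (refused, or server unreachable)
classify_axfr() {
  awk '
    /^;/ || NF < 5 || $3 != "IN" { next }      # skip dig comments and blanks
    {
      n++
      serial = ($4 == "SOA") ? $7 : ""          # serial is the 3rd SOA rdata field
      if (n == 1) first = serial
      last = serial
    }
    END {
      if (n == 0)                                     print "closed"
      else if (n > 1 && first != "" && last == first) print "open"
      else                                            print "partial"
    }'
}

# audit_zone ZONE: try a transfer against every NS of ZONE (needs network).
audit_zone() {
  zone=$1
  for ns in $(dig +short NS "$zone"); do
    status=$(dig +time=5 +tries=1 "@$ns" "$zone" axfr | classify_axfr)
    printf '%s\t%s\n' "$ns" "$status"
  done
}

# Constructed sample dig outputs (documentation names and addresses only).
SOA='example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600'
SAMPLE_OPEN="$SOA
example.com. 3600 IN NS ns1.example.com.
www.example.com. 3600 IN A 192.0.2.10
$SOA"
SAMPLE_PARTIAL="$SOA
www.example.com. 3600 IN A 192.0.2.10"
SAMPLE_REFUSED='; <<>> DiG 9.18.0 <<>> @ns1.example.com example.com axfr
;; global options: +cmd
; Transfer failed.'

# Run as: sh audit.sh example.com
if [ -n "${1:-}" ]; then audit_zone "$1"; fi
```

Any server reported as `open` from an address that is not one of the zone's secondaries is handing the full zone to arbitrary clients and should have its transfer ACL tightened.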
H
126

If you can't get this information from DNS (e.g. you aren't authorized) then one alternative is to use Wolfram Alpha.

  1. Enter the domain into the search box and run the search. (E.g. stackexchange.com):

    Wolfram - Homepage

  2. In the 3rd section from the top (named "Web statistics for all of stackexchange.com") click Subdomains:

    Wolfram - Subdomains button

  3. In the Subdomains section, click More:

    Wolfram - More subdomains button

You will be able to see a list of subdomains there. However, I suspect it does not show all subdomains.

Hebron answered 19/5, 2010 at 13:36 Comment(13)
It appears this doesn't work anymore, at least not as described.Apple
This worked for me today, listed 6 subdomains of the domain I was interested in.Anis
it appears only certain domains (like google.com) will offer a [subdomain] option.Braden
Their subdomain information seems to be taken from Alexa.com, e.g. alexa.com/siteinfo/stackoverflow.comEmpedocles
or you could use this website: pentest-tools.com/reconnaissance/find-subdomains-of-domain#Opalopalesce
Guys can also check out similarweb.com it gives a list of subdomains of a specific website whose stats you are looking forPinette
It doesn't find subdomains I know are there for one example I tried.Payroll
Just use google "site:" search and add known domains as negative matches until it stops finding new domains. E.g., After applying this strategy a few times for domain realtimerendering.com, my google search looks like this: site:realtimerendering.com -"www.realtimerendering.com" -"kesen.realtimerendering.com" -"erich.realtimerendering.com" -"advances.realtimerendering.com"Payroll
@Payroll you should make this an answer. worked for mePatinous
As of today, it worked for me as wellDirection
Thanks. Worked for me today. :)Astrahan
I had the same requirement but no joy with the above. For me, this did the trick (not guaranteed to be comprehensive; but good enough): dnsdumpster.com.Strick
This would only work if web servers running on those subdomains were somehow exposed through search engines.Poach
F
51

You can use:

$ host -l example.com

Under the hood, this uses the AXFR query mentioned above. You might not be allowed to do this though. In that case, you'll get a transfer failed message.

Fatso answered 18/2, 2011 at 17:27 Comment(1)
For Windows users, you can try nslookup domain.com. (host is not available on Windows)Piraeus
E
31
  1. dig example.com soa
  2. dig @ns.SOA.example example.com axfr
Experiment answered 25/2, 2010 at 21:34 Comment(2)
Any suggestion if transfer fails on that?Delight
Which of course does not work if axfr is disabled.Fenny
C
8

You can only do this if you are connecting to a DNS server for the domain -and- AXFR is enabled for your IP address. This is the mechanism that secondary systems use to load a zone from the primary. In the old days, this was not restricted, but due to security concerns, most primary name servers have a whitelist of: secondary name servers + a couple special systems.

If the nameserver you are using allows this then you can use dig or nslookup.

For example:

#nslookup

>ls example.com

NOTE: because nslookup is being deprecated for dig and other newer tools, some versions of nslookup do not support "ls", most notably macOS X's bundled version.

Cowpoke answered 25/9, 2008 at 7:44 Comment(0)
T
7

robtex tools which are free will let you do this but they make you enter the ip of the domain first:

  1. find out the ip (there's a good ff plugin which does this but I can't post the link cos this is my first post here!)
  2. do an ip search on robtex: http://www.robtex.com/ip/
  3. in the results page that follows click on the domain you're interested in
  4. you are taken to a page that lists all subdomains + a load of other information such as mail server info
Taffeta answered 14/4, 2010 at 11:29 Comment(0)
A
6

In Windows nslookup the command is

ls -d example.com > outfile.txt

which stores the subdomain list in outfile.txt

Few domains these days allow this.

Adey answered 25/9, 2008 at 7:50 Comment(2)
"ls" is a valid command from the nslookup prompt. From a CMD prompt, enter nslookup first, then you can enter ls -d ...... as suggestedAnti
I ran nslookup on Windows 10 PowerShell as Admin and then ls -d somedomain.com > outfile.txt and got "Unrecognized command".Gowen
A
5

If the DNS server is configured properly, you won't be able to get the entire domain. If for some reason it allows zone transfers from any host, you'll have to send it the correct packet to make that request. I suspect that's what the dig statement you included does.

Adest answered 25/9, 2008 at 7:46 Comment(0)