
I want to find out all the subdomains of a given domain. I found a hint which tells me to dig the authoritative Nameserver with the following option:

dig @ns1.foo.example example.com axfr

But this never works. Has anyone a better idea/approach?

cgicgi
    Also see here for an updated list of tools: http://security.stackexchange.com/q/35078/18541 – NULLZ May 07 '13 at 00:30
  • site:*.meteor.com/ -site:www.meteor.com – Dipesh KC Nov 22 '15 at 02:29
  • I wish there were a stack exchange just to learn from each other the best ways to get information out of the Internet. Thanks @DipeshKc – Jason D. May 30 '16 at 20:02
  • pentest-tools.com/reconnaissance/find-subdomains-of-domain – A-S Jun 10 '17 at 16:26
  • [http://archive.is/*.example.com](http://archive.is/*.example.com) might help you out. – phil294 Sep 02 '17 at 20:36
  • https://crt.sh/?q=%25.domain.com for ssl-protected subdomains. – simlev Jan 10 '18 at 14:26
  • Some of the answers here point to major search engines, but you could also use commoncrawl.org WARC files. Some of their [tutorials](http://commoncrawl.org/the-data/tutorials/) explain how the search engines look at an entire internet full of addresses and find things, from which you might be able to back out an approach (and therefore modify / script it, versus just “rely on google”). HTH. – isomorphismes Jul 30 '18 at 14:47
  • If you are PDNS administrator, you can enable AXFR requests, or `pdnsutil list-zone example.com`. Of course this will work only if you are host these domains. – Eugen Konkov Nov 05 '22 at 22:36

8 Answers

The hint (using axfr) only works if the NS you're querying (ns1.foo.example in your example) is configured to allow AXFR requests from the IP you're using; this is unlikely, unless your IP is configured as a secondary for the domain in question.

Basically, there's no easy way to do it if you're not allowed to use axfr. This is intentional, so the only way around it would be via brute force (i.e. dig a.example.com, dig b.example.com, ...), which I can't recommend, as it could be viewed as a denial of service attack.

TimB
  • Correct command should be: dig @123.456.789.123 DOMAIN.COM -t axfr – Superbiji Jan 08 '14 at 07:48
  • Netcraft solution: http://searchdns.netcraft.com/?restriction=site+contains&host=stackoverflow.com – warfish Jan 29 '14 at 12:02
  • I tried every answer on this page and nothing worked. The question is protected so I can't add another answer, but the tool on this site was the only thing that worked for me: https://pentest-tools.com/reconnaissance/find-subdomains-of-domain – ACK_stoverflow Apr 25 '14 at 21:57
  • @ACK_stoverflow - That tells me I have 4 subdomains, when I know there are over 100 – Tom Stickel Apr 25 '17 at 05:48
  • How can we check if a domain supports AXFR requests? – Stevoisiak Jun 21 '18 at 16:07
  • @steven-m-vascellaro Per the answer from @victor-klos below, using `host -l mydomain.com` will fail with `Transfer failed` if AXFR is not supported. On Windows (using `nslookup -query=AXFR mydomain.com`), you'll get hit with `Format error` or something similar. – jmcker Jan 17 '19 at 22:41
  • @Anorov underscores are allowed in domain names but not in hostnames. see the relevant RFCs – törzsmókus Feb 23 '21 at 12:27
  • Also https://crt.sh/ could give you some subdomains – LandoR Aug 09 '21 at 12:36
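The question in the comments above (how to check whether a domain allows AXFR) is really a zone-operator's audit: confirm none of your own nameservers hands the zone to arbitrary clients. The script below is an added example, not code from TimB's answer or any commenter; it assumes BIND's `dig` is installed and classifies dig's output for each NS of the zone you name.

```shell
#!/usr/bin/env bash
# Added example (not from any answer on this page): audit the nameservers of a
# zone you operate to confirm none of them hands out the zone over AXFR.
# Assumes BIND's `dig` is installed.

# Classify the text dig prints for an AXFR request.
# Echoes one of: allowed, refused, unreachable, unknown.
axfr_status() {
    case "$1" in
        *'XFR size:'*)         echo allowed ;;     # full zone returned; dig reports the record count
        *'Transfer failed'*)   echo refused ;;     # server answered but denied the transfer
        *'timed out'*|*'no servers could be reached'*)
                               echo unreachable ;; # TCP/53 filtered or server down
        *)                     echo unknown ;;
    esac
}

# Resolve the NS set of $1 and report each server's AXFR policy.
# Returns 1 if any server allowed the transfer, so it can gate a CI check.
check_zone() {
    local zone="$1" ns out status rc=0
    for ns in $(dig +short NS "$zone"); do
        out=$(dig "@${ns}" "$zone" AXFR +time=5 +tries=1 2>&1)
        status=$(axfr_status "$out")
        [ "$status" = allowed ] && rc=1
        printf '%-40s %s\n' "$ns" "$status"
    done
    return "$rc"
}

# Constructed sample outputs (not real captures) so the classifier can be exercised offline.
SAMPLE_REFUSED='; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com AXFR
; Transfer failed.'
SAMPLE_ALLOWED='example.com.  3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
www.example.com. 3600 IN A 192.0.2.10
;; XFR size: 2 records (messages 1, bytes 120)'
SAMPLE_TIMEOUT=';; communications error to 192.0.2.53#53: timed out
;; no servers could be reached'

# Run the live check only when a zone is named on the command line.
if [ $# -gt 0 ]; then
    check_zone "$1"
fi
```

Run it as `./axfr_audit.sh example.com` against a zone you administer; any line reporting `allowed` means that server's allow-transfer list needs tightening.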

If you can't get this information from DNS (e.g. you aren't authorized) then one alternative is to use Wolfram Alpha.

  1. Enter the domain into the search box and run the search. (E.g. stackexchange.com)

Wolfram - Homepage

  2. In the 3rd section from the top (named "Web statistics for all of stackexchange.com") click Subdomains

Wolfram - Subdomains button

  3. In the Subdomains section click More

Wolfram - More subdomains button

You will be able to see a list of sub-domains there. Although I suspect it does not show ALL sub-domains.

Paul Melici
  • It appears this doesn't work anymore, at least not as described. – Nick Pickering Dec 17 '12 at 08:57
  • This worked for me today, listed 6 subdomains of the domain I was interested in. – Liam May 29 '13 at 09:36
  • It appears only certain domains (like google.com) will offer a [subdomain] option. – Ross Smith II Jun 13 '13 at 00:36
  • Their subdomain information seems to be taken from Alexa.com, e.g. http://www.alexa.com/siteinfo/stackoverflow.com – Rob W Dec 27 '13 at 11:23
  • Or you could use this website: https://pentest-tools.com/reconnaissance/find-subdomains-of-domain# – Abd Ul Aziz May 10 '14 at 21:38
  • Guys can also check out http://www.similarweb.com/ it gives a list of subdomains of a specific website whose stats you are looking for – David Okwii Apr 23 '15 at 07:17
  • It doesn't find subdomains I know are there for one example I tried. – ahcox Oct 15 '15 at 17:59
  • Just use google "site:" search and add known domains as negative matches until it stops finding new domains. E.g., after applying this strategy a few times for domain `realtimerendering.com`, my google search looks like this: `site:realtimerendering.com -"www.realtimerendering.com" -"kesen.realtimerendering.com" -"erich.realtimerendering.com" -"advances.realtimerendering.com"` – ahcox Oct 15 '15 at 18:02
  • @ahcox you should make this an answer. Worked for me – albert Aug 27 '16 at 20:04
  • As of today, it worked for me as well – Neithan Max Oct 10 '17 at 23:21
  • Thanks. Worked for me today. :) – Bishisht Bhatta Oct 29 '17 at 16:14
  • I had the same requirement but no joy with the above. For me, this did the trick (not guaranteed to be comprehensive; but good enough): https://dnsdumpster.com/. – JohnLBevan Aug 02 '18 at 14:40
  • This would only work if web servers running on those subdomains were somehow exposed through search engines. – nurettin Oct 22 '18 at 09:01

You can use:

$ host -l example.com

Under the hood, this uses the AXFR query mentioned above. You might not be allowed to do this though. In that case, you'll get a transfer failed message.

Victor Klos
    For Windows users, you can try `nslookup domain.com`. (`host` is [not available on Windows](https://stackoverflow.com/q/21520191/3357935)) – Stevoisiak Jun 21 '18 at 16:14
  1. dig example.com soa
  2. dig @ns.SOA.example example.com axfr
Miroslav Mirkov

You can only do this if you are connecting to a DNS server for the domain -and- AXFR is enabled for your IP address. This is the mechanism that secondary systems use to load a zone from the primary. In the old days, this was not restricted, but due to security concerns, most primary name servers have a whitelist of: secondary name servers + a couple special systems.

If the nameserver you are using allows this then you can use dig or nslookup.

For example:

#nslookup

>ls example.com

NOTE: because nslookup is being deprecated for dig and other newer tools, some versions of nslookup do not support "ls", most notably macOS X's bundled version.

benc

robtex tools which are free will let you do this but they make you enter the ip of the domain first:

  1. find out the ip (there's a good ff plugin which does this but I can't post the link cos this is my first post here!)
  2. do an ip search on robtex: http://www.robtex.com/ip/
  3. in the results page that follows click on the domain you're interested in
  4. you are taken to a page that lists all subdomains + a load of other information such as mail server info
techjacker

In Windows nslookup the command is

ls -d example.com > outfile.txt

which stores the subdomain list in outfile.txt

Few domains these days allow this.

Midhat
  • ls? Isn't that a *nix command? Shouldn't it be nslookup -d somedomain.com > outfile.txt – Alex KeySmith Jul 30 '15 at 11:05
  • "ls" is a valid command from the nslookup prompt. From a CMD prompt, enter nslookup first, then you can enter ls -d ...... as suggested – Paul Walker Nov 25 '16 at 15:50
  • I ran `nslookup` on Windows 10 PowerShell as Admin and then `ls -d somedomain.com > outfile.txt` and got "Unrecognized command". – Ryan Jul 20 '19 at 00:12

If the DNS server is configured properly, you won't be able to get the entire domain. If for some reason it allows zone transfers from any host, you'll have to send it the correct packet to make that request. I suspect that's what the dig statement you included does.

Steve Moyer