Network: Finding subdomains of a domain

(last edit: 2000-11-22)

OK, you want to find ALL the subdomains/cnames of a domain. You can do this by using the command 'dig' or 'host'.

Using dig

Let's say you want to find all the subdomains/cnames of 'lowlife.org'. First you have to find the authoritative nameserver of the domain:

    user@host:/#dig lowlife.org

    ; <<>> DiG 8.2 <<>> lowlife.org
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; QUERY SECTION:
    ;;      lowlife.org, type = A, class = IN

    ;; AUTHORITY SECTION:
    lowlife.org.    1D IN SOA       ns0.demon.nl. hostmaster.demon.nl. (
                                    2000801000      ; serial
                                    6H              ; refresh
                                    30M             ; retry
                                    2W              ; expiry
                                    1D )            ; minimum

Here you can see that the authoritative nameserver is 'ns0.demon.nl'. OK, now let's look at the subdomains/cnames:

    user@host:/#dig @ns0.demon.nl lowlife.org axfr

    ; <<>> DiG 8.2 <<>> @ns0.demon.nl lowlife.org axfr
    ; (1 server found)
    $ORIGIN lowlife.org.
    @               1D IN SOA       ns0.demon.nl. hostmaster.demon.nl. (
                                    2000801000      ; serial
                                    6H              ; refresh
                                    30M             ; retry
                                    2W              ; expiry
                                    1D )            ; minimum
                    1D IN NS        ns0.demon.nl.
                    1D IN NS        ns0.demon.co.uk.
                    1D IN MX        10 punt.mail.nl.demon.net.
                    1D IN MX        40 relay-2.mail.nl.demon.net.
                    1D IN MX        60 relay-1.mail.demon.net.
                    1D IN MX        60 relay-2.mail.demon.net.
    demon           1D IN CNAME     www
    middelburg      1D IN A         212.92.68.205
    freebsd         1D IN CNAME     www
    localhost       1D IN A         127.0.0.1
    www             1D IN A         195.11.225.234
                    1D IN MX        10 punt.mail.nl.demon.net.
                    1D IN MX        40 relay-2.mail.nl.demon.net.
                    1D IN MX        60 relay-1.mail.demon.net.
                    1D IN MX        60 relay-2.mail.demon.net.
    project         1D IN A         145.92.3.32
    sentinel        1D IN CNAME     www
    *               1D IN MX        10 punt.mail.nl.demon.net.
                    1D IN MX        40 relay-2.mail.nl.demon.net.
                    1D IN MX        60 relay-1.mail.demon.net.
                    1D IN MX        60 relay-2.mail.demon.net.
    @               1D IN SOA       ns0.demon.nl. hostmaster.demon.nl. (
                                    2000801000      ; serial
                                    6H              ; refresh
                                    30M             ; retry
                                    2W              ; expiry
                                    1D )            ; minimum

    ;; Received 23 answers (23 records).
    ;; FROM: lowlife.support.nl.demon.net to SERVER: 194.159.73.5
    ;; WHEN: Thu Sep 14 10:24:28 2000

And tataaaaa: you see the subdomains: localhost, middelburg, www and project, and the cnames: demon, freebsd and sentinel.

man dig

Dig (domain information groper) is a flexible command line tool which can be used to gather information from the Domain Name System servers. All query options are accessible from the command line.

The usual simple use of dig will take the form:

    dig @server domain query-type query-class

query-type is the type of information (DNS query type) that you are requesting. If omitted, the default is ``a'' (T_A = address). The following types are recognized:

    a       T_A      network address
    any     T_ANY    all/any information about specified domain
    mx      T_MX     mail exchanger for the domain
    ns      T_NS     name servers
    soa     T_SOA    zone of authority record
    hinfo   T_HINFO  host information
    axfr    T_AXFR   zone transfer (must ask an authoritative server)
    txt     T_TXT    arbitrary number of strings

(See RFC 1035 for the complete list.)

query-class is the network class requested in the query. If omitted, the default is ``in'' (C_IN = Internet). The following classes are recognized:

    in      C_IN     Internet class domain
    any     C_ANY    all/any class information

(See RFC 1035 for the complete list.)

Note: ``Any'' can be used to specify a class and/or a type of query. Dig will parse the first occurrence of ``any'' to mean query-type = T_ANY. To specify query-class = C_ANY, you must either specify ``any'' twice, or set query-class using the -c option (see below).

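To audit what a zone you administer hands to anyone who is permitted to transfer it, the 'dig ... axfr' listing can be reduced to its A and CNAME names. The script below is an added example, not part of the original page; 'sample_zone' and 'zone_names' are hypothetical helper names, and the zone data is a constructed, shortened sample modelled on the listing above. It handles the two things that make the master-file format awkward to grep: records with an omitted owner inherit the previous one, and relative names are completed with $ORIGIN.

```shell
#!/bin/sh
# Constructed sample, modelled on the lowlife.org listing above (shortened).
sample_zone() {
cat <<'EOF'
$ORIGIN lowlife.org.
@          1D IN SOA   ns0.demon.nl. hostmaster.demon.nl. (
                       2000801000 ; serial
                       6H         ; refresh
                       30M        ; retry
                       2W         ; expiry
                       1D )       ; minimum
           1D IN NS    ns0.demon.nl.
           1D IN MX    10 punt.mail.nl.demon.net.
demon      1D IN CNAME www
middelburg 1D IN A     212.92.68.205
localhost  1D IN A     127.0.0.1
www        1D IN A     195.11.225.234
           1D IN MX    10 punt.mail.nl.demon.net.
project    1D IN A     145.92.3.32
*          1D IN MX    10 punt.mail.nl.demon.net.
;; Received 10 answers (10 records).
EOF
}

# zone_names (hypothetical helper): reads a zone listing on stdin and
# prints "owner TYPE target" for every A and CNAME record.
zone_names() {
  awk '
    # Relative names and "@" are completed with the current $ORIGIN.
    function fqdn(n) {
      if (n == "@") return origin
      return (n ~ /\.$/) ? n : n "." origin
    }
    { sub(/;.*/, "") }                           # strip comments
    /^\$ORIGIN/ { origin = $2; next }
    depth > 0 { if ($0 ~ /\)/) depth = 0; next } # SOA continuation lines
    NF == 0 { next }
    {
      # A line that starts with whitespace inherits the previous owner.
      if ($0 !~ /^[ \t]/) { owner = $1; i = 2 } else { i = 1 }
      while (i <= NF && ($i ~ /^[0-9]/ || $i == "IN")) i++   # skip TTL, class
      if ($i == "A") print fqdn(owner), "A", $(i + 1)
      if ($i == "CNAME") print fqdn(owner), "CNAME", fqdn($(i + 1))
      if ($0 ~ /\(/ && $0 !~ /\)/) depth = 1
    }
  '
}

sample_zone | zone_names
```

On a real zone, pipe the output of the axfr query into zone_names instead of sample_zone.
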
Using host

Use host like this:

    user@host:/#host -l -t any lowlife.org
    lowlife.org start of authority ns0.demon.nl hostmaster.demon.nl(
                    2000801000      ;serial (version)
                    21600   ;refresh period
                    1800    ;retry refresh this often
                    1209600 ;expiration period
                    86400   ;minimum TTL
                    )
    lowlife.org name server ns0.demon.nl
    lowlife.org name server ns0.demon.co.uk
    lowlife.org mail is handled (pri=10) by punt.mail.nl.demon.net
    lowlife.org mail is handled (pri=40) by relay-2.mail.nl.demon.net
    lowlife.org mail is handled (pri=60) by relay-1.mail.demon.net
    lowlife.org mail is handled (pri=60) by relay-2.mail.demon.net
    demon.lowlife.org is a nickname for www.lowlife.org
    middelburg.lowlife.org has address 212.92.68.205
    freebsd.lowlife.org is a nickname for www.lowlife.org
    localhost.lowlife.org has address 127.0.0.1
    www.lowlife.org mail is handled (pri=10) by punt.mail.nl.demon.net
    www.lowlife.org mail is handled (pri=40) by relay-2.mail.nl.demon.net
    www.lowlife.org mail is handled (pri=60) by relay-1.mail.demon.net
    www.lowlife.org mail is handled (pri=60) by relay-2.mail.demon.net
    www.lowlife.org has address 195.11.225.234
    project.lowlife.org has address 145.92.3.32
    *.lowlife.org mail is handled (pri=10) by punt.mail.nl.demon.net
    *.lowlife.org mail is handled (pri=40) by relay-2.mail.nl.demon.net
    *.lowlife.org mail is handled (pri=60) by relay-1.mail.demon.net
    *.lowlife.org mail is handled (pri=60) by relay-2.mail.demon.net
    sentinel.lowlife.org is a nickname for www.lowlife.org
    lowlife.org start of authority ns0.demon.nl hostmaster.demon.nl(
                    2000801000      ;serial (version)
                    21600   ;refresh period
                    1800    ;retry refresh this often
                    1209600 ;expiration period
                    86400   ;minimum TTL
                    )

OK, this is a lot of info. If you're just interested in the cnames/subdomains, try this:

    user@host:/#host -l lowlife.org
    lowlife.org name server ns0.demon.nl
    lowlife.org name server ns0.demon.co.uk
    middelburg.lowlife.org has address 212.92.68.205
    localhost.lowlife.org has address 127.0.0.1
    www.lowlife.org has address 195.11.225.234
    project.lowlife.org has address 145.92.3.3

which just gives you the subdomains, and try this:

    user@host:/#host -l -t cname lowlife.org
    demon.lowlife.org is a nickname for www.lowlife.org
    freebsd.lowlife.org is a nickname for www.lowlife.org
    sentinel.lowlife.org is a nickname for www.lowlife.org

for the cnames.

man host

host - look up host names using domain server

Host looks for information about Internet hosts. It gets this information from a set of interconnected servers that are spread across the country.

-t querytype
    Allows you to specify a particular querytype of information to be looked up. The arguments are defined in the man page for named(8). Currently-supported types include: ``a'', ``ns'', ``md'', ``mf'', ``cname'', ``soa'', ``mb'', ``mg'', ``mr'', ``null'', ``wks'', ``ptr'', ``hinfo'', ``minfo'', ``mx'', ``uinfo'', ``uid'', ``gid'', ``unspec''. Additionally, the wildcard, which may be written as either ``any'' or ``*'', can be used to specify any (all) of the above types. Types must be given in lower case. Note that the default is to look first for ``a'', and then ``mx'', except that if the verbose option is turned on, the default is only ``a''. The ``-t'' option is particularly useful for filtering information returned by host; see the explanation of the ``-l'' option, below, for more information.

-l
    List a complete domain; e.g.:

        host -l rutgers.edu

    will give a listing of all hosts in the rutgers.edu domain. The ``-t'' option is used to filter what information is presented, as you would expect. The default is address information, which also include PTR and NS records. The command

        host -l -v -t any rutgers.edu

    will give a complete download of the zone data for rutgers.edu, in the official master file format. (However the SOA record is listed twice, for arcane reasons.)

    NOTE: ``-l'' is implemented by doing a complete zone transfer and then filtering out the information that you have asked for. This command should be used only if it is absolutely necessary.
