Network: Finding subdomains of a domain (last edit: 2000-11-22)
OK, you want to find ALL the subdomains/cnames of a domain. You can do this with the
command 'dig' or 'host'; both work by asking the domain's nameserver for a zone transfer.
Using dig
Let's say you want to find all the subdomains/cnames of 'lowlife.org':
First you have to find the authoritative nameserver of the domain:
user@host:/#dig lowlife.org
; <<>> DiG 8.2 <<>> lowlife.org
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;; lowlife.org, type = A, class = IN
;; AUTHORITY SECTION:
lowlife.org. 1D IN SOA ns0.demon.nl. hostmaster.demon.nl. (
2000801000 ; serial
6H ; refresh
30M ; retry
2W ; expiry
1D ) ; minimum
Here you can see that the authoritative nameserver is 'ns0.demon.nl'.
OK, now let's look at the subdomains/cnames:
user@host:/#dig @ns0.demon.nl lowlife.org axfr
; <<>> DiG 8.2 <<>> @ns0.demon.nl lowlife.org axfr
; (1 server found)
$ORIGIN lowlife.org.
@ 1D IN SOA ns0.demon.nl. hostmaster.demon.nl. (
2000801000 ; serial
6H ; refresh
30M ; retry
2W ; expiry
1D ) ; minimum
1D IN NS ns0.demon.nl.
1D IN NS ns0.demon.co.uk.
1D IN MX 10 punt.mail.nl.demon.net.
1D IN MX 40 relay-2.mail.nl.demon.net.
1D IN MX 60 relay-1.mail.demon.net.
1D IN MX 60 relay-2.mail.demon.net.
demon 1D IN CNAME www
middelburg 1D IN A 212.92.68.205
freebsd 1D IN CNAME www
localhost 1D IN A 127.0.0.1
www 1D IN A 195.11.225.234
1D IN MX 10 punt.mail.nl.demon.net.
1D IN MX 40 relay-2.mail.nl.demon.net.
1D IN MX 60 relay-1.mail.demon.net.
1D IN MX 60 relay-2.mail.demon.net.
project 1D IN A 145.92.3.32
sentinel 1D IN CNAME www
* 1D IN MX 10 punt.mail.nl.demon.net.
1D IN MX 40 relay-2.mail.nl.demon.net.
1D IN MX 60 relay-1.mail.demon.net.
1D IN MX 60 relay-2.mail.demon.net.
@ 1D IN SOA ns0.demon.nl. hostmaster.demon.nl. (
2000801000 ; serial
6H ; refresh
30M ; retry
2W ; expiry
1D ) ; minimum
;; Received 23 answers (23 records).
;; FROM: lowlife.support.nl.demon.net to SERVER: 194.159.73.5
;; WHEN: Thu Sep 14 10:24:28 2000
And tataaaaa: you see the subdomains: localhost, middelburg, www and project
and the cnames: demon, freebsd and sentinel.
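To audit what a zone of your own would hand out in such a transfer, the listing can be reduced to its A and CNAME names mechanically. The script below is an added example, not part of the original page: the function names and the shortened sample (modelled on the lowlife.org output above, with its indentation restored) are constructed, and it handles the two things that make the raw listing awkward to read, records with an empty owner column that inherit the previous name and names written relative to $ORIGIN.

```sh
#!/bin/sh
# Added example (not from the original page): list the A and CNAME names
# that a zone transfer in dig's master-file format exposes.

# Constructed sample, modelled on the lowlife.org transfer shown above.
sample_axfr() {
    cat <<'EOF'
; <<>> DiG 8.2 <<>> @ns0.demon.nl lowlife.org axfr
$ORIGIN lowlife.org.
@       1D IN SOA   ns0.demon.nl. hostmaster.demon.nl. (
                    2000801000 ; serial
                    1D )       ; minimum
        1D IN NS    ns0.demon.nl.
demon   1D IN CNAME www
middelburg 1D IN A  212.92.68.205
freebsd 1D IN CNAME www
localhost 1D IN A   127.0.0.1
www     1D IN A     195.11.225.234
        1D IN MX    10 punt.mail.nl.demon.net.
project 1D IN A     145.92.3.32
sentinel 1D IN CNAME www
*       1D IN MX    10 punt.mail.nl.demon.net.
EOF
}

# Reads master-file text on stdin, prints "TYPE owner rdata" with full names.
axfr_names() {
    awk '
    function fqdn(n) {                       # expand relative names
        if (n == "@") return origin
        return (n ~ /\.$/) ? n : n "." origin
    }
    /^;/ || /^[ \t]*$/ { next }              # comments and blank lines
    $1 == "$ORIGIN"    { origin = $2; next }
    in_soa             { if ($0 ~ /\)/) in_soa = 0; next }  # SOA body
    {
        # A line that starts with whitespace reuses the previous owner.
        if ($0 ~ /^[ \t]/) f = 1; else { owner = $1; f = 2 }
        type = $(f + 2); rdata = $(f + 3)    # fields: TTL class TYPE RDATA
        if (type == "SOA") { in_soa = ($0 !~ /\)/); next }
        if (type == "A")     print type, fqdn(owner), rdata
        if (type == "CNAME") print type, fqdn(owner), fqdn(rdata)
    }'
}

sample_axfr | axfr_names
```

If a nameserver you run answers this query for arbitrary clients, restrict transfers to your secondary servers (in BIND, the allow-transfer option).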
man dig
Dig (domain information groper) is a flexible command line tool which can
be used to gather information from the Domain Name System servers.
All query options are accessible from the command line.
The usual simple use of dig will take the form:
dig @server domain query-type query-class
query-type is the type of information (DNS query type) that you are
requesting. If omitted, the default is ``a'' (T_A = address).
The following types are recognized:
a T_A network address
any T_ANY all/any information about specified domain
mx T_MX mail exchanger for the domain
ns T_NS name servers
soa T_SOA zone of authority record
hinfo T_HINFO host information
axfr T_AXFR zone transfer (must ask an authoritative
server)
txt T_TXT arbitrary number of strings
(See RFC 1035 for the complete list.)
query-class
is the network class requested in the query. If omitted, the
default is ``in'' (C_IN = Internet). The following classes
are recognized:
in C_IN Internet class domain
any C_ANY all/any class information
(See RFC 1035 for the complete list.)
Note: ``Any'' can be used to specify a class and/or a type of
query. Dig will parse the first occurrence of ``any'' to
mean query-type = T_ANY. To specify query-class = C_ANY, you
must either specify ``any'' twice, or set query-class using
the -c option (see below).
Using host
Use host like this:
user@host:/#host -l -t any lowlife.org
lowlife.org start of authority ns0.demon.nl hostmaster.demon.nl(
2000801000 ;serial (version)
21600 ;refresh period
1800 ;retry refresh this often
1209600 ;expiration period
86400 ;minimum TTL
)
lowlife.org name server ns0.demon.nl
lowlife.org name server ns0.demon.co.uk
lowlife.org mail is handled (pri=10) by punt.mail.nl.demon.net
lowlife.org mail is handled (pri=40) by relay-2.mail.nl.demon.net
lowlife.org mail is handled (pri=60) by relay-1.mail.demon.net
lowlife.org mail is handled (pri=60) by relay-2.mail.demon.net
demon.lowlife.org is a nickname for www.lowlife.org
middelburg.lowlife.org has address 212.92.68.205
freebsd.lowlife.org is a nickname for www.lowlife.org
localhost.lowlife.org has address 127.0.0.1
www.lowlife.org mail is handled (pri=10) by punt.mail.nl.demon.net
www.lowlife.org mail is handled (pri=40) by relay-2.mail.nl.demon.net
www.lowlife.org mail is handled (pri=60) by relay-1.mail.demon.net
www.lowlife.org mail is handled (pri=60) by relay-2.mail.demon.net
www.lowlife.org has address 195.11.225.234
project.lowlife.org has address 145.92.3.32
*.lowlife.org mail is handled (pri=10) by punt.mail.nl.demon.net
*.lowlife.org mail is handled (pri=40) by relay-2.mail.nl.demon.net
*.lowlife.org mail is handled (pri=60) by relay-1.mail.demon.net
*.lowlife.org mail is handled (pri=60) by relay-2.mail.demon.net
sentinel.lowlife.org is a nickname for www.lowlife.org
lowlife.org start of authority ns0.demon.nl hostmaster.demon.nl(
2000801000 ;serial (version)
21600 ;refresh period
1800 ;retry refresh this often
1209600 ;expiration period
86400 ;minimum TTL
)
OK, this is a lot of info. If you're just interested in the cnames/subdomains, try this:
user@host:/#host -l lowlife.org
lowlife.org name server ns0.demon.nl
lowlife.org name server ns0.demon.co.uk
middelburg.lowlife.org has address 212.92.68.205
localhost.lowlife.org has address 127.0.0.1
www.lowlife.org has address 195.11.225.234
project.lowlife.org has address 145.92.3.3
That gives you just the subdomains; now try this:
user@host:/#host -l -t cname lowlife.org
demon.lowlife.org is a nickname for www.lowlife.org
freebsd.lowlife.org is a nickname for www.lowlife.org
sentinel.lowlife.org is a nickname for www.lowlife.org
for the cnames.
man host
host - look up host names using domain server
Host looks for information about Internet hosts. It gets this information from a set
of interconnected servers that are spread across the country.
-t querytype
Allows you to specify a particular querytype of information
to be looked up. The arguments are defined in the man page
for named(8). Currently-supported types include: ``a'',
``ns'', ``md'', ``mf'', ``cname'', ``soa'', ``mb'', ``mg'',
``mr'', ``null'', ``wks'', ``ptr'', ``hinfo'', ``minfo'',
``mx'', ``uinfo'', ``uid'', ``gid'', ``unspec''. Additionally,
the wildcard, which may be written as either ``any'' or
``*'', can be used to specify any (all) of the above types.
Types must be given in lower case. Note that the default is
to look first for ``a'', and then ``mx'', except that if the
verbose option is turned on, the default is only ``a''. The
``-t'' option is particularly useful for filtering information
returned by host; see the explanation of the ``-l'' option,
below, for more information.
-l List a complete domain; e.g.:
host -l rutgers.edu
will give a listing of all hosts in the rutgers.edu domain.
The ``-t'' option is used to filter what information is
presented, as you would expect. The default is address information,
which also include PTR and NS records. The command
host -l -v -t any rutgers.edu
will give a complete download of the zone data for
rutgers.edu, in the official master file format. (However the
SOA record is listed twice, for arcane reasons.)
NOTE: ``-l'' is implemented by doing a complete zone transfer
and then filtering out the information that you have asked
for. This command should be used only if it is absolutely
necessary.