Question
Does anyone know if it's possible to find all A records, CNAME or subzone records configured for a domain name?
For example, domain.com:
www IN CNAME domain.com.
subdomain1 IN CNAME domain.com.
subdomain2 IN CNAME domain.com.
subdomain1 IN A 123.4.56.78.
subdomain2 IN A 123.4.56.79.
I want to keep a sub-domain private where I'll run an admin application (it will be password protected and on a special port, but I would prefer to keep it as private as possible).
Answer 1:
Like others have said, what you want is a so-called zone transfer. If it is your own domain you can configure the DNS server to give it to you. If it is for some other domain you probably don't get it, since most DNS admins consider it a security threat.
Even if an individual record isn't a problem (that's what the DNS is there for), it could be a problem if an evil person gets a list of all your records: it could simplify an attack.
Answer 2:
Using zone transfer, i.e.: (in nslookup)
ls -d google.com
If you have your own DNS server, there will be zone transfer security settings (usually by IP). Otherwise, just try it and see if it works.
Answer 3:
Preventing zone-transfers is a function of the server administration, and as others have said is typically disabled these days for security reasons.
When the time comes to add DNSSEC, make sure you use the new NSEC3 format records (from RFC 5155) rather than the original NSEC format as the latter allows for zone enumeration.
Note that preventing zone enumeration really is just security-via-obscurity. If someone finds your subdomain you'll still need additional security at the application layer.
As for your example records:
www IN CNAME domain.com.
subdomain1 IN CNAME domain.com.
subdomain2 IN CNAME domain.com.
subdomain1 IN A 123.4.56.78.
subdomain2 IN A 123.4.56.79.
- You can't mix CNAME records and other RRtypes in the same entity
- The trailing dots in the A records are invalid
- It's best not to use a CNAME back to the domain for the WWW record
You need:
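$ORIGIN domain.com.   ; trailing dot makes the origin fully qualified
@       IN SOA ...
        IN A 123.4.56.78   ; leading whitespace: same owner as the line above (@)
www     IN A 123.4.56.78
sub1    IN A 123.4.56.79
(where sub1.domain.com is the hidden site)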
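The three problems listed in this answer can be checked mechanically before a zone is loaded. The Python lint below is an added example, not part of the original answer; the name `lint_zone` and its simplified parsing (one `owner IN type rdata` record per line, explicit owner, no TTL) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# The question's records, copied from the page.
QUESTION_ZONE = """\
www IN CNAME domain.com.
subdomain1 IN CNAME domain.com.
subdomain2 IN CNAME domain.com.
subdomain1 IN A 123.4.56.78.
subdomain2 IN A 123.4.56.79.
"""

def lint_zone(text, origin="domain.com."):
    """Return a sorted list of (owner, problem) pairs for simple zone lines."""
    types = defaultdict(set)   # owner -> set of record types seen
    problems = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        owner, _cls, rtype, rdata = line.split(None, 3)
        rtype = rtype.upper()
        types[owner].add(rtype)
        if rtype == "A":
            # A-record RDATA is a bare dotted quad; a trailing dot is invalid.
            try:
                ipaddress.IPv4Address(rdata)
            except ValueError:
                problems.add((owner, f"invalid IPv4 address {rdata!r}"))
        # Advisory from the answer: avoid a www CNAME back to the zone apex.
        if rtype == "CNAME" and owner.lower() == "www" and rdata.lower() == origin:
            problems.add((owner, "CNAME points back to the zone apex"))
    # A CNAME must be the only record type at its owner name.
    for owner, seen in types.items():
        if "CNAME" in seen and len(seen) > 1:
            others = ", ".join(sorted(seen - {"CNAME"}))
            problems.add((owner, "CNAME coexists with " + others))
    return sorted(problems)

if __name__ == "__main__":
    for owner, problem in lint_zone(QUESTION_ZONE):
        print(f"{owner}: {problem}")
```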
Answer 4:
It used to be possible with:
host -a -l domain.com
Answer 5:
If name servers allow zone transfers you can use this page http://www.magic-net.info/dns-lookup.dnslookup to find all subdomains in a given zone.
15 Oct: I have modified my tool. Now it checks the first 6 name servers for zone transfers and, if none allows zone transfers, uses search engines, reverse lookup and subdomain search.
Source: https://stackoverflow.com/questions/305495/is-it-possible-to-find-all-dns-subdomains-for-a-given-domain-name