
I cannot list them using dig/nslookup/host.

Paweł Gościcki
You cannot crawl an entire domain without previously knowing all its RR. For a discussion about this feature, see the work related to `NSEC3` design (listed in [RFC5155, section 1.1](http://tools.ietf.org/html/rfc5155#section-1.1)) – Manu H Oct 08 '14 at 06:50

2 Answers


There are two ways; both require administrator access or trust to the DNS records:

  • Perform a zone transfer (AXFR) on the domain to retrieve all records for the domain. The DNS administrator needs to explicitly allow AXFR transfers to your IP address from your chosen DNS server. You can perform such a transfer like this: `dig @ns1.google.com google.com AXFR`
  • Directly view the zonefile on the relevant DNS server. You need administrator access to the DNS server for this.
Alex J

With proper permissions on the DNS, grep for cname records:

`host -t axfr my.dom.com dns.my.dom.com | grep -i cname`
gimel
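Both answers end at the raw transfer output: the first answer retrieves every record with `dig ... AXFR`, the second filters it with `grep -i cname`. The script below is an added example, not code from either answer, that post-processes such a dump: it selects records by the TYPE column rather than by a substring match (so an A record whose owner name happens to contain "cname" is not picked up), summarises which record types a transfer exposed, and detects the "; Transfer failed." line dig prints when the server refuses AXFR, which is what you should see when you test your own nameservers from an address they are not meant to serve. The two dumps are constructed in dig's presentation format; example.com and the 192.0.2.0/24 addresses are documentation values, not real zone data.

```shell
#!/bin/sh
# Added example, not from either answer above: post-process the output of a
# zone transfer (dig ... AXFR, or host -t axfr, which prints the same
# presentation format) by record type.
# Both SAMPLE_* dumps are CONSTRUCTED; example.com and 192.0.2.0/24 are
# documentation values.

SAMPLE_AXFR='; <<>> DiG 9.18.0 <<>> @ns1.example.com example.com AXFR
;; global options: +cmd
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.            3600    IN      NS      ns1.example.com.
example.com.            3600    IN      NS      ns2.example.com.
example.com.            3600    IN      MX      10 mail.example.com.
ns1.example.com.        3600    IN      A       192.0.2.1
ns2.example.com.        3600    IN      A       192.0.2.2
mail.example.com.       3600    IN      A       192.0.2.10
legacy-cname.example.com. 3600  IN      A       192.0.2.20
www.example.com.        300     IN      CNAME   example.com.
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 3 msec
;; XFR size: 10 records (messages 1, bytes 300)'

# What dig prints when the server does not allow the transfer to this client.
SAMPLE_REFUSED='; <<>> DiG 9.18.0 <<>> @ns1.example.com example.com AXFR
;; global options: +cmd
; Transfer failed.'

# Print only resource records whose TYPE column (field 4) matches $1.
# Matching on the column avoids the false positives of `grep -i cname`, which
# also hits owner names or TXT data that merely contain the word.
records_of_type() {
    awk -v want="$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" '
        /^;/ || /^$/ { next }                        # dig comment lines and blanks
        $3 == "IN" && toupper($4) == want { print }
    '
}

# Number of records of a given type. A complete AXFR starts and ends with the
# zone SOA, so a successful transfer shows SOA twice.
count_of_type() {
    records_of_type "$1" | awk 'END { print NR }'
}

# Summarise what a transfer exposed: one "TYPE count" line per record type.
summarise_types() {
    awk '/^;/ || /^$/ { next }
         $3 == "IN" { n[$4]++ }
         END { for (t in n) print t, n[t] }' | sort
}

# Return 0 (true) if the dump contains no resource records, i.e. the server
# refused the transfer; return 1 if records came back.
transfer_refused() {
    awk '!/^;/ && $3 == "IN" { records++ }
         END { exit (records ? 1 : 0) }'
}

# Demonstration on the constructed dumps. For a live check, replace
# printf '%s\n' "$SAMPLE_AXFR" with: dig @ns1.example.com example.com AXFR
echo "CNAME records:"
printf '%s\n' "$SAMPLE_AXFR" | records_of_type cname
echo "Record types exposed by the transfer:"
printf '%s\n' "$SAMPLE_AXFR" | summarise_types
if printf '%s\n' "$SAMPLE_REFUSED" | transfer_refused; then
    echo "Second dump: transfer refused, as expected from a server that should not serve AXFR to this client."
fi
```

Run it against each authoritative server of your own zone from an address that is not on the server's transfer allow-list; `transfer_refused` should succeed for every one of them, and `summarise_types` on a permitted transfer shows at a glance what a leaked zone would hand over (here: all nameservers, the mail host and every internal A record).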