14

Is there a way to query our internal DNS entries to discover all the CNAME entries that point to a particular server?

Edit: We're a Windows environment, Server 2003.

MadHatter
PhilPursglove

5 Answers

9

You didn't specify what your environment is but if you're using Unix I think a combination of dig and grep should work. ns.example.com should be the hostname of your nameserver, example.com is the domain your host is part of, and HOST is the host that you want to find all the CNAME records for. That's actually a tab character in the grep command, not literally <TAB> (you may have to adjust the grep string).

Also, your nameserver needs to be configured to allow zone transfers, the particulars of which will be implementation dependent.

dig @ns.example.com example.com axfr |grep 'CNAME<tab>HOST$'

Or if you're on Windows you could use nslookup:

C:\> nslookup
> server ns.example.com
> ls -a example.com > FILE

This should output all of the records for the domain example.com that ns.example.com "knows about" to FILE. You can then use whatever tool you want to sort through the text file looking for the corresponding CNAMES.

Or with this untested (but seemingly correct-looking) Perl script:

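#!/usr/bin/perl
# Usage: script.pl TARGET ZONE   (TARGET without the trailing dot)

use strict;
use warnings;
use Net::DNS;

my ($target, $zone) = @ARGV;

# Zone transfer (AXFR) via the default resolver; the server must allow it.
my $res = Net::DNS::Resolver->new;
foreach my $rr ($res->axfr($zone)) {
     # Print the owner name of every CNAME whose target is TARGET.
     print $rr->name."\n" if (($rr->type eq "CNAME") && ($rr->rdatastr eq $target."."));
}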

A couple of points for completeness:

  • As @womble stated, there's no equivalent of a PTR record for a CNAME. You'll have to use some contextual awareness by sorting through all the zone information for CNAMES that correspond to the A records of your host.
  • This only works for your DNS server (and if you have permission to view zone information). There's no way to "trace" CNAMES for your host that belong on other zones.
  • As @BillThor states, there are other ways to alias a hostname beyond CNAMES. Again, you'll need some contextual awareness.
5

If you have access to your DNS configuration, it is rather trivial to discover this data. However, anyone can have a CNAME pointing to your server. You won't be able to trace these.

As @womble has pointed out, you can't do a reverse lookup for CNAMES. There is no PTR equivalent for CNAMES, and even if there were, it is likely only some records would exist. A quick check of a random selection of domains would show PTR records often don't point back to the A record. Likewise, doing reverse lookups of PTR records for random addresses often doesn't find the corresponding A record.

EDIT: CNAMEs are not the only way to alias a system. DNS allows multiple A records to point to the same address. Functionally this is the same as adding a CNAME but the method is different. Same problems apply outside your domain. To search for the various A records you would search for the IP address(es) of the system in question.

BillThor
4

The DNS protocol does not allow you to do that sort of "reverse" lookup. You'll need to go out of protocol, such as using the grep suggestions provided by kce.

womble
2

Use PowerShell:

Check for the Primaryname on your Microsoft DNS server:

Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_AType -Filter "IPAddress = 'xx.xx.xx.xx (IP)'" -ComputerName mydnsservername

Get all CNAMEs for that host from your Microsoft DNS server:

Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_CNAMEType -Filter "primaryname = 'primaryname from first query terminated with a dot.'" -ComputerName mydnsservername|select ownername, primaryname

1
  1. Find all of the zones served by your machines.
  2. For each zone, use dnscmd to export the zone data:
    dnscmd a.ns.example.com /zoneexport zone.example.com some-filename-for-this-zone
  3. Search the exported files for CNAME resource records that point to the target domain name.
JdeBP
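
The "search the zone data" step that the answers above leave to grep, as an added example that is not from any of the posts: it also follows alias-of-alias chains and reports other names whose A record shares the target's address. It assumes one record per line with fully qualified names, in the form `dig ... axfr` prints; the sample zone and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the one-record-per-line form that `dig ... axfr` prints.
SAMPLE_ZONE = """\
example.com.           3600 IN SOA   ns.example.com. admin.example.com. 1 900 600 86400 3600
web01.example.com.     3600 IN A     10.0.0.5
www.example.com.       3600 IN CNAME web01.example.com.
intranet.example.com.  3600 IN CNAME WWW.example.com.
portal.example.com.    3600 IN A     10.0.0.5
mail.example.com.      3600 IN CNAME mx01.example.com.
mx01.example.com.      3600 IN A     10.0.0.9
"""

RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|CNAME)\s+(\S+)\s*$", re.I)

def norm(name):
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return name.rstrip(".").lower()

def find_aliases(zone_text, target):
    """Return (cname_aliases, other_a_names) that lead to `target`."""
    cnames = defaultdict(set)     # canonical name -> owners of CNAMEs pointing at it
    a_by_name = defaultdict(set)  # owner name -> addresses
    a_by_ip = defaultdict(set)    # address -> owner names
    for line in zone_text.splitlines():
        m = RECORD.match(line.split(";")[0].strip())  # drop comments
        if not m:
            continue  # SOA, NS, MX, ... are not aliases
        owner, rtype, rdata = norm(m.group(1)), m.group(2).upper(), m.group(3)
        if rtype == "CNAME":
            cnames[norm(rdata)].add(owner)
        else:
            a_by_name[owner].add(rdata)
            a_by_ip[rdata].add(owner)
    target = norm(target)
    # Walk CNAME chains backwards: aliases of the target, aliases of those, ...
    found, todo = set(), [target]
    while todo:
        for owner in cnames.get(todo.pop(), ()):
            if owner not in found:  # also guards against CNAME loops
                found.add(owner)
                todo.append(owner)
    # Other names holding an A record for one of the target's addresses.
    same_ip = {n for ip in a_by_name.get(target, ()) for n in a_by_ip[ip]} - {target}
    return sorted(found), sorted(same_ip)

if __name__ == "__main__":
    print(find_aliases(SAMPLE_ZONE, "web01.example.com"))
```

A `dnscmd /zoneexport` file uses relative names and `@`, so it would need its owner names qualified against the zone origin before being passed to `find_aliases`.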