How do I find a list of CNAMEs pointing to a specific address?

1

I'm running a security experiment and I need to identify domains that point to a particular subdomain. I was wondering if there's a way for me to find the CNAMEs for all domains in a list somewhere?

Or do I have to dig the whole .com list, and grep through to find every instance of the CNAME?

Amin Shah Gilani

Posted 2016-10-15T04:51:53.533

Reputation: 135

Answers

3

I was wondering if there's a way for me to find the CNAMEs for all domains in a list somewhere?

No. There is no proper way of doing so. The CNAME entries are stored in zone files, which are stored in different nameservers. And there is no general way of getting the whole zone file from a nameserver. Unless you have access to all the nameservers in the world, you can't find all CNAMEs pointing to a domain (which you obviously can't have).

Or do I have to dig the whole .com list, and grep through to find every instance of the CNAME?

Even if you download the zone file for a TLD (Yes, that's possible: http://jordan-wright.com/blog/2015/09/30/how-to-download-a-list-of-all-registered-domain-names/), all you'll get is a list of nameservers used for all the second level domains. Then you'll need to go through every nameserver in the list and recursively ask for its zone file, which they won't provide in most cases.


One feasible workaround in your case would be to log activity of users.

  • If you are the owner of the particular subdomain for which you want CNAMEs and a web server is hosted on that server, you can log the HOST header in the HTTP request to get a possible CNAME entry.

  • If you are the network administrator of your network (i.e. you have access to the local DNS server), you can log all DNS queries which are resolved to the desired CNAMEs.

Tanmay Tiwari

Posted 2016-10-15T04:51:53.533

Reputation: 46

0

As an end user, where nameservers are not correctly set up, you can't walk the DNS to get a list of all the resource records (which is, I think, what you are asking).

If the domain name is not correctly set up (or if you have elevated privs, which I assume you don't), you can do a "Zone Transfer" which will dump the contents of the zone - look here, but, under Linux, it's as simple as doing a dig axfr domain.name @dns.server.name

If you have access to the box or can intercept network traffic where "the particular subdomain" is, and if the target traffic is "http", you can sniff the http headers to get a list of requests (if you run the web server, you can create a log file to produce this info which you can search through).

Lastly, if you have a list of domains, and you know the subdomain you are looking for for each domain, it's possible to write a script to query the subdomain for each domain, and log that. (But I suspect this is not what you are asking?)

davidgo

Posted 2016-10-15T04:51:53.533

Reputation: 49 152
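The script-based approach in davidgo's last paragraph, and the "log hostnames, then check them" workaround in the accepted answer, both reduce to the same check: take a candidate list of hostnames you already have (domains you manage, names seen in your web server's Host header logs) and follow each one's CNAME chain to see whether it passes through your target. The code below is an added example, not from either answerer; it uses a constructed, hypothetical zone table instead of live DNS so it runs offline, and the `lookup` callable is where a real resolver query would be plugged in.

```python
from typing import Callable, Dict, List, Optional

# Constructed sample zone data (hypothetical names, not real records):
# hostname -> CNAME target, or None when the name is an A/AAAA record.
SAMPLE_ZONE: Dict[str, Optional[str]] = {
    "www.example.org.": "cdn.example.net.",
    "cdn.example.net.": "edge.example-host.test.",
    "shop.example.org.": "edge.example-host.test.",
    "mail.example.org.": None,
    "loop-a.example.org.": "loop-b.example.org.",
    "loop-b.example.org.": "loop-a.example.org.",
}

def sample_lookup(name: str) -> Optional[str]:
    """Offline stand-in for a single CNAME query against the sample zone."""
    return SAMPLE_ZONE.get(name)

def normalize(name: str) -> str:
    """Lower-case and make fully qualified so comparisons are exact."""
    return name.lower().rstrip(".") + "."

def cname_chain(name: str, lookup: Callable[[str], Optional[str]],
                max_hops: int = 8) -> List[str]:
    """Follow CNAMEs from `name`; stop at a non-CNAME, a loop, or max_hops."""
    chain = [normalize(name)]
    while len(chain) <= max_hops:
        nxt = lookup(chain[-1])
        if nxt is None:
            break
        nxt = normalize(nxt)
        if nxt in chain:
            break  # CNAME loop: a misconfiguration worth logging, not following
        chain.append(nxt)
    return chain

def pointing_to(target: str, candidates,
                lookup: Callable[[str], Optional[str]] = sample_lookup
                ) -> Dict[str, List[str]]:
    """Map each candidate whose chain passes through `target` to its chain."""
    t = normalize(target)
    hits: Dict[str, List[str]] = {}
    for c in candidates:
        chain = cname_chain(c, lookup)
        if t in chain[1:]:
            hits[chain[0]] = chain
    return hits

if __name__ == "__main__":
    for host, chain in pointing_to("edge.example-host.test", SAMPLE_ZONE).items():
        print(host, "->", " -> ".join(chain[1:]))
```

Multi-hop chains are reported with every intermediate name, so a candidate that reaches the target only via a third party's CNAME still shows up.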