For mail:
First, just look up the MX records – those define which servers incoming mail is routed through.
$ dig gmail.com MX
gmail.com. 3412 IN MX 5 gmail-smtp-in.l.google.com.
gmail.com. 3412 IN MX 10 alt1.gmail-smtp-in.l.google.com.
If you must start with an empty domain, you'll receive mail fine as long as you have MX records in place.
Now for the whole domain.
There's a small chance that the domain allows zone transfers, so try that:
Look up the domain's authoritative nameservers:
$ dig gnu.org NS
gnu.org. 298 IN NS ns1.gnu.org.
gnu.org. 298 IN NS ns2.gnu.org.
Windows: nslookup -q=ns gnu.org
Request a zone transfer from one of them, using the special "AXFR" query type:
$ dig gnu.org AXFR @ns1.gnu.org
gnu.org. 300 IN SOA ns1.gnu.org. hostmaster.gnu.org. 2014031109 3600 120 1209600 3600
gnu.org. 300 IN MX 10 eggs.gnu.org.
gnu.org. 300 IN A 208.118.235.148
alpha.gnu.org. 300 IN A 208.118.235.21
alpha.gnu.org. 300 IN AAAA 2001:4830:134:3::c
anoncvs.gnu.org. 300 IN CNAME savannah.gnu.org.
.....
Windows has a separate command inside nslookup
:
C:\> nslookup
> server ns1.gnu.org
> ls -a gnu.org
Another method is NSEC walking, though it works only with DNSSEC-signed domains and only those using regular NSEC (not NSEC3).
- Note, however, if the domain is DNSSEC-signed, then having all subdomains is not enough – you must also obtain the DNSSEC signing keys from the current admins! So the very fact that this method works already makes it useless (except for a last-resort backup).
Anyway. Since NSEC records must (by definition) contain the 'next' existing domain name, you can look up NSEC for the domain root and follow the chain until you go full circle. ldns has a tool for this:
$ ldns-walk -f isc.org
...
backdraft.isc.org. 7200 IN A 149.20.50.14
backupproxy.isc.org. 7200 IN A 149.20.48.23
banana.isc.org. 7200 IN A 149.20.64.69
banana.isc.org. 7200 IN AAAA 2001:4f8:0:2::69
bcn1.isc.org. 3600 IN NS ams.sns-pb.isc.org.
...
Those are the only automated methods. If neither works, you will need to convince the current domain admins to send you the data.
Honestly I cannot even imagine them refusing to give you at least a list of subdomains; doesn't the regular "domain management" panel show them anyway?
1This host is outside the domain so you probably get only very few hosts and not entire domain – Romeo Ninov – 2015-02-05T12:10:19.280
1...if zone transfers are allowed at all. – a CVn – 2015-02-05T12:10:40.800
Oddly, that site seems to be convinced that my domain is not "real domain" enough because it's not directly under a TLD, despite it having its own nameservers and even WHOIS entries. – user1686 – 2015-02-05T12:23:50.587
It apparently does not even attempt either a zone transfer or a NXT walk, and this answer has the same problem as an earlier (now deleted) answer that one effectively needs to already know the zone database contents in order to make use of it. – JdeBP – 2015-02-05T12:29:59.123
@JdeBP: The second form, "DNS Record Lookup", does use a zone transfer first (with
ANY
as fallback). – user1686 – 2015-02-05T12:42:47.5731It's the totally silent fallback that fooled me when I checked it. Still, going to the self-service management UI of the old provider remains the best answer. (-: – JdeBP – 2015-02-05T12:59:16.377
It found exactly zero of the subdomains of my domain. Doesn't seem to be very useful. – Mark – 2015-02-05T22:35:19.597