Is there any way I can list ALL DNS records for a domain?
I know about such things as dig and nslookup but they only go so far. For example, if I've got a subdomain A record as
test A somedomain.co.uk
then unless I specifically ask for it, eg.
dig any test.somedomain.co.uk
I can't see it.
Is there any way (other than looking at the records by going to the DNS manager) to see exactly what all the DNS records are?
This question is related to
dns
What you want is called a zone transfer. You can request a zone transfer using dig -t axfr.
A zone is a domain and all of the domains below it that are not delegated to another server.
Note that zone transfers are not always supported. They're not used in normal lookup, only in replicating DNS data between servers; but there are other protocols that can be used for that (such as rsync over ssh), there may be a security risk from exposing names, and zone transfer responses cost more to generate and send than usual DNS lookups.
In the absence of the ability to do zone transfers, I wrote this small bash script, dg:
#!/bin/bash
COMMON_SUBDOMAINS=(www mail smtp pop imap blog en ftp ssh login)
if [[ "$2" == "x" ]]; then
dig +nocmd "$1" +noall +answer "${3:-any}"
wild_ips="$(dig +short "*.$1" "${3:-any}" | tr '\n' '|')"
wild_ips="${wild_ips%|}"
for sub in "${COMMON_SUBDOMAINS[@]}"; do
dig +nocmd "$sub.$1" +noall +answer "${3:-any}"
done | grep -vE "${wild_ips}"
dig +nocmd "*.$1" +noall +answer "${3:-any}"
else
dig +nocmd "$1" +noall +answer "${2:-any}"
fi
Now I use dg example.com to get a nice, clean list of DNS records, or dg example.com x to include a bunch of other popular subdomains.
grep -vE "${wild_ips}" filters out records that could be the result of a wildcard DNS entry such as * 10800 IN A 1.38.216.82. Otherwise, a wildcard entry would make it appear as if there were records for each $COMMON_SUBDOMAN.
Note: This relies on ANY queries, which are blocked by some DNS providers such as CloudFlare.
A zone transfer is the only way to be sure you have all the subdomain records. If the DNS is correctly configured you should not normally be able to perform an external zone transfer.
The scans.io project has a database of DNS records that can be downloaded and searched for subdomains. This requires downloading the 87GB of DNS data, alternatively you can try the online search of the data at https://hackertarget.com/find-dns-host-records/
I've improved Josh's answer. I've noticed that dig only shows entries already present in the queried nameserver's cache, so it's better to pull an authoritative nameserver from the SOA (rather than rely on the default nameserver). I've also disabled the filtering of wildcard IPs because usually I'm usually more interested in the correctness of the setup.
The new script takes a -x argument for expanded output and a -s NS argument to choose a specific nameserver: dig -x example.com
#!/bin/bash
set -e; set -u
COMMON_SUBDOMAINS="www mail mx a.mx smtp pop imap blog en ftp ssh login"
EXTENDED=""
while :; do case "$1" in
--) shift; break ;;
-x) EXTENDED=y; shift ;;
-s) NS="$2"; shift 2 ;;
*) break ;;
esac; done
DOM="$1"; shift
TYPE="${1:-any}"
test "${NS:-}" || NS=$(dig +short SOA "$DOM" | awk '{print $1}')
test "$NS" && NS="@$NS"
if test "$EXTENDED"; then
dig +nocmd $NS "$DOM" +noall +answer "$TYPE"
wild_ips=$(dig +short "$NS" "*.$DOM" "$TYPE" | tr '\n' '|')
wild_ips="${wild_ips%|}"
for sub in $COMMON_SUBDOMAINS; do
dig +nocmd $NS "$sub.$DOM" +noall +answer "$TYPE"
done | cat #grep -vE "${wild_ips}"
dig +nocmd $NS "*.$DOM" +noall +answer "$TYPE"
else
dig +nocmd $NS "$DOM" +noall +answer "$TYPE"
fi
There is no easy way to get all DNS records for a domain in one instance. You can only view certain records for example, if you wanna see an A record for a certain domain you can use the command: dig a(type of record) domain.com. This is the same for all the other type of records you wanna see for that domain.
If your not familiar with the command line interface, you can also use a site like mxtoolbox.com. Wich is very handy tool for getting records of a domain.
I hope this answers your question.
Many DNS servers refuse ‘ANY’ queries. So the only way is to query for every type individually. Luckily there are sites that make this simpler. For example, https://www.nslookup.io shows the most popular record types by default, and has support for all existing record types.
host -a works well, similar to dig any.
EG:
$ host -a google.com
Trying "google.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10403
;; flags: qr rd ra; QUERY: 1, ANSWER: 18, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com. IN ANY
;; ANSWER SECTION:
google.com. 1165 IN TXT "v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
google.com. 53965 IN SOA ns1.google.com. dns-admin.google.com. 2014112500 7200 1800 1209600 300
google.com. 231 IN A 173.194.115.73
google.com. 231 IN A 173.194.115.78
google.com. 231 IN A 173.194.115.64
google.com. 231 IN A 173.194.115.65
google.com. 231 IN A 173.194.115.66
google.com. 231 IN A 173.194.115.67
google.com. 231 IN A 173.194.115.68
google.com. 231 IN A 173.194.115.69
google.com. 231 IN A 173.194.115.70
google.com. 231 IN A 173.194.115.71
google.com. 231 IN A 173.194.115.72
google.com. 128 IN AAAA 2607:f8b0:4000:809::1001
google.com. 40766 IN NS ns3.google.com.
google.com. 40766 IN NS ns4.google.com.
google.com. 40766 IN NS ns1.google.com.
google.com. 40766 IN NS ns2.google.com.
For Windows:
You may find the need to check the status of your domains DNS records, or check the Name Servers to see which records the servers are pulling.
Launch Windows Command Prompt by navigating to Start > Command Prompt or via Run > CMD.
Type NSLOOKUP and hit Enter. The default Server is set to your local DNS, the Address will be your local IP.
Set the DNS Record type you wish to lookup by typing set type=## where ## is the record type, then hit Enter. You may use ANY, A, AAAA, A+AAAA, CNAME, MX, NS, PTR, SOA, or SRV as the record type.
Now enter the domain name you wish to query then hit Enter.. In this example, we will use Managed.com.
NSLOOKUP will now return the record entries for the domain you entered.
You can also change the Name Servers which you are querying. This is useful if you are checking the records before DNS has fully propagated. To change the Name Server type server [name server]. Replace [name server] with the Name Servers you wish to use. In this example, we will set these as NSA.managed.com.
Once changed, change the query type (Step 3) if needed then enter new a new domain (Step 4.)
For Linux:
1) Check DNS Records Using Dig Command Dig stands for domain information groper is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig.
2) Check DNS Records Using NSlookup Command Nslookup is a program to query Internet domain name servers. Nslookup has two modes interactive and non-interactive.
Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain.
Non-interactive mode is used to print just the name and requested information for a host or domain. It’s network administration tool which will help them to check and troubleshoot DNS related issues.
3) Check DNS Records Using Host Command host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given, host prints a short summary of its command line arguments and options.
Source: Stackoverflow.com