How can I list ALL DNS records

Question

Is there any way I can list ALL DNS records for a domain   I know about such things as dig and nslookup but they only go so far  For example  if I ve got a subdomain A record as  test A somedomain co uk   then unless I specifically ask for it  eg    dig any test somedomain co uk   I can t see it   Is there any way  other than looking at the records by going to the DNS manager  to see exactly what all the DNS records are

User · Answer

I ve improved Josh s answer  I ve noticed that dig only shows entries already present in the queried nameserver s cache  so it s better to pull an authoritative nameserver from the SOA  rather than rely on the default nameserver   I ve also disabled the filtering of wildcard IPs because usually I m usually more interested in the correctness of the setup   The new script takes a -x argument for expanded output and a -s NS argument to choose a specific nameserver  dig -x example com     bin bash set -e  set -u COMMON SUBDOMAINS  www mail mx a mx smtp pop imap blog en ftp ssh login  EXTENDED     while    do case   1  in   --  shift  break      -x  EXTENDED y  shift      -s  NS   2   shift 2         break    esac  done DOM   1   shift TYPE    1 -any    test    NS -      NS   dig  short  SOA   DOM    awk   print  1    test   NS   amp  amp  NS    NS   if test   EXTENDED   then   dig  nocmd  NS   DOM   noall  answer   TYPE    wild ips   dig  short   NS      DOM    TYPE    tr   n         wild ips    wild ips       for sub in  COMMON SUBDOMAINS  do     dig  nocmd  NS   sub  DOM   noall  answer   TYPE    done   cat   grep -vE    wild ips     dig  nocmd  NS     DOM   noall  answer   TYPE  else   dig  nocmd  NS   DOM   noall  answer   TYPE  fi

User · Answer

Many DNS servers refuse    ANY    queries  So the only way is to query for every type individually  Luckily there are sites that make this simpler  For example  https   www nslookup io shows the most popular record types by default  and has support for all existing record types

User · Answer

What you want is called a zone transfer  You can request a zone transfer using dig -t axfr   A zone is a domain and all of the domains below it that are not delegated to another server   Note that zone transfers are not always supported  They re not used in normal lookup  only in replicating DNS data between servers  but there are other protocols that can be used for that  such as rsync over ssh   there may be a security risk from exposing names  and zone transfer responses cost more to generate and send than usual DNS lookups

User · Answer

In the absence of the ability to do zone transfers  I wrote this small bash script  dg      bin bash COMMON SUBDOMAINS  www mail smtp pop imap blog en ftp ssh login  if      2      x      then     dig  nocmd   1   noall  answer    3 -any       wild ips    dig  short     1     3 -any     tr   n            wild ips    wild ips         for sub in    COMMON SUBDOMAINS       do         dig  nocmd   sub  1   noall  answer    3 -any       done   grep -vE    wild ips       dig  nocmd     1   noall  answer    3 -any   else     dig  nocmd   1   noall  answer    2 -any   fi   Now I use dg example com to get a nice  clean list of DNS records  or dg example com x to include a bunch of other popular subdomains   grep -vE    wild ips   filters out records that could be the result of a wildcard DNS entry such as   10800 IN A 1 38 216 82  Otherwise  a wildcard entry would make it appear as if there were records for each  COMMON SUBDOMAN   Note  This relies on ANY queries  which are blocked by some DNS providers such as CloudFlare

User · Answer

There is no easy way to get all DNS records for a domain in one instance  You can only view certain records for example  if you wanna see an A record for a certain domain you can use the command  dig a type of record  domain com  This is the same for all the other type of records you wanna see for that domain    If your not familiar with the command line interface  you can also use a site like mxtoolbox com  Wich is very handy tool for getting records of a domain   I hope this answers your question

User · Answer

For Windows   You may find the need to check the status of your domains DNS records  or check the Name Servers to see which records the servers are pulling      Launch Windows Command Prompt by navigating to Start   Command Prompt or via Run   CMD  Type NSLOOKUP and hit Enter   The default Server is set to your local DNS  the Address will be your local IP  Set the DNS Record type you wish to lookup by typing set type    where    is the record type  then hit Enter   You may use ANY  A  AAAA  A AAAA  CNAME  MX  NS  PTR  SOA  or SRV as the record type  Now enter the domain name you wish to query then hit Enter    In this example  we will use Managed com    NSLOOKUP will now return the record entries for the domain you entered  You can also change the Name Servers which you are querying   This is useful if you are checking the records before DNS has fully propagated   To change the Name Server type server  name server    Replace  name server  with the Name Servers you wish to use   In this example  we will set these as NSA managed com    Once changed  change the query type  Step 3  if needed then enter new a new domain  Step 4     For Linux   1  Check DNS Records Using Dig Command Dig stands for domain information groper is a flexible tool for interrogating DNS name servers  It performs DNS lookups and displays the answers that are returned from the name server s  that were queried  Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility  ease of use and clarity of output  Other lookup tools tend to have less functionality than dig   2  Check DNS Records Using NSlookup Command Nslookup is a program to query Internet domain name servers  Nslookup has two modes interactive and non-interactive   Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain   Non-interactive mode is used to print just the name and requested information for a host or domain  It   s network administration tool which will help them to check and troubleshoot DNS related issues   3  Check DNS Records Using Host Command host is a simple utility for performing DNS lookups  It is normally used to convert names to IP addresses and vice versa  When no arguments or options are given  host prints a short summary of its command line arguments and options

User · Answer

host -a works well  similar to dig any   EG     host -a google com Trying  google com     - gt  gt HEADER lt  lt - opcode  QUERY  status  NOERROR  id  10403    flags  qr rd ra  QUERY  1  ANSWER  18  AUTHORITY  0  ADDITIONAL  0      QUESTION SECTION   google com             IN  ANY     ANSWER SECTION  google com      1165    IN  TXT  v spf1 include  spf google com ip4 216 73 93 70 31 ip4 216 73 93 72 31  all  google com      53965   IN  SOA ns1 google com  dns-admin google com  2014112500 7200 1800 1209600 300 google com      231 IN  A   173 194 115 73 google com      231 IN  A   173 194 115 78 google com      231 IN  A   173 194 115 64 google com      231 IN  A   173 194 115 65 google com      231 IN  A   173 194 115 66 google com      231 IN  A   173 194 115 67 google com      231 IN  A   173 194 115 68 google com      231 IN  A   173 194 115 69 google com      231 IN  A   173 194 115 70 google com      231 IN  A   173 194 115 71 google com      231 IN  A   173 194 115 72 google com      128 IN  AAAA    2607 f8b0 4000 809  1001 google com      40766   IN  NS  ns3 google com  google com      40766   IN  NS  ns4 google com  google com      40766   IN  NS  ns1 google com  google com      40766   IN  NS  ns2 google com

User · Answer

When you query for ANY you will get a list of all records at that level but not below     try this dig google com any   This may return A records  TXT records  NS records  MX records  etc if the domain name is exactly  google com   However  it will not return child records  e g   www google com   More precisely  you MAY get these records if they exist  The name server does not have to return these records if it chooses not to do so  for example  to reduce the size of the response    An AXFR is a zone transfer and is likely what you want  However  these are typically restricted and not available unless you control the zone  You ll usually conduct a zone transfer directly from the authoritative server  the  ns1 google com below  and often from a name server that may not be published  a stealth name server      This will return  Transfer failed  dig  ns1 google com google com axfr   If you have control of the zone  you can set it up to get transfers that are protected with a TSIG key  This is a shared secret the the client can send to the server to authorize the transfer

User · Answer

A zone transfer is the only way to be sure you have all the subdomain records  If the DNS is correctly configured you should not normally be able to perform an external zone transfer  The scans io project has a database of DNS records that can be downloaded and searched for subdomains  This requires downloading the 87GB of DNS data  alternatively you can try the online search of the data at https   hackertarget com find-dns-host-records

[dns] How can I list ALL DNS records?

Examples related to dns