How do I get a list of all subdomains of a domain?

I want to find out all the subdomains of a given domain. I found a hint which tells me to dig the authoritative Nameserver with the following option:

dig @ns1.foo.bar some_domain.com axfr

But this never works. Has anyone a better idea/approach

268
2022-07-20 01:01:37
Source Share
Answers: 3

If the DNS server is configured properly, you won't be able to get the entire domain. If for some reason is allows zone transfers from any host, you'll have to send it the correct packet to make that request. I suspect that's what the dig statement you included does.

4
2022-07-20 15:49:42
Source

The hint (using axfr) only works if the NS you're querying (ns1.foo.bar in your example) is configured to allow AXFR requests from the IP you're using; this is unlikely, unless your IP is configured as a secondary for the domain in question.

Basically, there's no easy way to do it if you're not allowed to use axfr. This is intentional, so the only way around it would be via brute force (i.e. dig a.some_domain.com, dig b.some_domain.com, ...), which I can't recommend, as it could be viewed as a denial of service attack.

153
2022-07-20 15:47:17
Source

In Windows nslookup the command is

ls -d somedomain.com > outfile.txt

which saves the subdomain checklist in outfile.txt

couple of domain names nowadays permit this

10
2022-07-20 15:47:07
Source