286

My company runs an internal DNS for mycompany.example

There is a machine on the network that I need to find, but I’ve forgotten its name. If I could see a list, it would probably jog my memory.

How can I list all of the domain records for mycompany.example?

Improve this question
5
  • Possible duplicate of How to list all CNAME records for a given domain? Commented Dec 5, 2018 at 15:15
  • Related: stackoverflow.com/questions/19322962/… Commented Sep 19, 2021 at 4:25
  • I posted an answer at serverfault.com/questions/16101/… which notes that if you dig for a CNAME, e.g., dig +nocmd www.stackexchange.com +noall +answer you obtain verification of www being the CNAME aliasing stackexchange.com Commented May 5, 2023 at 14:12
  • @OrangeDog Beware of this, now we have CNAME centric answers here. Commented Mar 19, 2024 at 19:59
  • Literally none of these answers show subdomain records in 2024… Commented Aug 25, 2024 at 10:51

12 Answers 12

Reset to default
269

Answer

The short answer to your specific question of listing CNAMEs is that you cannot without permission to do zone transfers (see How to list all CNAME records for a given domain?).

That said, if your company's DNS server still supports the ANY query, you can use dig to list the other records by doing:

dig +noall +answer +multiline yourdomain.yourtld any

These ... +noall +answer +multiline ... are strictly optional and are simply output formatting flags to make the output more easily human readable (see dig man page).

Example

$ dig +noall +answer +multiline bad.horse any

Returns:

bad.horse. 7200 IN A 162.252.205.157 bad.horse. 7200 IN CAA 0 issue "letsencrypt.org" bad.horse. 7200 IN CAA 0 iodef "mailto:[email protected]" bad.horse. 7200 IN MX 10 mx.sandwich.net. bad.horse. 7200 IN NS a.sn1.us. bad.horse. 7200 IN NS b.sn1.us. bad.horse. 7200 IN SOA a.sn1.us. n.sn1.us. ( 2017032202 ; serial 1200 ; refresh (20 minutes) 180 ; retry (3 minutes) 1209600 ; expire (2 weeks) 60 ; minimum (1 minute) )

Caveats (RFC8482)

Note that, since around 2019, most public DNS servers have stopped answering most DNS ANY queries usefully. For background on that, see: RFC8482 - Saying goodbye to ANY

If ANY queries do not enumerate multiple records, the only option is to request each record type (e.g. A, CNAME, or MX) individually.

Improve this answer
8
  • 7
    any is no good on some DNS servers IN HINFO "ANY obsoleted" "See draft-ietf-dnsop-refuse-any" Commented Nov 1, 2017 at 19:51
  • 3
    The question has nothing to do with CNAME records... Commented Oct 7, 2018 at 17:44
  • 6
    for me, dig @8.8.8.8 +nocmd yourdomain.example any +multiline +noall +answer lists more records Commented Feb 16, 2019 at 8:44
  • 1
    This command returns 0 answer records on any of 8 domains I tried. Commented Apr 26, 2019 at 20:47
  • 4
    Since ANY queries are no longer honored by most DNS servers, it's much simpler to use an online tool like nslookup.io, which will query every record type individually and display all the DNS records in one overview. Commented Aug 24, 2020 at 13:21
107

A much easier command to remember (and more informative) is:

> dig google.com ANY

Which returns the following:

; <<>> DiG 9.8.3-P1 <<>> google.com ANY ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31013 ;; flags: qr rd ra; QUERY: 1, ANSWER: 22, AUTHORITY: 0, ADDITIONAL: 3 ;; QUESTION SECTION: ;google.com. IN ANY ;; ANSWER SECTION: google.com. 17 IN A 74.125.225.72 google.com. 17 IN A 74.125.225.73 google.com. 17 IN A 74.125.225.78 google.com. 17 IN A 74.125.225.64 google.com. 17 IN A 74.125.225.65 google.com. 17 IN A 74.125.225.66 google.com. 17 IN A 74.125.225.67 google.com. 17 IN A 74.125.225.68 google.com. 17 IN A 74.125.225.69 google.com. 17 IN A 74.125.225.70 google.com. 17 IN A 74.125.225.71 google.com. 86400 IN NS ns1.google.com. google.com. 86400 IN NS ns2.google.com. google.com. 86400 IN NS ns3.google.com. google.com. 86400 IN NS ns4.google.com. google.com. 66641 IN SOA ns1.google.com. dns-admin.google.com. 2013082900 7200 1800 1209600 300 google.com. 177 IN MX 40 alt3.aspmx.l.google.com. google.com. 177 IN MX 50 alt4.aspmx.l.google.com. google.com. 177 IN MX 10 aspmx.l.google.com. google.com. 177 IN MX 20 alt1.aspmx.l.google.com. google.com. 177 IN MX 30 alt2.aspmx.l.google.com. google.com. 287 IN AAAA 2607:f8b0:4009:803::1007 ;; ADDITIONAL SECTION: ns1.google.com. 3924 IN A 216.239.32.10 ns2.google.com. 64508 IN A 216.239.34.10 ns3.google.com. 64508 IN A 216.239.36.10 ;; Query time: 77 msec ;; SERVER: 10.6.23.4#53(10.6.23.4) ;; WHEN: Fri Sep 13 14:26:09 2013 ;; MSG SIZE rcvd: 506
Improve this answer
5
  • 34
    This is not what the question is asking for. It's asking for all of the records within the 'google.com.' domain, not just the records for 'google.com.'. There is nothing in your query listing anything not 'google.com.' except for the glue records (A records for the name servers). Commented Sep 13, 2013 at 20:01
  • 7
    Perfect command. Succinct and easy to remember, thanks for posting! Commented Jun 21, 2014 at 14:24
  • 1
    Now the only answer from google.com to ANY queries is: google.com. 14400 IN CNAME forcesafesearch.google.com. (gist.github.com/Dorian/afb136672c91fc89df572a4b0f8106dd) Commented Sep 13, 2016 at 14:17
  • 13
    The IETF proposes to refuse ANY. I get: HINFO "Please stop asking for ANY" "See draft-ietf-dnsop-refuse-any" Commented Nov 6, 2016 at 8:40
  • The proposal to refuse ANY requests is now RFC 8482. Commented Dec 8, 2020 at 13:18
68

Try:

dig @ns.example.com -tAXFR example.com

This may or may not work. Many DNS servers will deny a DNS Zone Transfer like this. For more information, see How the AXFR protocol works

Improve this answer
2
  • 6
    You're on the right track, but that syntax doesn't work for me. What works is dig @ns.example.com -tAXFR example.com where ns.example.com is a primary nameserver for the zone, and where the DNS admin has enabled zone transfer requests from the host or IP you're querying from. Without AXFR permission there is no way to query ALL DNS records in a zone. I'm not sure, but I don't believe AXFR requests can be done recursively, hence the need to query the zone's top-level nameserver directly, which is what the @ns.example.com part of the syntax does. The actual hostname will vary. Commented Apr 26, 2019 at 21:01
  • 1
    Yes @Jim you’re right, you may need to specify an authoritative nameserver to query. Commented Apr 27, 2019 at 15:02
29

You can also use host DNS lookup utility with -l switch:

host -l example.com

Of course you need DNS zone transfer rights for this to work.

Improve this answer
2
  • 1
    same as dig -t AXFR domain.name Commented Jan 15, 2012 at 23:33
  • 16
    @XXL ... except a lot easier to remember.... +1 Commented Dec 9, 2012 at 20:20
6 
dig domain ANY

should give you all records. I write should because it depends on the DNS-Server used. dig gmx.de ANY with my Telekom-DNS DNS-Servers 217.237.148.102 17.237.151.115 and only gives

;; ANSWER SECTION: gmx.de. 65970 IN DS 26497 8 2 E7A00568AC320816600195F536B6BF2EEB06B0B2728146536FA53B22 45DDA66D gmx.de. 65970 IN RRSIG DS 8 2 86400 20190812150105 20190805150105 47740 de. iKcp0dWmv1o/p4e31njqplr7noJE98ZEMfzjnSZ3XLqGvtSX8gVTBLVI yId8uMLvN/9NkRfzxELFiO9K3+x95lJnPrE0VpZoaGFpjYNIUOQhq7Xb tvWEXYH8y7XUw+VkSIJa3DQS7P/cNFGJ1/BinKIYtDn46PPNtdxFB+Tp Ee8=

Whereas dig gmx.de MX gives

;; ANSWER SECTION: gmx.de. 474 IN MX 10 mx00.emig.gmx.net. gmx.de. 474 IN MX 10 mx01.emig.gmx.net.

use dig gmx.de ANY @8.8.8.8 to query Google DNS and you get a long list.

;; ANSWER SECTION: gmx.de. 23 IN A 82.165.229.87 gmx.de. 23 IN A 82.165.230.36 gmx.de. 23 IN RRSIG A 8 2 30 20190818065308 20190804065308 43065 gmx.de. Uh+KdZt/0mpk1JCjUmLFVHNaNnlv8zNRAc7ME0b9D/ULGHPmO6Ate9nG vFhcBC2c2ktJuqEw5pNieIVMLmkj9v7yzmccK0f1PwGgoW6IkuHxYVuN ExrWBpb0bHubF6xjMi8h3+JUd+kOEQdBX8XRAcVaxE9NTHkgqrFaZXjt NsICB0Hjq+LP7GfYTrRkaKsW9je5X6sfuBDDCtrc7MFJIm94Cm8mwD2d nVxD+1Bye+EXUbUjnaqjmJjXviK1GSaSRqiCcNd8TjBisBRQoKloxam9 NCikIMMEO5fAtAALtogxUtB3Znln0bKj7gTrOH21c5qC8LFyr7eVZoEN X9QXVQ== gmx.de. 21593 IN NS ns-gmx.ui-dns.de. gmx.de. 21593 IN NS ns-gmx.ui-dns.biz. gmx.de. 21593 IN NS ns-gmx.ui-dns.com. gmx.de. 21593 IN NS ns-gmx.ui-dns.org. gmx.de. 21593 IN RRSIG NS 8 2 86400 20190818065308 20190804065308 43065 gmx.de. xY3gZxt47huiUseFZsbj4026RqGDZBuUCY9tv2CQmmpGUIH+YQLmQFKV xzZBS9MTnOIr2s4MMUbav7O/IaaCFlXb44gv4lCbjtSABQWF92rVZ1Js 89clPvLN5LUyzwBuEyx9Ew1dVvRGyJhG0icPPa6iFmpQvSLqwEEhck/H jOkFI99rWfM+gQRcYVvONlN5PP2idWOzeJpmg+BeSNDCTvtqFqMd+adS +uqooQarjcu6w3nGcOCnbdp//Ie2oXwXrVDDD3ntgJqktc4ggTaDoBnX Fbq2LXNejmHmM0VhmPRAAHGRyhjaaIVso8rqETz8fHTDNiS1k20mdF62 JyalPQ== gmx.de. 21593 IN SOA ns-gmx.ui-dns.org. dnsadmin.1und1.de. 2013084217 28800 7200 604800 600 gmx.de. 21593 IN RRSIG SOA 8 2 86400 20190818065308 20190804065308 43065 gmx.de. C4Rhhfennofs0+Si8LyTs9FlMDXzaExKK60jFNvusx8ti06Vj7WPPXm8 +lc69v0AKGXzjnBqdR/Th8cTOC3eTwT/vJvV9k/UVJfN9/e8ASOjKY0P mHbBgH0VRqU1nHYOzVzuJkO2UIrZdMxIZYQ1gXmYK/4L2QL+iGUhTTJX /GKQKxRGi2YzgohpBx7Jtl3kYCcUudSq0zz3t2C7W6K6AKZC4B8cjOZU t+U678I1TRerLAzlaDmP2NbNrBhdG9CpUio4mW50X+59u2H4/NaGZ4Gm +LmeqLa6o88N6hutILfmyBLZGWD+j7mzDTjdXD2dvuIpjrQsHznvL7ZT ltQb4g== gmx.de. 893 IN MX 10 mx00.emig.gmx.net. gmx.de. 893 IN MX 10 mx01.emig.gmx.net. gmx.de. 893 IN RRSIG MX 8 2 900 20190818065308 20190804065308 43065 gmx.de. g9qdLpwVTbLxaTa3CfSOTEZfUZWEf5RwCjaiquSpTQYgYEe+zDiGtd7I CnCQIgBVJIZUTBsXCbuPdd0qZzmGe8W2z9j/cz3WbQyf9ZIJrxZPDzV/ tnpB3j+GKmHkbuYg9CRw1ILpDBnvw6syV/z03nlH99eXWAee9b7S1Muk fIf6Xwt41hqyAof144jM/6GSaKfe4T1Rgc07i9LneHdt9n/C60Jo4aj9 bJ2Hdg9W1Fnd9aPg8xTt6Q+Ahz4kUR2hQSmwHLZnq36pIhkJkqxV+YPu etFtfERwyVW1eDPmG68tXqo4clBmtIzF0HqgxB0cdn8SgdlXs9lFqTgT 8RK+Rg== gmx.de. 293 IN TXT "v=spf1 redirect=gmx.net" gmx.de. 293 IN TXT "google-site-verification=8jV5RCya962H1ur14xR3xWCFUBsExt_YibC3HkuJ9X8" gmx.de. 293 IN TXT "_telesec-domain-validation=D0B26BF4EFFDD17671E1967D1CC7F1DA06B99F496A3C52F2A7F81E7A70F463FD" gmx.de. 293 IN RRSIG TXT 8 2 300 20190818065308 20190804065308 43065 gmx.de. tyRidjkmugwBfjjxcZgwXJk9ny/tEUD0unfvDUc0w8L7iG/QgXI5BnvO 0wU7EcwmJLkEyWUDu88KGiFK/HByW6oNpenz+1ZKD1uFKCOXccMClEHQ tbDDOkMmCCLzk17Jnz06oyhAVv50vNChtaCjKTz/+9IQi8LHyIi3KqNO C0doOvaaWjbF+C3Y7HZD7+PNjBXNmnvPjrTpxDsShcrVLYm6n38tNerk nZCD6gtFVnsSNy/zG2Ro+bma5oQMCkRPTUtWeVuIC/VitIYizVVqK3DO eDRyRpTe9HaFXXV0614GgxVjimbgsRXG2BcVz+M7410lIs4hjZkpE2+N YxAwsw== gmx.de. 593 IN DNSKEY 256 3 8 AwEAAexRGtsaOHA3h7MCVG0AACIOr9DBpSNjh2N+kti0GYM448B6fyCS UGjA5VKzUq6szDQ4RDgJamDw/0pCWzFEjfKqD4glnyKzyALpkngznkDa 7I9kJo9gLt9BztCvthaMRHNfgDm2Rchfn8ahaPJXcHXMAPAuJmLYPdyd Pa21etNBCgEgmdLWNrY91FeSD40It1wqaw3i8O6yBgmRMz8JZV7kk3dH 2ocaS6WfgpAj+JzyG6CcPurv7zkq5/FQMOjF9vfNjtOhLAFDrm3fe4nW pcD9Gq864myFWDB1hcVjfRZ0370gjuZ5PxLyqlMVdpbKkkPX8L+p0iiM cHlGSKaoBJs= gmx.de. 593 IN DNSKEY 257 3 8 AwEAAadAbK9K4yEQ6DC0jQMWYZH008gPUmBT7xIHPUIezY2/PGj5VTZy zNzpS+02jxaR86jmSo6d9zfpITwlLX730NwKP80D3Tpqu9W4h7x7/P+A ue8vjiqp148y2Ei/PG8/ePHs8C2QAUDMuKDGzffj/Rtji3rirT2p7/Vj vUByaT2+T9zzsenOyKJdULv6uZDUs5vkYBPRUWOXARKGII5sf2qrAo2P tr8bpynJE7CJHNg+UUGwb9ZpQ6lxBvKiFsPDB6kmYzUglfxpknyjs4bH vFsty1O7m6/cGRP+Vkz1vDhPBzENUvULegmMSQc/pzUNfI/LzzJiEu7R ZxP4Djcop/8= gmx.de. 593 IN RRSIG DNSKEY 8 2 600 20190818065308 20190804065308 26497 gmx.de. H2/TQzTV+UEQbe9gqM5SIP/BtcoGrhNnkzwB3mVtFJwLfr2xMrv9HQT5 xKSVLLobjIUxoKq29qPKJ6OIzEMZY72Kcrd1xJ91U/e1aVLjxdUa67Wj ZCcsCxBx/xOWiFDmv6+8qxTmoFeHBg7BD92nRJLXqrzO7jHlIFstfvrJ U31YvlxY9e6o4WqSH3VoDHB8rmN52N6EMbGVwzhZRI2PGsaYv5eeibDp zbqAqJ//O+BIhS5jkdvXbV02erLApjzxe8sXTvAZpmgbH+DNmG8DTBZs 2oU3v+rsgFlwxp22d176mwQoVUWYof8xwEYGMgMuMM32nCu/iqsaW428 Fk5YiA== gmx.de. 593 IN NSEC3PARAM 1 0 24 53DB50B23808A4C2 gmx.de. 593 IN RRSIG NSEC3PARAM 8 2 86400 20190818065308 20190804065308 43065 gmx.de. fnR7VcUl37Nw26t+ZmbwHmjLm/znrBjZkPCVRW6ca25FtAUeOAJ3tdVy faPy0KHf87sfD8NVu134tLC4pd2NP5ELkQZM5jEhpVJF55Og6y1pFSFK +6TFPvXbw93SW3ZhTJOHhU9D/suPvvAfyYtQDvzE7WtHN/u/XfGK9F8/ BJzTUACwer+y7fk8xuUjmOa29Y4oH6/g/AZNkOuvsWZ1npH/StHxOAtM EI0g/XTDJ4w5rji8cdGVcBzhNOfUFhaInVLgeFm6PXd9gXtnzbrkC2ha 3vBT3S4wYEM8YEW6H1A8zHcNS6eA1cuCTHfGPaU1dqoZ4ujOIE05C/YQ YgWOfg== gmx.de. 21593 IN CAA 0 issue "Digicert.com" gmx.de. 21593 IN CAA 0 issue "telesec.de" gmx.de. 21593 IN RRSIG CAA 8 2 86400 20190818065308 20190804065308 43065 gmx.de. TG3BUmiwib0qvBQ127aIAG89SwdD46UuBy0wK1ohOc0xoP36fSh3g30G PUU7OGBCgaCapwzxCON+gGY7xCkD37cZt8ydzBCxFGvWyf0PvObicgrY /DjLuWOOJLJjNv8Ab3mg+vVD0Dki4ZEodrKU9pv8B204afee2OQFFXs7 bfDJrllvqQ8mX8nd6ou5+21+cwldF/uRP/t4GM0qIf1fajZsgmqoHQ8t ARzBWlZix4SlpKoOyvGjjHGnpCTsOWHlWB1UU/SUnmPIGh1dDq/Go+PN z7zT2khWQy2xYJPd4Cg/HHzfBT1CvTg3C25ncj/BEHCcbHnjMNx2vtms OCwyog==

However using QuadNine dig gmx.de ANY @9.9.9.9 we only get

;; ANSWER SECTION: gmx.de. 22680 IN DS 26497 8 2 E7A00568AC320816600195F536B6BF2EEB06B0B2728146536FA53B22 45DDA66D gmx.de. 22680 IN RRSIG DS 8 2 86400 20190812150105 20190805150105 47740 de. iKcp0dWmv1o/p4e31njqplr7noJE98ZEMfzjnSZ3XLqGvtSX8gVTBLVI yId8uMLvN/9NkRfzxELFiO9K3+x95lJnPrE0VpZoaGFpjYNIUOQhq7Xb tvWEXYH8y7XUw+VkSIJa3DQS7P/cNFGJ1/BinKIYtDn46PPNtdxFB+Tp Ee8=

So try different DNS-Servers to really get all DNS-Records or query for specific records directly.

Improve this answer
3
  • The @8.8.8.8 was the thing I was missing from other answers. Thanks! Commented May 25, 2021 at 12:56
  • This is the best answer. Good number of DNS servers do not support ANY any more. Commented Oct 3, 2021 at 21:50
  • Again, this doesn't list all records within the zone (e.g. something.gmx.de), just all records regardless of type for gmx.de itself. Commented Jun 21, 2022 at 20:11
3

The approach you're trying to use won't work. See this question for more information. Assuming you're the admin (if you're not please discuss this with your admin and read the FAQ before posting again) simply look up the zone file.

Improve this answer
2 
dnscmd <ServerName> /zoneprint <Domain>

I found none of the answers so far would work for me, mostly due to zone transfer failures. This command did not run into that issue and presented me with something closer to what I get in the DNS Manager tool.

Improve this answer
3
  • For me this is the best answer. No zone transfer issues, just pipe it to find and you're done. All domain records referencing the server you're interested in. (note ServerName above is the DNS server). Commented Jul 26, 2017 at 15:18
  • 1
    weird, could not brew install dnscmd Commented Nov 7, 2017 at 14:42
  • 3
    dnscmd is windows only: see technet.microsoft.com/en-us/library/cc784399(v=ws.10).aspx Commented Feb 10, 2018 at 9:54
1

Depending on what you want to accomplish, you can likely obtain a large list of subdomains from a different technique not directly related to DNS, but rather use certificate transparency. Services such as crt.sh can do so. E.g.

https://crt.sh/?q=stackoverflow.com

Read more on certificate transparency here: https://en.m.wikipedia.org/wiki/Certificate_Transparency

Improve this answer
1
  • Cute workaround! Note that often organisations wil have an internal CA and use that for issuing certificates with their internal domain name and those won't show up in the certificate transparency system. When they do use a public CA for certificates on internal hosts you might still run into the following crt.sh limit "Sorry, your search results have been truncated. It is not currently possible to sort and paginate large result sets efficiently, so only a random subset is shown below." and will still get an incomplete view. Commented Jan 30, 2024 at 13:52
0

Using dig to see all records, first you need to know - DNS server where domain parking

(example for external dns)# dig @8.8.8.8 google.com ANY

(example for local dns) # dig @192.168.0.1 example.com ANY

Improve this answer
2
  • this answer is a duplicate of the once above?! Any new suggestions either? Commented Jul 25, 2021 at 11:40
  • Using dig example.com ANY I got just the one A record but using dig @8.8.8.8 example.com ANY I got A, NS, SOA, MX and TXT records. So I think is a valid answer. Commented Sep 10, 2024 at 22:54
0

Why not use https://toolbox.googleapps.com/apps/dig/

Here you can check up any domain online very easy

Im not affiliated with any of the above, just putting it our there to help like minded professionals.

Improve this answer
1
  • 2
    Since this is an internal DNS, how would the external tool find the records? Commented Jan 20, 2023 at 21:41
-2

You can also use nslookup tool:

nslookup example.com
Improve this answer
1
  • It just gives you the IP address behind a specific domain or subdomain. Commented May 25, 2021 at 11:23
-7

I ended up using nmap to scan the network.

For example:

nmap -v -sP 192.16.0.0/16
Improve this answer
3
  • 6
    That's a good solution to your problem but not a great answer to the question "List all DNS records in a domain using dig?". You might want to edit your question and change the title. Commented May 5, 2010 at 19:20
  • 18
    nmaping a /16 will generate 256^2 (65536) DNS lookups. I bet your DNS admins love you. Commented May 5, 2010 at 19:27
  • 6
    @markdrayton, although the scan will send out 2^16 ping requests (~50Mb of raw data, filtered out by most network interfaces), it will only perform reverse-DNS lookups for the hosts that are online. Commented Jun 23, 2014 at 19:53

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.