How do I find all the subdomains of a domain name? – Gandi News (2024)

There are several reasons you might want to be able to find all subdomains of a domain, but in general, those reasons boil down to either mounting some kind of attack on a website (which we don’t condone) or protecting yourself from such an attack, including auditing your subdomains to ensure there are no unused subdomains laying around in your DNS zone file.

You might also be hoping to get full list of all the services a domain name points to, for example, to transfer it to another DNS provider.

In this article, we’ll be taking a look at what a subdomain is, on a technical level, and how you can or cannot (and why not!) get a global picture of a domain name’s subdomains.

What is a subdomain?

Let’s start with basics.

When you register a domain name, the domain registry (that is, the entity that manages delegating domain names in a particular top-level domain name, or TLD, also sometimes referred to more colloquially as an extension or domain ending) delegates the authority over the DNS zone of that domain name to you.

Remember: the domain name system is hierarchical. That means that root domain authority is concentrated with IANA, the part of ICANN responsible for delegating top-level domain names out to registries, who then delegate authority out to people buying domain names.

That means that if you register the domain name example.com, the .com registry delegates you authority over example.com and any other “child branch” of that domain tree, so to speak.

And just like .com has the authority from IANA to create any new .com that someone requests, you also have the authority to create any new child branch to the ‘example.com’ tree.

So you could make foo.example.com, www.example.com, or www.foo.example.com, or www.foo.www.foo.example.com.

These child branches, of course, are what we call subdomains.

How to create a subdomain

The way you create a subdomain in a domain name that you have registered is simply a question of associating that subdomain to a resource in your DNS zone file. The type of DNS record that you’ll use might depend on what type of resource you’re actually associating to it.

However, there is one DNS record type that is by far the most common used for subdomains: the CNAME record.

A CNAME is a “Canonical Name” record. As opposed to other DNS record types that create a one-to-one relationship between a subdomain and a resource (such as an A record), a CNAME actually turns a subdomain into an Alias of another domain name. In other words, it maps that subdomain onto another domain.

This actually gives it much greater flexibility, and that’s why the CNAME record type is by far the most commonly used record type for creating subdomains.

What can you do with a subdomain?

Subdomains can be used for any resource. Most commonly, they are used to define separate namespaces, like separate but related websites, or denote something about the structure of a website. For example, it’s not uncommon to see implementations like shop.example.com for a given website’s online shop or checkout system and mail.example.com for a hosted webmail service. In the early days of the World Wide Web, the www subdomain was used for the website associated to a domain name, while the bare domain (without subdomain) was more “general” use (such as for a mail service).

Subdomains are also often used as a way to “extend” DNS beyond the basic services. This is the case with DomainKeys Identified Mail, or DKIM. DKIM is a system that uses DNS to authenticate an email sender using public key authentication. The public key part of the authentication is stored in the DNS in a TXT type record.

A DKIM record uses subdomains as a part of the syntax of storing this key. All DKIM records are TXT records on a subdomain of the subdomain _domainkey (for example selector._domainkey.example.com).

Another example of this is domain control verification via DNS for the purposes of creating an SSL/TLS certificate.

In this case, an SSL/TLS Certificate Authority (CA) asks that someone requesting the creation of an SSL/TLS certificate verify that they are indeed the owner of the domain name in question (or an employee/representative of the owner).

The CA requests that the certificate requestor add a particular CNAME record to their DNS zone file which effectively creates a subdomain (typically on a random string of characters, such as ’12a345b6c78d90efg1234hi56j’) that points to a specific, similar random-character subdomain of their own domain name.

There are no doubt other interesting use cases for subdomains, but this gives you a general idea of some of the ways subdomains can be used.

In summary, it’s important to know that a subdomain is a “child branch” of a given domain name. In the hierarchical system of DNS, it is part of the ‘namespace’ delegated to the owner of a domain name when they register that domain name with a registry.

There are several uses for subdomains. Specifically, they are often used for standalone websites with some connection to the website hosted at the bare domain or specific services offered by a website, but not always. In those cases, though, typically a CNAME record is used. Sometimes they are created in order to use DNS to verify a domain name in some form or another, or for other use cases.

In any case, subdomains are created in the DNS zone file of a domain name.

Now we’re ready to move on to talking about how you can identify the subdomains of a given domain name.

Where can you find all the subdomains of a domain name?

In the zone file

From the above explanation, you probably already figured out the best way to determine the subdomains of a given domain name is by looking in the DNS zone.

If you are the owner or administrator of a domain name — and specifically you have access to that domain’s DNS zone file — this is trivial. You just need to look at the DNS zone file.

If you manage your DNS at a registrar like Gandi, this is available from your registrar’s interface.

How to find your DNS zone file at Gandi [ link to : https://docs.gandi.net/en/domain_names/common_operations/dns_records.html#editing-your-dns-records ]

You should be able to sort your list of DNS records by ‘Name’ and thereby get a list of all the subdomains (subdomains will be everything that isn’t @).

You can also sort by ‘Type’ and look only at those with the CNAME type if you want to exclude TXT records and MX records.

Another way you can get a list of all your subdomains using Gandi’s interface that’s particularly useful with domain names that have a large number of subdomains, when you want a list of all the subdomains of multiple domain names, or both, is using our DNS export feature.

You can use this feature to create and download a CSV file of your domain’s entire zone file, or the zone files of multiple domain names. Then, you just need to sort the columns either by name or record type.

Can you query the DNS for all subdomains?

The short answer is: no. You can’t just query the DNS for a list of all the subdomains of a particular domain.

When you query the DNS, such as when you request a webpage in your browser, or in your Terminal window using the commands `host`, `dig`, or `nslookup` (these are in most cases functionally the same, so we won’t get into the differences here). These work for when you’re querying a domain or subdomain that is already known. If you’re trying to get a list of all subdomains, though, the point is that the subdomains are not already known. When you query the DNS, it’s implied that you already know the domain or subdomain that you’re looking for.

There is one partial exception to this, however.

Can you get a list of all subdomains via zone transfer?

Technically, yes. And this is the partial exception mentioned above. You technically can get a list of all subdomains if your query uses zone transfer (aka AXFR).

For this query you would use `host`, using the modifiers -a and -l:

host -a -l example.com

In this example, `-a` is equivalent to `ANY` — that is, it signals that the output will be verbose and `-l` signifies the use of zone transfer. In other words, the command uses zone transfer to list all hosts in a domain, which is to say, all subdomains.

There’s a huge problem with this method, though, and that’s the question of permissions.

Zone transfer — aka AXFR — as a general rule, is disabled for most requestors.

Why is zone transfer disabled on most domains?

First let’s talk about what zone transfer is.

Zone transfer, or AXFR (the A in AXFR means “Authoritative,” and the XFR signifies “Transfer”) is a protocol for replicating a DNS zone file.

The main use case for AXFR is when duplicating a DNS zone between a primary nameserver and a secondary nameserver. That is to say, your domain name registration requires at least two DNS nameservers — a primary, and a secondary. There can be more, but this is the baseline requirement. Since the secondary is a backup, a zone transfer can be used to transfer the entire contents of the zone file to the secondary name server.

In the beginning of DNS, or at least the zone transfer protocol, there was little reason to restrict the use of this protocol. But soon it became clear that being able to map out a domain name’s entire zone provides potential attackers with way too much information out in the open to be safe.

In particular, if someone wants to spoof or poison your DNS, having a complete copy of the zone file will be very useful for them.

So, as a security by obscurity practice, the zone transfer protocol is now almost universally restricted on DNS servers either by IP address or by signing the zone transfers. But some attackers will still try to subvert these restrictions — and succeed.

What ways besides DNS lookups can you use to find subdomains?

At this point, we’ll note that the legitimate use cases for getting a list of all subdomains of a domain name starts to get thin. If you can’t access the zone file, chances are your main reason for trying to list all your subdomains is some kind of audit, possibly a security audit or a penetration test.

Since un-secured subdomains can be a serious security risk, it’s worth knowing what other options are available in case you need them.

Without direct access to the zone file, however, you can only ever be sure of having a partial list of subdomains.

Brute force/guessing

The most obvious and the most difficult strategy is just to use brute force, that is, by guessing.

There are some subdomains that are defined for virtually every domain name, such as www, and others that are very common, like shop or mail. But by going through and trying a DNS query using `dig`, `nslookup`, or `host` for as many possible subdomains, you might find some hidden ones. You might try using a script, otherwise this can be time consuming.

Can you use reverse DNS lookups to find subdomains?

One method of finding hidden subdomains is by first identifying the IP address they might point to and target ip ranges. If you are able to find some subdomains just by guessing, say mail.example.com and www.example.com, and you notice that these point to different IP addresses within the same range, you could reasonably assume that other subdomains may use other IP addresses in the same range.

To lookup the domain name that corresponds to an IP address, you have to do the reverse of a DNS lookup, or in other words, a reverse DNS lookup. You can use the same commands we used above to do DNS lookups: `dig` and `host`. With `host` you just need to do a command like `host 123.45.678.910` to do a reverse DNS lookup. With `dig`, you would need to add `-x` so your query would be `dig -x 123.45.678.910`.

This method is far from fool-proof, though. If you use any CNAMEs for your subdomains, doing a reverse DNS lookup is not going to help identify them because the CNAME, as explained above, is an alias, so the IP address will be associated with the domain the CNAME points to.

What other ways are there to find subdomains?

It’s also worth mentioning that there are many online tools around, subdomain finder tools, that can be used to find subdomains, usually by crawling the web for records of subdomains and subdomain information.

You can find a list of tools that can search for subdomains here.

Finding a list of all subdomains

There are a number of reasons you might want to get a list of all the subdomains of a particular domain name, especially if you are the owner of that domain name. Generally, you would want to get such a list as part of some kind of audit of your domain name and the resources connected to it, and this is especially true with security audits.

Ultimately, the best way to get a list of all subdomains of a domain name is by having access to the DNS zone file of that domain name. Just having access, though, doesn’t necessarily make it easy. If you can’t use the Zone Transfer protocol to directly copy a domain name’s zone, you can often view it in your DNS service management’s website (or registrar, or hosting provider, depending on where you have your DNS). Your provider might also offer services like Gandi’s DNS export feature, where you can download a CSV file of one or more of your DNS zones, making a comprehensive list of your subdomains on one or more domain names possible.

If you don’t have access to the zone file, though, it will be more difficult — but not impossible. There are a number of different methods you can use, including guessing/brute force, reverse DNS lookups, and specialized online tools. To get the most comprehensive list, you’ll probably have to combine all three.

In the end, the ability to create an infinite number of subdomains on a given domain name is one of the immensely valuable aspects of registering a domain name. However, subdomains can also be a liability, so it’s important to take care to ensure un-secured subdomains don’t cause you problems down the line.

Tagged in DNSDomain names

How do I find all the subdomains of a domain name? – Gandi News (2024)

FAQs

How do I find all the subdomains of a domain name? – Gandi News? ›

In the zone file

Is there a way to find all subdomains? ›

The Deep scan uses multiple techniques to find subdomains fast and effectively:
  1. DNS records (NS, MX, TXT, AXFR)
  2. Enumeration using built-in wordlists, plus the option to use your own.
  3. External APIs search.
  4. Public search engine queries (Google search, Bing)
  5. Word mutation techniques.
  6. Searching in SSL certificates.

What search phrase can be used to find subdomains of a website? ›

By search engines

These operators are often referred to as Google Dorks. We can use site: operator in Google search to find all the Subdomains that Google has found for a Domain. Lets take an example on “site:vulnweb.com”.

How do I query DNS for all subdomains? ›

Using a terminal and the command nslookup is the most effective way to search a domain's DNS records. On almost all operating systems, this command works perfectly and displays all DNS records for the domain. To show how to use the command, here's a sample nslookup command for each record type.

Which website provide information about subdomains? ›

Sublist3r is a python-based tool for listing subdomains of a website. It can collect subdomains from various search engines like Google, Yahoo, Bing etc. Moreover, it can also find subdomains from the list of domain names, allowing you to discover subdomains in batches.

What is the best tool to find subdomains? ›

The Best Subdomain Enumeration Tools
  • Amass. ...
  • Recon-ng. ...
  • SubDomainizer. ...
  • Pentest Tools Subdomain Finder. ...
  • crt.sh. ...
  • Shodan. ...
  • PureDNS. ...
  • ffuf (Fuzz Faster U Fool) ffuf is a fast web fuzzer written in Go and used for brute forcing.
May 13, 2024

How many subdomains does a domain have? ›

Characteristics and Parameters of a Subdomain

A domain can have up to 500 subdomains. You can create multiple levels of subdomains such as store.product.yoursite.com, test.forum.yoursite.com, etc. Each subdomain can be up to 255 characters long, but for multi level subdomains, each level can only be 63 characters long.

What is the Google command to find the subdomains of a website? ›

We can use the "site" operator in the search bar to find all the subdomains that Google has indexed for a domain. Google also supports the minus operator to exclude any subdomains we are not interested in.

How do I find all subsites of a website? ›

You can usually locate it in the root or footer section of the website. For example, the XML sitemap URL could be “www.example.com/sitemap.xml“. Once you click on the sitemap, you will find all pages & subpages of a website.

Do subdomains show up on Google search? ›

The short answer is yes, Google can and will index and rank subdomains unless you explicitly take steps to ensure they're excluded from its index. Google's entire business model is based on discovering content. The same goes for all search engines.

What is a CNAME record for all subdomains? ›

A CNAME record is an alias for a subdomain. When you configure a CNAME record for a subdomain, DNS queries are no longer sent for the subdomain but for the domain or subdomain specified in the CNAME record to the appropriate name server.

Do subdomains have their own DNS records? ›

Yes, each subdomain has its own DNS record and environment separated from the primary domain.

How do I see all the DNS for a domain? ›

Open Command Prompt. Enter nslookup domain.com to perform a DNS lookup for the domain.

What is the most used subdomain? ›

The most common subdomain is “www” or “world wide web.” The subdirectory points users to the main directory of a website—in other words, where your homepage and other core pages live. Other subdomains work to create distinct parts of a site. For example, Google's root domain is www.google.com.

Are subdomains included with the domain? ›

Subdomains are used to expand the use of a single domain, these do not need to be purchased separately to your domain; if you own a domain then you can add a subdomain to this. This method is commonly used for Moodle and Totara site setups.

What are common URL subdomains? ›

8 examples of subdomains
  • Shop. You can create a "shop" subdomain to add an online store section to your website. ...
  • Store. Similar to "shop," the "store" subdomain is another option for an online store. ...
  • Blog. "Blog" is another popular subdomain name. ...
  • Support. ...
  • Help. ...
  • 6. Mail. ...
  • 7. News. ...
  • Resources.
Jun 24, 2022

How do I find subdomains in Analytics? ›

Go to GA4 admin > Data Streams > Select your web data stream > Configure Tag Settings > Show More > List unwanted referrals and then enter your main domain there. For example, if your subdomains are subdomain1.example.com and subdomain2.example.com, then enter example.com in the settings of GA4.

What is a subfinder? ›

subfinder is a subdomain enumeration tool written in the Go programming language. Subfinder is used for discovering passive subdomains of websites by using digital sources like Censys, Chaos, Recon. dev, Shodan, Spyse, Virustotal, and many other passive online sources.

Do subdomains count for SEO? ›

Optimize Your Subdomains & Subdirectories for SEO

Both can be SEO-friendly. Whether you decide to use subdomains or subdirectories, you need to optimize them for the best chance of ranking in search engines.

References

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Dean Jakubowski Ret

Last Updated:

Views: 5539

Rating: 5 / 5 (70 voted)

Reviews: 93% of readers found this page helpful

Author information

Name: Dean Jakubowski Ret

Birthday: 1996-05-10

Address: Apt. 425 4346 Santiago Islands, Shariside, AK 38830-1874

Phone: +96313309894162

Job: Legacy Sales Designer

Hobby: Baseball, Wood carving, Candle making, Jigsaw puzzles, Lacemaking, Parkour, Drawing

Introduction: My name is Dean Jakubowski Ret, I am a enthusiastic, friendly, homely, handsome, zealous, brainy, elegant person who loves writing and wants to share my knowledge and understanding with you.