Experts insights

How do I find all the subdomains of a domain name?

A hand with a marker marking a webpage displayed on a laptop

There are several reasons you might want to be able to list all the subdomains of a domain name, but in general, those reasons boil down to either mounting some kind of attack on a website (which we don’t condone) or protecting yourself from such an attack, including auditing your subdomains to ensure there are no unused subdomains laying around in your DNS zone file.

You might also be hoping to get full list of all the services a domain name points to, for example, to transfer it to another DNS provider.

In this article, we’ll be taking a look at what a subdomain is, on a technical level, and how you can or cannot (and why not!) get a global picture of a domain name’s subdomains.

What is a subdomain?

Let’s start with basics.

When you register a domain name, the domain registry (that is, the entity that manages delegating domain names in a particular top-level domain name, or TLD, also sometimes referred to more colloquially as an extension or domain ending) delegates the authority over the DNS zone of that domain name to you.

Remember: the domain name system is hierarchical. That means that root domain authority is concentrated with IANA, the part of ICANN responsible for delegating top-level domain names out to registries, who then delegate authority out to people buying domain names.

That means that if you register the domain name example.com, the .com registry delegates you authority over example.com and any other “child branch” of that domain tree, so to speak.

And just like .com has the authority from IANA to create any new .com that someone requests, you also have the authority to create any new child branch to the ‘example.com’ tree.

So you could make foo.example.com, www.example.com, or www.foo.example.com, or www.foo.www.foo.example.com.

These child branches, of course, are what we call subdomains.

How to create a subdomain

The way you create a subdomain in a domain name that you have registered is simply a question of associating that subdomain to a resource in your DNS zone file. The type of DNS record that you’ll use might depend on what type of resource you’re actually associating to it.

However, there is one DNS record type that is by far the most common used for subdomains: the CNAME record.

A CNAME is a “Canonical Name” record. As opposed to other DNS record types that create a one-to-one relationship between a subdomain and a resource (such as an A record), a CNAME actually turns a subdomain into an Alias of another domain name. In other words, it maps that subdomain onto another domain.

This actually gives it much greater flexibility, and that’s why the CNAME record type is by far the most commonly used record type for creating subdomains.

What can you do with a subdomain?

Subdomains can be used for any resource. Most commonly, they are used to define separate namespaces, like separate but related websites, or denote something about the structure of a website. For example, it’s not uncommon to see implementations like shop.example.com for a given website’s online shop or checkout system and mail.example.com for a hosted webmail service. In the early days of the World Wide Web, the www subdomain was used for the website associated to a domain name, while the bare domain (without subdomain) was more “general” use (such as for a mail service).

Subdomains are also often used as a way to “extend” DNS beyond the basic services. This is the case with DomainKeys Identified Mail, or DKIM. DKIM is a system that uses DNS to authenticate an email sender using public key authentication. The public key part of the authentication is stored in the DNS in a TXT type record.

A DKIM record uses subdomains as a part of the syntax of storing this key. All DKIM records are TXT records on a subdomain of the subdomain _domainkey (for example selector._domainkey.example.com).

Another example of this is domain control verification via DNS for the purposes of creating an SSL/TLS certificate.

In this case, an SSL/TLS Certificate Authority (CA) asks that someone requesting the creation of an SSL/TLS certificate verify that they are indeed the owner of the domain name in question (or an employee/representative of the owner).

The CA requests that the certificate requestor add a particular CNAME record to their DNS zone file which effectively creates a subdomain (typically on a random string of characters, such as ’12a345b6c78d90efg1234hi56j’) that points to a specific, similar random-character subdomain of their own domain name.

There are no doubt other interesting use cases for subdomains, but this gives you a general idea of some of the ways subdomains can be used.

In summary, it’s important to know that a subdomain is a “child branch” of a given domain name. In the hierarchical system of DNS, it is part of the ‘namespace’ delegated to the owner of a domain name when they register that domain name with a registry.

There are several uses for subdomains. Specifically, they are often used for standalone websites with some connection to the website hosted at the bare domain or specific services offered by a website, but not always. In those cases, though, typically a CNAME record is used. Sometimes they are created in order to use DNS to verify a domain name in some form or another, or for other use cases.

In any case, subdomains are created in the DNS zone file of a domain name.

Now we’re ready to move on to talking about how you can identify the subdomains of a given domain name.

Where can you find all the subdomains of a domain name?

In the zone file

From the above explanation, you probably already figured out the best way to determine the subdomains of a given domain name is by looking in the DNS zone.

If you are the owner or administrator of a domain name — and specifically you have access to that domain’s DNS zone file — this is trivial. You just need to look at the DNS zone file.

If you manage your DNS at a registrar like Gandi, this is available from your registrar’s interface.

How to find your DNS zone file at Gandi [ link to : https://docs.gandi.net/en/domain_names/common_operations/dns_records.html#editing-your-dns-records ]

You should be able to sort your list of DNS records by ‘Name’ and thereby get a list of all the subdomains (subdomains will be everything that isn’t @).

You can also sort by ‘Type’ and look only at those with the CNAME type if you want to exclude TXT records and MX records.

Another way you can get a list of all your subdomains using Gandi’s interface that’s particularly useful with domain names that have a large number of subdomains, when you want a list of all the subdomains of multiple domain names, or both, is using our DNS export feature.

You can use this feature to create and download a CSV file of your domain’s entire zone file, or the zone files of multiple domain names. Then, you just need to sort the columns either by name or record type.

Can you query the DNS for all subdomains?

The short answer is: no. You can’t just query the DNS for a list of all the subdomains of a particular domain.

When you query the DNS, such as when you request a webpage in your browser, or in your Terminal window using the commands `host`, `dig`, or `nslookup` (these are in most cases functionally the same, so we won’t get into the differences here). These work for when you’re querying a domain or subdomain that is already known. If you’re trying to get a list of all subdomains, though, the point is that the subdomains are not already known. When you query the DNS, it’s implied that you already know the domain or subdomain that you’re looking for.

There is one partial exception to this, however.

Can you get a list of all subdomains via zone transfer?

Technically, yes. And this is the partial exception mentioned above. You technically can get a list of all subdomains if your query uses zone transfer (aka AXFR).

For this query you would use `host`, using the modifiers -a and -l:

host -a -l example.com

In this example, `-a` is equivalent to `ANY` — that is, it signals that the output will be verbose and `-l` signifies the use of zone transfer. In other words, the command uses zone transfer to list all hosts in a domain, which is to say, all subdomains.

There’s a huge problem with this method, though, and that’s the question of permissions.

Zone transfer — aka AXFR — as a general rule, is disabled for most requestors.

Why is zone transfer disabled on most domains?

First let’s talk about what zone transfer is.

Zone transfer, or AXFR (the A in AXFR means “Authoritative,” and the XFR signifies “Transfer”) is a protocol for replicating a DNS zone file.

The main use case for AXFR is when duplicating a DNS zone between a primary nameserver and a secondary nameserver. That is to say, your domain name registration requires at least two DNS nameservers — a primary, and a secondary. There can be more, but this is the baseline requirement. Since the secondary is a backup, a zone transfer can be used to transfer the entire contents of the zone file to the secondary name server.

In the beginning of DNS, or at least the zone transfer protocol, there was little reason to restrict the use of this protocol. But soon it became clear that being able to map out a domain name’s entire zone provides potential attackers with way too much information out in the open to be safe.

In particular, if someone wants to spoof or poison your DNS, having a complete copy of the zone file will be very useful for them.

So, as a security by obscurity practice, the zone transfer protocol is now almost universally restricted on DNS servers either by IP address or by signing the zone transfers. But some attackers will still try to subvert these restrictions — and succeed.

What ways besides DNS lookups can you use to find subdomains?

At this point, we’ll note that the legitimate use cases for getting a list of all subdomains of a domain name starts to get thin. If you can’t access the zone file, chances are your main reason for trying to list all your subdomains is some kind of audit, possibly a security audit or a penetration test.

Since un-secured subdomains can be a serious security risk, it’s worth knowing what other options are available in case you need them.

Without direct access to the zone file, however, you can only ever be sure of having a partial list of subdomains.

Brute force/guessing

The most obvious and the most difficult strategy is just to use brute force, that is, by guessing.

There are some subdomains that are defined for virtually every domain name, such as www, and others that are very common, like shop or mail. But by going through and trying a DNS query using `dig`, `nslookup`, or `host` for as many possible subdomains, you might find some hidden ones. You might try using a script, otherwise this can be time consuming.

Can you use reverse DNS lookups to find subdomains?

One method of finding hidden subdomains is by first identifying the IP address they might point to. If you are able to find some subdomains just by guessing, say mail.example.com and www.example.com, and you notice that these point to different IP addresses within the same range, you could reasonably assume that other subdomains may use other IP addresses in the same range.

To lookup the domain name that corresponds to an IP address, you have to do the reverse of a DNS lookup, or in other words, a reverse DNS lookup. You can use the same commands we used above to do DNS lookups: `dig` and `host`. With `host` you just need to do a command like `host 123.45.678.910` to do a reverse DNS lookup. With `dig`, you would need to add `-x` so your query would be `dig -x 123.45.678.910`.

This method is far from fool-proof, though. If you use any CNAMEs for your subdomains, doing a reverse DNS lookup is not going to help identify them because the CNAME, as explained above, is an alias, so the IP address will be associated with the domain the CNAME points to.

What other ways are there to find subdomains?

It’s also worth mentioning that there are many online tools around that can be used to find subdomains, usually by crawling the web for records of subdomains.

You can find a list of tools that can search for subdomains here.

Finding a list of all subdomains

There are a number of reasons you might want to get a list of all the subdomains of a particular domain name, especially if you are the owner of that domain name. Generally, you would want to get such a list as part of some kind of audit of your domain name and the resources connected to it, and this is especially true with security audits.

Ultimately, the best way to get a list of all subdomains of a domain name is by having access to the DNS zone file of that domain name. Just having access, though, doesn’t necessarily make it easy. If you can’t use the Zone Transfer protocol to directly copy a domain name’s zone, you can often view it in your DNS service management’s website (or registrar, or hosting provider, depending on where you have your DNS). Your provider might also offer services like Gandi’s DNS export feature, where you can download a CSV file of one or more of your DNS zones, making a comprehensive list of your subdomains on one or more domain names possible.

If you don’t have access to the zone file, though, it will be more difficult — but not impossible. There are a number of different methods you can use, including guessing/brute force, reverse DNS lookups, and specialized online tools. To get the most comprehensive list, you’ll probably have to combine all three.

In the end, the ability to create an infinite number of subdomains on a given domain name is one of the immensely valuable aspects of registering a domain name. However, subdomains can also be a liability, so it’s important to take care to ensure un-secured subdomains don’t cause you problems down the line.