How to know all the available information under a domain

If I run dig gmail.com A I get

; <<>> DiG 9.16.1 <<>> gmail.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34113
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;gmail.com.         IN  A

;; ANSWER SECTION:
gmail.com.      198 IN  A   216.58.208.101

;; Query time: 16 msec
;; SERVER: 62.179.104.196#53(62.179.104.196)
;; WHEN: Sun Nov 15 11:41:30 CET 2020
;; MSG SIZE  rcvd: 54

If I run dig gmail.com MX

; <<>> DiG 9.16.1 <<>> gmail.com MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2168
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;gmail.com.         IN  MX

;; ANSWER SECTION:
gmail.com.      3600    IN  MX  40 alt4.gmail-smtp-in.l.google.com.
gmail.com.      3600    IN  MX  10 alt1.gmail-smtp-in.l.google.com.
gmail.com.      3600    IN  MX  20 alt2.gmail-smtp-in.l.google.com.
gmail.com.      3600    IN  MX  5 gmail-smtp-in.l.google.com.
gmail.com.      3600    IN  MX  30 alt3.gmail-smtp-in.l.google.com.

;; Query time: 116 msec
;; SERVER: 62.179.104.196#53(62.179.104.196)
;; WHEN: Sun Nov 15 11:41:55 CET 2020
;; MSG SIZE  rcvd: 161

Without trial and error, is there a way (a command to run) that shows the other records that are available, apart from the A and MX records?


Solution 1:

If the domain you are asking for allows "zone transfers", which nearly all of them don't do, you can get all of its records with:

dig axfr example.com @your.dnsserver.example

However, if you try that command with some domain which isn't yours you'll get something like this:

$ dig axfr google.com @8.8.8.8

; <<>> DiG 9.10.3-P4-Ubuntu <<>> axfr google.com @8.8.8.8
;; global options: +cmd
; Transfer failed.

The data contained in a DNS zone may be sensitive from an operational security aspect. This is because information such as server hostnames may become public knowledge, which can be used to discover information about an organization and even provide a larger attack surface. That's why zone transfers are forbidden.

You can check here what a zone transfer is: https://en.wikipedia.org/wiki/DNS_zone_transfer

On the other hand, there are some tools which provide you with valuable information about a domain, such as:

  • https://dnsdumpster.com/
  • https://www.nmmapper.com/sys/tools/subdomainfinder/
  • https://spyse.com/search/subdomain
  • https://www.htbridge.com/ssl/
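As an added example (not code from the question or from the answer above), the following Python script, standard library only, builds DNS queries and decodes responses in wire format, so you can see exactly what sits behind the dig output sections shown in the question: the header flags and rcode, the question, and each resource record. It also contains a small audit helper for checking whether an authoritative server you operate permits AXFR, which is the check behind the "Transfer failed." output in the answer. The two sample responses are constructed here from the gmail.com MX answer in the question and from a typical REFUSED reply; `axfr_allowed` is the only function that touches the network, and all function names are mine.

```python
import socket
import struct

# Record-type codes from the IANA DNS parameters registry (subset used here)
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "OPT": 41, "AXFR": 252}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels ("gmail.com" -> \\x05gmail\\x03com\\x00)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234, rd=True):
    """Header + question for one name/type. AXFR is sent with rd=False: it is not a recursive query."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it in the stream)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer into an earlier part of the message
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def parse_response(msg):
    """Return (rcode, [(owner, type, ttl, rdata), ...]) for every RR in answer/authority/additional."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, offset = RCODES.get(flags & 0xF, str(flags & 0xF)), 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPES["A"] and rdlength == 4:
            rdata = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype == QTYPES["MX"]:
            pref = struct.unpack("!H", msg[offset:offset + 2])[0]
            rdata = "%d %s" % (pref, decode_name(msg, offset + 2)[0])
        elif rtype in (QTYPES["NS"], QTYPES["CNAME"]):
            rdata = decode_name(msg, offset)[0]
        else:  # SOA, TXT, OPT, ...: keep raw hex rather than half-decode
            rdata = msg[offset:offset + rdlength].hex()
        offset += rdlength
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), ttl, rdata))
    return rcode, records


def axfr_allowed(zone, server, timeout=5.0):
    """Audit a server you operate: request AXFR over TCP (2-byte length prefix) and return
    (rcode, records) of the first reply message. A hardened server answers REFUSED or NOTAUTH
    with no records. This is the only function here that uses the network."""
    query = build_query(zone, "AXFR", rd=False)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", sock.recv(2))[0]
        data = b""
        while len(data) < length:
            chunk = sock.recv(length - len(data))
            if not chunk:
                raise ConnectionError("server closed the connection mid-message")
            data += chunk
    return parse_response(data)


def build_sample_mx_response():
    """Constructed test input: the gmail.com MX answer from the question in wire format,
    with every owner name compressed to a pointer at the question name (0xC00C)."""
    mx = [(40, "alt4.gmail-smtp-in.l.google.com"), (10, "alt1.gmail-smtp-in.l.google.com"),
          (20, "alt2.gmail-smtp-in.l.google.com"), (5, "gmail-smtp-in.l.google.com"),
          (30, "alt3.gmail-smtp-in.l.google.com")]
    msg = struct.pack("!HHHHHH", 2168, 0x8180, 1, len(mx), 0, 0)  # flags: qr rd ra, NOERROR
    msg += encode_name("gmail.com") + struct.pack("!HH", QTYPES["MX"], 1)
    for pref, host in mx:
        rdata = struct.pack("!H", pref) + encode_name(host)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPES["MX"], 1, 3600, len(rdata)) + rdata
    return msg


def build_sample_refused_axfr():
    """Constructed test input: the reply of a server that forbids zone transfers (qr set, rcode 5)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)
    return header + encode_name("example.com") + struct.pack("!HH", QTYPES["AXFR"], 1)


if __name__ == "__main__":
    for owner, rtype, ttl, rdata in parse_response(build_sample_mx_response())[1]:
        print("%s\t%d\tIN\t%s\t%s" % (owner, ttl, rtype, rdata))  # same layout as dig's ANSWER SECTION
    print(parse_response(build_sample_refused_axfr())[0])
```

Run stand-alone it prints the five MX lines from the question followed by `REFUSED`. To audit one of your own name servers, call `axfr_allowed("yourzone.example", "ns1.yourzone.example")`: the expected result for a correctly restricted server is a REFUSED (or NOTAUTH) rcode with an empty record list; a NOERROR reply carrying SOA and other records means the server hands out the whole zone to anyone who asks, which is the exposure the answer describes.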