How to request/acquire all records from a DNS?

I want to see what nodes exist under a certain domain from within the domain. Short of querying every valid IP address within that domain, is there a way to get all records/map the network?


Typically zone transfers are denied if the server is properly configured. You can do a zone transfer via dig:

dig @127.0.0.1 domain.com. AXFR

You can also use nslookup:

nslookup -query=AXFR domain.com 127.0.0.1

If you are not the administrator, you might be better off contacting your IT department for further details.
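From the zone owner's side, the point above that a properly configured server denies zone transfers can be checked directly. The script below is an added example, not part of the original answers: it sends the same dig AXFR query to each name server of a zone you administer and reports which ones refuse it. The function names and the sample outputs (example.com, 192.0.2.53) are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that the authoritative servers of a zone you run refuse AXFR.

# Read `dig @server zone AXFR` output on stdin; print "refused" or "open <n>".
classify_axfr() {
    awk '
        /^;/ || /^[[:space:]]*$/ { next }   # dig comments and blank lines
        { records++ }                        # anything else is a resource record
        $4 == "SOA" { soa++ }                # a transfer begins and ends with the SOA
        END {
            if (records > 0 && soa > 0) printf "open %d\n", records
            else print "refused"
        }'
}

# Query every NS of the zone; exit status 1 if any of them hands the zone out.
audit_zone() {
    zone=$1; rc=0
    for ns in $(dig +short NS "$zone"); do
        result=$(dig +time=5 +tries=1 "@$ns" "$zone" AXFR | classify_axfr)
        printf '%s\t%s\n' "$ns" "$result"
        case $result in open*) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample outputs (documentation names and addresses), for offline use.
SAMPLE_REFUSED='
; <<>> DiG 9.18.1 <<>> @192.0.2.53 example.com. AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.'

SAMPLE_OPEN='
; <<>> DiG 9.18.1 <<>> @192.0.2.53 example.com. AXFR
;; global options: +cmd
example.com.      3600 IN SOA ns1.example.com. admin.example.com. 1 7200 900 1209600 300
example.com.      3600 IN NS  ns1.example.com.
ns1.example.com.  3600 IN A   192.0.2.53
example.com.      3600 IN SOA ns1.example.com. admin.example.com. 1 7200 900 1209600 300
;; XFR size: 4 records (messages 1, bytes 180)'

# Only touch the network when a zone name is given on the command line.
if [ "$#" -eq 1 ]; then audit_zone "$1"; fi
```

Run it with the zone name as the only argument; a non-zero exit status means at least one name server returned the zone. On BIND, transfers are limited to the secondaries with the allow-transfer option.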


As warner mentioned (that's becoming familiar), zone transfers are often denied for security reasons. If the name servers aren't something you have access to, you can attempt to discover the most common subdomains of a given domain using one of the popular DNS bruteforce scripts. They work by performing DNS requests against a local nameserver using a user-supplied dictionary list. Dictionary lists exist solely for this purpose.

Note: if this reply is against the user agreement, just delete it, sorry.

WS-DNS-BFX is one such script (Perl and threaded, I believe).


Using the nslookup command that @warner provided above, I was not able to retrieve the records that I was looking for.

Based on some answers from this post, I was able to retrieve them using nslookup in interactive mode.

$ nslookup
> ls -d mydomain.com

I also found an alternative to the dig command here.

host -l mydomain.com