How to list all CNAME records for a given domain?

There are two ways; both require administrator access or trust to the DNS records:

  • Perform a zone transfer (AXFR) on the domain to retrieve all records for the domain. The DNS administrator needs to explicitly allow AXFR transfers to your IP address from your chosen DNS server. You can perform such a transfer like this:
      dig @ns1.google.com google.com AXFR
  • Directly view the zone file on the relevant DNS server. You need administrator access to the DNS server for this.

With proper permissions on the DNS, grep for CNAME records:

host -t axfr my.dom.com dns.my.dom.com | grep -i cname
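
A plain `grep -i cname` also matches any record whose name or text data happens to contain "cname". The following is an added example, not part of the original answer, that filters on the record type column instead; it assumes dig-style record lines (owner, optional TTL, optional class, type, data), and the `example.com` sample and function names are constructed for illustration.

```shell
#!/bin/sh
# list_cnames: read AXFR output on stdin and print "owner<TAB>target"
# for CNAME records only, normalised to lower case and de-duplicated.
list_cnames() {
    awk '
        NF == 0 || $1 ~ /^;/ { next }    # skip blank lines and dig comments
        {
            # Walk past the owner name, then skip TTL and class fields;
            # the first remaining field is the record type.
            for (i = 2; i <= NF; i++) {
                f = toupper($i)
                if (f ~ /^[0-9]+$/ || f == "IN" || f == "CH" || f == "HS")
                    continue
                if (f == "CNAME" && i < NF)
                    print tolower($1) "\t" tolower($(i + 1))
                break                    # type field found, stop scanning
            }
        }
    ' | sort -u
}

# Constructed sample of zone transfer output (not from a real server).
# It includes an A record named "cname" and a TXT record mentioning CNAME,
# both of which a bare grep would report by mistake.
sample_axfr() {
    cat <<'EOF'
; constructed sample zone transfer output
example.com.        3600 IN SOA ns1.example.com. admin.example.com. 1 7200 900 1209600 300
example.com.        3600 IN NS ns1.example.com.
www.example.com.    300  IN CNAME web.example.net.
cname.example.com.  300  IN A 192.0.2.10
Mail.example.com.   300  IN cname mx.example.net.
txt.example.com.    300  IN TXT "points to a CNAME elsewhere"
example.com.        3600 IN SOA ns1.example.com. admin.example.com. 1 7200 900 1209600 300
EOF
}

# Stand-alone run on the sample; with a real transfer, pipe it in instead:
#   dig @dns.my.dom.com my.dom.com AXFR | list_cnames
sample_axfr | list_cnames
```

An empty result from a real server can also mean the transfer was refused, so check the raw `dig` output for a failure message before concluding the zone has no CNAME records.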