Finding all domains registered in a nameserver

Up until now, I was pretty confident that it was pretty much impossible to list all the domains handled by a nameserver.

But apparently, there exist a couple of websites on the Internet that are able to list all the domains registered in a nameserver.

For example:

  • http://www.gwebtools.com/ns-spy/udns1.ultradns.net

Or all domains pointing to a specific IP:

  • http://www.robtex.com/ip/190.7.200.92.html

(These DNS/IP were picked at random)

Do you know how it's done?


There are two ways that a domain name => DNS server map can be constructed:

  1. Zone file access: some registries grant access to their zone files to their registrars and other entities. This makes it pretty easy to determine which domains in those zones are delegated to a given DNS server. This is how DomainTools.com provides their Name Server Spy product. This is the most reliable method, but is obviously limited to the zone files that they have access to.
  2. Passive DNS. This involves examining traffic through recursive DNS servers at ISPs and reconstructing zone data based on what's seen. This method lets you discover information from the entire DNS space, but is less reliable as changes take longer to appear in your database, and it won't recover information about domains that get few or no queries.

As far as I know they're just building a database of domain names and the associated authoritative name servers. You're just searching that database with their web interface and seeing a list of results that, through "normal" DNS channels, would be rather difficult to get (w/o generating a lot of queries). It's a little bit like a telephone "reverse directory" -- it's the same information that DNS gives out to normal SOA lookups, but given to you in a bit of a "backward" manner to facilitate types of searches that would normally be difficult.
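The "reverse directory" built from zone file access, as described in the answers above, sketched as an added example that is not part of the original posts: it inverts the NS delegations of a zone file into a nameserver => domains index. The zone fragment and every name in it are constructed, and the parser assumes one record per line with an explicit owner name.

```python
from collections import defaultdict

# Constructed sample: a fragment of a TLD zone file in RFC 1035 master-file
# format. All names are invented (example. / .test.); this is not real zone data.
SAMPLE_ZONE = """\
$ORIGIN example.
$TTL 86400
@            IN SOA a.nic.example. hostmaster.nic.example. 1 7200 900 1209600 3600
alpha        IN NS  ns1.dns-host.test.
alpha        IN NS  ns2.dns-host.test.
bravo  3600  IN NS  NS1.DNS-HOST.TEST.   ; case differs, same server
charlie      NS     ns1.other-host.test.
delta        IN NS  ns1.delta            ; in-zone (relative) nameserver
ns1.delta    IN A   192.0.2.53           ; glue record, not a delegation
"""

def fqdn(name, origin):
    """Return a lower-case absolute name; relative names get the origin appended."""
    if name == "@":
        name = origin
    elif not name.endswith("."):
        name = name + "." + origin.lstrip(".")   # origin "." means the root
    return name.lower()

def build_reverse_ns_map(zone_text):
    """Invert the zone's NS delegations into {nameserver: {delegated domains}}."""
    origin = "."
    index = defaultdict(set)
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()    # drop comments, tokenize
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fqdn(fields[1], ".")
            continue
        if fields[0].startswith("$"):
            continue                             # $TTL and other directives
        owner, rest = fields[0], fields[1:]
        # Skip the optional TTL and class fields that may precede the type.
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]
        if len(rest) >= 2 and rest[0].upper() == "NS":
            index[fqdn(rest[1], origin)].add(fqdn(owner, origin))
    return index

def domains_on(nameserver, index):
    """Reverse lookup: every domain in the index delegated to this nameserver."""
    return sorted(index.get(fqdn(nameserver, "."), ()))

if __name__ == "__main__":
    print(domains_on("ns1.dns-host.test", build_reverse_ns_map(SAMPLE_ZONE)))
```

The index only covers the zones that were fed into it, which is the limitation the first answer notes for this method.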


It's not actually querying the nameservers. It has a database of domains and just looks to see what the NS records for each domain are. Your original assessment is correct, don't doubt yourself :)


Does this not work off what domain robtex has "seen" before? It doesn't detect what domains are on a NS, it just lists what domains it's looked up before that have that NS.