You might find yourself in a situation where you would like to know all the sub-domains listed in a domain. If you are the administrator of the DNS server, you will not have much trouble finding the information; if you are not the administrator of the server, you can have a hard time finding out the sub-domains for a domain.
First, find out the name server or servers for a domain using the dig command:
root# dig wikipedia.com soa|grep SOA
; <<>> DiG 9.7.3 <<>> wikipedia.com SOA
;wikipedia.com. IN SOA
wikipedia.com. 82145 IN SOA ns0.wikimedia.org. hostmaster.wikimedia.org. 2011111000 43200 7200 1209600 3600
Knowing the name of the name server (ns0.wikimedia.org), we can query it for the subdomains:
root# dig @ns0.wikimedia.org wikipedia.com axfr
; <<>> DiG 9.7.3 <<>> @ns0.wikimedia.org wikipedia.com axfr
; (1 server found)
;; global options: +cmd
wikipedia.com. 86400 IN SOA ns0.wikimedia.org. hostmaster.wikimedia.org. 2011111000 43200 7200 1209600 3600
wikipedia.com. 3600 IN A 208.80.152.201
wikipedia.com. 86400 IN NS ns0.wikimedia.org.
wikipedia.com. 86400 IN NS ns1.wikimedia.org.
wikipedia.com. 86400 IN NS ns2.wikimedia.org.
wikipedia.com. 3600 IN MX 50 lists.wikimedia.org.
wikipedia.com. 3600 IN MX 10 mchenry.wikimedia.org.
aa.wikipedia.com. 3600 IN CNAME wikipedia-lb.wikimedia.org.
--cut
zu.wap.wikipedia.com. 3600 IN CNAME wikipedia-lb.wikimedia.org.
wikipedia.com. 86400 IN SOA ns0.wikimedia.org. hostmaster.wikimedia.org. 2011111000 43200 7200 1209600 3600
;; Query time: 27199 msec
;; SERVER: 208.80.152.130#53(208.80.152.130)
;; WHEN: Sat Jan 21 13:06:17 2012
;; XFR size: 2658 records (messages 29, bytes 52894)
This is how you can get a complete list of all subdomains listed at a domain server. However, this will only work in cases where a domain server allows you to request a zone transfer. Not all DNS servers will allow AXFR protocol queries. Those will return:
; (1 server found)
;; global options: +cmd
; Transfer failed.
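When checking the name servers of a zone you run, the two outcomes above can be told apart and the transferred names listed automatically. The script below is an added example, not part of the original article: the function names axfr_status and axfr_names and the example.test sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise saved `dig @server zone axfr` output read on stdin.
# example.test and the addresses below are constructed placeholder data.
SAMPLE_OK='; <<>> DiG 9.7.3 <<>> @ns0.example.test example.test axfr
; (1 server found)
;; global options: +cmd
example.test. 86400 IN SOA ns0.example.test. hostmaster.example.test. 1 43200 7200 1209600 3600
example.test. 86400 IN NS ns0.example.test.
www.example.test. 3600 IN A 192.0.2.10
WWW.example.test. 3600 IN AAAA 2001:db8::10
mail.example.test. 3600 IN CNAME www.example.test.
example.test. 86400 IN SOA ns0.example.test. hostmaster.example.test. 1 43200 7200 1209600 3600
;; XFR size: 6 records (messages 1, bytes 300)'

# Constructed sample of a refused transfer, in the form shown in the article.
SAMPLE_REFUSED='; (1 server found)
;; global options: +cmd
; Transfer failed.'

# axfr_status: print "refused", "open" or "unknown" for dig output on stdin.
axfr_status() {
    awk '
        /^; Transfer failed/ { failed = 1 }
        /^;; XFR size:/      { ok = 1 }
        END {
            if (failed)  print "refused"
            else if (ok) print "open"
            else         print "unknown"
        }'
}

# axfr_names: print the unique owner names (lower-cased, trailing dot removed)
# of the transferred records; comment lines and short lines are skipped.
axfr_names() {
    awk '
        /^;/ || NF < 5 { next }
        { name = tolower($1); sub(/\.$/, "", name); print name }
    ' | sort -u
}

# Demo on the constructed samples.
echo "sample 1: $(printf '%s\n' "$SAMPLE_OK" | axfr_status)"
echo "sample 2: $(printf '%s\n' "$SAMPLE_REFUSED" | axfr_status)"
printf '%s\n' "$SAMPLE_OK" | axfr_names
```

To use it on real output, pipe the result of the dig axfr command shown earlier into either function; a status of "open" for a server you administer means it answers zone transfers from the address you queried from.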