How can I list ALL DNS records?
The short answer is that it's usually not possible, unless you control the domain.
Option 1: ANY query
When you query for ANY, you will get a list of all records at that level but not below.
# try this
dig google.com any
This may return A records, TXT records, NS records, MX records, etc if the domain name is exactly "google.com". However, it will not return child records (e.g., www.google.com). More precisely, you MAY get these records if they exist.
The name server does not have to return these records if it chooses not to do so (for example, to reduce the size of the response). Most DNS servers reject ANY queries.
Option 2: AXFR query
An AXFR is a zone transfer, and is likely what you want. However, these are typically restricted and not available unless you control the zone. You'll usually conduct a zone transfer directly from the authoritative server (the @ns1.google.com below) and often from a name server that may not be published (a stealth name server).
# This will return "Transfer failed"
dig @ns1.google.com google.com axfr
If you have control of the zone, you can set it up to get transfers that are protected with a TSIG key. This is a shared secret the client can send to the server to authorize the transfer.
Option 3: Scrape with a script
Another option is to scrape all DNS records with a script. You'd have to iterate through all the DNS record types, and also through common subdomains, depending on your needs.
Option 4: Use specialized tooling
There are some online tools that enumerate subdomains, and online tools that list all DNS records for a DNS name. Note that subdomain enumeration is usually not exhaustive.
I've improved Josh's answer. I've noticed that dig
only shows entries already present in the queried nameserver's cache, so it's better to pull an authoritative nameserver from the SOA (rather than rely on the default nameserver). I've also disabled the filtering of wildcard IPs because usually I'm usually more interested in the correctness of the setup.
The new script takes a -x
argument for expanded output and a -s NS
argument to choose a specific nameserver: dig -x example.com
#!/bin/bash
set -e; set -u
COMMON_SUBDOMAINS="www mail mx a.mx smtp pop imap blog en ftp ssh login"
EXTENDED=""
while :; do case "$1" in
--) shift; break ;;
-x) EXTENDED=y; shift ;;
-s) NS="$2"; shift 2 ;;
*) break ;;
esac; done
DOM="$1"; shift
TYPE="${1:-any}"
test "${NS:-}" || NS=$(dig +short SOA "$DOM" | awk '{print $1}')
test "$NS" && NS="@$NS"
if test "$EXTENDED"; then
dig +nocmd $NS "$DOM" +noall +answer "$TYPE"
wild_ips=$(dig +short "$NS" "*.$DOM" "$TYPE" | tr '\n' '|')
wild_ips="${wild_ips%|}"
for sub in $COMMON_SUBDOMAINS; do
dig +nocmd $NS "$sub.$DOM" +noall +answer "$TYPE"
done | cat #grep -vE "${wild_ips}"
dig +nocmd $NS "*.$DOM" +noall +answer "$TYPE"
else
dig +nocmd $NS "$DOM" +noall +answer "$TYPE"
fi