How do I get a list of all subdomains of a domain?

If you can't get this information from DNS (e.g. you aren't authorized) then one alternative is to use Wolfram Alpha.

  1. Enter the domain into the search box and run the search. (E.g. stackexchange.com)

Wolfram - Homepage

  1. In the 3rd section from the top (named "Web statistics for all of stackexchange.com") click Subdomains

Wolfram - Subdomains button

  1. In the Subdomains section click More

Wolfram - More subdomains button

You will be able to see a list of sub-domains there. Although I suspect it does not show ALL sub-domains.


You can use:

$ host -l example.com

Under the hood, this uses the AXFR query mentioned above. You might not be allowed to do this though. In that case, you'll get a transfer failed message.


The hint (using axfr) only works if the NS you're querying (ns1.foo.example in your example) is configured to allow AXFR requests from the IP you're using; this is unlikely, unless your IP is configured as a secondary for the domain in question.

Basically, there's no easy way to do it if you're not allowed to use axfr. This is intentional, so the only way around it would be via brute force (i.e. dig a.example.com, dig b.example.com, ...), which I can't recommend, as it could be viewed as a denial of service attack.