Is it possible to find all subdomains for a certain domain?

No, there's no way other than bruteforcing.

And if you try that, you'll likely find yourself blacklisted.


Try this brute force script in Linux: It uses reverse DNS lookup (one name per IP), so it can't find virtual hosts (when more than one name points at one IP).

vi /tmp/dnsscan.sh

Type i and paste this:

#!/bin/bash
# Usage: dnsscan.sh <first three octets of a /24>, e.g. dnsscan.sh 208.80.152
IPPFX=$1
# Build the list of all host addresses .1 to .255 in the /24
for i in `seq 1 255` ; do LIST="$LIST ${IPPFX}.$i" ; done
for i in $LIST ; do
    # Reverse (PTR) lookup; skip addresses that have no PTR record
    ENTRY="`host $i`"
    [ $? -ne 0 ] && continue
    # Keep only the name after the last space and drop the trailing dot
    ENTRY=`echo "$ENTRY" | sed -e 's/.* //' -e 's/\.$//'`
    echo -e "$i\t$ENTRY"
done

Then type [Esc]:wq and run

chmod 777 /tmp/dnsscan.sh

Then:

/tmp/dnsscan.sh your.ipv4.address

Replace your.ipv4.address with the IPv4 address without its last octet!

For example, http://www.wikipedia.org has the IP address 208.80.152.201, so you need to execute this:

/tmp/dnsscan.sh 208.80.152

The result will be:

208.80.152.1    vrrp-gw-100.wikimedia.org
208.80.152.2    rr.pmtpa.wikimedia.org
208.80.152.3    upload.pmtpa.wikimedia.org
208.80.152.5    m.pmtpa.wikimedia.org
208.80.152.6    owa.wikimedia.org
208.80.152.7    payments.wikimedia.org
208.80.152.10   lvs-svc-test.wikimedia.org
... and so on

If you need to find virtual hosts, try Bing.com with the real IP:

Example: http://www.bing.com/search?q=IP:208.80.152.201


Your client should have access to, and some degree of control over, the nameservers that are authoritative for his domains.

Why not ask the DNS admin for a zone download/export?