-1

How can I find out how many subdomains a specific domain name has? I used a trick: in Google, with the site:*.domainname.com command, I read the total number of returned results. Is it accurate?

hesam
  • 1
    No, that's not accurate - it'll only tell you about the ones Google knows about. There could be essentially infinitely many ones Google isn't aware of. Hell, they could have a wildcard subdomain. To accurately know the number of subdomains requires knowledge of the site's DNS setup - a third-party can't accurately figure this out. – ceejayoz Jun 17 '13 at 15:17
  • This question has an answer at Security SE: http://security.stackexchange.com/questions/35078/how-can-i-find-subdomains-of-a-site – Deer Hunter Jun 17 '13 at 15:42
  • 1
    @DeerHunter [The answer at IT Security](http://security.stackexchange.com/questions/35078/how-can-i-find-subdomains-of-a-site) is incorrect. I can trivially demonstrate that the recommended procedure does not list ***all*** subdomains by creating a subdomain with no web links to it. – voretaq7 Jun 17 '13 at 15:54
  • 1
    @hesam - Why do you want this information? What *specific* problem are you trying to solve? – voretaq7 Jun 17 '13 at 15:56
  • 1
    @voretaq7 - Of course, you are right and for an arbitrary subdomain name [Rook's solution](https://github.com/TheRook/subbrute) is not exhaustive. Yet it is a possibly useful tool for the OP. Please keep in mind that **using this utility or any other network reconnaissance software may get one blacklisted**. – Deer Hunter Jun 17 '13 at 16:04
  • @DeerHunter There are lots of useful tools - I've yet to see one that's comprehensive though. Even the `AXFR` solution breaks on fairly common configurations. (This is one of those Great Unsolved Problems that happens when you have hierarchical delegation - clearly the solution is that we should go back to distributing ***THE*** hosts file.) – voretaq7 Jun 17 '13 at 16:09
  • @voretaq7 - actually I want to estimate the users of sites, like the users of tumblr.com. – hesam Jun 17 '13 at 16:49

1 Answer

7

In theory, you can query the DNS server for a zone transfer (AXFR) request to get the whole zone file.

In practice, however, this is not going to work against a domain that isn't your own: this option is usually not enabled from the Internet at large.

Stephane
  • Taking this further, even if you control the domain (say `example.com`) you cannot guarantee that you know the contents of any *delegated* subdomains. If you allow someone else to serve records for `foo.example.com` and you can't get their zone information (through a zone transfer or other means) you cannot enumerate *all* of the subdomains with certainty. – voretaq7 Jun 17 '13 at 15:56
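
To make the limits discussed in the answer and comments concrete, here is an added example (not code from the answer or any commenter) that reads AXFR-style output for a zone you operate and separates explicitly listed names from delegations and wildcards, the two cases where the transferred zone is not an exhaustive list. The zone data is constructed and `inventory` is a hypothetical helper name.

```python
# Added example. SAMPLE_AXFR is constructed data in `dig AXFR` output layout.
SAMPLE_AXFR = """\
example.com.         3600 IN SOA ns1.example.com. admin.example.com. 1 7200 900 604800 300
example.com.         3600 IN NS  ns1.example.com.
ns1.example.com.     3600 IN A   192.0.2.1
www.example.com.     3600 IN A   192.0.2.10
mail.example.com.    3600 IN A   192.0.2.20
*.users.example.com. 3600 IN A   192.0.2.30
foo.example.com.     3600 IN NS  ns.foo.example.com.
ns.foo.example.com.  3600 IN A   198.51.100.5
example.com.         3600 IN SOA ns1.example.com. admin.example.com. 1 7200 900 604800 300
"""

def inventory(axfr_text, apex):
    """Split a zone's owner names into explicit hosts, delegations, wildcards."""
    apex = apex.lower().rstrip(".") + "."
    names, delegated, wildcard = set(), set(), set()
    for line in axfr_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # blank line, comment, or malformed record
        owner, rtype = fields[0].lower(), fields[3].upper()
        if owner == apex or not owner.endswith("." + apex):
            continue  # the apex itself or an out-of-zone name
        if owner.startswith("*."):
            wildcard.add(owner)      # matches names that are never listed
        elif rtype == "NS":
            delegated.add(owner)     # child zone: contents live elsewhere
        else:
            names.add(owner)
    # Records at or below a delegation point are glue, not this zone's data.
    names = {n for n in names
             if not any(n == d or n.endswith("." + d) for d in delegated)}
    return {"explicit": sorted(names), "delegated": sorted(delegated),
            "wildcard": sorted(wildcard),
            "exhaustive": not (delegated or wildcard)}

if __name__ == "__main__":
    for key, value in inventory(SAMPLE_AXFR, "example.com").items():
        print(f"{key}: {value}")
```

When `exhaustive` is false, the count of explicit names is only a lower bound on the number of subdomains that resolve.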