Is there a way I can find all domain names that have a CNAME with a given value?

Question

Is there a tool using which I can run a query that returns all domain names that have a CNAME with a given value (e.g. something.example.com)?

Answer 1

This answer is also "no", but it focuses a little more on the why.

The target of a CNAME alias (or a NS delegation for that matter) receives no information from the other nameserver. The second nameserver receives queries as a result, but none of those queries convey any information that would indicate that such an action had taken place. You also have no way to control who does so!

Likewise, there is no central "registry" that is constantly updated with this kind of information. The root and TLD (top level domain) nameservers maintain a registry of who is managing all of the domains on the internet, but they have no information regarding the contents of those domains.

Answer 2

Yes. dig example.com axfr will perform a zone transer (or ls -d example.com if you use nslookup). You can then parse for CNAME records in the zone you just transferred. However, zone transfers aren't typically allowed willy nilly, so you'll need to allow transfer of the zone. You have the power to do that, right? Of course you do. Because only bad people scan for DNS records in zones that they don't have authority over.

Answer 3

No, there is not.

The main reason being that many/most domains (or rather, Name Servers) will not give you a list of all the records (names) they have. You'd have to brute-force all possible names on all domain servers everywhere.