Find DNS Host Records | Subdomain Finder | HackerTarget.com (2024)

Find all Forward DNS (A) records for a domain. Enter a domain name and search for all subdomains associated with that domain. A handy reconnaissance tool when assessing an organisations security.

Valid Input 8.8.8.8 1.1.1.1-50 1.1.1.1/24 example.com

Recon: Find your targets with a DNS (A) record search

Use this hostname search to find all the forward DNS records (A recrds) for an organisation. A number of limits apply to FREE users including number of results and number of daily queries. Remove limits with a Membership or try the Domain profiler tool to get a full listing with additional meta data from the discovered hosts.

A forward DNS record (or A record) is used to determine an IP address from a human readable hostname. By searching all forward DNS records for a domain, attackers (or security penetration testers) can begin to understand the layout of an organisations Internet footprint. This type of reconnaissance can discover a wide range of hosts from multiple IP net blocks that can contain a wide range of services. With a good understanding of the perimeter the discovered systems can be assessed for security weak spots. The more hosts found the wider the potential attack surface.

Subdomain Enumeration Limits

Membership FREE USER
Queries / day# based on Plan50
Max # of Results500'000500
Data Set UpdatesHourlyWeekly

With a membership get up to half a million results from a single query. A gold mine of data for security analysts, network defenders and other cyber security professionals.

Updates to the DNS Data set are applied regularly from multiple sources. With a membership access newly discovered subdomains every hour.

Find DNS Host Records | Subdomain Finder | HackerTarget.com (1)

Forward DNS Hostname Search

The only function within the DNS protocol to identify all (A) records associated with a domain is to perform a DNS Zone Transfer. This zone transfer is a process that allows replication of DNS data between two DNS servers. However, it is deemed to be a security risk to leak all that DNS data so a properly configured DNS server should not allow a DNS zone transfer to non-authorized hosts.

Since it is likely that a DNS zone transfer will not work, we need another way to identify all the hosts associated with a domain. This discovery process can use a number of resources such as search engines, DNS data sets, brute forcing or crawling to enumerate subdomains.

Subdomain Enumeration from Search Engines

Search engines are a popular subdomain enumeration technique. Advantages of this method are that it is a passive search, in other words you are not sending any traffic to the target network or DNS servers. The search engine returns a list of results that contain the domain you are searching on. An example using Google is to perform the following query:

site:example.com

This will show all results from Google that contain the domain site.com. As it is likely that there are many results on www.example.com we can refine the search with the following query.

site:example.com -site:www.example.com

This will filter the www.example.com domain from the results, perhaps revealing a number of more interesting subdomains to target.

Brute Forcing Subdomains

A number of DNS enumeration tools and scripts are available that will simply take a list of keywords (potential subdomains) and attempt to resolve these against the target domain. This is not an entirely passive undertaking as the DNS resolution goes to the target domains DNS server and results in many failed lookups.

If someone is closely monitoring the DNS server of the target domain they will be able to detect that someone is performing a brute force subdomain scan against the domain.

There are a number of tools that can perform this enumeration, if you have Nmap installed there is an NSE script that will perform a DNS subdomain brute force (dns-brute).

DNS and SSL Data Sets for Subdomain Enumeration

Find DNS Host Records | Subdomain Finder | HackerTarget.com (2)The data we use to find host records here at hackertarget.com is sourced from a number of excellent projects as well as Internet search engines.

Scans.io is a project supported by Rapid 7 that compiles Internet scan data as well as DNS data sets, including both forward and reverse DNS records. By searching through the Forward DNS data set we can find all subdomains in the list that match a domain name query.

Another project is the censys.io project. This project from the University of Michigan also compiles a large amount of Internet scan data as well SSL data. Searching the SSL records can reveal host names of target domains. There is an API available or the full data sets can be downloaded.

Certificate transparency logs are yet another excellent source of host data. A project that allows browsers to confirm the validity of SSL certificates in near real time. Certificate transparency also happens to be an excellent source for performing reconnaissance against target domains.

Related IP Tools

We have a number of other related tools in our IP Tools suite that may be of interest. The Reverse DNS Lookup enables searching reverse PTR records for a domain and the Reverse IP search identifies hosts sharing an IP address. By combining these tools it should be possible to get a very good indication of where an organisations Internet systems are located both from IP address and physical location if used in conjunction with GeoIP lookups.

Domain Profiler for Attack Surface Discovery

Find DNS Host Records | Subdomain Finder | HackerTarget.com (3)

Use the Domain Profiler tool to perform automated reconnaissance against a domain name. This provides a quick overview of an organisations Internet facing infrastructure within a few minutes.

Results are collected passively; no packets are sent against the target IP ranges resulting in a very stealthy way to assess an organizations perimeter.

Learn More

Scan Membership

Forward DNS search API

Rather than using the form above you can also access the forward DNS tool using the API. The output is simply plain text and will include the IP address and the forward DNS host name. Data from the tool can be easily imported into a spreadsheet or other tool for reference purposes.

https://api.hackertarget.com/hostsearch/?q=example.com

This query will display the forward DNS records discovered using the data sets outlined above.

The API is simple to use and aims to be a quick reference tool; like all our IP Tools there is a limit of 50 queries per day. Remove limits with a Full Membership.

For those who need to send more packets upgrade to HackerTarget.com Enterprise Plans.

Automated Security Vulnerability Scans.

Discover. Investigate. Learn.

Use Cases

Website Recon?

Fingerprint Web App
Technologies in Bulk

Whatweb / Wappalyzer

Remove limits with a full membership

More info available

Membership

Find DNS Host Records | Subdomain Finder | HackerTarget.com (2024)

FAQs

How do I find out where my DNS records are hosted? ›

Find the DNS host

Go to https://who.is/ and search for your domain. In the search results, the section labeled Name Servers shows the location of your DNS host.

How do I look up a DNS record? ›

How Do I Perform a DNS Lookup Using Command-Line Tools?
  1. Open Command Prompt.
  2. Enter nslookup domain.com to perform a DNS lookup for the domain.

How do I get a list of DNS records? ›

Using nslookup online is very simple. Enter a domain name in the search bar above and hit 'enter'. This will take you to an overview of DNS records for the domain name you specified. Behind the scenes, NsLookup.io will query a DNS server for DNS records without caching the results.

How do I trace a DNS lookup command? ›

Access your command prompt. Use the command nslookup (this stands for Name Server Lookup) followed by the domain name or IP address you want to trace. Press enter. This command will simply query the Name Service for information about the specified IP address or domain name.

Can you check DNS history? ›

DNS Trails (now owned by SecurityTrails), a top-tier tool for accessing DNS history, offers users: Access to a vast database of DNS records. 50 API queries with a free account. Historical DNS records with daily updates on domain data.

How do I view DNS logs? ›

To view the log location of the DNS server:
  1. Open Server Manager and from the Tools menu, select DNS server management application.
  2. From the left-pane, expand DNS and select a protocol (for example, IPv4).
  3. Right-click IPv4 and then select Properties.
  4. In the Properties dialog box, select the Debug Logging tab.
Jun 1, 2023

What command is used to lookup DNS records? ›

Type nslookup and hit Enter. The displayed information will be your local DNS server and its IP address. You can specify the DNS server (IP address), type of record, and domain name. Note: all the screenshots below are for Windows OS but the same commands will work in Terminal for Mac.

How do I trace a DNS issue? ›

Dig command

The 'dig' command, which stands for 'Domain Information Groper,' is a handy command-line tool used in the DNS name resolution process. It sends a DNS query to a specified DNS server and gets a response. It's a useful tool for finding DNS-related issues. With this command you can see all the DNS records.

How do I open DNS history? ›

The most efficient way to check DNS records of the domain is to use a terminal with the command nslookup. This command will run on almost all operating systems (Windows, Linux, and macOS).

How do I retrieve old DNS records? ›

If you want to recover lost DNS records, follow this steps:
  1. Open up securitytrails.com.
  2. Enter your domain name.
  3. Move to the Historical Data block.
  4. Choose your DNS record type.
  5. Your old and current DNS records values should be displayed and ordered by date on the left side, as you see below.

How to use command dig? ›

How to Use the Dig Command?
  1. Open Command Prompt or Terminal: Depending on your operating system (OS), open the Command Prompt (Windows) or Terminal (MacOS/Linux).
  2. Install Dig (if not already installed): ...
  3. Run the Dig Command: In the Command Prompt or Terminal, type dig followed by the domain name you want to query.

How to find DNS server of a website? ›

Additionally, Microsoft Windows has nslookup, a built-in command-line tool for checking DNS records. To access nslookup, open a command prompt window by opening the Windows Start Menu or pressing the Windows key on your keyboard. Then, just type “nslookup” while the Start Menu is open.

How do I check my DNS records? ›

Use a website that gathers domain information, like WHOIS lookup, to look up public information about your name server. Search your domain name. Enter your domain name in the search field, such as mywebsite.com, and look up the domain information. Look for Name Server information in search results.

What is a dig tool? ›

Description. The dig (domain information groper) command is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the queried name server(s).

How do you run a DNS lookup? ›

Follow these steps to do it right:
  1. Open the command prompt.
  2. Type nslookup followed by the IP address and press 'Enter. ' For example, it can be nslookup 8.8. 8.8.
  3. Now, the command prompt will return the DNS name and the associated IP you entered.
Jul 12, 2024

How do I know where my DNS is coming from? ›

You can run command nslookup -d2 domain name (for example: nslookup www.google.com) to check the process of resolution in detail including DNS client queries which DNS server.

Where is my DNS host file? ›

The hosts file for all recent versions of Windows including Windows 7, 8, 10, 11 & Windows Server is located in C:\Windows\System32\Drivers\etc\hosts .

Where are DNS servers hosted? ›

As mentioned earlier, the ISP's DNS server is part of the network configuration you get from DHCP as soon as you go online. These servers reside in your ISP's data centers, and they handle requests as follows: If it has the domain name and IP address in its database, it resolves the name itself.

Where are DNS records stored on server? ›

DNS record types are records that provide important information about a hostname or domain. These records include the current IP address for a domain. Also, DNS records are stored in text files (zone files) on the authoritative DNS server.

References

Top Articles
Diablo 4 Paragon Boards
🔥 Die besten Builds Diablo 4 Season 4 Rangliste (Tier-List)
Mchoul Funeral Home Of Fishkill Inc. Services
Toa Guide Osrs
Global Foods Trading GmbH, Biebesheim a. Rhein
Pet For Sale Craigslist
Using GPT for translation: How to get the best outcomes
Sound Of Freedom Showtimes Near Governor's Crossing Stadium 14
Chicago Neighborhoods: Lincoln Square & Ravenswood - Chicago Moms
Phone Number For Walmart Automotive Department
Is Csl Plasma Open On 4Th Of July
Athletic Squad With Poles Crossword
Think Of As Similar Crossword
Green Bay Press Gazette Obituary
Bhad Bhabie Shares Footage Of Her Child's Father Beating Her Up, Wants Him To 'Get Help'
MADRID BALANZA, MªJ., y VIZCAÍNO SÁNCHEZ, J., 2008, "Collares de época bizantina procedentes de la necrópolis oriental de Carthago Spartaria", Verdolay, nº10, p.173-196.
Toonily The Carry
Zoebaby222
Obituary | Shawn Alexander | Russell Funeral Home, Inc.
Buying risk?
What to do if your rotary tiller won't start – Oleomac
Funny Marco Birth Chart
Local Collector Buying Old Motorcycles Z1 KZ900 KZ 900 KZ1000 Kawasaki - wanted - by dealer - sale - craigslist
Dr Adj Redist Cadv Prin Amex Charge
G Switch Unblocked Tyrone
Msu 247 Football
Why Is 365 Market Troy Mi On My Bank Statement
Van Buren County Arrests.org
Decosmo Industrial Auctions
Bellin Patient Portal
California Online Traffic School
Foodsmart Jonesboro Ar Weekly Ad
'Insidious: The Red Door': Release Date, Cast, Trailer, and What to Expect
Expression Home XP-452 | Grand public | Imprimantes jet d'encre | Imprimantes | Produits | Epson France
Fuse Box Diagram Honda Accord (2013-2017)
Earthy Fuel Crossword
Street Fighter 6 Nexus
Craigslist Free Puppy
Here’s how you can get a foot detox at home!
Omnistorm Necro Diablo 4
Craigslist - Pets for Sale or Adoption in Hawley, PA
1Exquisitetaste
No Boundaries Pants For Men
Gotrax Scooter Error Code E2
Deepwoken: How To Unlock All Fighting Styles Guide - Item Level Gaming
Sandra Sancc
Argus Leader Obits Today
Wwba Baseball
Okta Hendrick Login
Grandma's Portuguese Sweet Bread Recipe Made from Scratch
Haunted Mansion Showtimes Near The Grand 14 - Ambassador
Latest Posts
Article information

Author: Mr. See Jast

Last Updated:

Views: 5639

Rating: 4.4 / 5 (55 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Mr. See Jast

Birthday: 1999-07-30

Address: 8409 Megan Mountain, New Mathew, MT 44997-8193

Phone: +5023589614038

Job: Chief Executive

Hobby: Leather crafting, Flag Football, Candle making, Flying, Poi, Gunsmithing, Swimming

Introduction: My name is Mr. See Jast, I am a open, jolly, gorgeous, courageous, inexpensive, friendly, homely person who loves writing and wants to share my knowledge and understanding with you.