0

I had to edit my original question after several answers were submitted. Original question was: how one can find out sub-domains of a domain without brute-force? is there a way to request a domain hosting provider or a name server for sub-domains? as far as I know one can only access a sub-domain if the name is known but if the sub-domain is not known then there is no other way to find it unless you do a brute-force, am I correct?

Edited: The domain or sub-domains I am referring to do not have any robots.txt or TXT records or PTR The they all are hosted with very good hosting provider like Godaddy and other such like providers. So, there is no issue of insecure DNS! Also, the sub-domains have not been shared with any one or used anywhere in internet, these were created only for a test, plus on top of it these sub-domains, the technician and the VPS that these subdomains were pointing too were in the same country.

My understanding was that if a sub-domain is known only with your hosting provider and you and it is not shared with any one there would be no way to find that sub-domain, except brut force.

Reason I am asking this question, I came across to this site “securitytrails.com” that had my sub-domains I was suppressed

For a test I have created a sub-domain “aonfactuurportz.[myDomain]” and after some time it appeared in there.

regards

user188145
  • 9
  • 3
  • Zone transfers on insecure DNS servers is one way. Aside from that, educated guesses, scraping the internet for subdomains linked on other websites or maybe a TXT record. – DKNUCKLES Mar 06 '19 at 18:26
  • 1
    Nobody seems to have mentioned robots.txt. Some people will use that to prevent subdomains from being crawled. – Daisetsu Mar 06 '19 at 19:22
  • 1
    Nobody mentioned robots.txt because it doesn't handle subdomains. – Esa Jokinen Mar 06 '19 at 19:38

2 Answers2

2

There are a bunch of tricks for subdomain discovery:

  • Brute force.
  • The CNAME and PTR DNS records may contain the name of a different subdomain.
  • The MX and SPF records contain information about mail servers, which may be subdomains.
  • Looking at zone transfer records (AXFR). These can contain subdomain names for the purposes of replication.
  • HTTPS certificates for the parent domain or other subdomains may be issued against multiple subdomains. The "Certificate Subject Alt Name" record is the most common place to find them; for example, you can look at Amazon UK's certificate and see "www.amazon.co.uk", "uedata.amazon.co.uk", and "amazon.co.uk" in the subject alt name record.
  • Certificate transparency records can be searched and may turn up subdomains or other associated domains.
  • If you know that a domain points to an IP address within a block of IPs that is owned by the company of interest, you can perform reverse DNS scanning of each IP in that block in order to try to discover new domains.
  • Use whois to identify the owner of the domain (unless they enabled WhoisGuard) and then use a reverse whois service to search for that person's email.
  • Google (or Bing, DDG, StartPage, etc.) for it! You'll often find they indexed a subdomain.

There's a tool called dnsrecon which might be useful in trying some of these tricks out in an automated fashion.

Polynomial
  • 133,763
  • 43
  • 302
  • 380
2

Currently, with properly configured authoritative name servers and zones there's none. There have been a couple:

But there might be traces on search engines:

  • Censys is a search engine designed for that.
  • Find Subdomains on Pentest-Tools combines the previous methods.
  • Regular search engines have indexed a lot. E.g. with Google you could:
  1. Search for site:example.com.
  2. Remove found subdomains with multiple -inurl:subdomain for each.
Community
  • 1
Esa Jokinen
  • 16,725
  • 5
  • 51
  • 56