How do I find all the subdomains of a domain name? – Gandi News (2024)

There are several reasons you might want to be able to find all subdomains of a domain, but in general, those reasons boil down to either mounting some kind of attack on a website (which we don’t condone) or protecting yourself from such an attack, including auditing your subdomains to ensure there are no unused subdomains lying around in your DNS zone file.

You might also be hoping to get a full list of all the services a domain name points to, for example, to transfer it to another DNS provider.

In this article, we’ll be taking a look at what a subdomain is, on a technical level, and how you can or cannot (and why not!) get a global picture of a domain name’s subdomains.

What is a subdomain?

Let’s start with basics.

When you register a domain name, the domain registry (that is, the entity that manages delegating domain names in a particular top-level domain name, or TLD, also sometimes referred to more colloquially as an extension or domain ending) delegates the authority over the DNS zone of that domain name to you.

Remember: the domain name system is hierarchical. That means that root domain authority is concentrated with IANA, the part of ICANN responsible for delegating top-level domain names out to registries, who then delegate authority out to people buying domain names.

That means that if you register the domain name, the .com registry delegates you authority over and any other “child branch” of that domain tree, so to speak.

And just like .com has the authority from IANA to create any new .com that someone requests, you also have the authority to create any new child branch to the ‘’ tree.

So you could make,, or, or

These child branches, of course, are what we call subdomains.

How to create a subdomain

The way you create a subdomain in a domain name that you have registered is simply a question of associating that subdomain to a resource in your DNS zone file. The type of DNS record that you’ll use might depend on what type of resource you’re actually associating to it.

However, there is one DNS record type that is by far the most commonly used for subdomains: the CNAME record.

A CNAME is a “Canonical Name” record. As opposed to other DNS record types that create a one-to-one relationship between a subdomain and a resource (such as an A record), a CNAME actually turns a subdomain into an Alias of another domain name. In other words, it maps that subdomain onto another domain.

This actually gives it much greater flexibility, and that’s why the CNAME record type is by far the most commonly used record type for creating subdomains.

What can you do with a subdomain?

Subdomains can be used for any resource. Most commonly, they are used to define separate namespaces, like separate but related websites, or denote something about the structure of a website. For example, it’s not uncommon to see implementations like for a given website’s online shop or checkout system and for a hosted webmail service. In the early days of the World Wide Web, the www subdomain was used for the website associated to a domain name, while the bare domain (without subdomain) was more “general” use (such as for a mail service).

Subdomains are also often used as a way to “extend” DNS beyond the basic services. This is the case with DomainKeys Identified Mail, or DKIM. DKIM is a system that uses DNS to authenticate an email sender using public key authentication. The public key part of the authentication is stored in the DNS in a TXT type record.

A DKIM record uses subdomains as a part of the syntax of storing this key. All DKIM records are TXT records on a subdomain of the subdomain _domainkey (for example

Another example of this is domain control verification via DNS for the purposes of creating an SSL/TLS certificate.

In this case, an SSL/TLS Certificate Authority (CA) asks that someone requesting the creation of an SSL/TLS certificate verify that they are indeed the owner of the domain name in question (or an employee/representative of the owner).

The CA requests that the certificate requestor add a particular CNAME record to their DNS zone file which effectively creates a subdomain (typically on a random string of characters, such as ’12a345b6c78d90efg1234hi56j’) that points to a specific, similar random-character subdomain of their own domain name.

There are no doubt other interesting use cases for subdomains, but this gives you a general idea of some of the ways subdomains can be used.

In summary, it’s important to know that a subdomain is a “child branch” of a given domain name. In the hierarchical system of DNS, it is part of the ‘namespace’ delegated to the owner of a domain name when they register that domain name with a registry.

There are several uses for subdomains. Specifically, they are often used for standalone websites with some connection to the website hosted at the bare domain or specific services offered by a website, but not always. In those cases, though, typically a CNAME record is used. Sometimes they are created in order to use DNS to verify a domain name in some form or another, or for other use cases.

In any case, subdomains are created in the DNS zone file of a domain name.

Now we’re ready to move on to talking about how you can identify the subdomains of a given domain name.

Where can you find all the subdomains of a domain name?

In the zone file

From the above explanation, you probably already figured out the best way to determine the subdomains of a given domain name is by looking in the DNS zone.

If you are the owner or administrator of a domain name — and specifically you have access to that domain’s DNS zone file — this is trivial. You just need to look at the DNS zone file.

If you manage your DNS at a registrar like Gandi, this is available from your registrar’s interface.


You should be able to sort your list of DNS records by ‘Name’ and thereby get a list of all the subdomains (subdomains will be everything that isn’t @).

You can also sort by ‘Type’ and look only at those with the CNAME type if you want to exclude TXT records and MX records.

Another way you can get a list of all your subdomains using Gandi’s interface that’s particularly useful with domain names that have a large number of subdomains, when you want a list of all the subdomains of multiple domain names, or both, is using our DNS export feature.

You can use this feature to create and download a CSV file of your domain’s entire zone file, or the zone files of multiple domain names. Then, you just need to sort the columns either by name or record type.
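
The sorting described above, done by script on an exported zone, as an added example (not Gandi's code or export format): it lists every name other than @ with its record types, and separately reports CNAMEs that point outside the zone and underscore-prefixed service names such as _domainkey. The zone example.com, the CSV column names and all record values are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The column names (name, type, ttl, value) are an
# assumption for illustration; adjust them to match your provider's CSV.
SAMPLE_CSV = """name,type,ttl,value
@,A,10800,192.0.2.10
@,MX,10800,10 mail.example.com.
www,CNAME,10800,example.com.
shop,CNAME,10800,shops.hosting-provider.example.
mail,A,10800,192.0.2.25
mail,TXT,10800,"v=spf1 -all"
selector1._domainkey,TXT,10800,"v=DKIM1; k=rsa; p=PLACEHOLDER"
old.dev,A,10800,192.0.2.77
"""

def load_records(csv_text, zone):
    """Parse the export into dicts, adding the fully qualified name."""
    zone = zone.rstrip(".").lower()
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["name"].strip().lower()
        fqdn = zone if name == "@" else f"{name}.{zone}"
        records.append({"name": name, "fqdn": fqdn,
                        "type": row["type"].strip().upper(),
                        "value": row["value"].strip()})
    return records

def subdomains_by_type(records):
    """Map each subdomain (every name except '@') to its sorted record types."""
    found = defaultdict(set)
    for rec in records:
        if rec["name"] != "@":
            found[rec["fqdn"]].add(rec["type"])
    return {fqdn: sorted(types) for fqdn, types in sorted(found.items())}

def external_cnames(records, zone):
    """CNAMEs whose target lies outside the zone: each depends on a resource
    hosted elsewhere, so confirm that resource is still in use."""
    zone = zone.rstrip(".").lower()
    result = {}
    for rec in records:
        if rec["type"] != "CNAME":
            continue
        target = rec["value"].rstrip(".").lower()
        if target != zone and not target.endswith("." + zone):
            result[rec["fqdn"]] = target
    return result

def service_names(records):
    """Names with an underscore label (such as _domainkey), which carry data
    in DNS rather than naming a host."""
    return sorted({r["fqdn"] for r in records
                   if any(part.startswith("_") for part in r["name"].split("."))})

if __name__ == "__main__":
    recs = load_records(SAMPLE_CSV, "example.com")
    for fqdn, types in subdomains_by_type(recs).items():
        print(f"{fqdn:40} {','.join(types)}")
    print("external aliases:", external_cnames(recs, "example.com"))
```
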

Can you query the DNS for all subdomains?

The short answer is: no. You can’t just query the DNS for a list of all the subdomains of a particular domain.

When you query the DNS, such as when you request a webpage in your browser, or in your Terminal window using the commands `host`, `dig`, or `nslookup` (these are in most cases functionally the same, so we won’t get into the differences here), you’re querying a domain or subdomain that is already known. If you’re trying to get a list of all subdomains, though, the point is that the subdomains are not already known. When you query the DNS, it’s implied that you already know the domain or subdomain that you’re looking for.

There is one partial exception to this, however.

Can you get a list of all subdomains via zone transfer?

Technically, yes. And this is the partial exception mentioned above. You technically can get a list of all subdomains if your query uses zone transfer (aka AXFR).

For this query you would use `host`, using the modifiers -a and -l:

host -a -l

In this example, `-a` is equivalent to `ANY` — that is, it signals that the output will be verbose and `-l` signifies the use of zone transfer. In other words, the command uses zone transfer to list all hosts in a domain, which is to say, all subdomains.

There’s a huge problem with this method, though, and that’s the question of permissions.

Zone transfer — aka AXFR — as a general rule, is disabled for most requestors.

Why is zone transfer disabled on most domains?

First let’s talk about what zone transfer is.

Zone transfer, or AXFR (the A in AXFR means “Authoritative,” and the XFR signifies “Transfer”) is a protocol for replicating a DNS zone file.

The main use case for AXFR is when duplicating a DNS zone between a primary nameserver and a secondary nameserver. That is to say, your domain name registration requires at least two DNS nameservers — a primary, and a secondary. There can be more, but this is the baseline requirement. Since the secondary is a backup, a zone transfer can be used to transfer the entire contents of the zone file to the secondary name server.

In the beginning of DNS, or at least the zone transfer protocol, there was little reason to restrict the use of this protocol. But soon it became clear that being able to map out a domain name’s entire zone provides potential attackers with way too much information out in the open to be safe.

In particular, if someone wants to spoof or poison your DNS, having a complete copy of the zone file will be very useful for them.

So, as a security by obscurity practice, the zone transfer protocol is now almost universally restricted on DNS servers either by IP address or by signing the zone transfers. But some attackers will still try to subvert these restrictions — and succeed.

What ways besides DNS lookups can you use to find subdomains?

At this point, we’ll note that the legitimate use cases for getting a list of all subdomains of a domain name start to get thin. If you can’t access the zone file, chances are your main reason for trying to list all your subdomains is some kind of audit, possibly a security audit or a penetration test.

Since un-secured subdomains can be a serious security risk, it’s worth knowing what other options are available in case you need them.

Without direct access to the zone file, however, you can only ever be sure of having a partial list of subdomains.

Brute force/guessing

The most obvious and the most difficult strategy is just to use brute force, that is, by guessing.

There are some subdomains that are defined for virtually every domain name, such as www, and others that are very common, like shop or mail. But by going through and trying a DNS query using `dig`, `nslookup`, or `host` for as many possible subdomains as you can, you might find some hidden ones. You might try using a script; otherwise this can be time-consuming.

Can you use reverse DNS lookups to find subdomains?

One method of finding hidden subdomains is to first identify the IP addresses they might point to and then target those IP ranges. If you are able to find some subdomains just by guessing, say and, and you notice that these point to different IP addresses within the same range, you could reasonably assume that other subdomains may use other IP addresses in the same range.

To look up the domain name that corresponds to an IP address, you have to do the reverse of a DNS lookup, or in other words, a reverse DNS lookup. You can use the same commands we used above to do DNS lookups: `dig` and `host`. With `host` you just need to do a command like `host 123.45.678.910` to do a reverse DNS lookup. With `dig`, you would need to add `-x` so your query would be `dig -x 123.45.678.910`.

This method is far from fool-proof, though. If you use any CNAMEs for your subdomains, doing a reverse DNS lookup is not going to help identify them because the CNAME, as explained above, is an alias, so the IP address will be associated with the domain the CNAME points to.

What other ways are there to find subdomains?

It’s also worth mentioning that there are many online tools around, subdomain finder tools, that can be used to find subdomains, usually by crawling the web for records of subdomains and subdomain information.

You can find a list of tools that can search for subdomains here.

Finding a list of all subdomains

There are a number of reasons you might want to get a list of all the subdomains of a particular domain name, especially if you are the owner of that domain name. Generally, you would want to get such a list as part of some kind of audit of your domain name and the resources connected to it, and this is especially true with security audits.

Ultimately, the best way to get a list of all subdomains of a domain name is by having access to the DNS zone file of that domain name. Just having access, though, doesn’t necessarily make it easy. If you can’t use the Zone Transfer protocol to directly copy a domain name’s zone, you can often view it in your DNS service management’s website (or registrar, or hosting provider, depending on where you have your DNS). Your provider might also offer services like Gandi’s DNS export feature, where you can download a CSV file of one or more of your DNS zones, making a comprehensive list of your subdomains on one or more domain names possible.

If you don’t have access to the zone file, though, it will be more difficult — but not impossible. There are a number of different methods you can use, including guessing/brute force, reverse DNS lookups, and specialized online tools. To get the most comprehensive list, you’ll probably have to combine all three.

In the end, the ability to create an infinite number of subdomains on a given domain name is one of the immensely valuable aspects of registering a domain name. However, subdomains can also be a liability, so it’s important to take care to ensure un-secured subdomains don’t cause you problems down the line.


What search phrase can be used to find subdomains of a website? ›

By search engines

These operators are often referred to as Google Dorks. We can use the site: operator in Google search to find all the subdomains that Google has found for a domain. Let's take an example on “”.

How many subdomains does a domain have? ›

Characteristics and Parameters of a Subdomain

A domain can have up to 500 subdomains. You can create multiple levels of subdomains such as,, etc. Each subdomain can be up to 255 characters long, but for multi level subdomains, each level can only be 63 characters long.

Where is the subdomain? ›

A subdomain always sits before the root domain in the URL. A subdirectory always sits after. Another slight difference between the two is how they affect the nested structure of your site.

Are subdomains included with the domain? ›

Subdomains are used to expand the use of a single domain, these do not need to be purchased separately to your domain; if you own a domain then you can add a subdomain to this. This method is commonly used for Moodle and Totara site setups.

Do subdomains affect main domain SEO? ›

Subdomains aren't directly bad for SEO, but they're not always the most strategic choice. Google states that subdomains and subdirectories are both fine, but subdomains are crawled and tracked separately.

What is the best tool to find subdomains? ›

Here are ten highly effective options.
  • Google Dorking. Google Dorking is a passive subdomain enumeration technique using Google's advanced search operators, like "site:" to find information about a target, including subdomains. ...
  • Sublist3r. ...
  • Amass. ...
  • Recon-ng. ...
  • SubDomainizer. ...
  • Pentest Tools Subdomain Finder. ...
  • ...
  • Shodan.
May 13, 2024

How do I find all the subsites of a website? ›

You can usually locate it in the root or footer section of the website. For example, the XML sitemap URL could be ““. Once you click on the sitemap, you will find all pages & subpages of a website. You can use different sitemap generation tools if you don't have an existing sitemap.

Do subdomains show up on Google search? ›

Once you have completed all steps, the subdomain and its sitemap are added to the Google Search Console. Depending on the website size, it may take a little while before the subdomain becomes visible in Google search results.

Does hostname include subdomains? ›

A hostname can consist of many sub-domains. For example, In theory, a hostname could include 126 levels of subdomain.

What does a subdomain URL look like? ›

While a subdomain will appear before your TLD, a subdirectory link will include the subdirectory name after the original TLD. For example: Subdomain example: Subdirectory example:

Are subdomains still used? ›

This helps you to create a different look, feel, and functionality for your online store than your main website. You'll come across subdomains like these all over the internet. They're incredibly common. To see whether your site is using any subdomains, crawl your website with Semrush's Site Audit tool.

What is an example of a subdomain in a domain name system? ›

In the Domain Name System (DNS) hierarchy, a subdomain is a domain that is a part of another (main) domain. For example, if a domain offered an online store as part of their website , it might use the subdomain .

What are subdomain names? ›

What is a subdomain name? A subdomain name is a piece of additional information added to the beginning of a website's domain name. It allows websites to separate and organize content for a specific function — such as a blog or an online store — from the rest of your website.

How to list all DNS records in nslookup? ›

Using nslookup online is very simple. Enter a domain name in the search bar above and hit 'enter'. This will take you to an overview of DNS records for the domain name you specified.

Can I list my domain on multiple sites? ›

One domain can be mapped to only one website at any given time. But different domains can point to the same website. If you buy a domain name of your own, you can add any number of subdomains you want, and have them point to different websites.

How do I find the DNS record of a subdomain? ›

How to check the DNS records for a specific domain?
  1. Lookup A record: nslookup -type=A
  2. Lookup NS record: nslookup -type=NS
  3. Lookup MX record: nslookup -type=MX
  4. Lookup CNAME record: nslookup -type=CNAME

What is subdomain enumeration? ›

Subdomain enumeration is the process of listing out all the valid subdomains that are part of the larger domain.

Article information

Author: Foster Heidenreich CPA
