When working with internal networks or troubleshooting DNS configurations, administrators often need to view all DNS records in a domain. This becomes particularly useful when:
- Locating forgotten hosts in a corporate network
- Auditing DNS configurations
- Migrating DNS servers
- Troubleshooting service discovery issues
The most straightforward approach is using the dig command with the ANY query type:
dig mycompany.example ANY
However, this method has limitations: an ANY query only returns the records the server is willing to give for that one name through a standard query, not necessarily all records in the zone.
For a complete list, you'll need to attempt a zone transfer if permitted:
dig @nameserver mycompany.example AXFR
Replace nameserver with your DNS server's IP or hostname. Note that most DNS servers restrict zone transfers for security reasons.
For internal corporate DNS where you have appropriate permissions:
dig @ns1.mycompany.example mycompany.example AXFR
If successful, this returns all records including:
- A records (hostname to IP mapping)
- CNAME records (aliases)
- MX records (mail servers)
- TXT records (various configurations)
When zone transfers are blocked, you can use these approaches:
# Bruteforce subdomains (requires wordlist)
while IFS= read -r sub; do dig "$sub.mycompany.example"; done < subdomains.txt
# Query specific record types
dig mycompany.example A
dig mycompany.example MX
dig mycompany.example TXT
For regular audits, you might want to create a script:
#!/bin/bash
DOMAIN="mycompany.example"
RECORD_TYPES="A AAAA MX TXT CNAME NS SOA"
for type in $RECORD_TYPES; do
    echo "=== $type Records ==="
    dig "$DOMAIN" "$type" +short
    echo
done
Remember that:
- Zone transfers should be properly secured
- Only authorized personnel should perform these operations
- Consider using DNS logging to track such queries
To verify if your DNS server allows zone transfers:
dig mycompany.example SOA
# Then check the primary nameserver
dig @primary-ns mycompany.example AXFR
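The zone-transfer check above can be turned into a repeatable audit. The following is an added example, not part of the original page: it goes beyond the primary and tests every nameserver listed for the zone, since secondaries are configured separately. The function names and the sample dig outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which nameservers of a zone answer AXFR.

# Classify `dig ... AXFR` output read from stdin.
# A complete transfer starts and ends with the zone's SOA record, so two
# SOA lines and no "; Transfer failed." marker mean the transfer succeeded.
classify_axfr() {
    awk '
        /^; Transfer failed/ { failed = 1 }
        /^;/ || NF == 0      { next }   # skip dig comments and blank lines
        $4 == "SOA"          { soa++ }
                             { records++ }
        END {
            if (failed)        print "REFUSED"
            else if (soa >= 2) print "OPEN " records
            else               print "INCOMPLETE"
        }'
}

# Live use (needs dig and network access): audit_zone mycompany.example
# Prints one line per nameserver: name, then the classification.
audit_zone() {
    zone=$1
    for ns in $(dig +short NS "$zone"); do
        printf '%s\t' "$ns"
        dig +time=5 +tries=1 "@$ns" "$zone" AXFR | classify_axfr
    done
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_OPEN=';; global options: +cmd
mycompany.example. 3600 IN SOA ns1.mycompany.example. hostmaster.mycompany.example. 1 7200 900 1209600 3600
mycompany.example. 3600 IN NS ns1.mycompany.example.
build01.mycompany.example. 300 IN A 10.0.4.17
mycompany.example. 3600 IN SOA ns1.mycompany.example. hostmaster.mycompany.example. 1 7200 900 1209600 3600
;; Query time: 3 msec'

SAMPLE_REFUSED=';; global options: +cmd
; Transfer failed.'

# Offline demonstration on the constructed samples.
printf 'open sample:    %s\n' "$(printf '%s\n' "$SAMPLE_OPEN" | classify_axfr)"
printf 'refused sample: %s\n' "$(printf '%s\n' "$SAMPLE_REFUSED" | classify_axfr)"
```

Any nameserver reported as OPEN from a host that should not receive transfers needs its transfer ACL tightened; INCOMPLETE usually means a timeout or a truncated transfer and should be rechecked.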
When dealing with multiple nameservers:
dig @ns1.mycompany.example mycompany.example ANY
dig @ns2.mycompany.example mycompany.example ANY
When managing an internal DNS server for a domain like mycompany.example, you might need to retrieve all DNS records to locate a specific machine or troubleshoot issues. The dig command is a powerful tool for querying DNS servers, but listing all records requires specific techniques.
The dig command is commonly used to query DNS servers. To list all records for a domain, you can use the AXFR (Zone Transfer) request. However, most DNS servers restrict zone transfers for security reasons.
dig @dns-server mycompany.example AXFR
If zone transfers are allowed, this command will return all records. But in most cases, you'll need alternative methods.
When AXFR isn't available, you can query specific record types individually:
# Query A records
dig @dns-server mycompany.example A
# Query MX records
dig @dns-server mycompany.example MX
# Query TXT records
dig @dns-server mycompany.example TXT
# Query NS records
dig @dns-server mycompany.example NS
For internal DNS where you have permission, you can attempt to enumerate records:
for type in A AAAA MX TXT NS SOA SRV; do
    dig @dns-server mycompany.example "$type" +noall +answer
done
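You can also query the wildcard name itself. This shows the records attached to a wildcard entry if the zone has one; it does not list the hostnames in the zone: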
dig @dns-server '*.mycompany.example' ANY
Always ensure you have proper authorization before attempting to enumerate DNS records. Unauthorized zone transfers or brute-force attempts may violate security policies.
Here's a complete script to query common record types for an internal domain:
#!/bin/bash
DOMAIN="mycompany.example"
DNSSERVER="internal-dns.mycompany.example"
echo "=== DNS Records for $DOMAIN ==="
echo
RECORD_TYPES="A AAAA MX TXT NS SOA SRV CNAME"
for type in $RECORD_TYPES; do
    echo "--- $type Records ---"
    dig "@$DNSSERVER" "$DOMAIN" "$type" +noall +answer
    echo
done
Save this as dns_enum.sh, make it executable (chmod +x dns_enum.sh), and run it to get a comprehensive list of DNS records.