Let's say you want to find all the subdomains/cnames of 'lowlife.org':
    user@host:/#dig lowlife.org

    ; <<>> DiG 8.2 <<>> lowlife.org
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; QUERY SECTION:
    ;;      lowlife.org, type = A, class = IN

    ;; AUTHORITY SECTION:
    lowlife.org.        1D IN SOA       ns0.demon.nl. hostmaster.demon.nl. (
                                        2000801000      ; serial
                                        6H              ; refresh
                                        30M             ; retry
                                        2W              ; expiry
                                        1D )            ; minimum

Here you can see that the authoritative nameserver is 'ns0.demon.nl'. OK, now let's look at the subdomains/cnames:

    user@host:/#dig @ns0.demon.nl lowlife.org axfr

    ; <<>> DiG 8.2 <<>> @ns0.demon.nl lowlife.org axfr
    ; (1 server found)
    $ORIGIN lowlife.org.
    @                   1D IN SOA       ns0.demon.nl. hostmaster.demon.nl. (
                                        2000801000      ; serial
                                        6H              ; refresh
                                        30M             ; retry
                                        2W              ; expiry
                                        1D )            ; minimum

                        1D IN NS        ns0.demon.nl.
                        1D IN NS        ns0.demon.co.uk.
                        1D IN MX        10 punt.mail.nl.demon.net.
                        1D IN MX        40 relay-2.mail.nl.demon.net.
                        1D IN MX        60 relay-1.mail.demon.net.
                        1D IN MX        60 relay-2.mail.demon.net.
    demon               1D IN CNAME     www
    middelburg          1D IN A         212.92.68.205
    freebsd             1D IN CNAME     www
    localhost           1D IN A         127.0.0.1
    www                 1D IN A         195.11.225.234
                        1D IN MX        10 punt.mail.nl.demon.net.
                        1D IN MX        40 relay-2.mail.nl.demon.net.
                        1D IN MX        60 relay-1.mail.demon.net.
                        1D IN MX        60 relay-2.mail.demon.net.
    project             1D IN A         145.92.3.32
    sentinel            1D IN CNAME     www
    *                   1D IN MX        10 punt.mail.nl.demon.net.
                        1D IN MX        40 relay-2.mail.nl.demon.net.
                        1D IN MX        60 relay-1.mail.demon.net.
                        1D IN MX        60 relay-2.mail.demon.net.
    @                   1D IN SOA       ns0.demon.nl. hostmaster.demon.nl. (
                                        2000801000      ; serial
                                        6H              ; refresh
                                        30M             ; retry
                                        2W              ; expiry
                                        1D )            ; minimum

    ;; Received 23 answers (23 records).
    ;; FROM: lowlife.support.nl.demon.net to SERVER: 194.159.73.5
    ;; WHEN: Thu Sep 14 10:24:28 2000

And tataaaaa: you see the subdomains (localhost, middelburg, www and project) and the cnames (demon, freebsd and sentinel).
man dig

Dig (domain information groper) is a flexible command line tool which can be used to gather information from the Domain Name System servers. All query options are accessible from the command line.

The usual simple use of dig will take the form:

    dig @server domain query-type query-class

query-type is the type of information (DNS query type) that you are requesting. If omitted, the default is ``a'' (T_A = address). The following types are recognized:

    a       T_A       network address
    any     T_ANY     all/any information about specified domain
    mx      T_MX      mail exchanger for the domain
    ns      T_NS      name servers
    soa     T_SOA     zone of authority record
    hinfo   T_HINFO   host information
    axfr    T_AXFR    zone transfer (must ask an authoritative server)
    txt     T_TXT     arbitrary number of strings

(See RFC 1035 for the complete list.)

query-class is the network class requested in the query. If omitted, the default is ``in'' (C_IN = Internet). The following classes are recognized:

    in      C_IN      Internet class domain
    any     C_ANY     all/any class information

(See RFC 1035 for the complete list.)

Note: ``Any'' can be used to specify a class and/or a type of query. Dig will parse the first occurrence of ``any'' to mean query-type = T_ANY. To specify query-class = C_ANY, you must either specify ``any'' twice, or set query-class using the -c option (see below).
Using host

Use host like this:

    user@host:/#host -l -t any lowlife.org
    lowlife.org start of authority ns0.demon.nl hostmaster.demon.nl(
                    2000801000 ;serial (version)
                    21600 ;refresh period
                    1800 ;retry refresh this often
                    1209600 ;expiration period
                    86400 ;minimum TTL
                    )
    lowlife.org name server ns0.demon.nl
    lowlife.org name server ns0.demon.co.uk
    lowlife.org mail is handled (pri=10) by punt.mail.nl.demon.net
    lowlife.org mail is handled (pri=40) by relay-2.mail.nl.demon.net
    lowlife.org mail is handled (pri=60) by relay-1.mail.demon.net
    lowlife.org mail is handled (pri=60) by relay-2.mail.demon.net
    demon.lowlife.org is a nickname for www.lowlife.org
    middelburg.lowlife.org has address 212.92.68.205
    freebsd.lowlife.org is a nickname for www.lowlife.org
    localhost.lowlife.org has address 127.0.0.1
    www.lowlife.org mail is handled (pri=10) by punt.mail.nl.demon.net
    www.lowlife.org mail is handled (pri=40) by relay-2.mail.nl.demon.net
    www.lowlife.org mail is handled (pri=60) by relay-1.mail.demon.net
    www.lowlife.org mail is handled (pri=60) by relay-2.mail.demon.net
    www.lowlife.org has address 195.11.225.234
    project.lowlife.org has address 145.92.3.32
    *.lowlife.org mail is handled (pri=10) by punt.mail.nl.demon.net
    *.lowlife.org mail is handled (pri=40) by relay-2.mail.nl.demon.net
    *.lowlife.org mail is handled (pri=60) by relay-1.mail.demon.net
    *.lowlife.org mail is handled (pri=60) by relay-2.mail.demon.net
    sentinel.lowlife.org is a nickname for www.lowlife.org
    lowlife.org start of authority ns0.demon.nl hostmaster.demon.nl(
                    2000801000 ;serial (version)
                    21600 ;refresh period
                    1800 ;retry refresh this often
                    1209600 ;expiration period
                    86400 ;minimum TTL
                    )

OK, this is a lot of info. If you're just interested in the cnames/subdomains, try this:

    user@host:/#host -l lowlife.org
    lowlife.org name server ns0.demon.nl
    lowlife.org name server ns0.demon.co.uk
    middelburg.lowlife.org has address 212.92.68.205
    localhost.lowlife.org has address 127.0.0.1
    www.lowlife.org has address 195.11.225.234
    project.lowlife.org has address 145.92.3.3

which gives you just the subdomains, and try this:

    user@host:/#host -l -t cname lowlife.org
    demon.lowlife.org is a nickname for www.lowlife.org
    freebsd.lowlife.org is a nickname for www.lowlife.org
    sentinel.lowlife.org is a nickname for www.lowlife.org

for the cnames.

Another way is using spy sites:
http://www.ip2country.cc/?q=##
http://##.websitetrafficspy.com/
http://spyonweb.com/##
http://webmastercoffee.com/en/site/##
http://www.mydnstats.com/index.php?a=search&q=##
http://www.robtex.com/dns/##.html
http://dns.l4x.org/##
http://uptime.netcraft.com/up/graph?site=##
http://sameip.org/ip/##
http://www.hostsearch.cc/##