4

I'm running a security experiment and I need to identify domains that point to a particular subdomain. I was wondering if there's a way for me to find the CNAMEs for all domains in a list somewhere?

Or do I have to dig the whole .com list, and grep through to find every instance of the cname?

3 Answers

3

I was wondering if there's a way for me to find the CNAMEs for all domains in a list somewhere?

No. There is no proper way of doing so. The CNAME entries are stored in zone files, which are stored in different nameservers, and there is no general way of getting the whole zone file from a nameserver. Unless you have access to all the nameservers in the world (which you obviously can't have), you can't find all CNAMEs pointing to a domain.

Or do I have to dig the whole .com list, and grep through to find every instance of the cname?

Even if you download the zone file for a TLD (Yes, that's possible: http://jordan-wright.com/blog/2015/09/30/how-to-download-a-list-of-all-registered-domain-names/), all you'll get is a list of nameservers used for all the second level domains. Then you'll need to go through every nameserver in the list and recursively ask for its zone file, which they won't provide in most cases.


One feasible workaround in your case would be to log activity of users.

  • If you are the owner of the particular subdomain for which you want CNAMEs and a web server is hosted on that server, you can log the HOST header in the HTTP request to get a possible CNAME entry.

  • If you are the network administrator of your network (i.e. you have access to the local DNS server), you can log all DNS queries that resolve to the desired CNAMEs.

0

As an end user, where nameservers are not correctly set up, you can't walk the DNS to get a list of all the resource records (which is, I think, what you are asking).

If the domain name is not correctly set up (or if you have elevated privs, which I assume you don't), you can do a "Zone Transfer" which will dump the contents of the zone - look here, but, under Linux, it's as simple as doing a dig axfr domain.name @dns.server.name

If you have access to the box or can intercept network traffic where "the particular subdomain", and if the target traffic is "http", you can sniff the http headers to get a list of requests (if you run the web server, you can create a log file to produce this info which you can search through)

Lastly, if you have a list of domains, and you know the subdomain you are looking for, for each domain, it's possible to write a script to query the subdomain for each domain, and log that. (But I suspect this is not what you are asking?)

davidgo
  • 73,366
0

I was also thinking about this recently, and one can't do this directly without collecting massive amounts of data. But luckily Merklemap has collected a lot of DNS queries into their 418Gb dataset (41Gb compressed). Using this data you can find, for example, which domains are pointing to a certain CNAME. It's not comprehensive, but it does contain a lot of domains.

This dataset is stored as newline-delimited JSON, and going through it does require plenty of disk space and some compute time.

If someone is interested, I wrote up how to analyse this DNS dataset for CNAMEs using DuckDB.
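Both the per-domain scripting suggestion in the previous answer and the dataset analysis in this one reduce to the same check: given a set of CNAME records, find every owner name whose chain (possibly several hops) ends at the subdomain you care about. The following is an added example, not code from any of the answers, from Merklemap, or from the DuckDB write-up; the newline-delimited JSON field names "name" and "cname" are an assumption about the record layout, and the sample records are constructed.

```python
import json

# Constructed sample in newline-delimited JSON. The field names "name" and
# "cname" are an assumed schema, not the real dataset's; one line is deliberately malformed.
SAMPLE_NDJSON = """\
{"name": "www.example.com", "cname": "edge.example.com"}
{"name": "edge.example.com", "cname": "lb.target.example.net."}
{"name": "shop.example.org", "cname": "LB.Target.Example.Net"}
{"name": "blog.example.org", "cname": "cdn.other.example."}
{"name": "loop-a.example.com", "cname": "loop-b.example.com"}
{"name": "loop-b.example.com", "cname": "loop-a.example.com"}
{"name": "bad line"
"""

def normalize(name):
    """Lower-case and strip the trailing dot so equivalent DNS names compare equal."""
    return name.strip().lower().rstrip(".")

def load_cname_map(ndjson_text):
    """Parse newline-delimited JSON into {owner_name: cname_target}, skipping bad lines."""
    cnames = {}
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # large dumps contain junk lines; do not abort on them
        if "name" in rec and "cname" in rec:
            cnames[normalize(rec["name"])] = normalize(rec["cname"])
    return cnames

def resolve_chain(cnames, name, max_depth=8):
    """Follow CNAMEs from name; return the final target, or None on a loop or too many hops."""
    seen = set()
    cur = normalize(name)
    while cur in cnames:
        if cur in seen or len(seen) >= max_depth:
            return None
        seen.add(cur)
        cur = cnames[cur]
    return cur

def domains_pointing_to(cnames, target):
    """All owner names whose CNAME chain ends at target, directly or via intermediate hops."""
    target = normalize(target)
    return sorted(n for n in cnames if resolve_chain(cnames, n) == target)
```

Records produced by your own resolver script (one JSON object per queried subdomain) can be fed to the same functions, so the chain-following and loop handling do not have to be rewritten for the "query each domain and log it" approach.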