Find subdomains from a top level domain

Having been asked this question a few times by varying people I thought I’d do a quickie blog post on how to find subdomains for a domain.

The Official Way

dig @ns.thenameserver.net example.com axfr AXFR is a method of domain transfer and if the name servers are configured to allow the command to be executed then it would give you the full NS record for that domain including any subdomains.

However, trying that will likely give you this message:

1
; <<>> DiG 9.8.3-P1 <<>> @ns.thenameserver.net example.com axfr; (1 server found);; global options: +cmd; Transfer failed.

Unofficial Methods