Search all DNS records TXT domain and subdomains

Is there a way to get ALL (TXT) DNS records for a domain (and subdomains)?

My goal is to check my domain configuration for www.rosposhop.com, where I have correctly set multiple SPF and DKIM records for some subdomains:

rosposhop.com
md.rosposhop.com (SPF+DKIM)
mg.rosposhop.com (SPF+DKIM)

(so I only have 5 TXT items)

Now if I ask with dig or host -a, I only get the first TXT item; I should have had a complete list of TXT items instead.

What am I doing wrong?

$ dig  rosposhop.com TXT


; <<>> DiG 9.9.5-3ubuntu0.1-Ubuntu <<>> rosposhop.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14774
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;rosposhop.com.                 IN      TXT

;; ANSWER SECTION:
rosposhop.com.          2362    IN      TXT     "google-site-verification=udcP944OqB1PldDn1ML"

;; Query time: 65 msec
;; SERVER: ***********
;; WHEN: Sat Dec 27 09:10:43 CET 2014
;; MSG SIZE  rcvd: 123


By the way, if I ask specifically for the subdomain, I only get the first entry again:

$ dig  md.rosposhop.com TXT

Returns:

;; ANSWER SECTION:
md.rosposhop.com.       2223    IN      TXT     "v=spf1 include:spf.man*******"

Again I am not getting the DKIM info. Is this a security / permissions topic? Sorry for my ignorance of DNS.

Thanks, giorgio

+3




2 answers


Approaching this with a single DNS query to get all this information in one fell swoop is flawed. It assumes that the data for one zone is a) static and b) managed by a single name server. DNS does not impose any such restrictions on zones.

For both SPF and DKIM (and DMARC if you want to throw that into the mix), TXT records on specific domains are used. It is not necessary to get all TXT records for a domain and its subdomains to view the corresponding configuration.

If you would like to get the SPF and DKIM information, just query the corresponding domains. Assuming you are using md.rosposhop.com and mg.rosposhop.com as Return-Path domains and in DKIM signatures, you should be interested in the TXT records on

  • md.rosposhop.com - SPF
  • mg.rosposhop.com - SPF
  • (selector)._domainkey.md.rosposhop.com - DKIM
  • (selector)._domainkey.mg.rosposhop.com - DKIM

where (selector) is the selector you are using for that DKIM entry. You can have more than one selector for each of the domains md.rosposhop.com and mg.rosposhop.com. TXT records on other domains are irrelevant.

+4


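As an added example (not code from the question or from the answer above), here is a small Python helper that does what the answer describes: it builds the list of names that carry SPF, DKIM and DMARC policy for a domain and checks that exactly one matching TXT record sits at each. The selector "s1", the dig +short wrapper, and the canned answers used for the offline run are assumptions; the canned DKIM key is a placeholder, not a real key. It also handles the detail that trips people up when they read dig output: a long TXT record such as a DKIM key is printed as several quoted strings, and the record's value is their concatenation.

```python
"""Look up the TXT records that actually carry SPF, DKIM and DMARC policy.

Added example, not code from the question or the answer. Assumptions: the
selector "s1", the dig wrapper below, and the CANNED answers (constructed,
not captured from rosposhop.com's real name servers).
"""
import re
import subprocess
from typing import Callable, Dict, List, Optional


def names_to_query(domain: str, selectors: List[str]) -> Dict[str, str]:
    """Map each name that should hold mail-auth policy to the record kind.

    SPF lives at the domain itself, DMARC at _dmarc.<domain>, and each DKIM
    key at <selector>._domainkey.<domain>; none of them is at the apex of
    the parent zone, which is why dig rosposhop.com TXT does not show them.
    """
    names = {domain: "spf", f"_dmarc.{domain}": "dmarc"}
    for sel in selectors:
        names[f"{sel}._domainkey.{domain}"] = "dkim"
    return names


def join_txt_strings(rdata: str) -> str:
    """Concatenate the quoted <character-string>s of one TXT RR as dig prints it.

    A TXT RR is a sequence of strings of at most 255 bytes, so a DKIM public
    key is usually printed as "v=DKIM1; k=rsa; p=MIIB..." "...AQAB". The
    record's value is the concatenation, not just the first string.
    """
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))


def parse_tags(value: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' list (the DKIM and DMARC syntax)."""
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def classify(value: str) -> Optional[str]:
    """Say which policy a TXT value is; None for unrelated records such as
    the google-site-verification string at the apex."""
    if value.startswith("v=spf1"):
        return "spf"
    tags = parse_tags(value)
    if tags.get("v") == "DMARC1":
        return "dmarc"
    # The DKIM v= tag is optional; a key record always has a p= tag.
    if tags.get("v") == "DKIM1" or ("v" not in tags and "p" in tags):
        return "dkim"
    return None


def audit(domain: str, selectors: List[str],
          txt_lookup: Callable[[str], List[str]]) -> Dict[str, dict]:
    """Query every relevant name and check that exactly one matching record
    is there: none means the policy is missing, two or more is a permerror
    for SPF and DMARC and an ambiguous key for DKIM."""
    report = {}
    for name, expected in names_to_query(domain, selectors).items():
        values = [join_txt_strings(rr) for rr in txt_lookup(name)]
        found = [v for v in values if classify(v) == expected]
        report[name] = {"expected": expected, "found": found, "ok": len(found) == 1}
    return report


def dig_txt(name: str) -> List[str]:
    """Live lookup with dig +short; each TXT RR comes back as one quoted line."""
    out = subprocess.run(["dig", "+short", name, "TXT"],
                         capture_output=True, text=True, check=False).stdout
    return [line for line in out.splitlines() if line.startswith('"')]


# Constructed answers for an offline run (a placeholder key, not a real one).
CANNED = {
    "md.rosposhop.com": ['"v=spf1 include:spf.example.net -all"'],
    "s1._domainkey.md.rosposhop.com": ['"v=DKIM1; k=rsa; " "p=AAAABBBB" "CCCCDDDD"'],
}


if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1          # python3 txt_audit.py md.rosposhop.com s1
    domain = sys.argv[1] if live else "md.rosposhop.com"
    selectors = sys.argv[2:] if live else ["s1"]
    lookup = dig_txt if live else (lambda n: CANNED.get(n, []))
    for name, r in audit(domain, selectors, lookup).items():
        status = "ok" if r["ok"] else f"MISSING or duplicated ({len(r['found'])} found)"
        print(f"{name:45} {r['expected']:5} {status}")
```

Run without arguments it audits the canned answers (and reports _dmarc.md.rosposhop.com as missing, since nothing was constructed for it); with a domain and one or more selectors it asks the real resolver through dig. The selector is the one piece you cannot discover from DNS alone: read it from the s= tag of a DKIM-Signature header on a message the subdomain actually sent.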


To get all the records of a domain, you use an AXFR zone transfer query. This should be sent to one of the authoritative servers for the domain:

dig rosposhop.com axfr @ns52.domaincontrol.com

However, most DNS servers restrict zone transfers for security reasons. Typically, only the master server allows zone transfers, and only to known slave servers. The domaincontrol.com servers do not allow zone transfers, so you will get an error if you try this.

+2


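As an added example (not the answer's own code), the same check done at the wire level in Python with only the standard library: build the AXFR question (QTYPE 252), send it over TCP as RFC 1035 requires for transfers, and read the header of the first reply to tell a permitted transfer (NOERROR with the zone's SOA in the answer section) from a refusal (REFUSED, NOTAUTH, or on some servers NOERROR with an empty answer). The server and zone in the usage line are the ones from the answer; REFUSED_REPLY and ALLOWED_REPLY are constructed for an offline run, not captured from those servers.

```python
"""Ask a name server for an AXFR of a zone and tell whether it was refused.

Added example, not the answer's own code. Only the standard library is used,
so the DNS message is built and read by hand. The canned replies at the
bottom are constructed for an offline run, not captured from any server.
"""
import socket
import struct

QTYPE_AXFR = 252
QCLASS_IN = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}
TXID = 0x1234  # fixed for the offline check; use random.getrandbits(16) live


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name: length-prefixed labels, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = TXID) -> bytes:
    """Header with QDCOUNT=1 and no flags (AXFR is not a recursive query),
    followed by one question for <zone> IN AXFR."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return header + question


def parse_header(msg: bytes) -> dict:
    """Decode id, QR/AA bits, rcode and the section counts of a reply."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": rcode, "rcode_name": RCODES.get(rcode, str(rcode)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def axfr_allowed(first_reply: bytes, expected_id: int = TXID) -> bool:
    """A permitted transfer starts with NOERROR and the zone's SOA in the
    answer section. Refusals come back as REFUSED or NOTAUTH, or (from some
    servers) as NOERROR with an empty answer section."""
    h = parse_header(first_reply)
    if h["id"] != expected_id or not h["qr"]:
        raise ValueError("reply does not belong to our query")
    return h["rcode"] == 0 and h["ancount"] > 0


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a TCP socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def try_axfr(server: str, zone: str, timeout: float = 5.0) -> bool:
    """Send the query over TCP with the 2-byte length prefix (RFC 1035 4.2.2)
    and classify the first reply message. A full transfer spans one or more
    messages and ends with a second SOA; the first is enough to see whether
    the server refused."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return axfr_allowed(recv_exact(s, length))


# Constructed replies for the offline run: header + echoed question only.
_QUESTION = encode_name("rosposhop.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
REFUSED_REPLY = struct.pack("!HHHHHH", TXID, 0x8005, 1, 0, 0, 0) + _QUESTION
ALLOWED_REPLY = struct.pack("!HHHHHH", TXID, 0x8400, 1, 1, 0, 0) + _QUESTION  # SOA RR omitted


if __name__ == "__main__":
    import sys
    server, zone = sys.argv[1:3] if len(sys.argv) == 3 else ("ns52.domaincontrol.com", "rosposhop.com")
    verdict = "allows" if try_axfr(server, zone) else "refuses"
    print(f"{server} {verdict} AXFR of {zone}")
```

The check that belongs in your own recon is to run try_axfr once per name server listed in the zone's NS set, because a transfer ACL is configured per server and a secondary is sometimes left open when the master is not. Only run it against zones you own or are authorised to test.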






