Search all DNS TXT records for a domain and its subdomains
Is there a way to get ALL (TXT) DNS records for a domain (and subdomains)?
My goal is to check my domain configuration (www.rosposhop.com), where I set multiple SPF and DKIM records correctly for some subdomains:
rosposhop.com
md.rosposhop.com (SPF+DKIM)
mg.rosposhop.com (SPF+DKIM)
(so I only have 5 TXT items)
Now if I ask with dig or host -a, I only get the first TXT item; I should have had a complete list of TXT items instead.
How am I wrong?
$ dig rosposhop.com TXT
; <<>> DiG 9.9.5-3ubuntu0.1-Ubuntu <<>> rosposhop.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14774
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;rosposhop.com. IN TXT
;; ANSWER SECTION:
rosposhop.com. 2362 IN TXT "google-site-verification=udcP944OqB1PldDn1ML"
;; Query time: 65 msec
;; SERVER: ***********
;; WHEN: Sat Dec 27 09:10:43 CET 2014
;; MSG SIZE rcvd: 123
By the way, if I ask specifically for the subdomain, I again only get the first entry:
$ dig md.rosposhop.com TXT
This returns:
;; ANSWER SECTION:
md.rosposhop.com. 2223 IN TXT "v=spf1 include:spf.man*******"
Again I am not getting the DKIM info. Is this a security / permissions topic? Sorry for my ignorance of DNS.
Thanks, Giorgio
Approaching a single DNS query to get all this information in one fell swoop is flawed. It assumes that the data for one zone is a) static and b) managed by a single name server. DNS does not impose any restrictions on these zones.
Both SPF and DKIM (and DMARC, if you want to throw that into the mix) use TXT records on specific domain names. It is not necessary to get all TXT records for a domain and its subdomains to view the corresponding configuration.
If you would like to get SPF and DKIM information, just request the corresponding domain names. Assuming you are using md.rosposhop.com and mg.rosposhop.com as Return-Path domains and DKIM signing domains, you should be interested in the TXT records on
- md.rosposhop.com - SPF
- mg.rosposhop.com - SPF
- (selector)._domainkey.md.rosposhop.com - DKIM
- (selector)._domainkey.mg.rosposhop.com - DKIM
where (selector) is the selector you are using for this DKIM entry. You can have more than one selector for each of the domains md.rosposhop.com and mg.rosposhop.com. TXT records on other domain names are irrelevant.
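The check the answer above describes can be scripted: build the exact names that hold SPF, DKIM and DMARC records, query each one, and inspect what comes back. The following is an added example, not code from the original post or its author. It works offline on constructed dig-style answer lines (the record values and the selector name s1 are made up), so the lookup step is replaced by a parser for the "owner TTL IN TXT "..."" format that dig prints; a real run would feed it the answer section of a dig query for each name. It also handles two details a practitioner wants checked: a long TXT record returned as several quoted strings must be concatenated without separators (RFC 7208 section 3.3, RFC 6376 section 3.6.2.2), and a name with more than one SPF record yields a permerror (RFC 7208 section 4.5).

```python
import re
from collections import defaultdict

# Constructed sample (not real data): dig-style TXT answers for the names the
# check queries. mg.rosposhop.com deliberately carries two SPF records and the
# DKIM key for md.rosposhop.com is split into two quoted strings.
SAMPLE_ANSWERS = """\
rosposhop.com. 2362 IN TXT "google-site-verification=EXAMPLE"
md.rosposhop.com. 2223 IN TXT "v=spf1 include:spf.example.net -all"
mg.rosposhop.com. 2223 IN TXT "v=spf1 include:spf.example.org ~all"
mg.rosposhop.com. 2223 IN TXT "v=spf1 ip4:192.0.2.0/24 -all"
s1._domainkey.md.rosposhop.com. 300 IN TXT "v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ"
_dmarc.rosposhop.com. 300 IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@rosposhop.com"
"""

TXT_LINE = re.compile(r'^(\S+)\s+\d+\s+IN\s+TXT\s+(.*)$')
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def names_to_query(domain, mail_subdomains, selectors):
    """Names whose TXT records hold the mail-auth configuration.

    SPF lives on each sending domain, DKIM on <selector>._domainkey.<domain>,
    DMARC on _dmarc.<organisational domain>.
    """
    names = {"spf": [], "dkim": [], "dmarc": [f"_dmarc.{domain}"]}
    for sub in mail_subdomains:
        names["spf"].append(sub)
        for sel in selectors:
            names["dkim"].append(f"{sel}._domainkey.{sub}")
    return names


def parse_txt_answers(text):
    """Parse dig answer-section lines into {owner_name: [txt_value, ...]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = TXT_LINE.match(line.strip())
        if not m:
            continue
        owner = m.group(1).rstrip(".").lower()
        # A TXT RR is a sequence of character-strings; consumers join them
        # with no separator, so '"v=DKIM1; " "p=..."' becomes one value.
        value = "".join(QUOTED.findall(m.group(2))).replace('\\"', '"')
        records[owner].append(value)
    return dict(records)


def classify(value):
    """Tell SPF, DKIM and DMARC records apart from unrelated TXT data."""
    v = value.lower()
    for prefix, kind in (("v=spf1", "spf"), ("v=dkim1", "dkim"), ("v=dmarc1", "dmarc")):
        if v.startswith(prefix):
            return kind
    return "other"


def check_mail_auth(records, domain, mail_subdomains, selectors):
    """Return a list of findings (empty list means every expected record is present and sane)."""
    findings = []
    expected = names_to_query(domain, mail_subdomains, selectors)
    for name in expected["spf"]:
        spf = [r for r in records.get(name, []) if classify(r) == "spf"]
        if not spf:
            findings.append(f"{name}: no SPF record")
        elif len(spf) > 1:
            # RFC 7208 s4.5: more than one SPF record at a name is a permerror.
            findings.append(f"{name}: {len(spf)} SPF records (permerror)")
    for name in expected["dkim"]:
        dkim = [r for r in records.get(name, []) if classify(r) == "dkim"]
        if not dkim:
            findings.append(f"{name}: no DKIM key record")
        elif not any(tag.strip().startswith("p=") for tag in dkim[0].split(";")):
            findings.append(f"{name}: DKIM record has no p= public key tag")
    for name in expected["dmarc"]:
        if not any(classify(r) == "dmarc" for r in records.get(name, [])):
            findings.append(f"{name}: no DMARC record")
    return findings


if __name__ == "__main__":
    recs = parse_txt_answers(SAMPLE_ANSWERS)
    for f in check_mail_auth(recs, "rosposhop.com",
                             ["md.rosposhop.com", "mg.rosposhop.com"], ["s1"]):
        print(f)
```

Against the constructed sample the check reports two findings: the duplicate SPF records on mg.rosposhop.com and the missing s1 DKIM key for mg.rosposhop.com. The apex google-site-verification record is classified as "other" and ignored, which is the point of the answer: only the records on the expected names matter.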
To get all records of a domain, you use an AXFR zone transfer query. This should be sent to one of the authoritative servers for the domain:
dig rosposhop.com axfr @ns52.domaincontrol.com
However, most DNS servers restrict zone transfers for security reasons. Typically, only the master server allows zone transfers, and only to known slave servers. The domaincontrol.com servers do not allow zone transfers, so you will get an error if you try this.