DNS discovery

Sadly, even in this day and age of data portability, many DNS providers don’t like to let you export your own DNS data. Having finally received one too many PDF exports of a zone file, I thought there must be an easier way to make my life simpler. Whilst I’m aware of some DNS providers that will make a stab at pre-populating your domain for you when you transfer domains, there doesn’t seem to be a general tool for achieving this task. The closest thing I could find was DNSdumpster, which misses some of the obvious things and isn’t in the friendliest of formats. At this point there was only one thing to do: write a quick and dirty tool for finding the well-known RRs for any given domain and present them in a BIND-friendly format.

From far too many years of transferring domains from a variety of formats I’ve noticed that most domains are actually remarkably similar. There are an awful lot of very common resource record names, e.g. www, mail, webmail, sip and so forth. Obviously there are some variations, but for smaller domains at least there’s a high level of similarity, which should account for the majority of a domain import.

Being lazy, I hoped that someone might already have a decent list of the most common server names, but for once the internet seems not to have one. The best I could find was a bitquark post from 2016 of the most popular subdomains on the internet. This was sadly a bit before the popularity of O365, SPF and other such things, but it contained a few things I hadn’t already thought of.

With a bit more research, looking at what various web hosting providers set up by default and what O365, Teams, Lync and the like expect to see, I pulled together a list of about a hundred records that are quite likely to be present in a small to medium hosted domain, especially when you then look up the other domain names referenced by the starting set in CNAME, NS or SRV records. Thus was born the Zone finder, which will be useful for me if no one else.

The list of RR names it works from is currently as follows; if I’ve missed anything obvious, please let me know. Some of them are a bit old school and some may not be that common yet, but I think it’s a decent representation.

*, *._domainkey, _autodiscover._tcp, _caldav._tcp
_caldavs._tcp, _carddav._tcp, _carddavs._tcp, _dmarc
_h323cs._tcp.uc, _h323cs._tcp.vc, _h323ls._udp, _h323ls._udp.uc
_h323ls._udp.vc, _kerberos._udp, _ldap._tcp, _msdcs
_pki-validation, _sip._tcp.uc, _sip._tcp.vc, _sip.tls
_sipfederationtls._tcp, _sips._tcp.uc, _sips._tcp.vc, _sites
_tcp, _udp, access, admin
api, app, as.cwa, autoconfig
autodiscover, bbs, blog, caldav
carddav, chat, cloud, cmdb
cms, corp.sts, cpanel, cpcalendars
cpcontacts, crl, cwa, db
demo, dev, dialin, directory
domaindnszones, download.cwa, email, enterpriseenrollment
enterpriseregistration, exchange, forestdnszones, forum
ftp, gateway, gw, help
imap, imaps, lab, ldap
login, lyncdiscover, m, mail
mail1, mail2, mailserver, meet
mobile, msoid, mta01, mx
news, nntp, ns, ns1
ns2, owa, pop, pop3
pop3s, portal, proxy, remote
secure, server, sftp, sip
sip.tls, sipfederation._tcp, smtp, socks
support, test, vpn, wap
web, webdav, webdisk, webmail
whm, wpad, www

Download common rr names.
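As an added illustration of the approach described above (this is not the Zone finder's own code): probe each candidate name under the domain, follow CNAME/MX/NS/SRV targets that fall inside the zone so hosts only referenced by other records are still found, and emit the results as BIND-style zone lines. The resolver is injected and the answer set is constructed, so it runs offline; a real run would substitute a library such as dnspython for `fake_resolve`.

```python
from collections import deque

RRTYPES = ("A", "AAAA", "CNAME", "MX", "NS", "SRV", "TXT")
# For types whose rdata names another host, the index of that name
# within the whitespace-split rdata text (e.g. "10 mx1.example.com.").
TARGET_FIELD = {"CNAME": 0, "NS": 0, "MX": 1, "SRV": 3}

def discover_zone(domain, names, resolve, ttl=3600):
    """Probe `names` under `domain` and return BIND-style zone lines.
    `resolve(owner, rrtype)` returns the rdata strings for that name/type
    (empty list if none). In-zone targets of CNAME/MX/NS/SRV answers are
    queued and probed too, so referenced-only hosts are picked up."""
    domain = domain.rstrip(".").lower()
    queue = deque([domain] + [f"{n}.{domain}" for n in names])
    seen, lines = set(), [f"$ORIGIN {domain}.", f"$TTL {ttl}"]
    while queue:
        owner = queue.popleft().rstrip(".").lower()
        if owner in seen:
            continue
        seen.add(owner)
        rel = "@" if owner == domain else owner[: -len(domain) - 1]
        for rrtype in RRTYPES:
            for rdata in resolve(owner, rrtype):
                lines.append(f"{rel}\tIN\t{rrtype}\t{rdata}")
                if rrtype in TARGET_FIELD:
                    target = rdata.split()[TARGET_FIELD[rrtype]]
                    target = target.rstrip(".").lower()
                    if target == domain or target.endswith("." + domain):
                        queue.append(target)  # follow only in-zone names
    return lines

# Constructed answer set standing in for live DNS (hypothetical zone).
CONSTRUCTED_ANSWERS = {
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["10 mx1.example.com."],
    ("example.com", "TXT"): ['"v=spf1 mx -all"'],
    ("www.example.com", "A"): ["192.0.2.10"],
    ("autodiscover.example.com", "CNAME"): ["autodiscover.outlook.com."],
    ("_sipfederationtls._tcp.example.com", "SRV"): ["100 1 5061 sipfed.example.net."],
    ("mx1.example.com", "A"): ["192.0.2.25"],  # only reachable via the MX target
}

def fake_resolve(owner, rrtype):
    """Stand-in resolver: looks answers up in the constructed set above."""
    return CONSTRUCTED_ANSWERS.get((owner, rrtype), [])
```

Calling `discover_zone("example.com", ["www", "autodiscover", "_sipfederationtls._tcp", "mail"], fake_resolve)` yields the apex records, the three probed names that exist, and `mx1`, which was never in the wordlist but was reached via the MX target.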

Update: As I’ve since discovered, this also works quite well for researching shadow IT and other suspicious-looking domains that don’t have the classic “www.” address.
