Using DNS aggregators
Many third-party services either perform DNS enumeration on your behalf or aggregate massive DNS datasets and search them for sub-domains. This section covers a few popular ones.
VirusTotal runs its own passive DNS replication service, built by storing DNS resolutions performed when visiting URLs submitted by users. To retrieve the information for a domain, just put the domain name in the search bar.
- We wrote a simple script to automate the extraction of sub-domains using VirusTotal. The script can be found here - https://github.com/appsecco/the-art-of-subdomain-enumeration/blob/master/virustotal_subdomain_enum.py
- DNSdumpster is another interesting tool that can find a potentially large number of sub-domains for a given domain.
- DNSdumpster has an unofficial Python library to extract data: https://github.com/PaulSec/API-dnsdumpster.com
- Netcraft can search for sub-domains for a given domain name.
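Results from several aggregators overlap and include noise such as wildcard entries, trailing dots, and look-alike names outside your domain. The following added example (not the script linked above and not code from any of these services) merges name lists already exported from each source, keeps only names under your own apex domain, and flags hosts missing from your asset inventory. The function names, `SAMPLE` and `INVENTORY` are hypothetical, the data is constructed, and `example.com` is a placeholder.

```python
import re

# One DNS label: letters, digits, hyphen, underscore; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")

def normalise(name):
    """Return a canonical hostname, or None if the string is not a usable name."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):          # wildcard record: keep the parent name
        name = name[2:]
    if not name or len(name) > 253:
        return None
    if not all(_LABEL.match(label) for label in name.split(".")):
        return None
    return name

def in_scope(name, apex):
    """Match on a label boundary so look-alike names are rejected."""
    return name == apex or name.endswith("." + apex)

def merge(apex, sources):
    """sources maps source name -> raw names; returns host -> sorted source list."""
    seen = {}
    for source, names in sources.items():
        for raw in names:
            host = normalise(raw)
            if host and in_scope(host, apex):
                seen.setdefault(host, set()).add(source)
    return {host: sorted(srcs) for host, srcs in sorted(seen.items())}

def unknown_hosts(merged, inventory):
    """Hosts the aggregators know about that the asset inventory does not."""
    known = {normalise(h) for h in inventory}
    return [host for host in merged if host not in known]

# Constructed sample exports, one list per aggregator.
SAMPLE = {
    "virustotal": ["www.example.com", "Dev.Example.com.", "example.com.evil.test"],
    "dnsdumpster": ["dev.example.com", "*.staging.example.com", "mail.example.com"],
    "netcraft": ["www.example.com", "notexample.com", "bad host.example.com"],
}
INVENTORY = ["www.example.com", "mail.example.com"]  # constructed asset list

if __name__ == "__main__":
    merged = merge("example.com", SAMPLE)
    for host, srcs in merged.items():
        print(f"{host:25} {', '.join(srcs)}")
    print("not in inventory:", unknown_hosts(merged, INVENTORY))
```

A host reported by more than one source is more likely to be current, and anything listed as not in the inventory is a candidate for ownership review or decommissioning.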