> Is it possible to find out all the sub-domains of a domain? For
> instance, if I created A records for private.domain.com and
> secret.domain.com; are there tools that one could run to find those
> sub-domains if they are aware of domain.com?
>
> I tried some online tools and searched around a bit but couldn't come
> up with anything useful. Just want to make sure before I roll some stuff
> out...

I believe you can if you have trusted access to a nameserver (i.e. you are a nameserver) by requesting a "zone transfer" (aka AXFR) using nslookup. This will basically dump you the nameserver's entire zone list (including all sub-domains/hosts) and is normally used in replication.

However, these days this functionality is tightly restricted and it's rare that you find a badly configured NS. You're more likely to expose them accidentally AFAIK.

Chris

or you know a badly configured nameserver!!
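
On BIND, the restriction the reply describes is the `allow-transfer` ACL. The following is an added example, not part of the original thread: a Python check that reads a `named.conf` and reports primary zones that allow AXFR from any host or never set the ACL. BIND itself is an assumption (the post names no server software), and the sample config, the zone names other than domain.com, and the function names are constructed for illustration.

```python
import re

# Constructed sample named.conf for illustration (not from the original post).
SAMPLE_CONF = """
options { directory "/var/named"; };
zone "domain.com" { type master; allow-transfer { any; }; };
zone "internal.example" { type master; allow-transfer { 192.0.2.53; }; };
zone "legacy.example" { type master; file "legacy.zone"; };
"""

def _block(text, start):
    """Return the text inside the first brace pair at or after `start`."""
    depth, begin = 0, text.index("{", start)
    for i in range(begin, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[begin + 1:i]
    raise ValueError("unbalanced braces in configuration")

def _acl(body):
    """Return the allow-transfer entries in a block, or None if it is not set."""
    m = re.search(r"\ballow-transfer[^{;]*\{([^}]*)\}", body)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def audit(conf):
    """Map each primary zone with a weak or missing transfer ACL to a finding."""
    conf = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", conf, flags=re.S)  # drop comments
    opt = re.search(r"\boptions\s*\{", conf)
    global_acl = _acl(_block(conf, opt.start())) if opt else None
    findings = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        body = _block(conf, m.start())
        if not re.search(r"\btype\s+(master|primary)\s*;", body):
            continue  # secondaries and other zone types are out of scope here
        acl = _acl(body)
        if acl is None:
            acl = global_acl  # a zone without its own ACL inherits from options
        if acl is None:
            findings[m.group(1)] = "allow-transfer not set (version default applies)"
        elif "any" in acl:
            findings[m.group(1)] = "allow-transfer permits any host"
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

An unset ACL is reported rather than assumed safe because the effective default differs between BIND releases.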