Is there a way to get the complete zone file for a domain without contacting its host?

You can try to initiate a zone transfer.

You are right though, no sanely configured DNS server should still allow this nowadays. Not just because as a zone admin you don't want to expose your internals, but also because AXFR responses are way bigger than the queries, so they prove to be an excellent way for DoS reflection attacks: a <100-byte spoofable UDP package can make a server send multiple KB of response to any machine on the internet.

If you still want to try:

In the nslookup utility, you can use ls [name of domain] to get the zone information.

And if you prefer dig, then you can use

dig @dns.example.com example.com -t AXFR

Though as I said, it probably won't work for you.
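As an added example (not part of the answer above), here is a small POSIX shell script an operator can use to audit their own zones: it runs the dig AXFR request from the answer against every authoritative name server of a zone and reports whether each one refuses the transfer or hands the zone out. The zone name is a placeholder; classify_axfr only parses dig's output, so the classification can be checked without network access.

```shell
#!/bin/sh
# Added example: audit whether each authoritative name server of a zone
# answers AXFR. Uses dig; the zone name passed in is a placeholder.

# classify_axfr: reads dig AXFR output on stdin and prints one line:
#   OPEN:<n>  transfer succeeded, n resource records were returned
#   REFUSED   the server answered but refused the transfer (the desired state)
#   ERROR     no usable answer (timeout, unreachable server)
classify_axfr() {
    awk '
        /Transfer failed|REFUSED|NOTAUTH/ { refused = 1 }
        /connection timed out|communications error|no servers could be reached/ { err = 1 }
        # record lines look like: name  ttl  IN  type  rdata; dig comments start with ";"
        /^[^;]/ && NF >= 5 && $3 == "IN" { n++ }
        END {
            if (n > 0)        print "OPEN:" n
            else if (refused) print "REFUSED"
            else              print "ERROR"
        }'
}

# audit_zone: look up the NS set of the zone, then try AXFR at each server
# and print "<zone> <ns> <classification>". Needs dig and network access.
audit_zone() {
    zone="$1"
    for ns in $(dig +short NS "$zone"); do
        result=$(dig @"$ns" "$zone" -t AXFR +time=5 +tries=1 2>&1 | classify_axfr)
        printf '%s %s %s\n' "$zone" "$ns" "$result"
    done
}

# Usage: ./axfr-audit.sh example.com   (example.com is a placeholder zone)
if [ $# -gt 0 ]; then
    audit_zone "$1"
fi
```

Any line reporting OPEN for a public name server means the zone is exposed to anyone and can be used for the reflection traffic described above; restricting transfers to the secondaries' addresses (and, better, signing them with TSIG) is the fix.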


I'm not sure if this is exactly what you're looking for however Network-Tools.com solved my problem of wanting to see all the DNS records in the Zone file on a given nameserver:

http://network-tools.com/nslook/


Since your usual DNS queries are non-wildcard, your only options are:

  • ask politely for the whole list (aka zone transfer, or call the admins - i.e. what you wanted to avoid)
  • settle for an incomplete list

Hacking the server and just getting the config file usually is not an option, neither is eavesdropping on the zone transfers to the secondary/backup servers. Apart from those, there is no instance that knows all possible subdomains.

Options for getting incomplete lists:

  • send random queries (aka bruteforce, though you won't get very far - but perhaps some dictionary-style guessing might help you nonetheless)
  • ask google, using the "site:example.com" filter
  • use your own crawler to follow links, hoping that all subdomains you might be interested in are linked somehow. You'll probably miss smtp.example.com, though.

Also keep in mind some zone files do have wildcards themselves, so *.example.com might give you the address(es) of a web dispatcher configured to handle web1.example.com, sales.example.com, etc. differently. This works with all protocols which use the hostname not only at the IP level but also in the application data stream (e.g. name-based virtual hosting for HTTP).
