Share via

How can I find all sub-domains using PowerShell?

Kevin D. Boutelle 21 Reputation points
2020-07-31T11:45:58.277+00:00

I can use Resolve-Dns to retrieve an A record (if one exists) for a given domain name. Is there a way, using PowerShell, to find all sub-domains?

Here's a specific use case:

One of Microsoft's stated domains to allow through firewalls is: *.blob.core.windows.net. I have not found a way to resolve an IP address for this using PowerShell. For windows.net Resolve-Dns resolves several A records but this *.blob... address actually has 1600 related sub-domains. (Source: https://spyse.com/)

I want to use PowerShell to resolve all of those 1600 sub-domains. Is this possible?

Windows DHCP
Windows DHCP
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.DHCP: Dynamic Host Configuration Protocol (DHCP). A communications protocol that lets network administrators manage centrally and automate the assignment of Internet Protocol (IP) addresses in an organization's network.
1,039 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,546 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Rich Matheisen 46,801 Reputation points
    2020-07-31T19:52:09.493+00:00

    Without being able to accomplish a DNS zone transfer I doubt you'll find an easy way to do this. There are "subdomain finders" available, but they mostly written in Python. Rewriting one of them using PowerShell and .Net might be something to explore.

    Here's a starting point, though:
    find-subdomains

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.