This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I can use Resolve-Dns to retrieve an A record (if one exists) for a given domain name. Is there a way, using PowerShell, to find all sub-domains?
Here's a specific use case:
One of Microsoft's stated domains to allow through firewalls is: *.blob.core.windows.net. I have not found a way to resolve an IP address for this using PowerShell. For windows.net Resolve-Dns resolves several A records but this *.blob... address actually has 1600 related sub-domains. (Source: https://spyse.com/)
I want to use PowerShell to resolve all of those 1600 sub-domains. Is this possible?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Without being able to accomplish a DNS zone transfer I doubt you'll find an easy way to do this. There are "subdomain finders" available, but they mostly written in Python. Rewriting one of them using PowerShell and .Net might be something to explore.
Here's a starting point, though:
find-subdomains
