Was looking for a solution to generate zone files from DNS, but zone transfer (AXFR) does not work for secured DNS. MX, TXT etc. can be collected with dig, but not the A records of subdomains. As these are mostly secured via HTTPS for our domains, you may get the information from certificate transparency logs.
Here’s the command line to get some subdomains with IP addresses:
curl -s -q "https://crt.sh/?q=%.${DOMAIN}&output=json" | jq -a -M -r '.[].name_value' | xargs -n 1 host | sort -u
A more advanced auditing tool is here: https://github.com/aboul3la/Sublist3r
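
The crt.sh command above stops at `host` output; the following added example (not part of the original post) carries the same idea through to zone-file A records for your own domain, handling the cases the one-liner trips over: several names in one `name_value`, wildcard entries, and names outside the zone. The function names, the sample JSON and the addresses are constructed for illustration, and the resolver is passed in so the demo runs offline.

```python
import json
import socket

# Constructed sample in the shape crt.sh returns for output=json: a JSON array
# whose name_value may hold several newline-separated names, incl. wildcards.
SAMPLE = json.dumps([
    {"name_value": "www.example.org\nexample.org"},
    {"name_value": "*.example.org"},
    {"name_value": "Mail.Example.org"},
    {"name_value": "www.example.org"},
    {"name_value": "other.example.net"},
])

def names_from_crtsh(raw, domain):
    """Return sorted unique hostnames at or below `domain`, skipping wildcards."""
    domain = domain.lower().rstrip(".")
    found = set()
    for entry in json.loads(raw):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if not name or "*" in name:
                continue  # wildcard entries cannot be resolved
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)

def resolve_ipv4(name):
    """Look up A records with the system resolver; empty list if none."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def zone_lines(names, domain, resolver=resolve_ipv4):
    """Format resolvable names as zone-file A records relative to `domain`."""
    domain = domain.lower().rstrip(".")
    lines = []
    for name in names:
        label = "@" if name == domain else name[: -len(domain) - 1]
        for ip in resolver(name):
            lines.append(f"{label}\tIN\tA\t{ip}")
    return lines

if __name__ == "__main__":
    hosts = names_from_crtsh(SAMPLE, "example.org")
    # Stub resolver with constructed addresses so the demo runs offline.
    fake = {"example.org": ["192.0.2.10"], "www.example.org": ["192.0.2.11"]}
    print("\n".join(zone_lines(hosts, "example.org", lambda n: fake.get(n, []))))
```

Names that appear in certificates but no longer resolve (here `mail.example.org`) are dropped from the output, which makes the gap between issued certificates and live records easy to review.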