Subdomain Enumeration
Discover all publicly known subdomains for any domain using passive DNS and certificate transparency data.
DNS & Domain Tools
View All Tools →What is Subdomain Enumeration?
Subdomain enumeration is the process of discovering all subdomains associated with a root domain. A subdomain is a child domain under a parent domain, for example, mail.example.com and blog.example.com are subdomains of example.com. Organizations often create dozens or hundreds of subdomains for different services, departments, or testing environments. Our tool uses passive DNS data and certificate transparency logs to find these subdomains without actively scanning the target network.
Attackers use subdomain enumeration during reconnaissance to map an organization's attack surface. Forgotten or poorly secured subdomains like dev.example.com or staging.example.com often lack the security controls of production environments, making them attractive targets. Security teams perform subdomain enumeration as part of asset discovery to ensure all internet-facing systems are accounted for and properly secured.
How to Use the Subdomain Finder
Step-by-Step Guide
- 1. Enter Root Domain: Type the parent domain without www or http:// (e.g., example.com). The tool will search for all subdomains beneath this root.
- 2. Complete reCAPTCHA: Verify you're human by completing the reCAPTCHA challenge below the input field.
- 3. Click Enumerate: The tool queries passive DNS databases and certificate transparency logs. This process may take several seconds as multiple data sources are checked.
- 4. Review Results: Discovered subdomains appear in a scrollable list with a count at the top. Use the filter box to narrow results by keyword.
- 5. Filter Results: Type search terms in the filter box to show only subdomains matching your keywords (e.g., "api" or "dev").
The tool relies entirely on passive sources, it does not send any DNS queries directly to the target domain's name servers. This means the enumeration is stealthy and won't appear in the target's DNS logs. However, results are limited to subdomains that have been publicly observed in DNS traffic or SSL/TLS certificates.
Enumeration Techniques Used
Passive DNS Data
DNS queries from users worldwide are collected by passive DNS systems. When someone looks up mail.example.com, that subdomain is recorded. Our tool queries these historical DNS databases to find previously observed subdomains.
Certificate Transparency Logs
Every SSL/TLS certificate issued by a trusted Certificate Authority is logged in public Certificate Transparency (CT) logs. These certificates often list subdomains in the Subject Alternative Name (SAN) field. By searching CT logs, we can discover subdomains even if they've never been queried publicly.
Search Engine Dorking
Search engines like Google index subdomains that are publicly linked or crawlable. Advanced search operators (e.g., site:example.com) can reveal subdomains indexed by search engines. This technique uncovers externally accessible subdomains.
Active techniques like DNS brute-forcing (trying thousands of common subdomain names) are more comprehensive but easily detected. Our passive approach trades completeness for stealth, you'll find many subdomains without alerting the target organization's security team.
Why Enumerate Subdomains?
Subdomains represent potential attack vectors. Organizations create subdomains for staging environments, internal tools, development servers, and legacy services. These often receive less security attention than production systems. For example, a subdomain like admin-panel.example.com might have weak authentication, or test.example.com could expose sensitive data unintentionally. Subdomain enumeration helps both attackers (during reconnaissance) and defenders (during asset discovery) understand the full scope of an organization's internet presence.
Common Use Cases
- ✓Security Assessments: Map an organization's attack surface by cataloging all internet-facing subdomains during penetration testing.
- ✓Asset Discovery: Identify forgotten or shadow IT subdomains that may not be tracked in asset management systems.
- ✓Vulnerability Scanning: Generate a target list of subdomains for automated security scanners to assess for known vulnerabilities.
- ✓Competitor Reconnaissance: Understand the infrastructure and services deployed by competitors based on their subdomain naming conventions.
- ✓Bug Bounty Research: Expand the scope of bug bounty targets by finding subdomains that may be in-scope but not explicitly listed.
Best Practices for Subdomain Security
- • Maintain an inventory of all authorized subdomains and regularly compare it to enumeration results to detect unauthorized hosts.
- • Remove or properly secure development, staging, and testing subdomains that are internet-accessible unnecessarily.
- • Implement DNS wildcard records carefully, they can expose internal naming schemes or allow subdomain takeovers.
- • Monitor Certificate Transparency logs for newly issued certificates to detect unauthorized SSL certificates for your domain.
- • Use subdomain takeover detection tools to find dangling DNS records pointing to expired or deleted cloud resources.
FAQ
Frequently Asked Questions
Answers about how the subdomain enumeration tool works and how to interpret results. Not here? Talk to us.
Subdomain enumeration discovers all publicly visible subdomains for a root domain using passive DNS records, TLS certificate logs, and indexed search data. Security teams and bug bounty hunters use it to uncover forgotten staging environments, misconfigured services, and exposed assets before attackers do.
Querying publicly available records — DNS databases, TLS certificate logs, search engine indexes — is generally legal in most jurisdictions. You should only investigate or act on domains you own or have explicit permission to test, and always follow responsible disclosure practices.
Each tool queries different data sources — passive DNS feeds, TLS certificate issuance records, or search engine crawls — and each refreshes at its own interval. Our tool queries multiple sources in parallel so you get broader coverage than any single provider can offer.
TLS certificate data is near real-time; passive DNS providers typically update within hours to a few days. We query multiple sources in parallel for the best coverage, though very recently created subdomains may take a short time to appear.
No — the tool only surfaces subdomains visible in public DNS records, TLS certificate logs, or search engine indexes. Hostnames that exist solely on private networks or behind a VPN and have never been publicly exposed will not appear in results.
Unexpected subdomains often point to forgotten staging servers, abandoned third-party integrations, or cloud assets left undeleted — all common attack surface risks. Review each one, verify ownership, and remove or secure anything that should not be publicly reachable.
Use the built-in copy button to grab results from the UI. You can then paste the list into any port scanner, asset tracker, or recon pipeline you already use to continue your investigation.
No — this tool queries passive data sources such as DNS databases and TLS certificate logs, and never sends requests directly to the target's infrastructure. Passive enumeration is far less likely to trigger IDS alerts or WAF rules than active scanning techniques.