Home/Tools/Subdomain Enumeration

Subdomain Enumeration

Discover all publicly known subdomains for any domain using passive DNS and certificate transparency data.

DNS & Domain Tools

View All Tools →

What is Subdomain Enumeration?

Subdomain enumeration is the process of discovering all subdomains associated with a root domain. A subdomain is a child domain under a parent domain, for example, mail.example.com and blog.example.com are subdomains of example.com. Organizations often create dozens or hundreds of subdomains for different services, departments, or testing environments. Our tool uses passive DNS data and certificate transparency logs to find these subdomains without actively scanning the target network.

Attackers use subdomain enumeration during reconnaissance to map an organization's attack surface. Forgotten or poorly secured subdomains like dev.example.com or staging.example.com often lack the security controls of production environments, making them attractive targets. Security teams perform subdomain enumeration as part of asset discovery to ensure all internet-facing systems are accounted for and properly secured.

How to Use the Subdomain Finder

Step-by-Step Guide

  1. 1. Enter Root Domain: Type the parent domain without www or http:// (e.g., example.com). The tool will search for all subdomains beneath this root.
  2. 2. Complete reCAPTCHA: Verify you're human by completing the reCAPTCHA challenge below the input field.
  3. 3. Click Enumerate: The tool queries passive DNS databases and certificate transparency logs. This process may take several seconds as multiple data sources are checked.
  4. 4. Review Results: Discovered subdomains appear in a scrollable list with a count at the top. Use the filter box to narrow results by keyword.
  5. 5. Filter Results: Type search terms in the filter box to show only subdomains matching your keywords (e.g., "api" or "dev").

The tool relies entirely on passive sources, it does not send any DNS queries directly to the target domain's name servers. This means the enumeration is stealthy and won't appear in the target's DNS logs. However, results are limited to subdomains that have been publicly observed in DNS traffic or SSL/TLS certificates.

Enumeration Techniques Used

Passive DNS Data

DNS queries from users worldwide are collected by passive DNS systems. When someone looks up mail.example.com, that subdomain is recorded. Our tool queries these historical DNS databases to find previously observed subdomains.

Certificate Transparency Logs

Every SSL/TLS certificate issued by a trusted Certificate Authority is logged in public Certificate Transparency (CT) logs. These certificates often list subdomains in the Subject Alternative Name (SAN) field. By searching CT logs, we can discover subdomains even if they've never been queried publicly.

Search Engine Dorking

Search engines like Google index subdomains that are publicly linked or crawlable. Advanced search operators (e.g., site:example.com) can reveal subdomains indexed by search engines. This technique uncovers externally accessible subdomains.

Active techniques like DNS brute-forcing (trying thousands of common subdomain names) are more comprehensive but easily detected. Our passive approach trades completeness for stealth, you'll find many subdomains without alerting the target organization's security team.

Why Enumerate Subdomains?

Subdomains represent potential attack vectors. Organizations create subdomains for staging environments, internal tools, development servers, and legacy services. These often receive less security attention than production systems. For example, a subdomain like admin-panel.example.com might have weak authentication, or test.example.com could expose sensitive data unintentionally. Subdomain enumeration helps both attackers (during reconnaissance) and defenders (during asset discovery) understand the full scope of an organization's internet presence.

Common Use Cases

  • Security Assessments: Map an organization's attack surface by cataloging all internet-facing subdomains during penetration testing.
  • Asset Discovery: Identify forgotten or shadow IT subdomains that may not be tracked in asset management systems.
  • Vulnerability Scanning: Generate a target list of subdomains for automated security scanners to assess for known vulnerabilities.
  • Competitor Reconnaissance: Understand the infrastructure and services deployed by competitors based on their subdomain naming conventions.
  • Bug Bounty Research: Expand the scope of bug bounty targets by finding subdomains that may be in-scope but not explicitly listed.

Best Practices for Subdomain Security

  • Maintain an inventory of all authorized subdomains and regularly compare it to enumeration results to detect unauthorized hosts.
  • Remove or properly secure development, staging, and testing subdomains that are internet-accessible unnecessarily.
  • Implement DNS wildcard records carefully, they can expose internal naming schemes or allow subdomain takeovers.
  • Monitor Certificate Transparency logs for newly issued certificates to detect unauthorized SSL certificates for your domain.
  • Use subdomain takeover detection tools to find dangling DNS records pointing to expired or deleted cloud resources.