What Is a Subdomain Finder?
A subdomain finder is a reconnaissance tool that discovers all subdomains associated with a root domain. Every organization uses subdomains to organize its web infrastructure — mail.example.com for email, api.example.com for APIs, staging.example.com for testing environments, and dozens more. A subdomain finder reveals all of these, including subdomains that aren't publicly linked anywhere.
Our free subdomain scanner queries multiple Certificate Transparency log sources in parallel — including Certspotter and crt.sh — then resolves each subdomain via DNS and enriches IP data with ASN, geolocation, and hosting provider detection for 35+ providers (Cloudflare, AWS, Google Cloud, Vercel, and more). Results stream in real time as they're discovered, so you don't have to wait for the full scan. Whether you're a security researcher mapping an attack surface, a sysadmin auditing DNS infrastructure, or a developer checking deployment subdomains, this tool gives you complete visibility.

How Subdomain Discovery Works
Modern subdomain discovery combines multiple techniques to achieve comprehensive coverage. No single method finds everything — the best results come from combining passive and active approaches.
Certificate Transparency Logs
Every SSL/TLS certificate issued by a CA is logged in public CT logs. When a certificate is issued for api.example.com, that subdomain becomes discoverable. CT logs are the most reliable passive source — they reveal subdomains even before they resolve in DNS.
Sources: crt.sh, Google CT, Censys
DNS Brute-Force Enumeration
Tests common subdomain names (www, mail, ftp, api, dev, staging, admin, test, etc.) against DNS resolvers. Uses curated wordlists of the most common subdomain patterns. Fast and effective for finding standard infrastructure subdomains that may not have SSL certificates.
Typical wordlist: 5,000-50,000 names
DNS Zone Transfer (AXFR)
Requests the complete DNS zone file from a domain's nameservers. A successful zone transfer reveals every DNS record — all subdomains, IPs, mail servers, and more. Most nameservers restrict AXFR requests, but misconfigured servers still allow them, making this the most powerful single technique.
Success rate: ~5% of domains
Public Datasets & Search Engines
Aggregates subdomain data from web crawlers, search engine indices, the Wayback Machine, security scanning services (Shodan, Censys), and passive DNS databases. These sources catch subdomains that have been historically active, even if they're currently offline.
Sources: VirusTotal, SecurityTrails, Wayback Machine

Why Find Subdomains of a Domain?
Subdomain discovery is a critical step in security auditing, infrastructure management, and competitive intelligence. Here are the key use cases:
Attack Surface Mapping
Discover all externally-facing assets to understand your organization's complete attack surface. Forgotten subdomains running outdated software are common entry points for attackers.
Subdomain Takeover Prevention
Find subdomains with CNAME records pointing to decommissioned services (Heroku, GitHub Pages, AWS). These "dangling CNAMEs" can be hijacked by attackers to serve malicious content on your domain.
DNS Inventory & Audit
Maintain a complete inventory of all DNS records. Find shadow IT subdomains created by teams without going through proper channels. Ensure every subdomain is accounted for and properly managed.
Infrastructure Mapping
Map where your subdomains are hosted — which cloud providers, CDNs, and data centers serve each subdomain. Identify infrastructure sprawl and consolidation opportunities.
Competitive Intelligence
Discover what services and technologies competitors are using by analyzing their subdomain structure. Subdomains like jira.company.com or grafana.company.com reveal internal tooling choices.
Compliance & Documentation
Many compliance frameworks (SOC 2, ISO 27001, PCI DSS) require a complete asset inventory. Subdomain discovery ensures you haven't missed any internet-facing assets that need to be in scope.
Common Subdomains and What They Reveal
Subdomain names often follow predictable patterns that reveal the purpose of the underlying service. Here are the most commonly discovered subdomains and what they typically indicate:
Infrastructure
www — Main website
mail / webmail — Email services
ftp / sftp — File transfer servers
vpn / remote — Remote access portals
ns1 / ns2 / dns — Name servers
cdn / static / assets — Content delivery
Development & Ops
api / api-v2 — API endpoints
dev / staging / test — Development environments
admin / panel / dashboard — Admin interfaces
git / gitlab / jenkins — CI/CD and source control
grafana / prometheus / monitor — Monitoring
db / mysql / postgres — Databases (should not be public)
What Is Subdomain Takeover?
Subdomain takeover is a security vulnerability that occurs when a subdomain's DNS record (typically a CNAME) points to an external service that has been decommissioned, but the DNS record was never removed. An attacker can then claim the abandoned service endpoint and serve content on your subdomain — including phishing pages, malware, or SEO spam.
1. Company creates blog.example.com with a CNAME pointing to example.github.io.
2. Company deletes the GitHub Pages repository but forgets to remove the DNS CNAME record.
3. Attacker creates an example.github.io repository and GitHub serves it on blog.example.com.
4. Attacker now controls content on your subdomain — can serve phishing pages, steal cookies, or damage brand reputation.
Services commonly vulnerable to subdomain takeover include GitHub Pages, Heroku, AWS S3, Azure, Shopify, Tumblr, and many more. Regular subdomain auditing with a subdomain finder is the best defense — identify dangling CNAMEs before attackers do.
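An added example (not code from this tool) of the audit described above: it parses a constructed zone export, picks out CNAMEs that point at third-party hosting, and flags any whose target is not in an inventory of resources you still control. The suffix list, the sample zone, and the inventory are assumptions made for illustration.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Assumption: hostname suffixes for some of the services the page names.
THIRD_PARTY_SUFFIXES = {
    "github.io": "GitHub Pages",
    "herokuapp.com": "Heroku",
    "s3.amazonaws.com": "AWS S3",
    "myshopify.com": "Shopify",
}

# Constructed sample zone export (not real data).
SAMPLE_ZONE = """\
; constructed sample
www.example.com.     300 IN A     192.0.2.10
blog.example.com.    300 IN CNAME example.github.io.
shop.example.com.    300 IN CNAME example-store.myshopify.com.
old-app.example.com. 300 IN CNAME example-legacy.herokuapp.com.
cdn.example.com.     300 IN CNAME assets.example.com.
"""

# Constructed inventory of external resources the organization still controls.
OWNED_TARGETS = {"example-store.myshopify.com"}

def norm(host: str) -> str:
    return host.rstrip(".").lower()

def parse_cnames(zone_text: str) -> Dict[str, str]:
    # Accepts lines of the form "name ttl IN CNAME target"; ';' starts a comment.
    out = {}
    for line in zone_text.splitlines():
        f = line.split(";", 1)[0].split()
        if len(f) == 5 and f[2].upper() == "IN" and f[3].upper() == "CNAME":
            out[norm(f[0])] = norm(f[4])
    return out

def provider_for(target: str) -> Optional[str]:
    # Match on a label boundary so "notgithub.io" is not treated as github.io.
    for suffix, name in THIRD_PARTY_SUFFIXES.items():
        if target == suffix or target.endswith("." + suffix):
            return name
    return None

def find_dangling(zone_text: str, owned: Iterable[str]) -> List[Tuple[str, str, str]]:
    owned_set = {norm(t) for t in owned}
    findings = []
    for name, target in sorted(parse_cnames(zone_text).items()):
        provider = provider_for(target)
        if provider and target not in owned_set:
            findings.append((name, target, provider))
    return findings
```

Each finding is a record to remove from DNS or a target to re-provision under your own account.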

Subdomain Security Best Practices
Regular Subdomain Audits
Run subdomain scans monthly to catch new, unauthorized, or abandoned subdomains. Automate this as part of your security pipeline.
Remove Dangling DNS Records
When decommissioning a service, always remove the DNS record first. CNAME records pointing to services you no longer control are takeover risks.
Use Wildcard Certificates Carefully
Wildcard SSL certificates (*.example.com) cover all subdomains but won't appear in CT logs with specific subdomain names, making discovery harder for auditors.
Restrict Zone Transfers
Configure your nameservers to deny AXFR requests from unauthorized IPs. An open zone transfer reveals your entire DNS infrastructure to anyone who asks.
Monitor CT Logs
Set up CT log monitoring to get alerts when new certificates are issued for your domain. This catches unauthorized subdomain creation and potential phishing attacks using similar subdomains.
Minimize Subdomain Exposure
Internal tools (admin panels, monitoring, databases) should not be accessible on public subdomains. Use VPNs or private DNS for internal infrastructure.
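An added example (not this tool's code) of the "Monitor CT Logs" practice above: it extracts in-scope hostnames from crt.sh-style JSON records and reports names that are missing from a known inventory. The `common_name`/`name_value` record shape, the sample records, and the inventory are assumptions constructed for illustration.

```python
import json
from typing import Iterable, List, Set, Tuple

# Constructed sample records in an assumed crt.sh-style shape (not real data).
SAMPLE_CT_JSON = json.dumps([
    {"common_name": "example.com", "name_value": "example.com\nwww.example.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nexample.com"},
    {"common_name": "api.example.com", "name_value": "API.EXAMPLE.COM"},
    {"common_name": "login.example.com", "name_value": "login.example.com"},
    {"common_name": "staging.dev.example.com", "name_value": "staging.dev.example.com."},
    {"common_name": "example.com.lookalike.test", "name_value": "example.com.lookalike.test"},
    {"common_name": "notexample.com", "name_value": "notexample.com"},
])

# Constructed inventory of hostnames the organization already tracks.
KNOWN_INVENTORY = {"example.com", "www.example.com", "api.example.com"}

def in_scope(name: str, root: str) -> bool:
    # Require a label boundary: "notexample.com" must not match "example.com".
    return name == root or name.endswith("." + root)

def names_from_ct(ct_json: str, root: str) -> Tuple[Set[str], Set[str]]:
    """Return (hostnames, wildcard entries) under root found in the records."""
    root = root.rstrip(".").lower()
    hosts, wildcards = set(), set()
    for entry in json.loads(ct_json):
        # name_value may hold several names, one per line.
        raw = f"{entry.get('common_name') or ''}\n{entry.get('name_value') or ''}"
        for name in raw.splitlines():
            name = name.strip().rstrip(".").lower()
            if name.startswith("*."):
                if in_scope(name[2:], root):
                    wildcards.add(name)
            elif name and in_scope(name, root):
                hosts.add(name)
    return hosts, wildcards

def unexpected_names(ct_json: str, root: str, inventory: Iterable[str]) -> List[str]:
    """Hostnames seen in CT records that the inventory does not list."""
    hosts, _ = names_from_ct(ct_json, root)
    return sorted(hosts - {n.rstrip(".").lower() for n in inventory})
```

Wildcard entries are returned separately because they do not name the specific hosts they cover, so they need review by other means.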
Related Tools
Use these complementary tools alongside the subdomain finder for comprehensive domain analysis:
DNS Lookup
Look up all DNS records (A, AAAA, MX, CNAME, TXT, NS) for any domain
CNAME Lookup
Check CNAME records and detect dangling CNAMEs for takeover prevention
IP Lookup
Get detailed geolocation, ISP, and ASN data for any IP address
SSL Checker
Verify SSL certificate validity, chain, and expiration
Reverse DNS Lookup
Find hostnames associated with IP addresses (PTR records)
Domain to IP
Find the IP address, hosting provider, and ASN for any domain
WHOIS Lookup
Check domain registration details, owner info, and expiry dates
Domain Validation
Run a comprehensive DNS health check with graded reports
Frequently Asked Questions
What is a subdomain finder?
A subdomain finder is a tool that discovers all subdomains associated with a root domain. It uses techniques like certificate transparency log scanning, DNS enumeration, brute-force wordlist attacks, and public dataset queries to reveal subdomains such as mail.example.com, api.example.com, or staging.example.com that may not be publicly listed.
How does subdomain discovery work?
Subdomain discovery combines multiple techniques: (1) Certificate Transparency (CT) logs — public databases of all SSL/TLS certificates, which contain subdomain names. (2) DNS brute-force — testing common subdomain names (www, mail, api, dev, staging) against DNS resolvers. (3) DNS zone transfers — requesting the full zone file from nameservers (rarely allowed but very effective). (4) Public datasets — search engines, Wayback Machine, and security databases that index subdomains.
What are Certificate Transparency logs?
Certificate Transparency (CT) logs are publicly auditable, append-only records of all SSL/TLS certificates issued by certificate authorities. When a CA issues a certificate for 'api.example.com', that subdomain gets logged in CT logs. Services like crt.sh, Google CT, and Censys index these logs, making them the most reliable passive source for subdomain discovery.
Why should I find subdomains of my domain?
Subdomain discovery is essential for: (1) Security auditing — finding forgotten or shadow IT subdomains that may be vulnerable. (2) Attack surface mapping — understanding your complete external exposure. (3) DNS inventory management — keeping track of all active subdomains. (4) Subdomain takeover prevention — identifying subdomains pointing to decommissioned services. (5) Compliance — ensuring all assets are documented and monitored.
What is a subdomain takeover?
A subdomain takeover occurs when a subdomain (e.g., blog.example.com) has a CNAME record pointing to an external service (like GitHub Pages, Heroku, or AWS S3) that has been decommissioned but the DNS record still exists. An attacker can claim the abandoned service endpoint and serve malicious content on your subdomain. Regular subdomain auditing with a subdomain finder helps prevent this vulnerability.
Is it legal to find subdomains of a domain?
Passively discovering subdomains using publicly available data (CT logs, search engines, DNS queries) is generally legal. This information is publicly accessible by design. However, active techniques like aggressive brute-forcing or attempting zone transfers on domains you don't own may violate terms of service. Always have authorization before performing active reconnaissance on domains you don't control.
How many subdomains can a domain have?
There is no technical limit to the number of subdomains a domain can have. Large organizations like Google, Amazon, and Microsoft have tens of thousands of subdomains. A typical small business might have 10-50 subdomains (www, mail, ftp, webmail, remote, vpn, api, dev, staging, etc.). DNS allows up to 127 levels of subdomain nesting, though this is rarely used beyond 3-4 levels.
What information does a subdomain finder reveal?
A comprehensive subdomain finder reveals: the subdomain name, IP address(es) it resolves to, DNS record types (A, AAAA, CNAME), HTTP status codes (200, 301, 403, 404), web server software, hosting provider, SSL certificate status, and first/last seen dates. This information helps in security assessments, infrastructure mapping, and DNS management.
What is DNS enumeration?
DNS enumeration is the process of discovering DNS records and subdomains through systematic querying. It includes techniques like forward DNS brute-forcing (testing wordlists of common subdomain names), reverse DNS lookups (resolving IP ranges to hostnames), zone transfers (AXFR queries), and DNS record queries (checking for A, AAAA, CNAME, MX, TXT records). It is a core technique in subdomain discovery and network reconnaissance.
Is this subdomain finder free?
Yes, our subdomain finder is completely free to use. You can scan any domain to discover its subdomains, view IP addresses and DNS records, and export results — all without creating an account. The tool uses certificate transparency logs and DNS enumeration for comprehensive coverage.