Legal Disclaimer:

This platform is for authorized security research and educational purposes ONLY. Scanning assets without explicit permission is illegal.

Subdomain OSINT Guide

Active Subdomain Enumeration Methodologies

A technical guide to direct DNS probing methods, wordlist selection, and resolving wildcard DNS boundaries.

Probing DNS Infrastructure directly

Unlike passive reconnaissance, active subdomain enumeration involves sending direct queries to target DNS authoritative nameservers to resolve hostnames.

Core Active Techniques

1. Dictionary Brute-Forcing: Querying nameservers for a list of words prefixed to the root domain (e.g. admin.example.com, test.example.com).

2. DNS Zone Transfers (AXFR): Attempting to query the zone configuration directly. If a nameserver is misconfigured, it will transmit the complete DNS database to the client.

3. DNS Wildcard Detection: Verifying if the nameserver responds with a valid record for non-existent domains. Active scanners must detect wildcards to filter false positives.

Audit Your Subdomain Exposure

Map out forgotten development environments, staging configurations, and scan for dangling CNAME takeover vulnerabilities instantly.

Scan Subdomains Now

Frequently Asked Questions

Is AXFR zone transfer enabled by default?

No. Modern DNS systems disable AXFR transfers globally by default to prevent boundary mapping leaks.

What tool is best for fast active DNS brute-forcing?

Utilities like gobuster, subfinder, or amap are optimized for fast dictionary resolution.

Related Subdomain Topics

Subdomain Enumeration Guide: Active vs. Passive OSINT Discovery

Learn the methodologies of subdomain enumeration. Discover how mapping host infrastructure uncovers staging environments and shadow IT.

Learn More

Passive Subdomain Enumeration: Stealth Reconnaissance Techniques

Learn how to discover subdomains without interacting with the target server using stealth passive OSINT techniques.

Learn More

Certificate Transparency (CT) Logs for Subdomain Discovery

Learn how Certificate Transparency logs function as a public ledger and why they are the most powerful passive subdomain discovery resource.

Learn More

Subdomain Takeover Vulnerabilities: CNAME Hijacking & Remediation

What is a subdomain takeover? Learn how orphaned CNAME DNS records pointing to decommissioned third-party hosts allow attackers to hijack subdomains.

Learn More
Explore all subdomain profiles & topics

Related OSINT Guides

Subdomain Enumeration Guide
OSINT analysis guide
Passive Enumeration Techniques
OSINT analysis guide