Legal Disclaimer:

This platform is for authorized security research and educational purposes ONLY. Scanning assets without explicit permission is illegal.

Subdomain OSINT Guide

Subdomain Enumeration: Attack Surface Mapping

A guide to mapping an organization's digital footprint using DNS discovery techniques.

Mapping the External Boundary

Subdomain enumeration is the process of identifying all child hostnames associated with a root domain. It is the foundational phase of any external security audit.

Why Mapping Subdomains is Critical

Organizations often have hundreds of active subdomains. Some are managed, while others are forgotten development interfaces or legacy servers.

By enumerating subdomains, you can:

  • Discover Shadow IT: Locate testing servers or administrative panels deployed without the knowledge of the central security team.
  • Prevent Cookie Theft: Find vulnerable subdomains that could allow attackers to hijack session cookies scoped to *.example.com.
  • Identify Target Services: Pinpoint specific hostnames (e.g., vpn.example.com, git.example.com) that indicate valuable entry points.

Active vs. Passive Enumeration

  • Active Enumeration: Sending direct queries and brute-forcing namespaces against the target nameservers.
  • Passive Enumeration: Querying public repositories, Certificate Transparency (CT) logs, and index caches.

Audit Your Subdomain Exposure

Map out forgotten development environments and staging configurations, and scan for dangling CNAME takeover vulnerabilities instantly.


Frequently Asked Questions

What is the difference between active and passive subdomain scanning?

Active scanning queries the target nameservers directly or brute-forces candidate hostnames against them. Passive scanning collects data from third-party databases, making it invisible to the target.

Can wildcard DNS block subdomain discovery?

Wildcard DNS (where *.example.com resolves every name to the same IP) makes active brute-forcing difficult because every guessed name appears to resolve, producing false positives. Passive discovery via CT logs is unaffected.
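The wildcard false-positive problem described above, as an added example for auditing your own zone (not code from this guide or its platform): resolve a few random labels that should not exist, treat whatever comes back as the wildcard answer, and separate inventory names that only echo it from names with their own records. The function names, the sample zone and its addresses are assumptions constructed for the demo.

```python
import secrets
import socket

def system_resolve(name):
    """Return the set of IPv4 addresses for name, empty if it does not resolve."""
    try:
        return frozenset(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return frozenset()

def wildcard_answers(domain, resolve=system_resolve, probes=3):
    """Resolve random labels that should not exist; any answer is wildcard data."""
    seen = set()
    for _ in range(probes):  # several probes catch round-robin wildcard answers
        seen |= resolve(f"{secrets.token_hex(8)}.{domain}")
    return frozenset(seen)

def classify(domain, labels, resolve=system_resolve):
    """Split inventory labels into explicit records, wildcard echoes and misses."""
    wild = wildcard_answers(domain, resolve)
    result = {"explicit": [], "wildcard": [], "unresolved": []}
    for label in labels:
        answers = resolve(f"{label}.{domain}")
        if not answers:
            result["unresolved"].append(label)
        elif answers <= wild:
            result["wildcard"].append(label)  # indistinguishable from the wildcard
        else:
            result["explicit"].append(label)
    return result

# Constructed zone for an offline demo: a wildcard plus two explicit records.
SAMPLE_ZONE = {"vpn.example.com": {"198.51.100.7"},
               "git.example.com": {"198.51.100.9"}}
SAMPLE_WILDCARD = {"203.0.113.10"}

def sample_resolve(name):
    """Stand-in resolver that behaves like a zone containing *.example.com."""
    if name in SAMPLE_ZONE:
        return frozenset(SAMPLE_ZONE[name])
    if name.endswith(".example.com"):
        return frozenset(SAMPLE_WILDCARD)
    return frozenset()

if __name__ == "__main__":
    labels = ["vpn", "git", "staging", "old-dev"]
    print(classify("example.com", labels, sample_resolve))
```

An explicit record that points at the same address as the wildcard lands in the "wildcard" bucket, so confirm those names against the zone file before removing anything.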

How do I secure my subdomains from enumeration?

You cannot prevent passive enumeration because CT logs are public. Focus instead on securing the endpoints and removing unused DNS records.