LEGAL DISCLAIMER: This platform is for authorized security research and educational purposes only. Scanning assets without permission is illegal.
Passive Infrastructure Reconnaissance Module

Free Subdomain Finder & Scanner - Discover Hidden Subdomains

Our free subdomain finder helps you discover hidden subdomains and map complete attack surfaces instantly. Whether you're conducting security assessments, penetration testing, or bug bounty research, this subdomain scanner uses advanced enumeration techniques to find active and historical subdomains. No registration required—simply enter a domain name to start discovering subdomains.

Published: June 1, 2026Last Updated: June 11, 2026Fact Checked
Certificate Transparency Logs
Staging Host Identification
Attack Surface Mapping

AUTHORIZED USE ONLY: This tool is strictly for educational and defensive purposes. Only scan assets you own or have explicit authorization to test.

AI Overview Snippet: Subdomain Discovery & Mapping

// Definition: What is a subdomain finder?

A subdomain finder is an information security scanning utility that aggregates public domain name registers, DNS queries, and Certificate Transparency records to list all subdomains of a target.

// Definition: How do you find subdomains?

To find subdomains, input a domain into a scanner. It queries passive DNS lookup datasets and public transparency records to extract hosts, bypassing direct targets to remain stealthy.

// Definition: What is subdomain enumeration?

Subdomain enumeration is the reconnaissance technique used to locate active child hosts within a domain. Mapping namespaces exposes legacy assets, staging web containers, and cloud endpoints.

// Definition: What are CT logs?

Certificate Transparency (CT) logs are append-only public ledgers where authorities must record every issued SSL certificate. Scanners parse these logs to uncover subdomains the instant certificates are minted.

// Definition: What is attack surface discovery?

Attack surface discovery is the continuous mapping of an organization's public infrastructure. Documenting hosts, network scopes, and ports reveals vulnerable entry points before malicious exploitation.

// Definition: What is a subdomain takeover?

A subdomain takeover is a critical hijack vulnerability. It happens when a DNS record points to a deleted third-party service (like AWS or GitHub). Attackers can claim that target to serve content under the trusted domain.

// TL;DR Section

Subdomain finders map public network perimeters by aggregating Certificate Transparency logs, search engine footprints, and DNS datasets. This passive discovery provides asset visibility and helps security teams identify outdated testing sites.

// Key Takeaways
  • CT Log Tracking: CAs must log every issued SSL/TLS certificate, making CT logs a valuable source for subdomain discovery.
  • Active vs Passive: Passive searches query databases; active searches interact with target servers.
  • Takeover Security: Dangling CNAME records on deleted hosting services leave subdomains vulnerable to takeover.
  • Staging Targets: Testing subdomains are frequently less secure than main sites.
// Fact Box: Common Subdomain Discovery Techniques
CT Log Parsing:Extracting Hostnames from Certificates
DNS Brute-Forcing:Dictionary Host Resolution
Search Dorking:Filtering Indexed Paths
Reverse DNS:PTR Mapping on IP Ranges
// Expert Summary

Mapping subdomains is a critical starting point for external network audits. Passive discovery techniques gather essential asset data without alerting target servers, allowing defenders to identify and secure legacy endpoints and misconfigured DNS records before attackers can exploit them.

Why Use ReconShield's Subdomain Finder?

100% Free

Unlimited subdomain scanning with no cost.

No Installation

Web-based tool, works instantly in your browser.

Multiple Techniques

DNS enumeration, certificate logs, brute force.

Fast Scanning

Discover subdomains in seconds.

Certificate Transparency

Query CT logs for historical subdomains.

Export Results

Download results in multiple formats.

Privacy-Focused

We don't store or log your scans.

Active & Historical

Find both current and past subdomains.

What Is a Subdomain Finder?

A subdomain finder is an essential information security tool used to discover all the child hostnames (subdomains) mapped to a primary parent domain. In the domain name system (DNS) hierarchy described by standards such as RFC 1034 and RFC 1035, subdomains are delegated segments under a root domain. For example, while example.com represents the root, subdomains might include api.example.com, dev.example.com, or mail.example.com.

Because organizations routinely deploy new services, applications, and staging environments under separate subdomains, the public attack surface expands rapidly. A subdomain finder crawls and queries public indices, global nameservers, and certificate archives to aggregate these names, establishing a comprehensive asset inventory. For security researchers, penetration testers, and enterprise security teams, this mapping is the crucial first step in evaluating external security posture.

How Subdomain Discovery Works

Subdomain discovery maps a target domain's public boundaries using two core methodologies: Passive OSINT Aggregation and Active DNS Interrogation.

Passive discovery is stealthy and fast. It relies on querying third-party platforms that already archive public DNS and web transactions. Scanners search through historical records, search engine indexes, and Certificate Transparency ledgers to compile list segments. Because this method queries database caches rather than the target's nameservers, it leaves no trace in the target's system logs, making it ideal for the early stages of security reviews.

Active discovery, on the other hand, queries the target's authoritative nameservers directly. By sending standard DNS query packets (like A, AAAA, or CNAME), active scanners verify if a specific host exists. This is typically done via dictionary brute-forcing—submitting thousands of common prefixes to see which ones resolve. Active discovery is highly accurate but easily detected by network intrusion detection systems (IDS) and firewalls.

Passive vs Active Enumeration

Security teams must balance passive and active techniques to build a complete subdomain map. Let's compare their features:

  • Passive Enumeration: Operates entirely offline relative to the target. It gathers records from Certificate Transparency logs, passive DNS archives (like Censys, Shodan, or SecurityTrails), and search engines using advanced search operators (Google Dorking). The primary advantage is speed and stealth. The disadvantage is that it can return outdated data, including subdomains that have been decommissioned.
  • Active Enumeration: Interacts directly with target infrastructure. Scanners generate variations of subdomains using wordlists and evaluate how target nameservers respond. It is essential for verifying if a domain is live and detecting wildcards (where any non-existent subdomain resolves to a default IP). However, active scanning is resource-intensive and easily blocked by rate limiting and firewalls.

Certificate Transparency Logs Explained

Introduced via RFC 6962, the Certificate Transparency (CT) framework was designed to stop Certificate Authorities (CAs) from issuing rogue, unauthorized SSL/TLS certificates. CT requires CAs to log every certificate transaction in public, cryptographically verifiable, append-only ledgers.

While CT logs successfully secure the Web PKI, they also serve as a public record of an organization's subdomains. The moment a developer requests an SSL certificate for a new server—such as internal-billing.example.com—the host is recorded in public CT logs. By parsing these logs, a subdomain finder can discover newly created hosts within seconds of certificate issuance, bypassing DNS brute-forcing entirely.

DNS-Based Discovery Methods

Standard active enumeration relies on specific DNS protocol mechanisms:

  • DNS Zone Transfers (AXFR): Zone transfer is the protocol mechanism used to replicate DNS records across primary and secondary nameservers. If a nameserver is misconfigured to allow public AXFR requests, a scanner can download the entire DNS zone file in seconds, revealing all registered subdomains and IP addresses.
  • NSEC/NSEC3 Walking: In DNSSEC-signed zones, NSEC (Next Secure) records link signed zones sequentially to prove a queried host does not exist. By querying these records in sequence (NSEC walking), an auditor can map out the entire domain namespace without guessing names.
  • Reverse DNS Mapping (PTR): If an organization's servers are hosted on a specific IP range, scanning that range for reverse pointer (PTR) records can reveal the subdomains associated with those IPs.

Subdomain Finder Use Cases

Subdomain discovery is critical across several cybersecurity workflows. Here are the primary use cases for using a subdomain finder:

1. For Security Researchers & Penetration Testers

During the initial reconnaissance phase of an authorized engagement, penetration testers and security researchers must map the target's external boundaries. Discovering all active host configurations helps map internal and external infrastructures, pinpoint network topologies, and locate target endpoints that may be susceptible to legacy exploits.

2. For Bug Bounty Hunters

Ethical hackers and bug bounty hunters rely on subdomain discovery to find forgotten or unmonitored assets. Since primary domains are usually heavily secured and audited, staging subdomains, development environments, and retired campaign sites frequently host critical vulnerabilities, exposed credentials, and logic flaws.

3. For DevOps & IT Asset Management

Modern development teams utilize cloud resources that scale rapidly. A subdomain finder helps DevOps and IT managers audit corporate namespaces, identify forgotten staging servers, and discover shadow IT assets that have been launched without official security reviews.

4. For Brand Monitoring & Protection

Brand protection and security intelligence teams monitor subdomains to detect typosquatting, phishing sites, and trademark violations. By identifying rogue subdomains registered under variant names, companies can mitigate impersonation scams and execute timely takedowns.

Security Risks of Forgotten Subdomains

Leaving decommissioned or unmonitored subdomains active in your DNS configuration creates several security risks:

  1. Bypassing Content Security Policies (CSP): Many sites configure CSP headers to trust their own subdomains (e.g., *.example.com). If an attacker compromises a forgotten subdomain, they can use it to bypass CSP rules on the main site and execute Cross-Site Scripting (XSS) attacks.
  2. Session Cookie Hijacking: Browsers often share cookies across a root domain and its subdomains. Attackers controlling a compromised subdomain can read session cookies scoped to *.example.com, allowing them to hijack user sessions on the main corporate application.
  3. Phishing and Brand Abuse: A valid subdomain inherits the trust of the parent domain. Attackers can host phishing pages on a hijacked company subdomain, making the scams highly convincing to customers and security filters.

Subdomain Takeover Detection (Dangling CNAMEs)

A subdomain takeover is a critical vulnerability that occurs when a DNS record points to a deleted third-party service.

For example, an organization might configure blog.example.com to point to a GitHub Pages repository using a CNAME record. If the company later deletes the GitHub repository but forgets to remove the CNAME record from their DNS configuration, the record is left dangling. An attacker can register a new GitHub Pages project under the same name and claim the subdomain, giving them full control over the content served at blog.example.com.

ReconShield's scanner checks CNAME records for these dangling configurations, matching resolved endpoints against known third-party signatures (like AWS S3, Heroku, Shopify, and Zendesk) to alert administrators of potential takeover vulnerabilities.

Enterprise Asset Discovery & Best Practices

Organizations can secure their digital perimeters by adopting these best practices:

  • Automate Continuous Discovery: Implement automated scanners to continuously audit CT logs and DNS records, cataloging new subdomains as soon as they are created.
  • Implement Stiff Decommissioning Workflows: Link your cloud infrastructure lifecycle with DNS management. Ensure that when a cloud bucket, VM, or SaaS subscription is deleted, the corresponding DNS record is removed immediately.
  • Use Isolated Staging Domains: Instead of hosting staging and development servers on your primary corporate domain (dev.example.com), host them on a separate, non-branded root domain (example-dev.net) to contain security exposures.

Why Choose ReconShield Subdomain Finder?

Analyze how ReconShield's passive subdomain finder compares to other leading tools. While CLI tools like Amass offer deep network graph capabilities, ReconShield provides web-based convenience with built-in export features and real-time CT log queries.

FeatureReconShieldSublist3rAmass
Free to UseYes (100% Free)YesYes
Web-Based (No Installation)YesNoNo
No Registration RequiredYesYesYes
Certificate TransparencyYes (Real-time logs)LimitedYes
Multiple TechniquesYesYesYes
Export ResultsYes (PDF, CSV, JSON)Yes (Text only)Yes (Text/JSON)
Real-Time ResultsYesNoNo
User-Friendly InterfaceYesNo (CLI)No (CLI)
Fact Checked & Verified

ReconShield Research Team

Reviewed by: Senior Security Researcher

This educational guide is curated by the ReconShield Research Team, a group of information security researchers specializing in attack surface management, DNS infrastructure mapping, and OSINT methodologies.

Methodology: RFC-Compliant Telemetry CheckData Sources: CT Logs, DNS Databases

Editorial Policy

ReconShield is committed to publishing accurate, technical, and objective cybersecurity analysis. Our documentation is created by credentialed security practitioners and undergoes strict reviews before publication.

Research Methodology

Our findings are derived from RFC protocol documentation, CA/Browser Forum standards, and verified cybersecurity databases. We avoid speculative telemetry, prioritizing primary sources and verifiable network actions.

Fact Checking Process

Information is verified against active TLS servers, registrar configurations, and IETF specifications (including RFCs and CA/B guidelines). Each section is tested for technical accuracy under modern browser routing environments.

Last Updated: June 11, 2026 | Reviewed by ReconShield Security Board | References: RFC 6962, RFC 1035, NIST SP 800-53, OWASP ASM

ReconShield Threat Hub

Explore our comprehensive collection of cybersecurity blogs, protocol deep-dives, and utility tools to audit and secure your external digital footprint.

Educational Article

What is Subdomain Enumeration?

A complete deep-dive guide covering passive registries, nameserver queries, and active dictionary brute-forcing.

Read Article
Security Playbook

Subdomain Takeover Guide

Learn how to identify and remediate dangling CNAME records pointing to inactive cloud platforms.

Read Guide
Protocol Analysis

CT Logs Explained

How Certificate Transparency log architectures work and how to query them for OSINT operations.

Read Article
Recon Strategy

Passive vs Active Reconnaissance

Compare stealthy third-party OSINT gathering against direct port scanning and name resolution.

Read Comparison
Enterprise Blueprint

Attack Surface Management Guide

Enterprise best practices to catalog, assess, and secure your public-facing internet resources.

Read Playbook
Tool Comparison

Best Subdomain Finder Tools

A critical review of the top 10 subdomain scanners, brute-forcers, and discovery tools.

Read Reviews

Related Reconnaissance Tools

WHOIS Lookup Tool

Query registrar data, ownership, and creation dates for root domains.

Open Tool

DNS Lookup Tool

Resolve authoritative A, MX, TXT, and CNAME records instantly.

Open Tool

SSL Certificate Checker

Verify SSL/TLS certificate chains, validity dates, and configurations.

Open Tool

Port Scanner

Audit active target ports and discover exposed services.

Open Tool

Frequently Asked Questions About Subdomain Enumeration

What is a subdomain finder?

A subdomain finder is a digital reconnaissance tool used to discover and map subdomains associated with a primary domain. It parses public records, search engine indexes, and Certificate Transparency logs to build a complete inventory of an organization's public-facing assets.

How do you find subdomains for a website?

You can find subdomains by entering a domain name into the ReconShield Subdomain Finder. The scanner queries Certificate Transparency databases and DNS datasets passively to retrieve all active host configurations without sending direct network requests to the target.

What is subdomain enumeration in cybersecurity?

Subdomain enumeration is the process of identifying all subdomains associated with a root domain. It is a fundamental step in penetration testing and bug bounty hunting, designed to uncover hidden or forgotten servers hosting web applications.

What is the difference between active and passive subdomain discovery?

Passive discovery gathers data from third-party sources (like CT logs or search cache) without interacting directly with the target nameservers, making it stealthy. Active discovery queries the target servers directly using brute-force dictionaries or zone transfers, which is accurate but triggers security alerts.

What are Certificate Transparency (CT) logs?

Certificate Transparency (CT) is an open framework requiring Certificate Authorities to publish every issued SSL/TLS certificate to public logs. Security researchers query these logs to discover new hostnames, staging sites, and public endpoints.

What is attack surface discovery?

Attack surface discovery is the practice of identifying all public-facing assets, including subdomains, IP addresses, open ports, and active services, that could be targeted by attackers. It helps organizations understand their exposure and secure weak points.

What is a subdomain takeover and how does it happen?

A subdomain takeover occurs when a domain's DNS record (such as a CNAME) points to an external service provider (like AWS S3 or GitHub Pages) that has been deleted or expired. An attacker can register that workspace to host malicious content under the trusted domain.

How does passive DNS lookup help in finding subdomains?

Passive DNS databases record historical DNS resolution logs collected from recursive resolvers and ISP sensors. Analyzing these logs reveals previously active subdomains, IP changes, and sub-infrastructure allocations.