Free Subdomain Finder & Scanner - Discover Hidden Subdomains
Our free subdomain finder helps you discover hidden subdomains and map complete attack surfaces instantly. Whether you're conducting security assessments, penetration testing, or bug bounty research, this subdomain scanner uses advanced enumeration techniques to find active and historical subdomains. No registration required—simply enter a domain name to start discovering subdomains.
AUTHORIZED USE ONLY: This tool is strictly for educational and defensive purposes. Only scan assets you own or have explicit authorization to test.
AI Overview Snippet: Subdomain Discovery & Mapping
A subdomain finder is an information security scanning utility that aggregates public domain name registers, DNS queries, and Certificate Transparency records to list all subdomains of a target.
To find subdomains, input a domain into a scanner. It queries passive DNS lookup datasets and public transparency records to extract hosts, bypassing direct targets to remain stealthy.
Subdomain enumeration is the reconnaissance technique used to locate active child hosts within a domain. Mapping namespaces exposes legacy assets, staging web containers, and cloud endpoints.
Certificate Transparency (CT) logs are append-only public ledgers where authorities must record every issued SSL certificate. Scanners parse these logs to uncover subdomains the instant certificates are minted.
Attack surface discovery is the continuous mapping of an organization's public infrastructure. Documenting hosts, network scopes, and ports reveals vulnerable entry points before malicious exploitation.
A subdomain takeover is a critical hijack vulnerability. It happens when a DNS record points to a deleted third-party service (like AWS or GitHub). Attackers can claim that target to serve content under the trusted domain.
Subdomain finders map public network perimeters by aggregating Certificate Transparency logs, search engine footprints, and DNS datasets. This passive discovery provides asset visibility and helps security teams identify outdated testing sites.
- CT Log Tracking: CAs must log every issued SSL/TLS certificate, making CT logs a valuable source for subdomain discovery.
- Active vs Passive: Passive searches query databases; active searches interact with target servers.
- Takeover Security: Dangling CNAME records on deleted hosting services leave subdomains vulnerable to takeover.
- Staging Targets: Testing subdomains are frequently less secure than main sites.
Mapping subdomains is a critical starting point for external network audits. Passive discovery techniques gather essential asset data without alerting target servers, allowing defenders to identify and secure legacy endpoints and misconfigured DNS records before attackers can exploit them.
Why Use ReconShield's Subdomain Finder?
100% Free
Unlimited subdomain scanning with no cost.
No Installation
Web-based tool, works instantly in your browser.
Multiple Techniques
DNS enumeration, certificate logs, brute force.
Fast Scanning
Discover subdomains in seconds.
Certificate Transparency
Query CT logs for historical subdomains.
Export Results
Download results in multiple formats.
Privacy-Focused
We don't store or log your scans.
Active & Historical
Find both current and past subdomains.
What Is a Subdomain Finder?
A subdomain finder is an essential information security tool used to discover all the child hostnames (subdomains) mapped to a primary parent domain. In the domain name system (DNS) hierarchy described by standards such as RFC 1034 and RFC 1035, subdomains are delegated segments under a root domain. For example, while example.com represents the root, subdomains might include api.example.com, dev.example.com, or mail.example.com.
Because organizations routinely deploy new services, applications, and staging environments under separate subdomains, the public attack surface expands rapidly. A subdomain finder crawls and queries public indices, global nameservers, and certificate archives to aggregate these names, establishing a comprehensive asset inventory. For security researchers, penetration testers, and enterprise security teams, this mapping is the crucial first step in evaluating external security posture.
How Subdomain Discovery Works
Subdomain discovery maps a target domain's public boundaries using two core methodologies: Passive OSINT Aggregation and Active DNS Interrogation.
Passive discovery is stealthy and fast. It relies on querying third-party platforms that already archive public DNS and web transactions. Scanners search through historical records, search engine indexes, and Certificate Transparency ledgers to compile list segments. Because this method queries database caches rather than the target's nameservers, it leaves no trace in the target's system logs, making it ideal for the early stages of security reviews.
Active discovery, on the other hand, queries the target's authoritative nameservers directly. By sending standard DNS query packets (like A, AAAA, or CNAME), active scanners verify if a specific host exists. This is typically done via dictionary brute-forcing—submitting thousands of common prefixes to see which ones resolve. Active discovery is highly accurate but easily detected by network intrusion detection systems (IDS) and firewalls.
Passive vs Active Enumeration
Security teams must balance passive and active techniques to build a complete subdomain map. Let's compare their features:
- Passive Enumeration: Operates entirely offline relative to the target. It gathers records from Certificate Transparency logs, passive DNS archives (like Censys, Shodan, or SecurityTrails), and search engines using advanced search operators (Google Dorking). The primary advantage is speed and stealth. The disadvantage is that it can return outdated data, including subdomains that have been decommissioned.
- Active Enumeration: Interacts directly with target infrastructure. Scanners generate variations of subdomains using wordlists and evaluate how target nameservers respond. It is essential for verifying if a domain is live and detecting wildcards (where any non-existent subdomain resolves to a default IP). However, active scanning is resource-intensive and easily blocked by rate limiting and firewalls.
Certificate Transparency Logs Explained
Introduced via RFC 6962, the Certificate Transparency (CT) framework was designed to stop Certificate Authorities (CAs) from issuing rogue, unauthorized SSL/TLS certificates. CT requires CAs to log every certificate transaction in public, cryptographically verifiable, append-only ledgers.
While CT logs successfully secure the Web PKI, they also serve as a public record of an organization's subdomains. The moment a developer requests an SSL certificate for a new server—such as internal-billing.example.com—the host is recorded in public CT logs. By parsing these logs, a subdomain finder can discover newly created hosts within seconds of certificate issuance, bypassing DNS brute-forcing entirely.
DNS-Based Discovery Methods
Standard active enumeration relies on specific DNS protocol mechanisms:
- DNS Zone Transfers (AXFR): Zone transfer is the protocol mechanism used to replicate DNS records across primary and secondary nameservers. If a nameserver is misconfigured to allow public AXFR requests, a scanner can download the entire DNS zone file in seconds, revealing all registered subdomains and IP addresses.
- NSEC/NSEC3 Walking: In DNSSEC-signed zones,
NSEC(Next Secure) records link signed zones sequentially to prove a queried host does not exist. By querying these records in sequence (NSEC walking), an auditor can map out the entire domain namespace without guessing names. - Reverse DNS Mapping (PTR): If an organization's servers are hosted on a specific IP range, scanning that range for reverse pointer (PTR) records can reveal the subdomains associated with those IPs.
Subdomain Finder Use Cases
Subdomain discovery is critical across several cybersecurity workflows. Here are the primary use cases for using a subdomain finder:
1. For Security Researchers & Penetration Testers
During the initial reconnaissance phase of an authorized engagement, penetration testers and security researchers must map the target's external boundaries. Discovering all active host configurations helps map internal and external infrastructures, pinpoint network topologies, and locate target endpoints that may be susceptible to legacy exploits.
2. For Bug Bounty Hunters
Ethical hackers and bug bounty hunters rely on subdomain discovery to find forgotten or unmonitored assets. Since primary domains are usually heavily secured and audited, staging subdomains, development environments, and retired campaign sites frequently host critical vulnerabilities, exposed credentials, and logic flaws.
3. For DevOps & IT Asset Management
Modern development teams utilize cloud resources that scale rapidly. A subdomain finder helps DevOps and IT managers audit corporate namespaces, identify forgotten staging servers, and discover shadow IT assets that have been launched without official security reviews.
4. For Brand Monitoring & Protection
Brand protection and security intelligence teams monitor subdomains to detect typosquatting, phishing sites, and trademark violations. By identifying rogue subdomains registered under variant names, companies can mitigate impersonation scams and execute timely takedowns.
Security Risks of Forgotten Subdomains
Leaving decommissioned or unmonitored subdomains active in your DNS configuration creates several security risks:
- Bypassing Content Security Policies (CSP): Many sites configure CSP headers to trust their own subdomains (e.g.,
*.example.com). If an attacker compromises a forgotten subdomain, they can use it to bypass CSP rules on the main site and execute Cross-Site Scripting (XSS) attacks. - Session Cookie Hijacking: Browsers often share cookies across a root domain and its subdomains. Attackers controlling a compromised subdomain can read session cookies scoped to
*.example.com, allowing them to hijack user sessions on the main corporate application. - Phishing and Brand Abuse: A valid subdomain inherits the trust of the parent domain. Attackers can host phishing pages on a hijacked company subdomain, making the scams highly convincing to customers and security filters.
Subdomain Takeover Detection (Dangling CNAMEs)
A subdomain takeover is a critical vulnerability that occurs when a DNS record points to a deleted third-party service.
For example, an organization might configure blog.example.com to point to a GitHub Pages repository using a CNAME record. If the company later deletes the GitHub repository but forgets to remove the CNAME record from their DNS configuration, the record is left dangling. An attacker can register a new GitHub Pages project under the same name and claim the subdomain, giving them full control over the content served at blog.example.com.
ReconShield's scanner checks CNAME records for these dangling configurations, matching resolved endpoints against known third-party signatures (like AWS S3, Heroku, Shopify, and Zendesk) to alert administrators of potential takeover vulnerabilities.
Enterprise Asset Discovery & Best Practices
Organizations can secure their digital perimeters by adopting these best practices:
- Automate Continuous Discovery: Implement automated scanners to continuously audit CT logs and DNS records, cataloging new subdomains as soon as they are created.
- Implement Stiff Decommissioning Workflows: Link your cloud infrastructure lifecycle with DNS management. Ensure that when a cloud bucket, VM, or SaaS subscription is deleted, the corresponding DNS record is removed immediately.
- Use Isolated Staging Domains: Instead of hosting staging and development servers on your primary corporate domain (
dev.example.com), host them on a separate, non-branded root domain (example-dev.net) to contain security exposures.
Why Choose ReconShield Subdomain Finder?
Analyze how ReconShield's passive subdomain finder compares to other leading tools. While CLI tools like Amass offer deep network graph capabilities, ReconShield provides web-based convenience with built-in export features and real-time CT log queries.
| Feature | ReconShield | Sublist3r | Amass |
|---|---|---|---|
| Free to Use | Yes (100% Free) | Yes | Yes |
| Web-Based (No Installation) | Yes | No | No |
| No Registration Required | Yes | Yes | Yes |
| Certificate Transparency | Yes (Real-time logs) | Limited | Yes |
| Multiple Techniques | Yes | Yes | Yes |
| Export Results | Yes (PDF, CSV, JSON) | Yes (Text only) | Yes (Text/JSON) |
| Real-Time Results | Yes | No | No |
| User-Friendly Interface | Yes | No (CLI) | No (CLI) |
ReconShield Research Team
Reviewed by: Senior Security Researcher
This educational guide is curated by the ReconShield Research Team, a group of information security researchers specializing in attack surface management, DNS infrastructure mapping, and OSINT methodologies.
Editorial Policy
ReconShield is committed to publishing accurate, technical, and objective cybersecurity analysis. Our documentation is created by credentialed security practitioners and undergoes strict reviews before publication.
Research Methodology
Our findings are derived from RFC protocol documentation, CA/Browser Forum standards, and verified cybersecurity databases. We avoid speculative telemetry, prioritizing primary sources and verifiable network actions.
Fact Checking Process
Information is verified against active TLS servers, registrar configurations, and IETF specifications (including RFCs and CA/B guidelines). Each section is tested for technical accuracy under modern browser routing environments.
ReconShield Threat Hub
Explore our comprehensive collection of cybersecurity blogs, protocol deep-dives, and utility tools to audit and secure your external digital footprint.
What is Subdomain Enumeration?
A complete deep-dive guide covering passive registries, nameserver queries, and active dictionary brute-forcing.
Read ArticleSubdomain Takeover Guide
Learn how to identify and remediate dangling CNAME records pointing to inactive cloud platforms.
Read GuideCT Logs Explained
How Certificate Transparency log architectures work and how to query them for OSINT operations.
Read ArticlePassive vs Active Reconnaissance
Compare stealthy third-party OSINT gathering against direct port scanning and name resolution.
Read ComparisonAttack Surface Management Guide
Enterprise best practices to catalog, assess, and secure your public-facing internet resources.
Read PlaybookBest Subdomain Finder Tools
A critical review of the top 10 subdomain scanners, brute-forcers, and discovery tools.
Read ReviewsRelated Reconnaissance Tools
SSL Certificate Checker
Verify SSL/TLS certificate chains, validity dates, and configurations.
Open ToolFrequently Asked Questions About Subdomain Enumeration
What is a subdomain finder?
A subdomain finder is a digital reconnaissance tool used to discover and map subdomains associated with a primary domain. It parses public records, search engine indexes, and Certificate Transparency logs to build a complete inventory of an organization's public-facing assets.
How do you find subdomains for a website?
You can find subdomains by entering a domain name into the ReconShield Subdomain Finder. The scanner queries Certificate Transparency databases and DNS datasets passively to retrieve all active host configurations without sending direct network requests to the target.
What is subdomain enumeration in cybersecurity?
Subdomain enumeration is the process of identifying all subdomains associated with a root domain. It is a fundamental step in penetration testing and bug bounty hunting, designed to uncover hidden or forgotten servers hosting web applications.
What is the difference between active and passive subdomain discovery?
Passive discovery gathers data from third-party sources (like CT logs or search cache) without interacting directly with the target nameservers, making it stealthy. Active discovery queries the target servers directly using brute-force dictionaries or zone transfers, which is accurate but triggers security alerts.
What are Certificate Transparency (CT) logs?
Certificate Transparency (CT) is an open framework requiring Certificate Authorities to publish every issued SSL/TLS certificate to public logs. Security researchers query these logs to discover new hostnames, staging sites, and public endpoints.
What is attack surface discovery?
Attack surface discovery is the practice of identifying all public-facing assets, including subdomains, IP addresses, open ports, and active services, that could be targeted by attackers. It helps organizations understand their exposure and secure weak points.
What is a subdomain takeover and how does it happen?
A subdomain takeover occurs when a domain's DNS record (such as a CNAME) points to an external service provider (like AWS S3 or GitHub Pages) that has been deleted or expired. An attacker can register that workspace to host malicious content under the trusted domain.
How does passive DNS lookup help in finding subdomains?
Passive DNS databases record historical DNS resolution logs collected from recursive resolvers and ISP sensors. Analyzing these logs reveals previously active subdomains, IP changes, and sub-infrastructure allocations.