How are subdomains discovered?

Two sources combined. Passive: we query Certificate Transparency logs via crt.sh, which lists every publicly issued TLS certificate. Active: we DNS-probe a short list of around 90 common subdomain names (mail, blog, dev, staging, api, vpn, etc.). The two sets are unioned, deduplicated, and sorted.

Will this find ALL subdomains for a domain?

No. Anything that never appeared in a public certificate AND is not one of the common names we probe will be missed. Private subdomains used only inside a corporate network are also invisible. Treat the result as a fast reconnaissance starting point, not an exhaustive audit.

Is using this tool legal or safe?

Subdomain enumeration via passive CT logs and common-name probing is non-intrusive (no port scanning, no exploit attempts) and widely used by security researchers and ops teams. The DNS probes hit our server's resolver, not the target's nameservers directly, so the target sees a normal DNS query pattern.

Some result no longer resolves when I check it. Why?

CT logs are historical: a cert issued a year ago for `old-app.example.com` shows up in crt.sh forever, even if the subdomain is long retired. We return all unique names without re-verifying every one. To confirm a specific subdomain is currently live, run DNS Lookup on it.

What's a good next step after finding subdomains?

For each interesting subdomain: check live HTTP headers with HTTP Headers, inspect the TLS via SSL Checker, confirm where it points with DNS Lookup.

Free, rate-limited per IP (3 requests per minute, since each scan fires around 90 DNS probes plus a crt.sh fetch).

WEB

Subdomain Finder

Find subdomains (limited)

Input

Discover subdomains for a domain by combining Certificate Transparency logs with active DNS probing of common subdomain names.

Terminal

Console ready. Execute a command to see output...

About Subdomain Finder

Expand the Attack Surface

Subdomain enumeration is the first step in security auditing. It reveals the breadth of an organization's infrastructure.

Hidden Treasures

test.example.com: May have weak passwords.
vpn.example.com: Critical entry points.
old.example.com: Legacy systems that haven't been patched in years.

How it works: We query Certificate Transparency logs via crt.sh (passive, fetches historical issued certificates), then DNS-probe a short list of common subdomain names (active, around 90 names) to catch entries that never appeared in a public certificate. Not exhaustive, but a fast pragmatic mix.

How to use Subdomain Finder

Enter the apex domain
Just the bare domain, e.g. example.com. Subdomain inputs do not enumerate further levels reliably.
Hit Find Subdomains
The tool queries crt.sh and runs around 90 common-name DNS probes in parallel.
Read the result
A deduplicated, sorted list. CT log entries may be historical and may not currently resolve.
Verify and explore
Use DNS Lookup to confirm each interesting subdomain is currently live. Use HTTP Headers and SSL Checker on the ones that are.

Frequently Asked Questions

: Two sources combined. Passive: we query Certificate Transparency logs via crt.sh, which lists every publicly issued TLS certificate. Active: we DNS-probe a short list of around 90 common subdomain names (mail, blog, dev, staging, api, vpn, etc.). The two sets are unioned, deduplicated, and sorted.