Overview

The Subdomain Finder enumerates subdomains of a target domain using multiple discovery techniques. Subdomains often point to different applications and network ranges used by the target organization, and discovering them helps map the full attack surface. Subdomains sometimes host non-public applications (test, development, restricted) which are usually less secure than the public applications, making them primary attack targets. Subdomain Finder is a discovery tool: it enumerates subdomains but does not test for vulnerabilities. It does not add data to your Attack Surface or generate findings.

Scan types

Custom scan allows you to select which techniques to use and configure all parameters manually.

Parameters

  • Target: The domain to enumerate (e.g., example.com). Must include a TLD.
  • Scan type: Light, Deep, or Custom. See comparison table above.
  • DNS enumeration wordlist: Wordlist for brute-forcing subdomains. You can use default wordlists or your own custom wordlists. See Wordlists.
  • Include Whois information: Performs Whois queries to determine network owner (netname) and country for each IP.
  • Detect web technologies: Fingerprints each subdomain to identify OS, server software, technologies, web platform, and page title.
  • Include unresolved subdomains: Shows subdomains that were found but couldn't be resolved to an IP address.

Discovery techniques

Passive detection

Searches our database of historically cached subdomains. When you run scans, discovered subdomains are stored and can be retrieved in future scans for faster results.

DNS records

Queries DNS records including:
  • NS (Name Server) records
  • MX (Mail Exchange) records
  • TXT records
  • AXFR (Zone Transfer): attempts to retrieve the full zone file if the DNS server is misconfigured

DNS enumeration

Brute-forces subdomain names using a wordlist. Each word in the wordlist is prepended to the target domain and checked for DNS resolution. You can use the default wordlists or provide your own custom wordlist. Larger wordlists find more subdomains but take longer to complete.
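The brute-force step described above, as an added example (not the tool's own code): each word is prepended to the domain and handed to a resolver. The one check a practitioner wants here is wildcard detection, because a zone with a `*` record answers every name and would turn the whole wordlist into false positives. The resolver interface, the `FAKE_ZONE` and `FAKE_WILDCARD_ZONE` dicts and all addresses are constructed so the script runs offline; `resolve_with_socket` is the stdlib resolver you would pass for a live run.

```python
import random
import socket
import string
from typing import Callable, Dict, Iterable, Optional, Set

# A resolver maps a hostname to one address, or None when it does not resolve.
Resolver = Callable[[str], Optional[str]]

# Constructed stand-in zones so the example runs offline (not real hosts).
FAKE_ZONE: Dict[str, str] = {
    "www.example.com": "192.0.2.10",
    "mail.example.com": "192.0.2.20",
    "dev.example.com": "192.0.2.30",
}
# Constructed zone with a wildcard record: unknown labels resolve to the
# wildcard address, while the one real host has its own address.
FAKE_WILDCARD_ZONE: Dict[str, str] = {"api.wild.example": "192.0.2.50"}


def make_fake_resolver(zone: Dict[str, str], wildcard_ip: Optional[str] = None) -> Resolver:
    """Return a resolver backed by a dict; optionally emulate a wildcard record."""
    def resolve(name: str) -> Optional[str]:
        return zone.get(name, wildcard_ip)
    return resolve


def resolve_with_socket(name: str) -> Optional[str]:
    """Live resolver using the standard library; swap it in for real runs."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve random labels nobody would name a host. If they resolve, the zone
    has a wildcard record; the returned set holds the addresses it answers with."""
    hits: Set[str] = set()
    alphabet = string.ascii_lowercase + string.digits
    for _ in range(probes):
        label = "".join(random.choices(alphabet, k=20))
        ip = resolve(f"{label}.{domain}")
        if ip is not None:
            hits.add(ip)
    return hits


def brute_force(domain: str, wordlist: Iterable[str], resolve: Resolver) -> Dict[str, str]:
    """Prepend each word to the domain and keep the names that resolve, dropping
    hits whose address is indistinguishable from the wildcard answer."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found: Dict[str, str] = {}
    for word in wordlist:
        word = word.strip().lower()
        if not word or word.startswith("#"):  # skip blank and comment lines
            continue
        name = f"{word}.{domain}"
        ip = resolve(name)
        if ip is None or ip in wildcard_ips:
            continue
        found[name] = ip
    return found


if __name__ == "__main__":
    words = ["www", "mail", "dev", "ftp", "api"]
    print(brute_force("example.com", words, make_fake_resolver(FAKE_ZONE)))
    print(brute_force("wild.example", words, make_fake_resolver(FAKE_WILDCARD_ZONE, "192.0.2.99")))
```

Dropping hits that share the wildcard's address is a deliberate trade-off: a real host parked on the same address as the wildcard is lost, which is why the "Include unresolved subdomains" style of reporting, or a second pass with HTTP fingerprinting, is worth keeping for wildcard zones.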

Certificate transparency logs

Queries Certificate Transparency (CT) logs for certificates issued for the target domain. CT logs are public records of SSL/TLS certificates, which often reveal subdomains that have been issued certificates.

External APIs

Queries third-party data sources that aggregate subdomain information from various sources.

Uses search engine queries (dorks) to find indexed subdomains. Search engines often index pages on subdomains that might not be found through other methods.

Crawls the target website and extracts subdomain references from HTML links, JavaScript files, and other resources on the page.

SSL certificates

Connects to the target and extracts subdomain information from the SSL certificate’s Common Name (CN) and Subject Alternative Names (SAN) fields.
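The certificate-based techniques from the two sections above (CT log entries and the live certificate's CN and SAN fields), as one added example that is not the tool's own code: names are pulled from a dict shaped like `ssl.SSLSocket.getpeercert()` output and from CT entries, then sorted into hosts under the target domain, wildcard patterns, and names on other domains. `SAMPLE_PEER_CERT`, `SAMPLE_CT_ENTRIES` and every hostname in them are constructed; the `name_value` field with newline-separated names is an assumption about the CT search service's response shape. `fetch_peer_cert` is the stdlib live path and is not used offline.

```python
import socket
import ssl
from typing import Dict, Iterable, List

# Constructed sample shaped like the dict ssl.SSLSocket.getpeercert() returns
# for a validated certificate (all values made up for this example).
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "api.example.com"),
        ("DNS", "*.staging.example.com"),
        ("DNS", "cdn.example.net"),
        ("IP Address", "192.0.2.10"),
    ),
}

# Constructed CT log entries. Assumption: one entry may carry several names
# separated by newlines in "name_value", as some CT search services present them.
SAMPLE_CT_ENTRIES = [
    {"common_name": "mail.example.com", "name_value": "mail.example.com\nwebmail.example.com"},
    {"common_name": "example.com", "name_value": "example.com\nwww.example.com"},
]


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live fetch with the standard library (not used by the offline demo)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def names_from_peer_cert(cert: dict) -> List[str]:
    """Collect the CN and every DNS-type SAN; IP-address SANs are not hostnames."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names


def names_from_ct_entries(entries: Iterable[dict]) -> List[str]:
    """Flatten CT log entries into individual names."""
    names: List[str] = []
    for entry in entries:
        names.append(entry.get("common_name", ""))
        names.extend(entry.get("name_value", "").split("\n"))
    return [n for n in names if n]


def classify(names: Iterable[str], domain: str) -> Dict[str, List[str]]:
    """Sort names into hosts under `domain`, wildcard patterns, and names on
    other domains. A wildcard like *.staging.example.com proves that the
    staging.example.com label exists and is worth enumerating under."""
    domain = domain.lower()
    suffix = "." + domain
    result: Dict[str, List[str]] = {"hosts": [], "wildcards": [], "other": []}
    seen = set()
    for raw in names:
        name = raw.strip().lower().rstrip(".")
        if not name or name in seen:
            continue
        seen.add(name)
        if name.startswith("*."):
            base = name[2:]
            bucket = "wildcards" if base == domain or base.endswith(suffix) else "other"
        elif name == domain or name.endswith(suffix):
            bucket = "hosts"
        else:
            bucket = "other"
        result[bucket].append(name)
    return {k: sorted(v) for k, v in result.items()}


if __name__ == "__main__":
    print(classify(names_from_peer_cert(SAMPLE_PEER_CERT), "example.com"))
    print(classify(names_from_ct_entries(SAMPLE_CT_ENTRIES), "example.com"))
```

The "other" bucket is not noise: a certificate that also covers cdn.example.net is a lead for the Domain Finder step, since the organization evidently controls both names. Note that `getpeercert()` only returns the parsed dict when the connection validated the certificate; for self-signed hosts you would need to fetch the DER form and parse it separately.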

Reverse DNS

Performs reverse DNS lookups on IP ranges associated with already-discovered subdomains. This can reveal additional subdomains hosted on the same infrastructure.

Generates permutations and alterations of subdomains found during the scan. For example, if api.example.com is found, it might try api2.example.com, api-dev.example.com, etc.

Performs CNAME lookups on discovered subdomains and searches the CNAME records for additional subdomain references.
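The permutation and CNAME steps described above, as an added example (not the tool's own code): `permutations` builds the api2 / api-dev style candidates from one discovered name, and `cname_references` splits CNAME targets into new names under the target domain and targets on third-party domains. The `ALTERATIONS` and `SEPARATORS` lists are a small constructed sample of what a real tool would ship, and `SAMPLE_CNAMES` is a constructed set of answers in owner-to-target form.

```python
import re
from typing import Dict, List, Set

# Constructed alteration tokens; a real tool carries a much longer list.
ALTERATIONS = ["dev", "staging", "test", "2"]
SEPARATORS = ["", "-", "."]

# Constructed CNAME answers (owner -> target) as a resolver would return them.
SAMPLE_CNAMES = {
    "www.example.com": "web-prod.example.com.",
    "shop.example.com": "shop-example.myshopify.com.",
    "blog.example.com": "cdn-edge.example.com.",
}


def permutations(subdomain: str, domain: str) -> List[str]:
    """From api.example.com produce api2, api-dev, dev.api, ... under the same
    parent. Names outside `domain` yield nothing; the input itself is excluded."""
    domain = domain.lower()
    suffix = "." + domain
    name = subdomain.lower().rstrip(".")
    if not name.endswith(suffix):
        return []
    labels = name[: -len(suffix)].split(".")
    first, parent = labels[0], ".".join(labels[1:] + [domain])
    candidates: Set[str] = set()
    for tok in ALTERATIONS:
        for sep in SEPARATORS:
            candidates.add(f"{first}{sep}{tok}.{parent}")
            candidates.add(f"{tok}{sep}{first}.{parent}")
    # Numeric variants: api1 -> api2, api3 (two steps up is enough for a demo)
    m = re.match(r"^(.*?)(\d+)$", first)
    if m:
        stem, num = m.group(1), int(m.group(2))
        for n in range(num + 1, num + 3):
            candidates.add(f"{stem}{n}.{parent}")
    candidates.discard(name)
    return sorted(candidates)


def cname_references(cnames: Dict[str, str], domain: str) -> Dict[str, List[str]]:
    """Split CNAME targets into new names under `domain` and targets on other
    domains. The external list is the input for a later takeover check."""
    suffix = "." + domain.lower()
    internal: Set[str] = set()
    external: Set[str] = set()
    for owner, target in cnames.items():
        t = target.lower().rstrip(".")
        if t == owner.lower():
            continue
        (internal if t.endswith(suffix) else external).add(t)
    return {"internal": sorted(internal), "external": sorted(external)}


if __name__ == "__main__":
    print(permutations("api.example.com", "example.com"))
    print(cname_references(SAMPLE_CNAMES, "example.com"))
```

Every candidate from `permutations` still has to be resolved, with the same wildcard guard a wordlist brute-force needs; the generator only widens the candidate set. Targets in the "external" list are exactly the dangling-record candidates the Subdomain Takeover follow-up step is meant to examine.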

Follow-up actions

After discovering subdomains:
  1. Check for takeover risks: Use Subdomain Takeover to find dangling DNS entries
  2. Scan for vulnerabilities: Run Website Scanner on discovered web apps
  3. Fingerprint services: Use Website Recon for detailed technology detection
  4. Scan open ports: Use Port Scanner on discovered hosts
  5. Discover related domains: Use Domain Finder to find domains owned by the same organization