> ## Documentation Index
> Fetch the complete documentation index at: https://pentest-tools.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Subdomain Finder

> Discover subdomains and determine the attack surface of an organization

## Overview

The Subdomain Finder enumerates subdomains of a target domain using multiple discovery techniques. Subdomains often point to different applications and network ranges used by the target organization, and discovering them helps map the full attack surface.

Subdomains sometimes host non-public applications (test, development, restricted environments), which are usually less secure than the public applications and therefore make primary attack targets.

Subdomain Finder is a **discovery tool**: it enumerates subdomains but does not test for vulnerabilities. It does not add data to your [Attack Surface](/capabilities/attack-surface) or generate [findings](/core/findings/findings).

## Scan types

| Technique                                                       | Light scan | Deep scan |
| --------------------------------------------------------------- | :--------: | :-------: |
| [Passive detection](#passive-detection)                         |      ✓     |     ✓     |
| [DNS records (NS, MX, TXT, AXFR)](#dns-records)                 |      ✓     |     ✓     |
| [DNS enumeration](#dns-enumeration)                             |      ✓     |     ✓     |
| [External APIs](#external-apis)                                 |      ✓     |     ✓     |
| [SSL certificates](#ssl-certificates)                           |      ✓     |     ✓     |
| [Certificate Transparency Logs](#certificate-transparency-logs) |      ✗     |     ✓     |
| [Google and Bing search](#google-and-bing-search)               |      ✗     |     ✓     |
| [HTML links search](#html-links-search)                         |      ✗     |     ✓     |
| [Reverse DNS](#reverse-dns)                                     |      ✗     |     ✓     |
| [Alteration search](#alteration-search)                         |      ✗     |     ✓     |
| [CNAME search](#cname-search)                                   |      ✗     |     ✓     |

**Custom scan** allows you to select which techniques to use and configure all parameters manually.

## Parameters

| Parameter                     | Description                                                                                                                                  |
| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| Target                        | The domain to enumerate (e.g., `example.com`). Must include a TLD.                                                                           |
| Scan type                     | Light, Deep, or Custom. See comparison table above.                                                                                          |
| DNS enumeration wordlist      | Wordlist for brute-forcing subdomains. You can use default wordlists or your own custom wordlists. See [Wordlists](/capabilities/wordlists). |
| Include Whois information     | Performs Whois queries to determine network owner (netname) and country for each IP.                                                         |
| Detect web technologies       | Fingerprints each subdomain to identify OS, server software, technologies, web platform, and page title.                                     |
| Include unresolved subdomains | Shows subdomains that were found but couldn't be resolved to an IP address.                                                                  |

## Discovery techniques

### Passive detection

Searches our database of historically cached subdomains. When you run scans, discovered subdomains are stored and can be retrieved in future scans for faster results.

### DNS records

Queries DNS records including:

* **NS** (Name Server) records
* **MX** (Mail Exchange) records
* **TXT** records
* **AXFR** (Zone Transfer): attempts to retrieve the full zone file if the DNS server is misconfigured

### DNS enumeration

Brute-forces subdomain names using a wordlist. Each word in the wordlist is prepended to the target domain and checked for DNS resolution.

You can use the default wordlists or provide your own custom wordlist. Larger wordlists find more subdomains but take longer to complete.
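The brute-force step above, written as an added example (not the tool's own code) to show the one check a wordlist scan needs before its results can be trusted: wildcard DNS. If `*.example.com` answers for any name, every word "resolves" and the output is noise, so the example first resolves random labels that cannot exist and discards hits that only echo that answer. The `FAKE_ZONE` resolver and the `203.0.113.x` addresses are constructed so it runs offline; `socket_resolve` is the live drop-in.

```python
import secrets
import socket
from typing import Callable, Dict, List, Optional, Set

Resolver = Callable[[str], Optional[str]]  # hostname -> IPv4 string, or None

def socket_resolve(host: str) -> Optional[str]:
    """Live resolver using the system stub resolver (assumed usable as-is)."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None

# Constructed fake zone so the example runs offline: anything under
# example.com that is not listed explicitly answers with the wildcard IP.
FAKE_ZONE: Dict[str, str] = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.20",
    "dev.example.com": "203.0.113.9",  # real host that shares the wildcard IP
}
WILDCARD_IP = "203.0.113.9"

def fake_resolve(host: str) -> Optional[str]:
    if host in FAKE_ZONE:
        return FAKE_ZONE[host]
    return WILDCARD_IP if host.endswith(".example.com") else None

def wildcard_ips(target: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve random labels that cannot exist; any answer is a wildcard IP."""
    ips: Set[str] = set()
    for _ in range(probes):
        ip = resolve(f"{secrets.token_hex(8)}.{target}")
        if ip:
            ips.add(ip)
    return ips

def enumerate_subdomains(target: str, wordlist: List[str],
                         resolve: Resolver = socket_resolve) -> Dict[str, str]:
    """Resolve <word>.<target> for each word; keep hits whose IP is not a wildcard answer.
    Caveat: a real host that shares the wildcard IP (dev.example.com above) is lost too,
    so IP-based filtering trades false positives for false negatives."""
    wild = wildcard_ips(target, resolve)
    found: Dict[str, str] = {}
    for word in wordlist:
        word = word.strip().lower()
        if not word:
            continue
        ip = resolve(f"{word}.{target}")
        if ip and ip not in wild:
            found[f"{word}.{target}"] = ip
    return found
```

Run it against your own zone with `socket_resolve` to confirm that a wildcard record, if you have one, does not hide hosts you actually care about.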

### Certificate transparency logs

Queries Certificate Transparency (CT) logs for certificates issued for the target domain. CT logs are public records of issued SSL/TLS certificates and often reveal subdomains that have been issued a certificate.

### External APIs

Queries third-party data sources that aggregate subdomain information from various sources.

### Google and Bing search

Uses search engine queries (dorks) to find indexed subdomains. Search engines often index pages on subdomains that might not be found through other methods.

### HTML links search

Crawls the target website and extracts subdomain references from HTML links, JavaScript files, and other resources on the page.
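The extraction part of that crawl, as an added example that is not the tool's own code: pull every in-scope hostname out of fetched HTML and JavaScript while rejecting look-alikes. The point a naive substring search misses is shown in the constructed `SAMPLE_HTML`: `notexample.com` and `example.com.evil.net` both contain the target string but are not its subdomains, and only names ending in `.example.com` are reported.

```python
import re
from typing import Set

# Constructed sample page: href/src attributes, a JavaScript string, a mailto
# address and two out-of-scope look-alike hosts that must NOT be reported.
SAMPLE_HTML = """
<a href="https://www.example.com/login">Login</a>
<script src="//static.example.com/app.js"></script>
<img src="https://cdn.EXAMPLE.com/logo.png">
<a href="https://notexample.com/">look-alike, different registrable domain</a>
<a href="https://example.com.evil.net/">look-alike, target used as a prefix</a>
<script>var api = "https://api-v2.example.com/graphql";</script>
<a href="mailto:support@mail.example.com">Mail</a>
"""

# Anything that looks like a hostname: runs of letters, digits, dots, hyphens.
# URL delimiters (/ : @ " ') are not in the class, so they terminate a match.
_HOST_TOKEN = re.compile(r"[a-z0-9.-]+", re.IGNORECASE)

def extract_subdomains(text: str, target: str) -> Set[str]:
    """Return in-scope subdomains of `target` referenced anywhere in `text`.

    A host counts only if it ends with ".<target>": the apex itself,
    notexample.com and example.com.evil.net are all rejected, so the
    result is scoped to the organisation's own names.
    """
    target = target.lower().strip(".")
    suffix = "." + target
    found: Set[str] = set()
    for token in _HOST_TOKEN.findall(text):
        host = token.lower().strip(".-")
        if host.endswith(suffix) and host != target:
            found.add(host)
    return found

if __name__ == "__main__":
    for host in sorted(extract_subdomains(SAMPLE_HTML, "example.com")):
        print(host)
```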

### SSL certificates

Connects to the target and extracts subdomain information from the SSL certificate's Common Name (CN) and Subject Alternative Names (SAN) fields.

### Reverse DNS

Performs reverse DNS lookups on IP ranges associated with already-discovered subdomains. This can reveal additional subdomains hosted on the same infrastructure.

### Alteration search

Generates permutations and alterations of subdomains found during the scan. For example, if `api.example.com` is found, it might try `api2.example.com`, `api-dev.example.com`, etc.
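The permutation step, as an added example rather than the tool's own generator: starting from names already found, vary the leftmost label with numeric suffixes and environment affixes, keep any deeper labels, and drop candidates that are already known so that only new names go on to resolution. `AFFIXES` and `SEPARATORS` are constructed short lists; a production engine uses much larger ones.

```python
from typing import Iterable, List, Set

# Constructed affix and separator lists; a production engine uses far larger ones.
AFFIXES = ["dev", "stage", "test", "qa", "uat", "internal"]
SEPARATORS = ["-", "", "."]

def labels_below(host: str, target: str) -> List[str]:
    """api.eu.example.com under example.com -> ['api', 'eu']."""
    host = host.lower().strip(".")
    if not host.endswith("." + target):
        raise ValueError(f"{host} is not under {target}")
    return host[: -len(target) - 1].split(".")

def alterations(known: Iterable[str], target: str, max_num: int = 3) -> List[str]:
    """Derive candidate names from already-discovered subdomains.

    The leftmost label is varied (numeric suffix, environment affix as
    prefix or suffix); deeper labels are kept. Names already in `known`
    are dropped so only genuinely new candidates are resolved.
    """
    target = target.lower().strip(".")
    known_set = {h.lower().strip(".") for h in known}
    candidates: Set[str] = set()
    for host in known_set:
        first, *rest = labels_below(host, target)
        base = first.rstrip("0123456789") or first   # api2 -> api
        variants: Set[str] = set()
        for n in range(1, max_num + 1):              # api -> api1, api-1, ...
            variants.add(f"{base}{n}")
            variants.add(f"{base}-{n}")
        for affix in AFFIXES:                        # api -> api-dev, devapi, api.dev, ...
            for sep in SEPARATORS:
                variants.add(f"{first}{sep}{affix}")
                variants.add(f"{affix}{sep}{first}")
        for v in variants:
            candidate = ".".join([v, *rest, target])
            if candidate not in known_set:
                candidates.add(candidate)
    return sorted(candidates)

if __name__ == "__main__":
    for name in alterations(["api.example.com", "api2.example.com"], "example.com"):
        print(name)
```

Each candidate still has to be resolved (with wildcard filtering) before it counts as a discovered subdomain.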

### CNAME search

Performs CNAME lookups on discovered subdomains and searches the CNAME records for additional subdomain references.

## Follow-up actions

After discovering subdomains:

1. **Check for takeover risks**: Use [Subdomain Takeover](/tools/subdomain-takeover) to find dangling DNS entries
2. **Scan for vulnerabilities**: Run [Website Scanner](/tools/website-scanner) on discovered web apps
3. **Fingerprint services**: Use [Website Recon](/tools/website-recon) for detailed technology detection
4. **Scan open ports**: Use [Port Scanner](/tools/port-scanner) on discovered hosts
5. **Discover related domains**: Use [Domain Finder](/tools/domain-finder) to find domains owned by the same organization
