Enumerate subdomains via DNS and related queries.
The Subdomain Finder discovers hostnames that belong to a domain (e.g. www, mail, api, staging) using DNS enumeration, certificate transparency logs, or wordlists. It helps with security audits (finding forgotten or misconfigured subdomains), migration planning (knowing what to move), or inventory. Results are not guaranteed complete; they depend on the methods used (DNS brute force, CT log search, etc.). Use the output to verify DNS records, close unused subdomains, or ensure critical subdomains are covered by SSL and monitoring.
Common methods: DNS brute force with a wordlist, Certificate Transparency log search (issued certs list hostnames), or passive DNS data if available.
No. Only names that appear in DNS, CT logs, or the wordlist. Obscure or unlisted names may be missed.
Querying public DNS and CT logs is generally acceptable. Avoid aggressive brute force that could impact authoritative servers.
Certificates often list many subdomains (SANs). CT logs are public and can reveal names you did not think of.
Check each for live services, correct DNS and SSL, and remove or secure any that should not be public.