Subdomain Finder

Discover active and historical subdomains for any domain with SSHVPN. Find hidden subdomains using certificate transparency, passive DNS, and more.

Subdomain Discovery

Enter a domain to discover its subdomains using multiple data sources.

Enter the root domain only. Wildcards and sub-subdomains are handled automatically.

Scans are executed server-side to protect your privacy. Results are ephemeral unless you choose to save or export them.

🔍

What is Subdomain Discovery and Why It Matters

Subdomain discovery is the process of finding all subdomains associated with a particular domain. This technique is essential for security professionals, penetration testers, and system administrators who need to understand the complete attack surface of an organization. Subdomains often host different services, applications, or environments that might be overlooked in traditional security assessments.

Modern organizations typically use multiple subdomains for various purposes: development environments (dev.example.com), staging servers (staging.example.com), API endpoints (api.example.com), and specialized services (mail.example.com). Discovering these subdomains helps create a comprehensive inventory of digital assets and identify potential security vulnerabilities or forgotten services that could be exploited.

📊

Data Sources for Subdomain Discovery

Effective subdomain discovery relies on multiple data sources to ensure comprehensive coverage. Certificate Transparency (CT) logs are one of the most valuable sources, containing records of all SSL/TLS certificates issued for domains and subdomains. These logs are publicly accessible and provide historical data about subdomains that may have been used in the past.

Passive DNS databases store historical DNS resolution data, revealing subdomains that have been queried over time. Web crawling and search engine data can uncover subdomains mentioned in web content, while specialized APIs from security companies provide additional coverage. Combining these sources ensures maximum discovery while minimizing false positives through validation and deduplication processes.

🛡️

Security Applications of Subdomain Discovery

Subdomain discovery plays a crucial role in cybersecurity and penetration testing. Security professionals use it to map the complete attack surface of an organization, identifying all publicly accessible services and potential entry points. This comprehensive view helps prioritize security efforts and ensures no services are left unprotected or unmonitored.

During penetration tests, subdomain discovery often reveals forgotten or misconfigured services that could be vulnerable to exploitation. Development and staging environments are commonly found through subdomain discovery and may have weaker security controls than production systems. Regular subdomain discovery helps organizations maintain an accurate inventory of their digital assets and identify unauthorized or forgotten services that could pose security risks.

Best Practices for Subdomain Discovery

Effective subdomain discovery requires a systematic approach and adherence to best practices. Start with passive reconnaissance using publicly available data sources before moving to more aggressive techniques. Always validate discovered subdomains through live DNS resolution to ensure they're actually active and accessible.

Maintain regular scanning schedules to detect new subdomains as they're created, and integrate subdomain discovery into your security monitoring and asset management processes. Be mindful of rate limits and terms of service when using third-party APIs, and always ensure you have proper authorization before scanning domains you don't own. Document your findings and establish processes for investigating and securing newly discovered subdomains.

🔧

Integrating Subdomain Discovery into Security Workflows

Subdomain discovery should be integrated into broader security and asset management workflows. Automated scanning can be scheduled to run regularly, with results compared against previous scans to identify new subdomains. Integration with security information and event management (SIEM) systems allows for real-time monitoring and alerting when new subdomains are discovered.

Combine subdomain discovery with vulnerability scanning and penetration testing tools to create comprehensive security assessments. Use the discovered subdomains as input for additional security checks, including port scanning, service enumeration, and vulnerability assessment. Establish clear processes for investigating and securing newly discovered subdomains, ensuring they meet your organization's security standards and are properly monitored.

📈

Advanced Subdomain Discovery Techniques

Advanced subdomain discovery techniques involve combining multiple approaches and data sources for maximum coverage. DNS zone transfers, if available, can reveal all subdomains configured in a domain's DNS zone. Brute force techniques using common subdomain names and patterns can discover subdomains that might not appear in public databases.

Machine learning and pattern recognition can help identify likely subdomain names based on organizational naming conventions. Historical analysis of certificate transparency logs and passive DNS data can reveal subdomains that were active in the past but may have been forgotten. Advanced techniques also include analyzing web content, email headers, and other metadata that might reference subdomains not visible through traditional discovery methods.