Home All Tools Domain & Network Subdomain Finder

Subdomain Finder

Discover subdomains via DNS brute force

Related Tools

WHOIS Lookup

Get domain registration details, registrar info, and dates

DNS Lookup

Query DNS records (A, AAAA, MX, TXT, NS, CNAME)

IP Lookup

Find IP address and reverse hostname information

Domain Age Checker

Calculate domain age from WHOIS

What is a Subdomain Finder?

A subdomain finder discovers subdomains associated with a root domain. A subdomain is a prefix added to the main domain to designate various services under the same domain (such as mail.example.com or cdn.example.com).

Our SubDomain Finder is a DNS Brute Forcing tool which will test a list of the most common domain prefixes. If a record does exist for a prefix, the subdomain and the resolved ip address is returned.

How the Sub Domain Finder works?

It utilizes a set of common subdomains prefixes and resolves them through DNS each one against the target domain:

  • Mail & email: mail, webmail, smtp, pop, pop3, imap, autodiscover, autoconfig
  • Web www, www2, blog, news, forum, docs, shop, demo
  • Development: dev, beta, test, api, git, cdn, cloud, static
  • Infrastructuredns, mx, ns, ns1, ns2, ns3, mysql, sql
  • Management: admin, cpanel, whm, secure, vpn, stats, tools

Each prefix is appended to the domain to be resolved using PHP's gethostbyname(). The subdomain is added to the "found" list if the domain resolves to a real IP address, (not back to the query), otherwise it would be added to the "not found" list.

The subdomain finder can be used in the following manner:

  • Type in a domain root (e.g. example.com).
  • Click Find Subdomains.
  • Look over the results table, which displays all the found subdomains along with their respective IP addresses.

Why Find Subdomains?

There are a few reasons why discovering subdomains is crucial:

  • Security auditing — Attack vectors may be unknown or forgotten subdomains. They can be using outdated software, missing security headers or weak authentication.
  • Attack surface mapping — Each sub domain is a point of entry in your infrastructure. It requires a full inventory to be well protected by security teams.
  • Organizations tend to forget about some subdomains that have been used for temporary projects or old campaigns. Their identification will help to control the digital footprint.
  • SEO analysis — Subdomains can have an effect on search engine rankings. Knowing about the site's subdomain hierarchy is helpful for content and link strategy.
  • Competitive research — Identifying subdomains of competitor sites gives you clues to the services they provide and what their infrastructure looks like.

The following are some tips about how to manage subdomains.

  • Have an inventory — Have a documented list of all active subdomains and what they do.
  • Remove unused subdomains — Remove DNS records of subdomains that aren't being used to lower attack surface.
  • Secure all subdomains – All of the subdomains should be secured by HTTPS, with the implementation of security headers and ensuring that all are kept up to date.
  • Monitor regularly — Conduct subdomain scans regularly to identify possible unauthorized or rogue subdomains.

Privacy

Our SubDomain Finder has DNS lookups done on our server. No domains, results or IP addresses are stored, logged or shared. There are no accounts, rate limits, or captchas.

Frequently Asked Questions

What is a subdomain in the web?

Subdomains are the domain names that are preceded by a prefix in the DNS hierarchy. In mail.example.com, for instance, the subdomain "mail" is a part of the "example.com" domain. Subdomains are used to structure various services or sections of a domain.

Is the subdomain finder free of charge?

Yes. There are no captchas, limits or sign-up required.

What is DNS Brute Forcing?

Brute forcing of DNS consists of an iterative test of known subdomain prefixes of a domain until a successful subdomain is discovered that resolves to a valid DNS record. It's a great technique to discover subdomains because it functions even if subdomains aren't connected to public pages.

How many subdomains does this tool check?

The tool is designed to scan a list of the most commonly used subdomains for web servers, mail, DNS, web development and infrastructure. If you need to do an exhaustive enumeration for thousands of prefixes, you might want to use a specific tool such as subfinder or amass.

What is the meaning of the discovery of a subdomain?

Found subdomain – DNS provides an A record for that name and it points to an IP address. This means that there is a server or a service that expects to be called on that subdomain.

Is it possible to upload any domain to be scanned?

Yes. Like many other network diagnostic tasks, DNS resolution of subdomains is public information and a common operation. But only do security testing on domains that you own or have explicit permission to do security testing on.