Subdomain Finder
Discover subdomains for any domain by aggregating Certificate Transparency logs, passive DNS, threat-intel feeds and web archives. Passive discovery, no probing of the target.
About subdomain discovery
We enumerate subdomains by aggregating multiple passive intelligence sources: Certificate Transparency logs, passive-DNS feeds, threat-intel datasets and web archives. No packets are sent to the target itself, only public datasets are queried. This is pure passive reconnaissance. Each discovered host is then resolved over DNS-over-HTTPS so you can tell live hosts from stale records, and hosts confirmed by several independent lookups are marked.
Method
- Several independent passive datasets are queried in parallel and merged.
- Every host is resolved over DNS-over-HTTPS; live hosts are separated from stale records.
- Resolved IPs are checked against Cloudflare's network so you can see which hosts are proxied.
Sources run isolated, so a single provider being down only removes its results, never the whole lookup. Wildcard entries (*.example.com) are filtered and duplicates are merged. Internal or expired subdomains may still appear.
When it's useful
- Mapping an organization's external attack surface before a penetration test.
- Finding forgotten staging or admin endpoints that still have certs.
- Due diligence on a domain you're about to acquire.