Live Subdomains
Resolves discovered subdomains to confirm which are currently live and responding.
RECON
Free account required
Subdomain Finder
Enumerate subdomains via DNS records, certificate transparency logs, and brute-force.
Comprehensive subdomain discovery using multiple sources: certificate transparency log queries, DNS brute-force with curated wordlists, passive DNS databases, and web crawl data. Identifies live hosts, expired domains, and takeover candidates.
What it detects
Live Subdomains
Subdomain Takeover Candidates
Certificate Transparency Entries
Wildcard DNS
Detection capabilities
What Subdomain Finder finds
Subdomain Takeover Candidates
Identifies dangling DNS records pointing to deprovisioned cloud services (S3, GitHub Pages, Heroku).
Certificate Transparency Entries
Queries CT logs to find subdomains that appear in TLS certificates — including staging and internal ones.
Wildcard DNS
Detects wildcard DNS configurations that may mask real subdomain enumeration results.
Step-by-step guide
How to use Subdomain Finder
Enter target domain
Input the root domain (e.g., example.com). The tool handles all subdomain prefix enumeration.
Choose discovery method
Select passive (CT logs, passive DNS), active (DNS brute-force), or both for maximum coverage.
Export results
Download found subdomains as a text list for use in further recon or full hunt sessions.
Keep going
Related tools
RECON
URL Finder
Discover hidden endpoints, admin paths, and API routes from any web application.
Use tool →
RECONANALYSIS
URL Analysis
Find open redirects, SSRF indicators, and injection points in any URL.
Use tool →
RECONANALYSIS
JS Recon
Extract API keys, internal endpoints, and auth tokens from JavaScript files.
Use tool →
RaSEC Platform
Run Subdomain Finder as part of an overnight hunt.
All 8 tools in coordinated sequence
Deterministic reproduction
Copy-paste PoC reports
No credit cardCancel anytimeFree forever tier