Network Tool

Subdomain Lookup

Discover subdomains for any domain using passive DNS records.

This free subdomain lookup tool discovers publicly visible subdomains for a given domain using passive sources — primarily certificate transparency logs and DNS records. It is designed for attack surface mapping, asset inventory, and reconnaissance during authorized security assessments. No active scanning or brute-forcing is performed; the tool queries data that is already publicly available.

What subdomain enumeration is and why it matters

Subdomain enumeration is the process of identifying all DNS names under a given apex domain. Organizations frequently expose forgotten development environments, staging servers, internal APIs, and legacy applications on subdomains that never received the same security hardening as the main site. A subdomain like dev.example.com or api-v1.example.com may run outdated software, have weak authentication, or be misconfigured — making subdomain discovery a foundational step in any external attack surface assessment or bug bounty engagement.

Certificate transparency logs as a passive source

Since 2018, all publicly trusted TLS certificates must be logged to Certificate Transparency (CT) logs before browsers will trust them (RFC 9162). Every certificate issued for any subdomain — including internal staging and test hosts that should never have received a public certificate — is therefore permanently and publicly recorded. CT log aggregators like crt.sh index this data, making it possible to enumerate subdomains without sending a single packet to the target. This tool queries CT log data as its primary passive source.
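The following is an added example, not this tool's own code, showing how CT aggregator output can be reduced to a hostname inventory for a domain you are responsible for. It assumes records in the shape of crt.sh's JSON output (the `name_value` and `not_after` fields); the sample records and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output (output=json);
# every record here is made up for this example.
SAMPLE = json.dumps([
    {"name_value": "www.example.com\nexample.com", "not_after": "2030-01-01T00:00:00"},
    {"name_value": "*.staging.example.com", "not_after": "2019-05-01T00:00:00"},
    {"name_value": "API-v1.Example.com\ncdn.partner.example.net", "not_after": "2030-06-01T00:00:00"},
    {"name_value": "mail.notexample.com", "not_after": "2030-01-01T00:00:00"},
    {"name_value": "admin@example.com", "not_after": "2030-01-01T00:00:00"},
])


def normalize(name):
    """Lower-case, trim, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def in_scope(name, apex):
    """True only for the apex itself or a real subdomain of it.

    Matching on "." + apex keeps look-alikes such as notexample.com out.
    """
    return name == apex or name.endswith("." + apex)


def inventory(ct_json, apex, today):
    """Map each in-scope hostname to the latest certificate expiry seen for it."""
    apex = normalize(apex)
    latest = {}
    for rec in json.loads(ct_json):
        expiry = rec["not_after"][:10]  # keep the YYYY-MM-DD part
        for raw in rec["name_value"].split("\n"):  # one SAN per line
            name = normalize(raw)
            if "@" in name or not in_scope(name, apex):
                continue  # e-mail SANs and names belonging to other domains
            latest[name] = max(latest.get(name, ""), expiry)
    # ISO dates compare correctly as plain strings
    return {n: {"last_expiry": d, "live_cert": d >= today}
            for n, d in sorted(latest.items())}


if __name__ == "__main__":
    for host, info in inventory(SAMPLE, "example.com", "2025-01-01").items():
        print(host, info)
```

Hostnames whose only certificates have expired are still worth reviewing, since the CT record persists after the host is retired.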

Passive discovery vs. active scanning

Passive subdomain discovery queries publicly available data sources (CT logs, DNS zone transparency, open datasets) without connecting to the target organization's infrastructure. Active scanning, by contrast, involves sending DNS queries or HTTP requests directly to the target, which may trigger IDS alerts or violate terms of service if done without authorization. This tool is passive only — it will not find subdomains that have never appeared in a CT log or public DNS dataset, but it also generates no traffic to the target.

Frequently asked questions

What is subdomain enumeration?

Subdomain enumeration is the process of discovering all DNS names under a domain. It is used in penetration testing, bug bounty hunting, and asset inventory to map an organization's external attack surface.

Is this legal?

Querying publicly available data (CT logs, open DNS records) is legal and does not involve accessing any system without authorization. However, acting on what you find — scanning, probing, or exploiting those subdomains — is only lawful if you have explicit authorization from the asset owner.

Why don't all subdomains show up?

Passive discovery only surfaces subdomains that have appeared in CT logs or public DNS datasets. Internal-only subdomains with no public certificate, subdomains resolved only within a private DNS namespace, or very new subdomains not yet indexed will not appear.

Does this tool send any requests to the target domain?

No. This tool is entirely passive — it queries CT log aggregators and DNS datasets without sending any traffic to the target organization's servers.