Find Every Subdomain,Instantly
Run comprehensive subdomain enumeration with DNS, certificates, search engines, and passive sources. Built for security researchers, SEOs, and growth teams.
What This Tool Does
Enumerates all publicly visible subdomains using passive sources (CT logs, search engines, DNS datasets) and optional active checks (DNS resolution, HTTP probing).
How Enumeration Works
- Passive: Certificate transparency logs, historical DNS, public datasets
- Active: Resolves A/AAAA/CNAME, HTTP/HTTPS probe for status and title
- Normalization: Lower-casing, punycode, wildcard filtering, root-domain grouping
Interpreting Results
- Domain: Discovered subdomain name
- Title: HTML meta title from HTTP response
- Status: Live/down/timeout indicator
- HTTP Code: Response status from our probe
- Server: Web server type if detected
Frequently Asked Questions
What is subdomain enumeration?
The process of discovering all subdomains associated with a root domain using passive and active techniques.
Is active probing safe?
We use standard DNS/HTTP requests with sensible rate limits. Always ensure you have permission to scan target domains.
Do you detect subdomain takeover risks?
We flag common patterns (e.g., CNAME pointing to deprovisioned services) that may indicate takeover risks.
What data sources do you use?
Certificate transparency logs, DNS records, reverse DNS lookups, web crawl data, and partner data sources.