How to Check the Subdomains of a Domain

Jul 14, 2026
Updated Jul 14, 2026 Security How-To Guides check subdomains check subdomains of a domain how to check subdomains subdomain scan

To check the subdomains of a domain you enumerate every hostname that lives under it — mail.example.com, vpn.example.com, staging.example.com, and so on. There is no single command that returns them all, because subdomains are scattered across DNS, certificate logs, and search indexes. This guide walks through the practical ways to find them, from a one-click check to thorough command-line enumeration.

Why check a domain's subdomains?

Every subdomain is a door into an organisation. Forgotten staging servers, old admin panels, and abandoned cloud apps often sit on subdomains nobody remembers — and each one is part of the attack surface. Finding them is the first step in a security assessment, in bug-bounty recon, and in preventing a subdomain takeover. You cannot secure a host you do not know exists.

Method 1: use a free online subdomain finder (fastest)

The quickest way is a hosted tool that aggregates public sources for you. Enter the domain and it returns the discovered subdomains with no setup. Start with the free subdomain finder — it pulls from certificate transparency and passive DNS in one query, which covers the majority of live subdomains for most domains.

Method 2: certificate transparency logs

Every time a site gets an HTTPS certificate, that certificate — including its hostname — is published to public Certificate Transparency (CT) logs. Searching those logs is one of the most reliable ways to find subdomains, because almost everything on the modern web has a certificate.

# query crt.sh for every certificate issued under the domain
curl -s "https://crt.sh/?q=%25.example.com&output=json" | \
  grep -oE '[a-zA-Z0-9._-]+\.example\.com' | sort -u

CT logs reveal subdomains that never appear in normal DNS enumeration, but they only show names that were issued a certificate.

Method 3: DNS enumeration from the command line

Dedicated recon tools combine passive sources with active DNS resolution. The common ones:

# subfinder — passive aggregation from dozens of sources
subfinder -d example.com -silent

# amass — deeper active + passive enumeration
amass enum -passive -d example.com

# resolve a wordlist of guesses against the domain
dnsx -d example.com -w subdomains.txt

Active brute-forcing with a wordlist finds hosts that have no certificate and are missing from public sources, at the cost of sending many DNS queries.

Method 4: search-engine dorks

Search engines index subdomains too. A quick manual check:

site:*.example.com -www

This lists indexed subdomains excluding the main www host. It is fast and free but only surfaces what has been crawled and indexed.

Which method should you use?

MethodBest forEffort
Online finderA fast, complete-enough first passNone
Certificate transparencyReliable coverage of anything with a certificateLow
subfinder / amassThorough recon, including active brute-forceMedium
Search dorksA quick sanity checkNone

In practice, start with the online finder or CT logs, then run subfinder/amass when you need depth. Combining passive and active methods gives the most complete list.

What to do with the subdomains you find

A list of hostnames is only the start. For each subdomain, resolve its A/CNAME records and check what it points to. Watch especially for hosts whose records dangle to a deleted third-party service — those are prime subdomain-takeover candidates. Because subdomains appear and disappear constantly, a one-off check goes stale quickly; continuous monitoring re-checks them on a schedule.

Frequently asked questions

How do I check the subdomains of a domain for free?

Enter the domain into a free subdomain finder, or query certificate transparency logs at crt.sh. Both are free and require no software to install.

Can I find every subdomain of a domain?

No method guarantees 100% coverage. Certificate transparency and passive sources miss hosts with no certificate that were never made public; active brute-force misses hosts not in your wordlist. Combining methods gets you the most complete list.

Is checking a domain's subdomains legal?

Enumerating subdomains from public sources (DNS, CT logs, search engines) uses only publicly available information and is generally fine. Actively scanning or testing the hosts you find, however, requires permission from the owner.

Scan for these vulnerabilities

Secably automatically detects the issues discussed in this article.

Start Free Scan