How to Check the Subdomains of a Domain
To check the subdomains of a domain you enumerate every hostname that lives under it — mail.example.com, vpn.example.com, staging.example.com, and so on. There is no single command that returns them all, because subdomains are scattered across DNS, certificate logs, and search indexes. This guide walks through the practical ways to find them, from a one-click check to thorough command-line enumeration.
Why check a domain's subdomains?
Every subdomain is a door into an organisation. Forgotten staging servers, old admin panels, and abandoned cloud apps often sit on subdomains nobody remembers — and each one is part of the attack surface. Finding them is the first step in a security assessment, in bug-bounty recon, and in preventing a subdomain takeover. You cannot secure a host you do not know exists.
Method 1: use a free online subdomain finder (fastest)
The quickest way is a hosted tool that aggregates public sources for you. Enter the domain and it returns the discovered subdomains with no setup. Start with the free subdomain finder — it pulls from certificate transparency and passive DNS in one query, which covers the majority of live subdomains for most domains.
Method 2: certificate transparency logs
Every time a site gets an HTTPS certificate, that certificate — including its hostname — is published to public Certificate Transparency (CT) logs. Searching those logs is one of the most reliable ways to find subdomains, because almost everything on the modern web has a certificate.
# query crt.sh for every certificate issued under the domain
curl -s "https://crt.sh/?q=%25.example.com&output=json" | \
grep -oE '[a-zA-Z0-9._-]+\.example\.com' | sort -u
CT logs reveal subdomains that never appear in normal DNS enumeration, but they only show names that were issued a certificate.
Method 3: DNS enumeration from the command line
Dedicated recon tools combine passive sources with active DNS resolution. The common ones:
# subfinder — passive aggregation from dozens of sources
subfinder -d example.com -silent
# amass — deeper active + passive enumeration
amass enum -passive -d example.com
# resolve a wordlist of guesses against the domain
dnsx -d example.com -w subdomains.txt
Active brute-forcing with a wordlist finds hosts that have no certificate and are missing from public sources, at the cost of sending many DNS queries.
Method 4: search-engine dorks
Search engines index subdomains too. A quick manual check:
site:*.example.com -www
This lists indexed subdomains excluding the main www host. It is fast and free but only surfaces what has been crawled and indexed.
Which method should you use?
| Method | Best for | Effort |
|---|---|---|
| Online finder | A fast, complete-enough first pass | None |
| Certificate transparency | Reliable coverage of anything with a certificate | Low |
| subfinder / amass | Thorough recon, including active brute-force | Medium |
| Search dorks | A quick sanity check | None |
In practice, start with the online finder or CT logs, then run subfinder/amass when you need depth. Combining passive and active methods gives the most complete list.
What to do with the subdomains you find
A list of hostnames is only the start. For each subdomain, resolve its A/CNAME records and check what it points to. Watch especially for hosts whose records dangle to a deleted third-party service — those are prime subdomain-takeover candidates. Because subdomains appear and disappear constantly, a one-off check goes stale quickly; continuous monitoring re-checks them on a schedule.
Frequently asked questions
How do I check the subdomains of a domain for free?
Enter the domain into a free subdomain finder, or query certificate transparency logs at crt.sh. Both are free and require no software to install.
Can I find every subdomain of a domain?
No method guarantees 100% coverage. Certificate transparency and passive sources miss hosts with no certificate that were never made public; active brute-force misses hosts not in your wordlist. Combining methods gets you the most complete list.
Is checking a domain's subdomains legal?
Enumerating subdomains from public sources (DNS, CT logs, search engines) uses only publicly available information and is generally fine. Actively scanning or testing the hosts you find, however, requires permission from the owner.