How to Find Subdomains

May 16, 2026
Updated May 16, 2026 Security How-To Guides find subdomains subdomain enumeration subdomain discovery enumerate subdomains

How to Find Subdomains: A Comprehensive Guide

In the vast landscape of the internet, every website is a digital asset, and often, these assets extend beyond the primary domain. Subdomains are crucial components of a website's infrastructure, serving various purposes from hosting specific services to staging environments or regional content. However, these seemingly innocuous extensions can also represent significant security vulnerabilities if left unmonitored or misconfigured.

For security professionals, penetration testers, system administrators, and even curious developers, the ability to find subdomains is a fundamental skill. This process, often referred to as subdomain enumeration or subdomain discovery, is the first step in understanding an organization's true digital footprint. An overlooked subdomain could host an outdated application, an unpatched service, or sensitive information, providing an easy entry point for attackers.

This comprehensive guide will walk you through various methods to enumerate subdomains, ranging from the quickest and easiest online tools to advanced command-line techniques. We'll explain why this process is vital for bolstering your security posture and how to interpret the results effectively. Whether you're looking to secure your own assets or conduct ethical reconnaissance, mastering subdomain discovery is an indispensable skill.

Want to check your site right now?

Website Vulnerability Scanner →  ·  Port Scanner

Quick Method: Use Secably's Free Subdomain Finder

For those who need fast, accurate results without the hassle of installing software or dealing with complex commands, Secably offers a powerful and completely free online Subdomain Finder tool. It's designed for simplicity and efficiency, making it the ideal starting point for anyone looking to find subdomains quickly.

Why choose Secably's Subdomain Finder?

  • Free & Online: No costs, no downloads, no software installation.
  • No Signup Required: Get started immediately without creating an account.
  • User-Friendly: A clean, intuitive interface makes it accessible for all skill levels.
  • Fast Results: Most scans complete in under 60 seconds, providing a comprehensive list of discovered subdomains.
  • Comprehensive: Utilizes multiple techniques to maximize discovery, including DNS records, certificate transparency logs, and more.

Here's how to use it:

  1. Open your web browser and navigate to Secably's Subdomain Finder page.
  2. In the designated input field, enter the target domain (e.g., example.com). You can also enter an IP address if you're looking to discover subdomains associated with a specific server.
  3. Click the 'Scan' or 'Find Subdomains' button.
  4. Wait a few moments for the tool to process your request. The results will be displayed directly on the page, listing all discovered subdomains along with relevant information like their IP addresses.

This method is perfect for initial reconnaissance, regular security checks, or when you need a quick overview of a domain's subdomains without diving deep into manual techniques. It's an excellent way to enumerate subdomains efficiently and effectively.

Manual Method: Command-Line Tools & Advanced Techniques

While online tools offer convenience, understanding manual command-line techniques provides deeper insight and greater control over the subdomain enumeration process. These methods are favored by advanced users, penetration testers, and security researchers who require granular control or wish to integrate subdomain discovery into automated scripts. Here, we'll explore several powerful command-line tools and techniques to find subdomains.

1. DNS Query Tools (dig, host, nslookup)

These are fundamental tools for querying DNS records. By checking various record types, you can often uncover subdomains.

Using dig:

dig is a flexible tool for interrogating DNS name servers. You can use it to query for specific record types or perform zone transfers (though zone transfers are rarely enabled on public servers due to security concerns).

# Query for A records (IPv4 addresses) for common subdomains\ndig @8.8.8.8 www.example.com A\ndig @8.8.8.8 mail.example.com A\n\n# Query for NS records (Name Servers) to find potential subdomains\ndig @8.8.8.8 example.com NS\n\n# Query for MX records (Mail Exchangers) which often point to subdomains\ndig @8.8.8.8 example.com MX\n\n# Attempt a zone transfer (rarely successful, but worth a try)\ndig @ns1.example.com example.com AXFR\n

Using host:

host is a simpler utility for performing DNS lookups.

# Look up the IP address of a known subdomain\nhost www.example.com\n\n# Look up all available records for the main domain\nhost -t ANY example.com\n

Using nslookup:

nslookup is another common DNS query tool, though dig is generally preferred for scripting.

# Look up a specific subdomain\nnslookup www.example.com\n\n# Change server and query for all records\nnslookup\n> server 8.8.8.8\n> set type=ANY\n> example.com\n> exit\n

2. Certificate Transparency Logs

Certificate Authorities (CAs) publicly log every SSL/TLS certificate they issue. These logs often contain subdomain names, as certificates are issued for both main domains and their subdomains. This is an incredibly rich source for subdomain discovery.

Using crt.sh (via browser or curl):

crt.sh is a public interface to the Certificate Transparency logs. You can simply visit the website and enter a domain, or automate queries using curl.

# Query crt.sh for subdomains of example.com\ncurl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sed 's/\*.//g' | sort -u\n

Note: This command requires jq to parse JSON. Install it with sudo apt-get install jq on Debian/Ubuntu or brew install jq on macOS.

3. Search Engine Dorking

Search engines like Google, Bing, and DuckDuckGo index vast amounts of web content, including subdomains. Using specific search queries (dorks) can help uncover indexed subdomains.

Google Dorks:

# Find all indexed subdomains for a domain, excluding the main www subdomain\nsite:example.com -inurl:www\n\n# Find specific types of subdomains (e.g., admin panels)\nsite:example.com inurl:admin\n\n# Find subdomains with specific keywords\nsite:example.com "dashboard"\n

4. Brute-Forcing with Wordlists

This technique involves systematically trying a list of common subdomain names (a wordlist) against a target domain to see if they resolve to an IP address. While resource-intensive, it can uncover subdomains not found through other passive methods.

Using dig with a simple loop (for demonstration):

# Create a simple wordlist (e.g., common.txt)\necho "admin" > common.txt\necho "dev" >> common.txt\necho "test" >> common.txt\necho "api" >> common.txt\n\n# Loop through the wordlist and try to resolve each subdomain\nfor sub in $(cat common.txt); do\n  host "$sub.example.com" | grep "has address"\ndone\n

For more robust brute-forcing, dedicated tools like wfuzz, ffuf, or gobuster are recommended, which are optimized for speed and handling various HTTP responses.

Using ffuf (example):

# Install ffuf: go install github.com/ffuf/ffuf@latest\nffuf -w /path/to/wordlist.txt -u https://FUZZ.example.com -mc 200,301,302 -fs 0\n

5. Reverse DNS Lookups

While not a primary method for *finding* subdomains, performing reverse DNS lookups on IP ranges known to belong to an organization can sometimes reveal associated subdomains, especially if they have PTR records configured.

# Example: Perform a reverse lookup for an IP address\ndig -x 192.0.2.1\n

Combining these manual techniques allows for a thorough and comprehensive subdomain enumeration, providing a detailed map of an organization's exposed assets.

Understanding Your Subdomain Discovery Results

Once you've completed your subdomain enumeration, whether with Secably's tool or manual methods, you'll be presented with a list of subdomains. But what do these results mean, and how should you interpret them?

Each discovered subdomain typically comes with associated information, such as:

  • Subdomain Name: The actual subdomain (e.g., dev.example.com, mail.example.com).
  • IP Address: The server's IP address that the subdomain resolves to. This is crucial for identifying where the subdomain is hosted.
  • CNAME Record: Sometimes, a subdomain might be an alias (Canonical Name) pointing to another domain or subdomain (e.g., blog.example.com might CNAME to example.wordpress.com). This indicates third-party hosting or cloud services.
  • Status/Response Code: For web-based subdomains, tools might indicate if the subdomain resolves to an active web server and its HTTP status code (e.g., 200 OK, 404 Not Found, 301 Redirect).

What to Look For:

  1. Unusual or Forgotten Subdomains: Pay close attention to subdomains that seem out of place, use old naming conventions (e.g., old-site.example.com), or refer to development/testing environments (e.g., dev.example.com, staging.example.com). These are often neglected and prone to vulnerabilities.
  2. Different IP Addresses: If multiple subdomains resolve to different IP addresses, it suggests they are hosted on different servers or even by different providers. This expands your potential attack surface.
  3. Third-Party Services: CNAME records pointing to services like GitHub Pages, Heroku, AWS S3 buckets, or other cloud providers indicate external dependencies. These can sometimes be vulnerable to subdomain takeovers if not properly configured.
  4. Wildcard DNS Entries: Be aware of wildcard DNS records (e.g., *.example.com). These mean that any non-existent subdomain will still resolve to an IP address, often the main domain's. This can clutter results and make it harder to find truly unique subdomains. Tools like Secably's Subdomain Finder are designed to filter these out or highlight them.
  5. Open Ports and Services: While subdomain discovery primarily focuses on DNS, the IP addresses found can then be used for port scanning to identify open ports and running services, further detailing the attack surface.

Prioritize subdomains that appear to be active web servers, especially those with unusual names or pointing to development environments. These are often the most fruitful targets for further investigation and vulnerability assessment.

Common Issues & Troubleshooting During Subdomain Discovery

While subdomain enumeration is a powerful technique, you might encounter certain challenges. Understanding these common issues and how to troubleshoot them will help you achieve more comprehensive and accurate results.

  • Wildcard DNS Entries: As mentioned, a wildcard DNS record (*.example.com) will make almost any subdomain resolve to an IP address. This can lead to a flood of false positives, making it difficult to identify legitimate subdomains. Many advanced tools and Secably's Subdomain Finder have built-in logic to detect and filter out wildcard responses. If performing manual brute-forcing, you'll need to implement checks to identify and ignore wildcard responses.
  • Rate Limiting & IP Blocking: Aggressive scanning or too many DNS queries from a single IP address can trigger rate limits or even IP blocks from DNS resolvers or the target's infrastructure. If you notice incomplete results or connection errors, try slowing down your scans, using different DNS resolvers (e.g., Google's 8.8.8.8, Cloudflare's 1.1.1.1), or rotating your IP address (e.g., via a VPN or proxy).
  • Firewall & IDS/IPS: Security devices like firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) can detect and block suspicious activity, including rapid DNS queries or port scans. If your scans are consistently failing, it might be due to such defenses.
  • Incomplete Wordlists: When brute-forcing, the quality and comprehensiveness of your wordlist directly impact your success. A small or outdated wordlist will miss many subdomains. Use large, up-to-date wordlists specifically designed for subdomain enumeration.
  • DNS Caching: Your local DNS resolver or ISP might cache old DNS records, leading to outdated results. Clearing your local DNS cache or using public DNS resolvers (like 8.8.8.8) can help ensure you're getting the most current information.
  • Network Connectivity Issues: Basic network problems can obviously disrupt any scanning activity. Ensure your internet connection is stable and that there are no local firewall rules preventing your tools from making outbound connections.

If Secably's Subdomain Finder returns unexpected results or seems to fail, first double-check the domain name for typos. If the issue persists, try again after a few minutes, as temporary network glitches can occur. For manual methods, ensure your commands are correctly formatted and that all necessary tools are installed and updated.

Free Security Tools

Scan your website, check open ports, find subdomains — no signup required.

See all tools →

Next Steps After Subdomain Discovery

Discovering subdomains is just the beginning of a thorough security assessment. Once you have a comprehensive list of subdomains, the real work of identifying potential vulnerabilities begins. Here are the crucial next steps you should take:

  1. Further Reconnaissance:

    For each discovered subdomain, visit it in a browser. What kind of content or application is hosted? Is it an active website, an API endpoint, a file server, or a login portal? Note down technologies used (e.g., WordPress, Apache, Nginx, specific JavaScript frameworks).

  2. Port Scanning:

    Use the IP addresses associated with the subdomains to perform a port scan. This will reveal open ports and the services running on them. An open port might indicate an exposed service that could be vulnerable. Secably offers a free Port Scanner that can help you quickly identify open ports.

  3. Vulnerability Scanning:

    Once you've identified active web applications or services, the next step is to scan them for known vulnerabilities. This includes checking for common web application flaws (OWASP Top 10), outdated software, and misconfigurations. Secably's Website Scanner can perform a comprehensive vulnerability assessment on your web assets.

  4. Web Application Testing:

    For critical web applications, consider manual penetration testing to uncover business logic flaws, authentication bypasses, and other vulnerabilities that automated scanners might miss.

  5. Content Discovery:

    Even if a subdomain appears to be a 404 page, it might still host hidden directories or files. Tools like dirb, gobuster, or ffuf can be used to brute-force common directory and file names.

  6. Monitor Continuously:

    The digital landscape is constantly changing. New subdomains can be added, and configurations can change. Implement a routine to regularly find subdomains and re-evaluate your attack surface. Secably's tools are always available for free to help you maintain continuous vigilance.

    By systematically following these steps, you can transform a simple list of subdomains into actionable intelligence, significantly enhancing your overall security posture and reducing your exposure to potential threats. Don't just discover them; secure them!

    Is Secably's Subdomain Finder free to use?

    Yes, Secably's Subdomain Finder is completely free for basic scans. There's no cost, no hidden fees, and no signup required to use the tool and get your results.

    Is it safe and legal to scan my own website for subdomains?

    Absolutely. Scanning your own website and its subdomains is not only safe and legal but also highly recommended as a fundamental part of your security hygiene. It helps you identify forgotten assets and potential vulnerabilities before malicious actors do.

    How often should I enumerate subdomains for my assets?

    We recommend performing subdomain enumeration at least monthly, or ideally, after any significant changes to your infrastructure, new deployments, or major updates. Continuous monitoring helps ensure you catch new or forgotten assets promptly.

    What is a subdomain, and why is it important for security?

    A subdomain is a division of a primary domain (e.g., blog.example.com where example.com is the main domain). From a security perspective, subdomains are critical because each one can represent a separate application, service, or server. An unmonitored or misconfigured subdomain can expose sensitive data, provide an entry point for attacks, or host outdated software, significantly expanding an organization's attack surface.

    Can I find subdomains for any website?

    You can attempt to find subdomains for any public website using the methods described. However, ethical considerations and legal boundaries are paramount. Always ensure you have explicit permission before conducting extensive scanning or penetration testing on assets you do not own or manage. Passive methods like using certificate transparency logs or search engine dorking are generally acceptable for any public domain, but active scanning (like brute-forcing or port scanning) should only be done with authorization.

    Scan your website for free

    No signup needed. Get results in under 60 seconds.

    Run Free Scan →

Scan for these vulnerabilities

Secably automatically detects the issues discussed in this article.

Start Free Scan