Free Subdomain Finder

Discover subdomains using DNS enumeration, certificate transparency logs (crt.sh), and HTTP probing.

Enumerating subdomains for ...

Daily scan limit reached

Sign up free to get 10 scans/day — or upgrade for unlimited access.

Redirecting to report...

Quick answer

A subdomain finder is a tool that discovers the subdomains of a domain — such as mail.example.com or staging.example.com — by combining DNS enumeration, Certificate Transparency logs, and HTTP probing. Secably's subdomain finder is free, requires no signup, and returns results in seconds.

  • Three discovery methods: DNS, CT logs, HTTP probing
  • Surfaces forgotten and hidden hosts, not just documented ones
  • Free, no signup, results in seconds
  • Wildcard DNS detected and filtered automatically

What is a subdomain finder?

A subdomain finder discovers the hostnames that live under a domain — like mail.example.com, staging.example.com, or vpn.example.com — without you needing a list in advance. Instead of guessing, it enumerates candidate names from public sources, then confirms which ones actually resolve and respond.

Most organizations run far more subdomains than anyone keeps track of: marketing microsites, old staging servers, admin panels, forgotten cloud instances, and third-party tools bolted onto a subdomain. Each one is a separate entry point into your infrastructure.

Why forgotten subdomains are a security risk

The subdomains you've forgotten about are exactly the ones attackers find first. An unpatched staging server, an admin panel exposed on a subdomain, or a subdomain still pointing at a de-provisioned cloud service (a dangling DNS record) can hand over access your main site never would.

Mapping every subdomain is the first step of any real attack-surface review — and the first thing a penetration tester does during reconnaissance. You can't secure a host you don't know exists.

The problem keeps growing: the average organization exposes more than 300 new internet-facing services every month, and roughly 32% of those additions become new high- or critical-severity exposures (Palo Alto Unit 42, 2024). Enumerating your subdomains once isn't enough — the list changes faster than most teams review it.

How subdomain enumeration works

Secably combines three independent discovery methods and cross-checks the results, so you catch subdomains that any single technique would miss.

— Wordlist

DNS enumeration

Tests thousands of common subdomain names against the domain's DNS and keeps the ones that resolve. Fast, and reliable for predictable names like dev, vpn, git, mail.

— crt.sh

Certificate Transparency

Every TLS certificate issued for a subdomain is logged publicly. Searching Certificate Transparency logs surfaces subdomains that were never meant to be public but received a certificate — including internal and staging hosts.

— Live check

HTTP probing

For each candidate, Secably checks whether it actually serves a website and how it responds — so your results are live hosts, not stale DNS entries.

Wildcard DNS — where every possible subdomain resolves — is detected and filtered automatically, so you aren't flooded with false positives.

How to find subdomains in 3 steps

1

Enter a domain

Type the root domain, for example example.com. No http:// and no path needed.

2

Choose your methods

Keep Certificate Transparency and HTTP probing enabled for the most complete results, or narrow the scan down to what you need.

3

Read the results

Each discovered subdomain is listed with its resolution status. Save or export the full list with a free account.

Who uses a subdomain finder

dev
Catch what you left exposed
Developers: find a staging or dev environment you accidentally left public — before it turns into an incident.
ops
Inventory every host you own
Sysadmins & ops: build a complete list of every host under your domain, including shadow IT and third-party subdomains nobody documented.
sec
Map the attack surface fast
Security & pentesters: map the full external attack surface in one pass, and spot subdomain-takeover candidates pointing at de-provisioned services.

Frequently Asked Questions

What is subdomain enumeration? +
Subdomain enumeration is the process of discovering every subdomain that belongs to a domain. It reveals the full attack surface by surfacing forgotten servers, staging environments, and internal tools that never made it into any inventory.
What methods does this tool use? +
Secably combines DNS dictionary enumeration (a curated wordlist tested against the domain's DNS), Certificate Transparency log searches via crt.sh, and HTTP probing to confirm which hosts are live. Wildcard DNS is detected and filtered automatically.
What is Certificate Transparency (crt.sh)? +
Certificate Transparency is a public, append-only log of every TLS certificate issued on the internet. Because most subdomains eventually get a certificate, searching CT logs (via crt.sh) is one of the most reliable ways to discover them — including hosts that never appear in a DNS wordlist.
Is it legal to find subdomains of a domain? +
Subdomain enumeration uses only public data — DNS records and Certificate Transparency logs — so discovering subdomains is generally legal. Actively scanning or attacking hosts you don't own or have permission to test is not. Only run deeper scans against domains you're authorized to assess.
What is a subdomain takeover? +
A subdomain takeover happens when a subdomain's DNS record still points at a third-party service (like a cloud bucket or hosting platform) that has since been de-provisioned. An attacker can re-register that service and serve their own content from your subdomain. Finding these dangling subdomains is a key reason to enumerate regularly.
How often should I check my subdomains? +
Attack surface changes constantly as teams spin up new services, so a one-off scan goes stale quickly. Schedule recurring checks (available on Pro) to get an alert whenever a new subdomain appears.
Why are results limited to 20? +
Anonymous scans show the first 20 subdomains. Create a free account to see the full list, or upgrade to Pro for unlimited enumeration, export, and scheduled monitoring.
Do you store my scan results? +
Anonymous scan results are temporary and expire automatically. Create a free account if you'd like to keep your scan history and compare results over time.

Related security tools