Subdomain Finder

Discover subdomains using DNS brute force. Find www, mail, api, and 90+ common subdomains.

Scan for Subdomains

Enter a domain to discover subdomains through DNS lookups

Daily limit: 0/5 | Checks 90+ common subdomains

What is Subdomain Discovery?

Subdomain discovery (also called subdomain enumeration) is the process of finding subdomains associated with a main domain. Subdomains are prefixes added before the main domain name, like mail.example.com or api.example.com. Organizations use subdomains to organize different services, applications, or departments under a single parent domain. Discovering subdomains helps security researchers identify potential attack surfaces, helps businesses understand their digital footprint, and aids in competitive intelligence.

Our subdomain finder uses DNS brute force, querying DNS servers for a list of common subdomain names (www, mail, api, blog, etc.) to see which ones resolve to IP addresses. This technique is completely legal when used on domains you own or have permission to test. Unlike some advanced subdomain enumeration tools that check thousands or millions of variations, our tool focuses on the 90+ most common subdomains for quick, practical results.

Why Subdomain Discovery Matters

Security Assessment

Discovering all subdomains of your domain helps identify forgotten or abandoned services that might have security vulnerabilities. Old test servers, staging environments, or deprecated applications can become entry points for attackers. Regular subdomain enumeration is a crucial part of attack surface management and penetration testing.

Infrastructure Mapping

Understanding your complete infrastructure helps with IT asset management, cloud cost optimization, and ensuring proper security policies are applied across all services. Many organizations lose track of subdomains, leading to unnecessary hosting costs and compliance issues. Subdomain discovery provides a complete inventory of your digital assets.

Competitive Intelligence

Analyzing competitors' subdomains reveals their technology stack, services offered, and business operations. Discovering subdomains like api.competitor.com, partners.competitor.com, or careers.competitor.com provides insights into their technical architecture and business strategies. This information is publicly available and legal to gather.

Brand Protection

Discovering unauthorized subdomains helps protect your brand from phishing attacks and trademark infringement. Bad actors sometimes create subdomains on compromised servers or through DNS hijacking to impersonate legitimate services. Regular monitoring helps detect and shut down malicious subdomains quickly.

Common Subdomains Explained

www - Main Website

The most common subdomain, traditionally used for the main public website. While many modern sites work without "www," it's still widely used for historical reasons and to separate the website from other services.

mail / webmail - Email Access

Used for web-based email clients where users can access their email through a browser. Common for businesses using custom email solutions or providing employee webmail access.

api - API Endpoints

Hosts REST APIs or web services that other applications use to interact with the platform. Separating the API onto its own subdomain improves organization, security, and allows independent scaling.

blog - Company Blog

Dedicated subdomain for blogging content, often running on a different platform (WordPress, Ghost) than the main site. Helps with content organization and can be managed by marketing teams independently.

dev / staging - Development

Test environments for developers to work on new features before deploying to production. These should always be password-protected or IP-restricted to prevent exposing unfinished work or vulnerabilities.

shop / store - E-commerce

Online store or marketplace, often on a separate subdomain for security (PCI compliance) or using third-party e-commerce platforms like Shopify or WooCommerce.

cdn / static - Content Delivery

Hosts static assets (images, CSS, JavaScript) served through a Content Delivery Network for faster load times worldwide. Using a separate subdomain enables cookieless domains for better performance.

admin / cpanel - Administration

Backend administration panels for managing the website, database, or server. These are high-value targets for attackers and should have strong authentication and IP restrictions.

Frequently Asked Questions

Is subdomain discovery legal?

Yes, subdomain discovery using DNS queries is completely legal. DNS is a public service, and querying it for information is no different than looking up a phone number in a directory. However, what you do after discovering subdomains may have legal implications. Only test security on domains you own or have explicit permission to test. Unauthorized penetration testing is illegal.

How accurate is DNS brute force?

DNS brute force is highly accurate for finding subdomains that have DNS records, but it only finds what you specifically look for. Our tool checks 90+ common subdomain names, which catches the most frequently used ones. However, uncommon or custom subdomains (like project123.example.com) won't be found unless they're in our wordlist. Advanced enumeration tools use dictionaries with millions of names for more comprehensive discovery.

Why are some subdomains password-protected or inaccessible?

Just because a subdomain exists in DNS doesn't mean it's publicly accessible. Many subdomains have IP restrictions (only accessible from corporate networks), require authentication (login pages), or are behind firewalls. Finding a subdomain only tells you it exists; it doesn't grant access. Attempting to bypass authentication or access restrictions is illegal without permission.

Can I find all subdomains of a domain?

No single method finds all subdomains. DNS brute force finds subdomains by guessing names. Other methods include certificate transparency logs (SSL certificates list subdomains), search engines (Google dorking), web archives, and reverse DNS. A comprehensive subdomain enumeration combines multiple techniques. Large organizations can have thousands of subdomains that aren't in common wordlists.

What should I do if I find a vulnerable subdomain?

If you find a vulnerability on your own domain, fix it immediately and investigate how it was created. If you discover a vulnerability on someone else's domain during research, follow responsible disclosure practices: notify the organization privately, give them reasonable time to fix it (typically 90 days), and don't publicly disclose details until it's patched. Many companies have bug bounty programs that reward security researchers.

Why do wildcards affect subdomain discovery?

Some domains use wildcard DNS records (*.example.com) that resolve any subdomain to the same IP address. This makes subdomain enumeration difficult because every query returns a positive result, even for non-existent subdomains. Advanced tools detect wildcard configurations and filter results, but it complicates identifying legitimate vs. catch-all subdomains.

How often should I scan my domain for subdomains?

For security purposes, scan quarterly or whenever major infrastructure changes occur. Set up automated monitoring to alert you when new subdomains are created, as unauthorized subdomains can indicate a security breach. For competitive intelligence, monthly scans provide insights into competitors' new services or products. Use continuous monitoring for high-security environments.

What's the difference between A and AAAA records?

A records point to IPv4 addresses (like 192.168.1.1), while AAAA records point to IPv6 addresses (like 2001:0db8:85a3::8a2e:0370:7334). Modern websites often have both for compatibility. IPv4 is still dominant, but IPv6 adoption is growing. Our tool checks both types to ensure comprehensive discovery of all configured subdomains.

Can deleted subdomains still appear in searches?

Yes, deleted subdomains can linger in DNS caches (based on TTL settings), certificate transparency logs (permanent record), search engine caches, web archives (Wayback Machine), and third-party databases. Even after removing a subdomain from your DNS, it may be discoverable through historical records for months or years. Plan subdomain naming carefully.

Related Tools

Explore more tools for domain and DNS analysis:

DNS Propagation Checker

Check DNS records across global servers to verify propagation status after DNS changes.

WHOIS Lookup

Get domain registration information, nameservers, and expiration dates.

SSL Certificate Checker

Verify SSL/TLS certificates, check expiration dates, and validate certificate chains.

Domain Blacklist Checker

Check if your domain is listed on major spam blacklists and DNS-based blocklists.