Subdomain Scanner

Discover all subdomains for any domain using Certificate Transparency logs. Find hidden subdomains, check certificate validity, and export results.

Run a check to see results

APIPOST /api/v1/dns/subdomains
4.7(22 votes)
17
checks performed
Try also: DNS Lookup
Run Check

Key Features

100% Free

No registration required, unlimited checks

Instant Results

Real-time analysis with detailed output

REST API Access

Integrate into your workflow via API

Accurate Data

Live queries to authoritative sources

What is Subdomain Scanner?

The Subdomain Scanner discovers all subdomains associated with a domain by querying Certificate Transparency (CT) logs — public, auditable databases where every SSL/TLS certificate issued by a Certificate Authority must be recorded. This passive reconnaissance technique reveals subdomains that have had certificates issued for them, often uncovering infrastructure that isn't publicly linked: staging servers, internal admin panels, development environments, API endpoints, mail servers, and forgotten services. The tool displays each discovered subdomain with its associated certificate details, validity status, and issuer.

Results can be filtered, sorted, and exported as CSV for further analysis. This free subdomain finder is used by security professionals mapping an organization's attack surface during authorized penetration testing, IT administrators auditing their domain's certificate inventory, DevOps teams discovering forgotten infrastructure that should be decommissioned, brand protection teams finding unauthorized use of their domain, and competitive analysts exploring a company's web infrastructure.

How to Use

  1. 1Enter the root domain you want to scan (e.g., example.com — do not include subdomains)
  2. 2Click 'Run Check' to query Certificate Transparency logs for all associated certificates
  3. 3Browse the discovered subdomains — use the filter to search for specific names
  4. 4Check certificate validity for each subdomain: valid, expired, or revoked
  5. 5Export the full list as CSV or copy all subdomains to clipboard for further analysis
  6. 6Investigate unexpected subdomains — they may indicate forgotten infrastructure or unauthorized usage

Who Uses This

System Administrators

Monitor and troubleshoot infrastructure

Developers

Debug network issues and integrate via API

SEO Specialists

Verify domain configuration and performance

Security Analysts

Audit and assess network security

Frequently Asked Questions

What is subdomain scanning and why is it important?
Subdomain scanning is the process of discovering all subdomains belonging to a root domain. It's important for security because subdomains often host services that aren't publicly visible or linked — staging environments, admin panels, API servers, legacy applications — which may have weaker security than the main website. Attackers frequently target forgotten or poorly maintained subdomains as entry points. For organizations, knowing your complete subdomain inventory is essential for security auditing, certificate management, and infrastructure hygiene.
What are Certificate Transparency logs?
Certificate Transparency (CT) is a framework (RFC 6962) that requires Certificate Authorities to publicly log every SSL/TLS certificate they issue. These logs are cryptographically verifiable and publicly searchable, allowing anyone to discover which domains and subdomains have had certificates issued. CT was created to detect misissued or fraudulent certificates. As a side effect, it provides a powerful subdomain enumeration method — if a subdomain ever had an SSL certificate (including internal and staging certs), it appears in CT logs.
Will this find all subdomains of a domain?
This tool finds subdomains that have had SSL/TLS certificates issued — which covers the vast majority of actively used subdomains, since modern browsers and services require HTTPS. However, it may miss subdomains that have never had a certificate (HTTP-only internal services, intranet sites), subdomains using private Certificate Authorities not logged in public CT, and subdomains that were created after the last CT log update. For the most comprehensive discovery, combine CT log scanning with DNS brute-forcing, DNS zone transfer attempts, and search engine dorking.
Is subdomain scanning legal?
Querying Certificate Transparency logs is completely legal — CT logs are public by design and intended to be searched. This is passive reconnaissance that doesn't interact with the target's servers at all. The tool only reads publicly available certificate data. However, acting on the discovered subdomains (attempting to access admin panels, exploiting vulnerabilities) requires explicit authorization from the domain owner. CT-based subdomain discovery is a standard first step in authorized security assessments and is widely used by legitimate security researchers.
How can I protect my subdomains from being discovered?
Complete prevention is difficult because Certificate Transparency logging is mandatory for publicly trusted certificates. However, you can minimize exposure by: using wildcard certificates (*.example.com) instead of individual subdomain certificates (the subdomain names won't appear in CT logs), keeping sensitive internal services on private Certificate Authorities (not logged in public CT), regularly auditing discovered subdomains and decommissioning unused ones, ensuring all subdomains have proper authentication and access controls regardless of discoverability, and monitoring CT logs for unauthorized certificate issuance for your domain.

Related Articles

Master Subdomain Verification: Real-World TechniquesGuide

Master Subdomain Verification: Real-World Techniques

Master subdomain verification with real-world techniques and tools. Learn to improve security and SEO with effective strategies.

NetVizor Team
Mar 21, 2026

Related Tools

DNS Lookup

WHOIS Lookup

SSL Checker

Security Score

Popular Tools

MX Lookup

Blacklist Check

Email Validator

Email Header Analyzer

API Endpoint

POST /api/v1/dns/subdomains
View Documentation