Free subdomain finder online 🛡️ find subdomains of domain (2024)

What is a Subdomain Finder?

A Subdomain Finder is a subdomain enumeration tool that helps you discover subdomain hosts (aka subdomain FQDNs) which serve specific functions for your target (e.g. hosting public websites, private subdomains for testing web apps, URLs where you can find backups, etc.).

Manual methods involve a lot of time and effort to retrieve subdomain information, taking away precious resources from completing your time-limited engagements.

Since finding subdomains is an important step in the information gathering stage of a penetration test, we built a Subdomain Finder to maximize your chances of finding vulnerabilities worth pursuing.

For an ethical hacker, subdomains are interesting because they point to various (less-known) applications and indicate various external network ranges the target company uses.

For instance, a subdomain finder report might show you that subdom1.company.com points to IP 1.1.1.1 and subdom2.company.com points to IP 2.2.2.2. Now you know two different IP addresses your target organization might own and you can extend the attack surface while still operating in the scope of the engagement.

Subdomains sometimes host applications for internal use (e.g. test, development, backup, restricted) that are usually less secure than public/official applications, which makes them attractive targets for cybercriminals.

Our automatic subdomain enumeration helps you retrieve not just subdomains, but also their IP address, WHOIS information (netname and country), OS, server and its technology, plus the web platform running on them and the page title – all in scope of the security assessment you’re tasked with performing.

What makes our Subdomain Finder different

The effectiveness of any pentesting tool depends on the ecosystem it’s part of. Because we know much work it takes to connect different tools and ensure you can follow your workflow without interruptions, we built Pentest-Tools.com with this in mind.

Instead of offering a Subdomain Scanner as a standalone tool, we chose to offer the ability to chain the results with our other tools from the start. As a result, our platform provides an entire ecosystem of tools and features you can even combine into automated testing sequences.

To make it easy for you to find all subdomains and identify low hanging fruit as well as less obvious potential entry points, we combined almost a dozen search methods with various enumeration wordlist options, and even the ability to include unresolved subdomains.

On top of the ability to use your own wordlists for enumeration and fuzzing, you can also use our Subdomain Finder to get extra information about the subdomains it finds, including IP address, WHOIS, and web server and web technologies information built-in (if applicable). Plus, you can easily filter results to surface the most useful findings you need to move forward.

How our Subdomain Finder works

If you’re looking for domain checker tools that are free to use, you can try our Subdomain Finder for free with the Light scan version. This searches DNS records (NS, MX, TXT, AXFR) and performs subdomain enumeration using a built-in wordlist.

The Deep scan version delivers speed, accuracy and extensiveness, all together, along with access to all the pentesting tools and features on the platform. The Deep scan uses multiple techniques to find subdomains fast and effectively:

  • DNS records (NS, MX, TXT, AXFR)
  • Enumeration using built-in wordlists, plus the option to use your own
  • External APIs search
  • Public search engine queries (Google search, Bing)
  • Word mutation techniques
  • Searching in SSL certificates
  • Parsing HTML links
  • Reverse DNS on target IP ranges
  • Generates permutations and alterations of the subdomain names found so far in the scan
  • Searching in CNAME records

On top of the subdomains list, you can customize the output to include:

  • Unresolved domains
  • IP addresses of the found subdomains
  • WHOIS information
  • Operating system information
  • Web server and web technologies.
Free subdomain finder online 🛡️ find subdomains of domain (1)

Subdomain Finder is a comprehensive tool, so scan duration varies depending on the target. For an average domain, a subdomain scan takes just a few minutes. For instance, it can return up to 500 results in under 10 minutes.

For domains with thousands or tens of thousands of subdomains, such as websites in the government, educational, medical, etc. sectors, subdomain scans can take up to a few hours. To slightly increase scanning speed, deactivate the “Detect web technologies” option.

Scanning parameters for paying customers

When you choose a paid plan and log into your Pentest-Tools.com account, you get eight additional detections methods and can select and combine the following subdomain scanning parameters to customize the output:

ParameterDescription
Include IP informationCheck this to instruct the tool to do WHOIS queries in order to determine the network owners and country for each IP address.
Detect web technologies Use this option to have the tool try to find more details about each extracted subdomain, such as: OS, Server, Technology, Web Platform and Page Title.
Include unresolved subdomainsGives you the option of keeping unresolved subdomains in the list of results, but without an IP address.

What to do next

Besides the Subdomain Finder, you have other domain checker tools on Pentest-Tools.com, along with a full arsenal of vulnerability scanners and exploitation tools.

Our solution for finding domains, our free Google Hacking tool, and Find Virtual Hosts provide breadth by extending your attack surface. Enhance your reconnaissance work with complementary tools such as the Port Scanner, the UDP Port Scanner, and the Website Recon tool which provide you with in-depth information about a specific target.

Our Subdomain Finder is also closely connected to all other tools on the platform, which allows you to get much more information about subdomains and act on it with precision and speed.

Web vulnerability scanners, web CMS scanners, and network vulnerability scanners are all available from your online account, along with powerful offensive tools (e.g. URL Fuzzer, Subdomain Takeover, Sniper Auto-Exploiter, and more).

We make it easy to access the one that is relevant to your next steps from the list of subdomain results to remove as much repetitive work from your day as possible.

Free subdomain finder online 🛡️ find subdomains of domain (2)

Automation features also help you expedite entire testing sequences. For instance, Recon Robot, one of our pentest robots, automatically discovers all subdomains of any given domain, does full port scanning and service discovery, and gathers technologies and takes screenshots for each web port it finds. It also delivers all the data it aggregates in the unified Attack Surface view. All without you having to wait for scans to finish to start follow-up scans with different tools and other work that disrupts your flow.

Use this Subdomain Finder with other features in our cloud platform to further boost its capabilities:

  • Webhooks for real-time notifications
  • Scheduled scans and bulk scanning
  • sharing for effective collaboration
  • Finding templates and report templates for high-speed reporting
  • API access for integrating it into your own pentesting stack.

Plus, the entire arsenal on Pentest-Tools.com gets updates on a regular basis, consistently growing stronger with new features.

Free subdomain finder online 🛡️ find subdomains of domain (2024)

FAQs

Is there a way to find all subdomains? ›

The Deep scan uses multiple techniques to find subdomains fast and effectively:
  1. DNS records (NS, MX, TXT, AXFR)
  2. Enumeration using built-in wordlists, plus the option to use your own.
  3. External APIs search.
  4. Public search engine queries (Google search, Bing)
  5. Word mutation techniques.
  6. Searching in SSL certificates.

What is the best tool to find subdomains? ›

Here are ten highly effective options.
  • Google Dorking. Google Dorking is a passive subdomain enumeration technique using Google's advanced search operators, like "site:" to find information about a target, including subdomains. ...
  • Sublist3r. ...
  • Amass. ...
  • Recon-ng. ...
  • SubDomainizer. ...
  • Pentest Tools Subdomain Finder. ...
  • crt.sh. ...
  • Shodan.
May 13, 2024

How to find the subdomain of a website online? ›

Online subdomain finder, discovery and research tools to collect and gather DNS information about hosts
  1. Knockpy.
  2. Sublist3r.
  3. DNSscan(Realtime)
  4. Anubis enumeration.
  5. Amass.
  6. Nmap(dns-brute.nse)
  7. Lepus.
  8. Censys finder.

How do I find subdomains of a domain using NsLookup? ›

Find Subdomains of a Domain with NsLookup:

Replace “example.com” with the domain name you are interested in. This command will return a list of the authoritative name servers for the domain, which can often include the subdomains.

Do subdomains show up on Google search? ›

The short answer is yes, Google can and will index and rank subdomains unless you explicitly take steps to ensure they're excluded from its index. Google's entire business model is based on discovering content. The same goes for all search engines.

What search phrase can be used to find subdomains of a website? ›

By search engines

These operators are often referred to as Google Dorks. We can use site: operator in Google search to find all the Subdomains that Google has found for a Domain. Lets take an example on “site:vulnweb.com”.

Are subdomains free with domain? ›

On your domain, you can create multiple separate independent websites, often at no cost. If your website domain is example.com, you can set up different subdomains, such as blog.example.com and shop.example.com.

Why subdomains are bad for SEO? ›

One disadvantage of using subdomains for SEO is that they are treated as separate entities by search engines, which can dilute the overall authority of your main site. Additionally, managing content on subdomains can be more complex than on a subdirectory, as it requires separate hosting and maintenance.

Which subdomain is historically the most used? ›

Default subdomain www is used by 39.7% of all the websites.

How do I find all the subsites of a website? ›

You can usually locate it in the root or footer section of the website. For example, the XML sitemap URL could be “www.example.com/sitemap.xml“. Once you click on the sitemap, you will find all pages & subpages of a website. You can use different sitemap generation tools if you don't have an existing sitemap.

What is a wappalyzer? ›

Wappalyzer is a technology profiler that shows you what websites are built with. Find out what CMS a website is using, as well as any framework, ecommerce platform, JavaScript libraries and many more.

What is a subfinder? ›

subfinder is a subdomain discovery tool that returns valid subdomains for websites, using passive online sources. It has a simple, modular architecture and is optimized for speed. subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well.

How many subdomains does a domain have? ›

Characteristics and Parameters of a Subdomain

A domain can have up to 500 subdomains. You can create multiple levels of subdomains such as store.product.yoursite.com, test.forum.yoursite.com, etc. Each subdomain can be up to 255 characters long, but for multi level subdomains, each level can only be 63 characters long.

Do subdomains have their own DNS? ›

Each name has its own DNS records – really, the whole point of subdomains is that each of them can have different records (and point to different IP addresses) than the main domain. Because of that, each name is cached independently.

How to list all DNS records in nslookup? ›

Using nslookup online is very simple. Enter a domain name in the search bar above and hit 'enter'. This will take you to an overview of DNS records for the domain name you specified.

How many subdomains is too many? ›

A domain can have up to 500 subdomains. You can create multiple levels of subdomains such as store.product.yoursite.com, test.forum.yoursite.com, etc. Each subdomain can be up to 255 characters long, but for multi level subdomains, each level can only be 63 characters long.

How do I find dangling subdomains? ›

To identify DNS entries within your organization that might be dangling, use Microsoft's GitHub-hosted PowerShell tools "Get-DanglingDnsRecords". This tool helps Azure customers list all domains with a CNAME associated to an existing Azure resource that was created on their subscriptions or tenants.

References

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Lilliana Bartoletti

Last Updated:

Views: 5629

Rating: 4.2 / 5 (73 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Lilliana Bartoletti

Birthday: 1999-11-18

Address: 58866 Tricia Spurs, North Melvinberg, HI 91346-3774

Phone: +50616620367928

Job: Real-Estate Liaison

Hobby: Graffiti, Astronomy, Handball, Magic, Origami, Fashion, Foreign language learning

Introduction: My name is Lilliana Bartoletti, I am a adventurous, pleasant, shiny, beautiful, handsome, zealous, tasty person who loves writing and wants to share my knowledge and understanding with you.