One domain. Every subdomain it exposes.
Subfinder is the free online subdomain discovery tool: enter a domain for passive subdomain enumeration across 40+ sources, in one report.
- Sign in to scan
- Private & passive
Every subdomain a domain exposes, one consolidated report.
Wherever a subdomain has been seen in public records, stitched into one report.
- SOURCE / 01
Certificate transparency logs
- SOURCE / 02
Passive DNS aggregators
- SOURCE / 03
Search engines & web archives
- SOURCE / 04
Threat-intelligence feeds
- SOURCE / 05
Other passive sources
$ only subdomains that already appear in public passive sources. No brute force, no scanning of the target's servers.
Subfinder online: the free subdomain discovery and enumeration tool
Subfinder is a free subdomain discovery tool that runs entirely online, no install, no API key, no command line. Paste any domain and Subfinder performs live passive subdomain enumeration across 40+ sources, then returns one report of every subdomain the domain exposes. It is the browser version of the open-source Subfinder project from ProjectDiscovery on GitHub, rebuilt as an online recon tool you can run from any device.
Whether you need subdomain discovery, attack-surface mapping, bug-bounty recon or a quick way to list the subdomains of a domain, it is the same engine in one place. Every query reads only public passive sources, so Subfinder can enumerate a domain's subdomains without ever touching its servers.
Subdomain finder
Run subdomain discovery from a single domain and find every subdomain attached to it, the modern subdomain finder security teams actually use.
Passive enumeration
A full passive subdomain enumeration in your browser: query a domain across 40+ sources and read a report broken down by source, with zero traffic to the target.
Attack-surface mapping
Map an attack surface in seconds. Subfinder is a free subdomain lookup that surfaces the hosts attached to a domain across the sources that matter.
DNS reconnaissance
Use Subfinder for DNS reconnaissance: enumerate a domain or any organization to see which subdomains are exposed and which currently resolve.
Search by domain
Search by domain to map a digital footprint, an asset-discovery primitive that returns hosts, not paywalls. See where a domain's infrastructure leads next.
Enumerate without scanning
Enumerate subdomains without scanning the target. Subfinder only reads public passive sources, so the lookup stays silent and the owner is never alerted.
Explore more subdomain discovery and recon guides
Subfinder sits at the centre of a full set of online recon tools. Dive deeper into each technique:
From domain to subdomain map in three steps.
Nothing to install, no setup. Drop a domain and see every subdomain it exposes.
- STEP / 01
Drop a domain
inputPaste any root domain. The engine knows which 40+ passive sources to query, no configuration required.
- STEP / 02
Query every source
processSubfinder asks each supported passive source which subdomains it has seen and stitches the responses into one consolidated report.
- STEP / 03
Read the result
outputEvery result is broken down into clear sections: which subdomains were found, which are live, and which source each one came from.
Built for people who already know what they're looking for.
Three audiences keep coming back. Different goals, same primitive: a domain in, a map of every subdomain it exposes out.
- 01
Red teams & pentesters
Map the external attack surface of a target in seconds. See which subdomains resolve, then pivot to forgotten hosts, staging environments and exposed panels.
- Map the attack surface
- Spot staging & dev hosts
- Pre-engagement recon
- 02
Bug bounty hunters
Expand a program's scope fast: enumerate every subdomain of an in-scope domain to find the assets other hunters miss and get to a bug first.
- Scope expansion
- Asset discovery
- Continuous monitoring
- 03
Security & asset teams
Keep an inventory of your own exposed subdomains: catch shadow IT, expiring hosts and takeover-prone records before an attacker does.
- Attack-surface inventory
- Shadow-IT discovery
- Takeover prevention
Why Subfinder
A single console for the kind of recon that usually requires juggling half a dozen scripts and API keys.
Frequently asked questions
What the recon community asks most often before paying attention.