How to Find All Subdomains of a Domain (Free, 2026 Guide)
A practical, free guide to subdomain enumeration in 2026 — Certificate Transparency logs, DNS, and passive sources — plus a free online subdomain finder you can use right now.
Subdomains are one of the most useful starting points in any reconnaissance or attack-surface review. A single company often runs dozens of subdomains — mail., dev., staging., vpn., api. — and each one is a potential entry point or an information leak. This guide explains, in plain terms, how subdomain discovery actually works in 2026 and how to do it for free, without installing anything.
Only enumerate subdomains for domains you own or are explicitly authorised to assess. Reconnaissance against third parties without permission can be illegal.
What is a subdomain, really?
A subdomain is a label placed in front of a registered domain — for example, blog.example.com is a subdomain of example.com. Technically each is just a DNS name that resolves (usually) to an IP address or another name. Organisations create them to separate services: a marketing site, an internal tool, an API, a staging environment, and so on. Because they are often spun up quickly and forgotten, they are a goldmine for OSINT and security testing.
The three main ways to discover subdomains
1. Certificate Transparency (CT) logs — the best passive source
Every time a website gets an HTTPS certificate from a public Certificate Authority, that certificate is published to public, append-only Certificate Transparency logs. Because certificates list the exact hostnames they cover, CT logs are effectively a public ledger of subdomains. Searching CT logs (via services like crt.sh) is passive — you never touch the target's servers — and it's the single most productive free technique.
Our free Subdomain Finder queries Certificate Transparency data for you and returns the unique hostnames it finds, deduplicated and sorted.
2. DNS enumeration
If you have a wordlist of common names (www, mail, dev, test, vpn, api, cpanel…), you can ask DNS whether each candidate resolves. This is 'active' — you are sending queries — but it catches subdomains that may never have had a public certificate. Combine it with the records you find using a DNS lookup tool to map the infrastructure.
3. Passive OSINT sources
- Search engines (site: operators) reveal indexed subdomains.
- Public datasets and DNS aggregators store historically observed hostnames.
- Code, docs and job posts sometimes leak internal hostnames.
- WHOIS/RDAP and IP/ASN data help you pivot to related infrastructure.
A simple, free workflow
- Start passive: run the target through Certificate Transparency (Subdomain Finder).
- Resolve what you find with a DNS lookup to see which are live and where they point.
- Pivot on IPs and ASNs with an IP lookup to find neighbouring hosts.
- Document everything; subdomains change often, so re-run periodically.
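As an added example (not the Subdomain Finder's own code), the first and last steps of this workflow can be scripted: the block below turns CT search results into a deduplicated, sorted hostname list and compares it with a documented inventory. It assumes input in the shape of crt.sh's JSON output, where each record has a `name_value` field of newline-separated names; the sample records, the inventory and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output (assumption: each
# record carries a "name_value" field holding newline-separated names).
SAMPLE_CT_JSON = """[
  {"name_value": "example.com\\nwww.example.com"},
  {"name_value": "*.dev.example.com\\nDEV.example.com"},
  {"name_value": "api.example.com.\\nadmin@example.com"},
  {"name_value": "shop.example.net\\nnotexample.com"},
  {"name_value": "staging.example.com"}
]"""


def hostnames_from_ct(ct_json, domain):
    """Return the sorted, unique in-scope hostnames named in CT records."""
    domain = domain.lower().rstrip(".")
    found = set()
    for record in json.loads(ct_json):
        for name in record.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):      # wildcard entry: keep the parent name
                name = name[2:]
            if not name or "@" in name:    # skip blanks and e-mail identities
                continue
            # Match on a label boundary so notexample.com is not in scope.
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def compare_with_inventory(documented, observed):
    """Return (seen in CT but undocumented, documented but absent from CT)."""
    documented, observed = set(documented), set(observed)
    return sorted(observed - documented), sorted(documented - observed)


if __name__ == "__main__":
    hosts = hostnames_from_ct(SAMPLE_CT_JSON, "example.com")
    print("\n".join(hosts))
    inventory = ["example.com", "www.example.com", "vpn.example.com"]  # constructed
    undocumented, no_cert = compare_with_inventory(inventory, hosts)
    print("in CT but not documented:", undocumented)
    print("documented but no certificate seen:", no_cert)
```

Names that appear only in the second list are the ones CT cannot show, so they are candidates for the DNS step rather than evidence that a host is gone.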
Why subdomains matter for security
Forgotten subdomains are a classic source of risk: an unused staging box with default credentials, an expired service pointing at a third party (subdomain takeover), or a dev environment that exposes internal APIs. Mapping your own subdomains regularly is one of the cheapest, highest-value security habits you can build.
Frequently asked questions
Is subdomain enumeration legal?
Passive techniques like reading public CT logs are generally fine, but always stay within authorisation and local law when probing systems you don't own.
Does this find every subdomain?
No single method is complete — combine CT logs, DNS and OSINT for the best coverage.