UtilityKit

500+ fast, free tools. Most run in your browser only; Image & PDF tools upload files to the backend when you run them.

Subdomain Finder

Discover subdomains for any domain via passive enumeration of Certificate Transparency logs (crt.sh) — no scanning, no permission needed.

About Subdomain Finder

The Subdomain Finder enumerates subdomains for any domain by querying public Certificate Transparency log mirrors — primarily crt.sh, which aggregates every TLS certificate issued by participating CAs (Let's Encrypt, DigiCert, Sectigo, Google Trust Services, more). Because every issued cert must be logged to CT under modern browser policies (Chrome, Safari, Firefox enforce this), the CT log is a comprehensive record of which subdomains have ever had a public TLS certificate. The enumeration is fully passive — the target is not contacted, nothing is scanned — so the tool is safe to run against domains you don't own. Results are de-duplicated, sorted, and rendered as a filterable list with one-click copy. Use it for security audits, asset inventory across exposed sub-services, marketing teams cataloging campaign domains, and M&A due diligence.

Why use Subdomain Finder

  • Fully passive — the target is never contacted; safe for third-party recon.
  • CT logs are comprehensive — every modern public TLS cert is logged.
  • De-duplicated and sorted output, filterable in-page.
  • Copy entire list with one click for downstream tooling.
  • Each entry links to https://<sub> for fast visual triage.
  • Free, no API key, no signup — usable in tight security-review windows.

How to use Subdomain Finder

  1. Enter the apex domain — for example, example.com.
  2. Click Find subdomains to query crt.sh for every certificate issued under that domain.
  3. Wait 5-15 seconds — large domains can have thousands of CT entries.
  4. Use the inline filter to narrow the list (search for api., dev., staging., etc.).
  5. Click Copy list to grab the full set as plain text for further triage.
  6. Optionally pair with HTTP Headers Checker, SSL Certificate Checker, or DNS Lookup Tool to inspect each subdomain.

When to use Subdomain Finder

  • When auditing your own organization's exposed web footprint.
  • During penetration tests where the scope includes subdomain enumeration.
  • When mapping a target's infrastructure for competitive intelligence or M&A due diligence.
  • Whenever you suspect a forgotten dev or staging environment is leaking from a wildcard cert.
  • When validating that a wildcard cert hasn't unintentionally provisioned subdomains across a public CT log.
  • While building an inventory of all customer-facing endpoints under a parent brand.

Examples

Large public domain

Input: github.com

Output: ~600 subdomains found in CT logs — api., raw., gist., enterprise., codeload., etc.

Small org

Input: small-startup.example

Output: 12 subdomains — www., api., docs., staging., blog., status., etc.

Domain with no public certs

Input: internal-only.example

Output: No subdomains found in CT logs — domain has no public TLS certificates

Tips

  • CT is point-in-time — a subdomain that retired its cert before logs existed won't appear.
  • Wildcard certs (*.example.com) won't enumerate individual subdomains here — they show as the wildcard.
  • crt.sh occasionally rate-limits aggressive queries; large domains may take 10-15 seconds.
  • Combine with reverse-DNS (PTR) lookups on the resolved IPs to find non-CT subdomains.
  • For active enumeration (DNS brute-force), this tool is intentionally not the right one — that requires permission from the target.

Frequently Asked Questions

Is the queried domain sent to a third party?
Yes — by design. The tool queries crt.sh, a public CT log mirror, to retrieve cert-issued subdomains. crt.sh sees the query (that's how it works); nothing else stores the result.
How does this compare to dnsdumpster or hackertarget?
Functionally similar passive enumeration. Ours is free, signup-free, has an inline filter, and one-click copy. We focus on CT-only — for DNS brute-force or shared-hosting maps you'd want a dedicated tool.
Why doesn't every subdomain show up?
Only subdomains that have ever had a public TLS cert appear in CT logs. Internal-only or HTTP-only subdomains are invisible here. Wildcard certs also don't enumerate individual subdomains — they show as the wildcard pattern.
Is this legal to run against a domain I don't own?
CT logs are public and the queries are passive — nothing is scanned, nothing on the target is touched. This is generally accepted as legitimate research. Always confirm against your local jurisdiction and your organization's policies.
Can this detect subdomain takeover risk?
Indirectly. The list reveals candidates; you still need to check each one for a CNAME pointing to a deprovisioned third-party service. Pair with our DNS Lookup Tool.
What does 'passive' mean here?
The target host is never contacted. The query goes to a third-party CT log mirror; the target receives no traffic, sees no probes, gets no logs. That makes it safe and authorized in most contexts.
Why does the result count differ from dnsdumpster / Sublist3r?
Different sources. dnsdumpster combines CT, DNS brute-force, and search-engine sources. We use only CT for the simplicity guarantee. Combine multiple tools for a complete picture.
Why does the request take 10-15 seconds for big domains?
crt.sh's JSON endpoint has to assemble every cert issued under the pattern. Domains like github.com with millions of certs over time take real wall-clock to return.

Explore the category

DNS Lookup Tool Query public DNS records with SSRF-safe hostname validation SSL Certificate Checker Peek TLS certificate metadata with SSRF-safe hostname rules X.509 Certificate Inspector Decode PEM or DER (base64) X.509 certificates to extract subject, issuer, SANs, validity, key info, and fingerprints. WHOIS Domain Lookup Look up WHOIS registration data for any domain — registrar, creation date, expiry, name servers, and contact details. DNS Propagation Checker Check DNS propagation across multiple global nameservers to see how widely a recent DNS change has spread. Reverse DNS Lookup Perform a reverse DNS lookup (PTR record query) to find the hostname associated with any IP address.

Glossary

Certificate Transparency
RFC 6962 — public append-only logs that every browser-trusted CA must submit to. Modern browsers refuse certs not in CT.
crt.sh
A free public mirror of multiple CT logs. Provides a JSON API that returns every cert issued under a parent domain pattern.
Wildcard certificate
A TLS cert valid for *.example.com. Enumerates only as the wildcard string in CT logs — individual subdomains are not separately logged.
Passive recon
Reconnaissance that doesn't contact the target host. CT log enumeration is the canonical example.
DNS brute-force
Active enumeration that resolves a wordlist of likely names against the target. Not what this tool does — requires permission.
Subdomain takeover
When a subdomain points to a third-party service (S3, Heroku) that's been deprovisioned. Enumerating subdomains is the first step in detecting these.