Best Subdomain Enumeration Tools and Techniques
The task of enumerating the subdomains of a domain, while it may appear simple at first glance, is in fact quite complicated. There is no one technique that can find every subdomain, and different tools produce different results because they rely on different sets of techniques.
In this post, we discuss the techniques that can be used for subdomain enumeration and some of the best tools that use these techniques with varying degrees of success.
Subdomain Enumeration Techniques
In general, subdomain discovery techniques can be categorized into passive and active methods.
Passive techniques gather subdomains without direct interaction with the target domain, while active techniques involve direct queries. We explain each type below.
Passive Enumeration
Passive subdomain enumeration techniques use publicly available information. They are not intrusive and don’t leave any digital footprints on the target’s servers.
- Enumeration using search engines: Regular search engines have advanced search operators that are useful during the reconnaissance phase. Google, for example, has a “site:” operator that tells the engine to return all indexed pages, including those on subdomains, for a given domain. This method is also called Google dorking.

- Certificate Transparency (CT) logs: CT logs are public, auditable records of all SSL/TLS certificates issued by Certificate Authorities. Every time a new SSL/TLS certificate is issued for a domain or subdomain, an entry is made in these logs. Therefore, querying CT logs can provide a list of subdomains, as organizations often secure even internal or test subdomains with SSL certificates.
- Using DNS aggregators: DNS aggregators like WhoisXML API collect and store DNS server data from various sources, such as public DNS zone transfers and queries, into a massive database of historical and current DNS records. This database can be a goldmine for passive subdomain enumeration, where you can discover subdomains that may be dormant, no longer active, or were only used for a short period of time, which would be impossible to find with live DNS queries alone.
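The CT-log technique above is easy to get subtly wrong in practice (mixed case, trailing dots, look-alike names such as example.com.evil.test, and wildcard certificates that name no real host). The following is an added example, not code from the original post or from any tool it names; it parses crt.sh-style JSON records (assumption: a `name_value` field listing one SAN per line) over a constructed sample and reduces them to a clean set of in-scope subdomains:

```python
import json
import re

# Constructed sample in the shape of crt.sh's JSON output (assumption: the
# "name_value" field lists one SAN per line). Not real certificate data.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"id": 2, "common_name": "*.example.com", "name_value": "*.example.com\nexample.com"},
    {"id": 3, "common_name": "Dev-API.Example.COM.", "name_value": "Dev-API.Example.COM.\nstaging.example.com"},
    {"id": 4, "common_name": "example.com.evil.test", "name_value": "example.com.evil.test\nnotexample.com"},
    {"id": 5, "common_name": "www.example.com", "name_value": "www.example.com"},  # re-issuance
])

# RFC 1123-style hostname: labels of letters, digits and inner hyphens.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]+$")


def normalize(name: str) -> str:
    """Lowercase, strip surrounding whitespace and a trailing root dot."""
    return name.strip().lower().rstrip(".")


def in_scope(name: str, domain: str) -> bool:
    """Apex or a label strictly under it; rejects look-alikes like notexample.com."""
    return name == domain or name.endswith("." + domain)


def subdomains_from_ct(ct_json: str, domain: str):
    """Return (subdomains, wildcards) as sorted, deduplicated lists.

    Wildcard SANs (*.example.com) prove a wildcard certificate exists but
    name no concrete host, so they are reported separately, not as findings.
    """
    domain = normalize(domain)
    hosts, wildcards = set(), set()
    for record in json.loads(ct_json):
        # name_value carries every SAN; common_name usually repeats one of them.
        candidates = record.get("name_value", "").splitlines() + [record.get("common_name", "")]
        for raw in candidates:
            name = normalize(raw)
            if name.startswith("*."):
                if in_scope(name[2:], domain):
                    wildcards.add(name)
            elif name and in_scope(name, domain) and HOSTNAME_RE.match(name):
                hosts.add(name)
    hosts.discard(domain)  # the apex is the input, not a discovery
    return sorted(hosts), sorted(wildcards)
```

Against the sample, three concrete hosts survive and the wildcard entry is reported on its own, while the two out-of-scope names are rejected.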
Active Enumeration
Active subdomain enumeration techniques are more direct than passive techniques. They involve sending requests to the target’s servers, which means they are easily detected.
- Brute-forcing subdomains: In DNS brute-forcing, you first need a wordlist — a list of common words used in subdomains or permutations of existing subdomains (e.g., api.example[.]com, api-dev.example[.]com, dev.example[.]com, and dev-api.example[.]com). You then attempt to resolve those subdomains using tools like PureDNS and dnsx. Brute-forcing generates huge amounts of DNS queries, which may result in getting blocked.
- Virtual host enumeration: Penetration testers (or attackers) use this technique to discover hidden or unadvertised websites hosted on the same IP address. Instead of relying solely on DNS records, they send HTTP requests with different Host headers to the target server. Since many web servers host multiple domains (using virtual hosting), the server may respond differently depending on the Host value, revealing subdomains or websites that aren’t publicly listed in DNS. Virtual host enumeration is important because organizations often host multiple subdomains on a single web server, but not all of them are intended to be public. These subdomains could point to hidden services or shadow IT.
- Web crawling: This is a reconnaissance process that automates the task of following links and discovering new subdomains within a website or web application. A crawler systematically browses the site and extracts every URL and hostname (along with their SSL/TLS certificate details) to discover subdomains that would be too time-consuming to find manually. It then sends DNS or HTTP queries to verify which subdomains are live. This method yields very few false positives because you are directly verifying each potential subdomain, but it may not find subdomains that are not linked from the main site.
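The brute-forcing bullet above, together with the wildcard problem the conclusion raises, is best seen in working code. This is an added example, not code from the original post or from PureDNS or dnsx: it builds the api/dev style permutations, probes random labels to learn what a wildcard record answers, and drops candidates that return only that answer. The resolver is injected as a function, and a constructed fake zone stands in for live DNS so the block runs offline.

```python
import secrets
from typing import Callable, Dict, List, Optional, Set, Tuple

# A resolver maps a hostname to its A records, or None when the name does not
# exist. Wrap socket.gethostbyname_ex or dnspython for real lookups; the
# constructed fake zone below keeps this example offline.
Resolver = Callable[[str], Optional[List[str]]]

# Constructed zone (TEST-NET-3 addresses): two real hosts plus a wildcard
# record that answers every other label under example.com.
FAKE_ZONE: Dict[str, List[str]] = {
    "api.example.com": ["203.0.113.10"],
    "dev.example.com": ["203.0.113.20"],
}
WILDCARD_ANSWER = ["203.0.113.50"]

def fake_resolve(host: str) -> Optional[List[str]]:
    if host in FAKE_ZONE:
        return FAKE_ZONE[host]
    return WILDCARD_ANSWER if host.endswith(".example.com") else None

def permutations(words: List[str]) -> Set[str]:
    """Plain words plus every hyphenated pair: api, dev -> api-dev, dev-api."""
    out = set(words)
    out.update(f"{a}-{b}" for a in words for b in words if a != b)
    return out

def wildcard_answers(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve random labels nobody would register; any answer reveals a wildcard."""
    answers: Set[str] = set()
    for _ in range(probes):
        ips = resolve(f"{secrets.token_hex(8)}.{domain}")
        answers.update(ips or [])
    return answers

def brute_force(domain: str, words: List[str], resolve: Resolver) -> Tuple[Dict[str, List[str]], int]:
    """Return (hosts with a non-wildcard answer, count of candidates dropped as wildcard hits)."""
    wild = wildcard_answers(domain, resolve)
    found: Dict[str, List[str]] = {}
    dropped = 0
    for label in sorted(permutations(words)):
        host = f"{label}.{domain}"
        ips = resolve(host)
        if ips and set(ips) <= wild:  # same answer as the random probes
            dropped += 1
        elif ips:
            found[host] = ips
    return found, dropped
```

With the words api, dev and mail, nine candidates resolve but only two are real; the other seven are wildcard hits that a naive resolver loop would report as subdomains. The address-based filter cannot separate a genuine host that happens to share the wildcard's IP, so dropped names are unverified rather than proven absent.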
Best Subdomain Enumeration Tools
Now that we’ve covered the techniques, let's explore some of the most popular subdomain finder tools that put these methods (or a combination of them) into practice.
1. WhoisXML API’s Subdomains Lookup API
WhoisXML API offers a solution for passive subdomain enumeration through its Subdomain Lookup API. The tool uses a combination of data sources, including passive DNS, WHOIS, certificate transparency logs, and many other repositories, making it helpful in discovering subdomains that are no longer active or visible when querying live DNS servers. As a result, WhoisXML API has gathered a massive database of subdomains and updates it on a regular basis.
The Subdomains Lookup API is easy to use — just query the target domain name and wait for the tool to retrieve its subdomains from the database, along with the dates when the subdomain was first and last seen.

The tool’s subdomain enumeration service can be accessed through various delivery models, including a graphical user interface (GUI) for manual lookups, an API for integration into scripts and applications, and a large, downloadable database as well. Recently, WhoisXML API introduced an MCP server, which allows users to use large language model (LLM) applications such as Claude or Gemini CLI to perform subdomain enumeration and also access 16 other tools using the same API keys.
You can get 500 free API credits (50 API calls) as soon as you sign up. If you need to perform more Subdomains Lookup API calls, the subscription starts at $19.00 per month for 100 API calls.
2. OWASP Amass
Amass is an open-source external attack surface and asset discovery tool from the OWASP project, with subdomain enumeration as one of its capabilities. Amass is known for its hybrid approach to subdomain enumeration, using both passive and active techniques. It gathers data from public sources like search engines and SSL certificate logs (passive), and also performs direct DNS queries, web crawling, and brute-forcing (active). Amass can connect to external services using API keys, including WhoisXML API tools, to enrich the results.
Amass comes preinstalled in Kali Linux. On other operating systems, it can be installed through package managers such as Homebrew with the following commands:
brew tap owasp-amass/homebrew-amass
brew install amass
Alternatively, you can build it from source, which requires a properly configured Go environment, or use a Docker image. Once that’s done, users can start using Amass by running it from the command line, such as:
amass enum -d example.com
Here’s a sample output from an OWASP Amass tutorial:

3. SubFinder
SubFinder is an open-source passive subdomain discovery tool built by ProjectDiscovery, which uses multiple online data sources like public DNS databases, Google dorking, and CT logs. The tool can also be configured to use third-party API keys from services that provide passive reconnaissance data, including WhoisXML API.
Like Amass, SubFinder needs a working Go environment, as the tool is written in Go. You use the following command:
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
to download and compile the source code, so that you can then call it from the command line.
If you don't have a Go environment or prefer not to use the go install command, you can download a precompiled binary for your operating system.
With the tool installed, you can get a list of subdomains for a target domain using the command:
subfinder -d example.com
or
subfinder -d example.com -o output.txt
to save the results to a TXT file.
4. Puredns
While it’s not a subdomain finder tool in itself, Puredns performs an important component of active subdomain enumeration — DNS brute-forcing and resolving. The tool takes a list of potential subdomains (generated by other tools) and checks which ones are active by performing DNS queries, effectively filtering out non-existent subdomains.
To use Puredns, you need a wordlist and a root domain (or multiple root domains saved in a TXT file) that you pass as arguments to the tool for brute-forcing or resolving. The free and open-source project is actively supported and maintained.
The simplest way to set up Puredns is by using the Go programming language installer, provided you have at least Go 1.17. The table below shows typical Puredns commands you can use once the tool is up and running in your environment.
| Function | Command |
| --- | --- |
| DNS brute-forcing | puredns bruteforce all.txt -d domains.txt |
| Resolving a list of domains | puredns resolve domains.txt |
Unlike Amass and SubFinder, Puredns is not an install-in-one-click tool: it depends on another package, Massdns, and on a list of public DNS resolvers that you must obtain separately.
5. Pentest Tools’ Subdomain Finder
Pentest Tools’ Subdomain Finder is a web-based tool that combines both passive and active enumeration techniques. The tool offers two types of scans — light and deep. Light scans are for fast subdomain enumeration, where the tool searches public DNS records and uses a small wordlist to perform a quick brute-force check. Users are allowed two free light scans per day.

Deep scans use more passive and active techniques, including the use of CT logs, search engines, external APIs, brute-forcing, and reverse DNS searches. However, they are only available to paying customers, and plans with deep subdomain enumeration start at $119 per month (WebNetSec package for five assets).
6. Sublist3r
Sublist3r is a Python-based tool designed to enumerate subdomains of web applications by using Open-Source Intelligence (OSINT). It gathers subdomains from a variety of sources, including search engines and external services (e.g., VirusTotal, ThreatCrowd, Netcraft). The tool can also perform active subdomain enumeration, as it includes a brute-force module called SubBrute, which sends DNS queries to the target to find subdomains using a wordlist.
It’s worth noting that Sublist3r is no longer actively maintained and appears to have been abandoned by its creator. At the time of writing, it has not been updated in five years, but security professionals still use it for penetration testing and bug bounty hunting. To install the tool, you first need to clone the repository
git clone https://github.com/aboul3la/Sublist3r.git
and install dependencies.
Once set up, you can run the tool from the command line, using the -d flag to find subdomains for a specific domain name. The command looks like this:
python sublist3r.py -d example.com
To enable the brute-force module for a more thorough scan, add the -b flag:
python sublist3r.py -b -d example.com
7. C99.nl’s Subdomain Finder
C99.nl’s Subdomain Finder is an online tool that uses passive subdomain enumeration techniques. It returns a list of subdomains for a given domain, along with their IP addresses. Subdomain Finder also checks whether a subdomain is tunneling through Cloudflare, and this is included in the lookup results.

Subdomain Finder is free to use, although it detected fewer subdomains for the same target domain than the Subdomains Lookup API did.
Conclusion
Whether it's for attack surface mapping, security assessments, bug bounty hunting, penetration testing, or other use cases, most tools that employ passive enumeration techniques, like WhoisXML API’s Subdomains Lookup API, can often provide a sufficient list of subdomains without generating a log on the target server. These tools offer a plug-and-play solution, making them ideal for a quick and stealthy subdomain enumeration without any complex setup.
However, passive tools may struggle with wildcard subdomains, which can lead to a long list of false positives and a bloated attack surface if not handled correctly. Active subdomain enumeration generates fewer false positives, but in reality, purely active enumeration tools don’t exist. Most solutions combine active and passive methods, which are ideal if active reconnaissance is allowed and there’s no need for stealth.
Also, regardless of whether they are purely passive or have an active component, subdomain enumeration tools rely on high-quality passive DNS data, which is why open-source tools like Amass and SubFinder can be configured to connect to WhoisXML API’s subdomain and DNS repository via API keys. Without access to such data sources, subdomain enumeration tools may produce subpar results.