
Find Subdomains

Subdomain discovery identifies hosts under your domain that may be forgotten, misconfigured, or vulnerable. Mapping your attack surface helps prioritize security work and reduce risk from orphaned or overlooked assets.

What Is Subdomain Discovery?

Subdomain enumeration finds hosts like mail.example.com, api.example.com, dev.example.com, or staging.example.com. Each subdomain may run different applications, use different frameworks, or have weaker security than the main site. Attackers use subdomain discovery to map more of a target's attack surface and find forgotten or misconfigured hosts. Defenders use it to build an asset inventory and prioritize hardening.

Orphaned subdomains are a common problem. A dev or staging environment created years ago may still resolve but run outdated software. Mergers and acquisitions leave behind legacy subdomains. Marketing campaigns spin up temporary subdomains that are never retired. Each of these can become an entry point if not discovered and secured.

Why It Matters

  • Attack surface: More subdomains mean more potential entry points for attackers
  • Orphaned hosts: Forgotten subdomains may be unpatched and unmonitored
  • Asset inventory: Know what you have before securing it
  • Compliance: Asset discovery supports security audits and risk assessments

Passive vs Active Discovery

Passive subdomain discovery uses public data sources: certificate transparency logs, DNS archives, search engine indices, and threat intelligence feeds. It does not send traffic to your domain and is safe for any target. Vulnify's passive subdomain discovery tool runs low-noise enumeration using these sources. Passive discovery may miss subdomains that have never appeared in public data.

Active discovery brute-forces DNS with wordlists (e.g. subdomains.txt, SecLists), querying common subdomain names. It generates DNS traffic to your domain and should only be used on domains you own or have permission to test. Active methods can find subdomains that passive sources miss but may trigger rate limits or monitoring alerts.

How to Find Subdomains

Start with passive discovery. Use Vulnify's passive subdomain discovery tool to get a baseline without generating traffic. Review certificate transparency for your domain; every TLS certificate issuance is logged and often reveals subdomains. Check DNS for common names like www, mail, api, dev, staging, admin, and test.

Document discovered assets: which team owns each, whether it is still in use, and what software it runs. Decommission or secure orphaned subdomains. For active discovery on your own domains, use wordlists and DNS enumeration tools; ensure you have authorization.

Discovery Checklist

  • Run passive subdomain discovery
  • Review certificate transparency for your domain
  • Check DNS for common subdomain names
  • Document and secure discovered assets
  • Decommission or harden orphaned hosts
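
The certificate transparency review and the "document discovered assets" step above can be combined into an inventory diff. The following is an added example, not part of the original page or of Vulnify's tooling: it assumes CT entries exported as JSON with newline-separated names in a `name_value` field (the shape of a crt.sh export), and the sample records and the `INVENTORY` mapping are constructed.

```python
import json

# Constructed sample: CT log entries in the shape of a crt.sh JSON export
# (assumption: "name_value" holds newline-separated certificate names).
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com", "not_after": "2026-03-01T00:00:00"},
    {"name_value": "*.dev.example.com\napi.example.com", "not_after": "2026-01-15T00:00:00"},
    {"name_value": "Staging.Example.com.", "not_after": "2021-06-30T00:00:00"},
    {"name_value": "promo2019.example.com", "not_after": "2019-12-31T00:00:00"},
    {"name_value": "mail.example.org\nnotexample.com", "not_after": "2026-02-01T00:00:00"},
])

# Hypothetical asset inventory: hostname -> owning team.
INVENTORY = {"example.com": "web", "www.example.com": "web", "api.example.com": "platform"}

def normalize(name):
    """Lowercase, strip a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def in_scope(name, domain):
    """True only for the domain itself or a real subdomain (label-boundary match)."""
    return name == domain or name.endswith("." + domain)

def subdomains_from_ct(ct_json, domain):
    """Return {hostname: latest not_after seen} for names under domain."""
    found = {}
    for entry in json.loads(ct_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = normalize(raw)
            if name and in_scope(name, domain):
                # ISO 8601 timestamps in one format compare correctly as strings.
                found[name] = max(found.get(name, ""), entry.get("not_after", ""))
    return found

def untracked(found, inventory):
    """Hosts seen in CT but missing from the inventory, sorted."""
    return sorted(h for h in found if h not in inventory)

if __name__ == "__main__":
    seen = subdomains_from_ct(SAMPLE_CT_JSON, "example.com")
    for host in untracked(seen, INVENTORY):
        print(f"{host}  last cert expires {seen[host]}  owner: UNKNOWN")
```

The label-boundary check in `in_scope` keeps look-alike names such as notexample.com out of the inventory, and a wildcard entry is recorded as its parent name because the certificate alone does not say which hosts exist beneath it.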

What to Do After Discovery

Triage discovered subdomains: identify owners, determine if still in use, and assess risk. Orphaned subdomains should be decommissioned or locked down. Active subdomains need the same security posture as the main site: HTTPS, security headers, and regular vulnerability scanning. Use the fix orphaned subdomains guide for remediation guidance.

Remediation Priority

  • Orphaned: Decommission or restrict access
  • Dev/Staging: Restrict to VPN or IP allowlist
  • Production: Apply same security as main site

Frequently Asked Questions

How do I find subdomains?

Use Vulnify's passive subdomain discovery tool. It uses certificate transparency and other passive sources without sending traffic to your domain.

Is passive discovery safe for any domain?

Yes. Passive discovery only queries public data sources. It does not send requests to your servers.

What is an orphaned subdomain?

A subdomain that still resolves but is no longer actively used or maintained. Often from old projects, dev environments, or acquisitions.
