Subfinder

Passive Subdomain Enumerator

"Passive subdomain discovery from 40+ sources — Certificate Transparency, DNS records, search engines, and more."

What it does

The attack surface of an organization is almost always larger than anyone knows. Production subdomains, forgotten staging environments, internal tools accidentally exposed, old services left running — subfinder finds them all using passive sources that require no active scanning of the target.

subfinder queries 40+ passive sources simultaneously: Certificate Transparency logs (every SSL cert ever issued is public), DNS enumeration datasets, passive DNS databases, search engine indices, GitHub, Shodan, and more. Because it's entirely passive, it's undetectable — no requests are sent to the target itself.

The optional recursive setting runs subfinder on every discovered subdomain, revealing the full depth of the subdomain tree. This is essential for large organizations where api.internal.example.com might be more interesting than api.example.com.

Scan options

OptionDescriptionEst. time

recursive OFFDEFAULT

Standard discovery — subdomains of the target domain only

~30 sec/host

recursive ON

Also enumerate subdomains of discovered subdomains. Slower but thorough for large orgs.

~2 min/host

Example findings

INFOSubdomain Discovered: api.example.comsubfinder

INFOSubdomain Discovered: admin.example.comsubfinder

INFOSubdomain Discovered: dev-internal.example.comsubfinder

INFO12 total subdomains discoveredsubfinder

← Back to all tools ▶ Scan with Subfinder

What it finds

▸All subdomains of the target domain (passive, undetectable)
▸Subdomains of subdomains (with recursive mode)
▸Forgotten staging and development environments
▸Internal tools accidentally exposed
▸Third-party service integrations (mail.domain.com → SendGrid)

Works well with

Nmap →HTTPX →Subdomain Takeover →DNS Recon →