Subdomain Finder — Find All Subdomains of Any Domain
Free online subdomain enumeration tool powered by Certificate Transparency logs. Discover every public subdomain of any website in seconds — used by SEO auditors, bug bounty hunters, and security researchers. Last updated: January 2026.
Find Subdomains
Enter any root domain to discover its subdomains from public Certificate Transparency logs.
tesla.com, not www.tesla.com or shop.tesla.com). Results are sorted alphabetically — click any subdomain to copy it.
Protect your own attack surface while you research others
If you're doing reconnaissance work, your own IP is exposed to every domain you query. NordVPN masks your real IP with military-grade encryption, plus rotates through 6,000+ servers — essential when you don't want your research traffic traced back to you.
Get NordVPN — 30-day money-back guarantee →How this subdomain finder works
Unlike brute-force tools that guess subdomain names from wordlists, this tool uses passive enumeration via Certificate Transparency (CT) logs. Every time a website obtains an SSL certificate from a Certificate Authority (Let's Encrypt, DigiCert, Sectigo, etc.), that certificate is required to be published in public, append-only CT logs — a system mandated by major browsers since 2018.
Because nearly every modern subdomain uses HTTPS, those subdomains end up in the CT log forever. We query crt.sh — the most comprehensive CT log search engine — and surface the results in a clean, copyable format.
What this means in practice: the results are typically more accurate than wordlist-based scanners, and they include subdomains that aren't publicly linked anywhere.
🔍 CT Log Powered
Queries crt.sh — the most reliable subdomain data source.
⚡ Instant Results
Most domains return results in 2-5 seconds.
🆓 No Signup
No API key, no rate limits, no login required.
🤫 Passive Recon
Zero traffic sent to the target domain.
📋 One-Click Copy
Click any subdomain to copy it to clipboard.
📱 Works Anywhere
Any browser, any device, no installation.
How to find subdomains in 3 steps
- Enter a root domain. Use the bare domain like
example.com— nowww, nohttps://, no trailing paths. - Click "Find Subdomains". The tool queries the public Certificate Transparency database in real time.
- Review and copy. Browse the alphabetically sorted list. Click any subdomain to copy it to your clipboard for further analysis.
Who uses subdomain finders?
- Bug bounty hunters: Map a target's full attack surface before testing. Forgotten subdomains often run outdated software that's never been patched.
- Penetration testers: Build a complete asset inventory during the reconnaissance phase of an authorized engagement.
- SEO professionals: Audit a domain's full structure to find orphaned subdomains that may be diluting authority or causing duplicate content issues.
- DevOps & SREs: Verify their own organization's external footprint — finding rogue or shadow IT subdomains spun up by other teams.
- Threat intelligence analysts: Identify infrastructure relationships between domains, including phishing sites mimicking legitimate brands.
- Competitive researchers: Discover what staging, beta, or product environments a competitor is running.
- Domain investors: Assess the full portfolio of a target acquisition.
Passive vs. active subdomain enumeration
There are two main approaches to subdomain discovery, and understanding the difference matters:
Passive enumeration (what this tool does)
Queries third-party data sources without sending any traffic to the target. Sources include:
- Certificate Transparency logs (crt.sh, Censys) — most reliable
- DNS history archives (SecurityTrails, DNSDumpster)
- Search engine indexes (Google dorks, Shodan)
- Public datasets (Common Crawl, Project Sonar)
Advantages: undetectable, fast, no legal exposure. Disadvantages: misses subdomains without public footprint.
Active enumeration (tools like Subfinder, Amass, gobuster)
Sends DNS queries directly to the target's name servers, either using wordlists or by mutating discovered subdomain patterns.
Advantages: finds subdomains passive tools miss. Disadvantages: detectable by target, may violate terms of service if you lack authorization.
Best practice: Start with passive enumeration (this tool), then supplement with active tools only on domains you have explicit permission to assess.
Tips for getting better results
Use the root domain, not a subdomain
If you enter blog.example.com, you'll only get subdomains of the blog. Enter example.com to find everything.
Try the brand's secondary domains too
Companies often own multiple TLDs (example.com, example.io, example.dev, country-specific like example.de). Each may have a different subdomain landscape.
Combine with other recon tools
For complete coverage, supplement CT log data with:
- Subfinder or Amass for active brute-force enumeration
- Shodan for finding services on discovered subdomains
- WhoIs lookup — see our free WhoIs tool — for ownership data
- DNS lookup — see our DNS lookup tool — to verify subdomains are live
Hosting your own subdomain-heavy projects?
If you're spinning up api., staging., dev. subdomains for your projects, Cloudways makes it trivial — managed cloud hosting on DigitalOcean, AWS, and Vultr from $11/month with unlimited subdomain SSL, instant DNS, and one-click app deploys.
Frequently asked questions
How does this subdomain finder work?
The tool queries Certificate Transparency logs through crt.sh — a public database that records every SSL/TLS certificate issued by any Certificate Authority. Since most subdomains use HTTPS, their certificates leave a public trail, which is the most reliable way to discover subdomains passively.
Is this subdomain finder legal to use?
Yes. The tool only uses publicly available Certificate Transparency data, which is required by browsers like Chrome to be public. It does not perform any active scanning or interact with the target domain. Always follow responsible disclosure and only test domains you have authorization to assess.
Why are some subdomains missing from the results?
This tool only finds subdomains with publicly logged SSL certificates. Subdomains using self-signed certificates, internal-only DNS records, or HTTP-only configurations may not appear. For complete enumeration, combine passive results with active DNS brute-force tools like Subfinder or Amass.
Is this tool free?
Yes. Completely free with no signup, no API key, no rate limits, and no watermarks. Built on the open crt.sh database.
Will my searches be logged?
AlllinTools does not log or store your queries. However, the tool routes the request through allorigins.win (a public CORS proxy) and crt.sh, both of which may keep standard server logs of incoming requests. For maximum privacy, use a VPN.
What's the difference between passive and active subdomain enumeration?
Passive enumeration queries third-party databases (CT logs, DNS history, search engines) without touching the target. Active enumeration sends DNS requests directly to the target's servers — faster and more thorough, but detectable and potentially against terms of service if you don't have permission.
Can I find subdomains for any domain?
Yes, for any domain that has issued public SSL certificates. This includes virtually all production websites. Only verify subdomains for domains you own or have explicit permission to assess.
The tool says "No subdomains found" — what does that mean?
Either the domain hasn't issued any public SSL certificates (rare for active domains), or you may have entered a subdomain instead of the root. Double-check spelling and try the bare root domain.