reddit hackernews mail facebook facebook linkedin

Subdomain enumeration

A friend recently asked me what methods I use to find subdomains. To be honest I was confused, like “oooohhh so much, brute force mmm… zone transfer and… brute for… wait Google and mmm… many other tools!” What a shame that I was so inaccurate after so much time spent to look for subdomains. Time to dig a little bit! After I wrote a list of the most popular methods, I tried to make a list of some tools and online resources to exploit them. Of course this list is far from exhaustive, there are many new stuff every day, but it’s still a good start :)


Brute force
The easiest way. Try millions and millions words as subdomains and check which ones are alive with a forward DNS request.

Zone transfer aka AXFR
Zone transfer is a mechanism that administrators can use to replicate DNS databases but sometimes the DNS is not well configured and this operation is allowed by anyone, revealing all subdomains configured.

DNS cache snooping
DNS cache snooping is a specific way to query a DNS server in order to check if a record exists in his cache.

Reverse DNS
Try to find the domain name associated with an IP address, it’s the opposite of Forward DNS.

Alternative names
Once the first round of your recon is finished, apply permutations and transformations (based on another wordlist maybe?) to all subdomains discovered in order to find new ones.

Online DNS tools
There are many websites that allow to query DNS databases and their history.

SSL Certificates
Request informations about all certificates linked to a specific domain, and obtain a list of subdomains covered by these certificates.

Search engines
Search for a specific domain in your favourite search engine then minus the discovered sudomains one by one -www -dev

Technical tools/search engines
More and more companies host their code online on public platform, most of the time these services have a search bar.

Text parsing
Parse the HTML code of a website to find new subdomains, this can be applied to every resources of the company, office documents as well.

VHost discovery
Try to find any other subdomain configured on the same web server by brute forcing the HTTP Host header.

Exotic stuff
HTTP headers like Content-Security-Policy.
Sender Policy Framework records.
Zone walking.


Altdns: alternative names brute forcing
Amass: brute force, Google, VirusTotal, alt names
aquatone-discover: Brute force, Riddler, PassiveTotal, Threat Crowd, Google, VirusTotal, Shodan, SSL Certificates, Netcraft, HackerTarget, DNSDB
BiLE-suite: HTML parsing, alt names, reverse DNS
blacksheepwall: AXFR, brute force, reverse DNS, Censys, Yandex, Bing, Shodan, Logontube, SSL Certificates, Virus Total
Bluto: AXFR, netcraft, brute force
brutesubs: enumall, Sublist3r, Altdns
cloudflare_enum: Cloudflare DNS
CTFR: SSL Certificates
DNS-Discovery: brute force
DNS Parallel Prober: DNS resolver
dnscan: AXFR, brute force
dnsrecon: AXFR, zone walking, brute force, reverse DNS, snoop caching, Google
dnssearch: brute force
domained: Sublist3r, enumall, Knockpy, SubBrute, MassDNS, recon-ng
enumall: recon-ng -> Google, Bing, Baidu, Netcraft, brute force
Fierce: AXFR, brute force, reverse DNS
Knockpy: AXFR, virustotal, brute force
ldns-walk: zone walking (part of package ldnsutils)
MassDNS: DNS resolver
Second Order: HTML parsing
Sonar: AXFR, brute force
SubBrute: brute force
Sublist3r: Baidu, Yahoo, Google, Bing, Ask, Netcraft, DNSdumpster, VirusTotal, Threat Crowd, SSL Certificates, PassiveDNS
theHarvester: reverse DNS, brute force, Google, Bing, Dogpile, Yahoo, Baidu, Shodan, Exalead
TXDNS: alt names (typo/tld)
vhost-brute: vhost discovery
VHostScan: vhost discovery
virtual-host-discovery: vhost discovery

Online DNS tools

Search engines

Technical tools/search engines

DNS cache snooping

nslookup -norecursive
nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,{domain1,domain2,domain3}' <ip>

Others online resources

External resources