Find subdomains for a domain. Backed by a comprehensive DNS dataset; enter a domain to search for all related Forward DNS (A) records. A powerful reconnaissance tool when assessing an organisations security.

Valid Input: example.com example.co.uk


Remove limits & captcha with membership

Recon: Find your targets with a DNS (A) record search

Use this subdomain search to find all the forward DNS records (A recrds) for an organisation. A number of limits apply to FREE users including number of results and number of daily queries. Remove limits with a Membership or try the Domain profiler tool to get a full listing with additional meta data from the discovered hosts.

A forward DNS record (or A record) is used to determine an IP address from a human readable hostname. By searching all forward DNS records for a domain, attackers (or security penetration testers) can begin to understand the layout of an organisations Internet footprint. This type of reconnaissance can discover a wide range of hosts from multiple IP net blocks that can contain a wide range of services. With a good understanding of the perimeter the discovered systems can be assessed for security weak spots. The more hosts found the wider the potential attack surface.

Subdomain Enumeration Limits

Membership FREE USER
Queries / day# based on Plan50
Max # of Results500'000500
Data Set UpdatesHourlyWeekly

With a membership get up to half a million results from a single query. A gold mine of data for security analysts, network defenders and other cyber security professionals.

Updates to the DNS Data set are applied regularly from multiple sources. With a membership access newly discovered subdomains every hour.

Forward DNS Hostname Search

The only function within the DNS protocol to identify all (A) records associated with a domain is to perform a DNS Zone Transfer. This zone transfer is a process that allows replication of DNS data between two DNS servers. However, it is deemed to be a security risk to leak all that DNS data so a properly configured DNS server should not allow a DNS zone transfer to non-authorized hosts.

Since it is likely that a DNS zone transfer will not work, we need another way to identify all the hosts associated with a domain. This discovery process can use a number of resources such as search engines, DNS data sets, brute forcing or crawling to enumerate subdomains.

Subdomain Enumeration from Search Engines

Search engines are a popular subdomain enumeration technique. Advantages of this method are that it is a passive search, in other words you are not sending any traffic to the target network or DNS servers. The search engine returns a list of results that contain the domain you are searching on. An example using Google is to perform the following query:

site:example.com

This will show all results from Google that contain the domain site.com. As it is likely that there are many results on www.example.com we can refine the search with the following query.

site:example.com -site:www.example.com

This will filter the www.example.com domain from the results, perhaps revealing a number of more interesting subdomains to target.

Brute Forcing Subdomains

A number of DNS enumeration tools and scripts are available that will simply take a list of keywords (potential subdomains) and attempt to resolve these against the target domain. This is not an entirely passive undertaking as the DNS resolution goes to the target domains DNS server and results in many failed lookups.

If someone is closely monitoring the DNS server of the target domain they will be able to detect that someone is performing a brute force subdomain scan against the domain.

There are a number of tools that can perform this enumeration, if you have Nmap installed there is an NSE script that will perform a DNS subdomain brute force (dns-brute).

DNS and SSL Data Sets for Subdomain Enumeration

Certificate Transparency Logs are a source of Subdomain Enumeration dataThe data we use to find host records here at hackertarget.com is sourced from a number of excellent projects as well as Internet search engines.

Scans.io is a project supported by Rapid 7 that compiles Internet scan data as well as DNS data sets, including both forward and reverse DNS records. By searching through the Forward DNS data set we can find all subdomains in the list that match a domain name query.

Another project is the censys.io project. This project from the University of Michigan also compiles a large amount of Internet scan data as well SSL data. Searching the SSL records can reveal host names of target domains. There is an API available or the full data sets can be downloaded.

Certificate transparency logs are yet another excellent source of host data. A project that allows browsers to confirm the validity of SSL certificates in near real time. Certificate transparency also happens to be an excellent source for performing reconnaissance against target domains.

Related IP Tools

We have a number of other related tools in our IP Tools suite that may be of interest. The Reverse DNS Lookup enables searching reverse PTR records for a domain and the Reverse IP search identifies hosts sharing an IP address. By combining these tools it should be possible to get a very good indication of where an organisations Internet systems are located both from IP address and physical location if used in conjunction with GeoIP lookups.

Domain Profiler for Attack Surface Discovery

Use the Domain Profiler tool to perform automated reconnaissance against a domain name. This provides a quick overview of an organisations Internet facing infrastructure within a few minutes.

Results are collected passively; no packets are sent against the target IP ranges resulting in a very stealthy way to assess an organizations perimeter.

Forward DNS search API

Rather than using the form above you can also access the forward DNS tool using the API. The output is simply plain text and will include the IP address and the forward DNS host name. Data from the tool can be easily imported into a spreadsheet or other tool for reference purposes.

curl https://api.hackertarget.com/hostsearch/?q=example.com

This query will display the forward DNS records discovered using the data sets outlined above.

The API is simple to use and aims to be a quick reference tool; like all our IP Tools there is a limit of 50 queries per day. Remove limits with a Full Membership.

For those who need to send more packets upgrade to HackerTarget.com Enterprise Plans.

Automated Security Vulnerability Scans.

Discover. Investigate. Learn.

Use Cases

Website Recon?

Fingerprint Web App
Technologies in Bulk

Whatweb / Wappalyzer

Remove limits with a full membership

More info available

Membership