
Best Subdomain Enumeration Tools in 2026 — Online & Self-Hosted

A complete, honest comparison of every meaningful subdomain enumeration tool available in 2026 — from browser-based tools that need no installation to heavyweight CLI frameworks used in professional red team engagements. Covers SubDomainsFinder, Subfinder, OWASP Amass, Sublist3r, Findomain, DNSDumpster, crt.sh, SecurityTrails, Assetfinder, theHarvester, Shodan, C99, and Pentest-Tools.


Why Subdomain Enumeration Matters

The main domain is almost never where the interesting attack surface lives. Behind example.com sits a sprawl of subdomains — api.example.com running an unpatched REST framework, staging.example.com with hardcoded credentials, admin.example.com with no authentication, legacy.example.com forgotten since a migration three years ago. These subdomains accumulate over the lifetime of an organization, and they are rarely inventoried with the same rigor as the primary domain. For an attacker or a bug bounty hunter, finding subdomains the organization does not know are exposed is often the fastest path to a meaningful finding.

For defenders, subdomain enumeration is an essential input to attack surface management. You cannot protect assets you do not know exist. Running subdomain discovery against your own domains — and doing it regularly — is one of the simplest ways to find dangling DNS records, abandoned applications, and shadow IT before an attacker does. Certificate Transparency logs alone have exposed countless staging environments that internal teams assumed were invisible to the public internet.

Enumeration approaches fall into two categories. Passive enumeration queries third-party data sources — CT logs, passive DNS datasets, search engine caches, internet scan archives — without sending any traffic to the target. It is stealthy and fast. Active enumeration sends DNS queries directly to the target’s name servers, typically brute-forcing potential subdomain names from a wordlist. Active methods can find subdomains that have never appeared in any public source, but they generate traffic the target can log and they are illegal without explicit authorization.

Choosing between an online tool and a self-hosted CLI comes down to three factors: setup tolerance, automation needs, and data richness. Online tools win on speed and accessibility — you get results without installing anything, and they are usable on any device. Self-hosted CLI tools win on scale, customization, and pipeline integration — they are the right choice when you are running recon across hundreds of domains, need to diff results over time, or are chaining subdomain discovery into a larger automated workflow. This guide covers both categories in depth so you can pick the right tool — or combination of tools — for your specific situation.

Section 1: Online Subdomain Finders (No Install Required)

Online tools remove all setup friction. No runtime to install, no API keys to configure, no binary to download. You open a browser, enter a domain, and get results. The trade-off is that most online tools are passive-only and you are dependent on the provider’s data freshness and rate limits. For initial recon, quick triage, and non-technical users, they are often the right starting point.

1. SubDomainsFinder.com (subdomainsfinder.com)

SubDomainsFinder is a free, browser-based subdomain enumeration tool that requires no account, no installation, and no API keys. You enter a domain and within seconds you get a list of discovered subdomains alongside their resolved IP addresses, detected open ports, ASN, hosting provider, and CDN or WAF detection. The data comes from passive sources: Certificate Transparency logs, passive DNS databases, and public internet scan data — meaning no active probes are sent to the target.

What differentiates SubDomainsFinder from most online tools is that it returns more than just subdomain names. Seeing that staging.example.com resolves to a direct AWS IP with port 8080 open — not behind a CDN — is immediately actionable without needing to chain additional tools. That combination of passive discovery plus infrastructure context in one view saves significant time in the early stages of recon.

  • Best for: quick recon, non-technical users, initial triage on a new target, anyone without a configured CLI environment
  • Limitation: passive only — no brute-force or active DNS enumeration
  • Free tier: yes, fully free with no account required

2. DNSDumpster (dnsdumpster.com)

DNSDumpster is a free online DNS research tool built by HackerTarget.com. It goes beyond subdomains to give you a holistic view of a domain’s DNS configuration — MX records, NS records, TXT records, and a visual network map showing how discovered hosts relate to each other. It uses a combination of passive DNS datasets and its own scanning infrastructure to discover hosts.

The network map visualization is genuinely useful in early recon — it helps you quickly identify which mail servers, nameservers, and web hosts belong to a target organization and which are third-party services. The subdomain list itself tends to be shorter than what you get from CT log-focused tools, but the DNS record context adds meaningful depth.

The main drawbacks are rate limiting and speed. Large domains can take a long time to return results, and repeated queries on the same IP may get throttled. There is no API and no way to automate queries without going through HackerTarget’s paid API offering.

  • Best for: DNS record auditing alongside subdomain discovery; understanding MX/NS/TXT configuration at a glance
  • Limitation: rate-limited, slower on large domains, shorter subdomain lists than CT-first tools
  • Free tier: yes

3. crt.sh (crt.sh)

crt.sh is a Certificate Transparency log search engine maintained by Sectigo (formerly Comodo CA). It runs a PostgreSQL database that continuously ingests CT log entries from all major log operators and makes them searchable via a simple web interface. A search for %.example.com returns every TLS certificate ever issued for any subdomain of example.com, along with issuance dates, the issuing CA, and the log entry details.

The value of crt.sh goes beyond just the current subdomain list. Because CT logs are append-only, crt.sh shows you historical subdomains that may no longer be active — but whose DNS records may still resolve, making them candidates for subdomain takeover. Wildcard certificates (*.example.com) also appear here, which tells you that a large number of potential subdomains exist under a wildcard that would never appear in passive DNS individually. The raw PostgreSQL query interface is available for programmatic access without rate limits for moderate query volumes.

The limitations are all about what crt.sh does not provide: no IP addresses, no port data, no ASN information, no DNS resolution, and no interface polish. The results are a raw table of certificate records. Useful for researchers who know what they’re looking at, but not immediately actionable for someone who needs to know what services are running.

  • Best for: CT-log-specific research, certificate analysis, historical subdomain hunting, wildcard certificate detection
  • Limitation: raw data with no IP/port/ASN context; no UI polish; CT logs only
  • Free tier: yes, fully free
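The following Python script is an added example (it is not crt.sh's code) showing how to turn crt.sh's JSON output into the inventory the section describes: names deduplicated across certificates, wildcards separated out, and names that appear only on expired certificates listed as the historical candidates worth checking against DNS. It assumes the record shape of the `output=json` endpoint (a list of objects with `name_value`, `not_before`, `not_after`); the sample records are constructed.

```python
"""Turn crt.sh JSON output into a subdomain inventory with a live/historical split.

Added example, not crt.sh's own code. It assumes the record shape returned by
https://crt.sh/?q=%25.example.com&output=json: a JSON list of objects carrying
"name_value" (newline-separated DNS names from the certificate's SANs) and
"not_before"/"not_after" ISO timestamps. SAMPLE_RECORDS below are constructed.
"""
import json
from datetime import datetime

# Constructed sample: two expired certificates and one current wildcard cert
# whose SAN list also carries an out-of-scope name.
SAMPLE_RECORDS = [
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2025-01-10T00:00:00", "not_after": "2025-04-10T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "legacy.example.com",
     "name_value": "legacy.example.com",
     "not_before": "2022-05-01T00:00:00", "not_after": "2022-07-30T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com\nStaging.Example.com\nexample.com.evil.test",
     "not_before": "2025-06-01T00:00:00", "not_after": "2026-06-01T00:00:00"},
]


def in_scope(name, domain):
    """True only for the apex or a real child label, so notexample.com is rejected."""
    return name == domain or name.endswith("." + domain)


def parse_crtsh(records, domain, now=None):
    """Split CT-observed names into live, historical-only and wildcard lists.

    live: on at least one certificate still valid at `now`
    historical_only: seen only on expired certificates; these are the candidates
        the section mentions, to be checked against DNS before drawing conclusions
    wildcards: wildcard names, which signal subdomains CT cannot enumerate
    `now` may be a datetime, an ISO string, or None (current time).
    """
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    live, expired, wildcards = set(), set(), set()
    for rec in records:
        valid = datetime.fromisoformat(rec["not_after"]) > now
        for raw in rec["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name or not in_scope(name, domain):
                continue  # empty line, or a SAN outside the queried domain
            if name.startswith("*."):
                wildcards.add(name)
            elif valid:
                live.add(name)
            else:
                expired.add(name)
    return {
        "live": sorted(live),
        "historical_only": sorted(expired - live),
        "wildcards": sorted(wildcards),
    }


def parse_crtsh_json(text, domain, now=None):
    """Convenience wrapper for the raw response body of the output=json endpoint."""
    return parse_crtsh(json.loads(text), domain, now)


if __name__ == "__main__":
    result = parse_crtsh(SAMPLE_RECORDS, "example.com", "2026-01-01T00:00:00")
    for key, names in result.items():
        print(f"{key}: {', '.join(names) or '-'}")
```

The scope check matters because a certificate's SAN list is whatever the requester put on it; a `%.example.com` search can return certificates that also carry unrelated names, and a naive `endswith("example.com")` would additionally accept `notexample.com`.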

4. SecurityTrails (securitytrails.com)

SecurityTrails is a paid SaaS platform specializing in DNS intelligence and historical data. Its free tier requires account registration and provides around 50 API queries per month — enough to evaluate the product but not enough for production recon workflows. Paid plans unlock bulk access and full historical data depth.

The distinctive value of SecurityTrails is its historical data: you can see not just what DNS records look like today but what they looked like months or years ago, which IP addresses a subdomain has historically resolved to, and which domains have been associated with a given IP over time. This historical view is invaluable for tracking threat actor infrastructure, identifying IP ranges that belong to an organization across cloud providers, and building attribution chains. The platform also integrates with SIEM tools and has a well-documented API that supports programmatic access.

The main barrier is cost. For individual researchers and small teams, the pricing is significant relative to free alternatives. SecurityTrails is best justified when historical DNS data is a primary requirement — for threat intelligence, advanced red team assessments, or enterprise attack surface management programs that need data depth unavailable from free sources.

  • Best for: enterprise teams with budget, historical DNS tracking, threat intelligence, SIEM integration
  • Limitation: paid beyond 50 queries/month; expensive for individual researchers
  • Free tier: yes, with account — 50 queries/month

5. Pentest-Tools Subdomain Finder (pentest-tools.com)

Pentest-Tools.com is a commercial pentesting platform that includes a subdomain finder as one module within a broader suite of automated security testing tools. The subdomain finder combines passive enumeration with active DNS brute-force, returning results in a clean web interface with reporting capabilities. The free tier allows a limited number of scans with some features locked behind paid plans.

The strongest argument for Pentest-Tools is ecosystem integration: if you are already using the platform for web application scanning, network scanning, or vulnerability assessment, having subdomain discovery in the same interface with unified reporting is genuinely convenient. It also supports scheduled scans and team workspaces, making it better suited to ongoing engagements than one-off recon.

For users not already invested in the Pentest-Tools ecosystem, the cost-benefit is less compelling. The subdomain enumeration capability itself is comparable to running Subfinder or Amass free, and the platform cost is only justified by the surrounding tooling.

  • Best for: pentesting teams already using the Pentest-Tools suite who want unified reporting
  • Limitation: paid; limited value if you’re not using the broader platform
  • Free tier: limited — a few free scans with feature restrictions

6. C99 Subdomain Finder (c99.nl)

C99.nl is a paid API-based service offering subdomain discovery among a collection of other reconnaissance and lookup tools. Access requires purchasing API credits, and the service is primarily designed for developers who want to integrate subdomain lookup capabilities into their own tools or pipelines via API calls rather than a web interface.

The C99 database is reportedly large and fast, and the API is well-documented for programmatic integration. It is a reasonable choice when you are building a custom recon tool or application and need a subdomain data source you can call via HTTP without standing up your own infrastructure. The cost model is usage-based, so it is more predictable than subscription services for variable workloads.

For direct use — that is, typing a domain into a box and getting results — the free options covered in this guide are more practical. C99 is really for developers and teams building on top of the API rather than using it interactively.

  • Best for: developers integrating subdomain data into automated pipelines and custom tooling via API
  • Limitation: requires API key and payment; not designed for interactive use
  • Free tier: no meaningful free access


Section 2: Self-Hosted / CLI Subdomain Enumeration Tools

CLI tools require installation but pay dividends at scale. They can process hundreds of domains in parallel, integrate into automated pipelines, be scheduled as cron jobs, and produce machine-readable output for downstream tooling. If you are doing professional recon at any significant volume, a well-configured CLI stack will outperform any browser-based tool. The tools below are the ones professionals actually use in production.

1. Subfinder (by ProjectDiscovery)

Subfinder is the de facto standard for passive subdomain enumeration in professional recon pipelines. Written in Go and maintained by ProjectDiscovery — the team behind nuclei, httpx, naabu, and the broader PDCP ecosystem — it queries over 30 passive sources simultaneously and outputs a deduplicated list of subdomain names to stdout, one per line. That output format is deliberately designed for pipeline composition: pipe it into httpx for HTTP probing, dnsx for DNS resolution, or nuclei for vulnerability scanning without any transformation.

The key nuance with Subfinder is the gap between its default behavior and its full capability. Without API keys configured, Subfinder falls back to a subset of free sources — crt.sh, HackerTarget, and a handful of others — and its coverage is comparable to what you get from a good online tool. The real value unlocks when you configure API keys for Shodan, Censys, SecurityTrails, VirusTotal, and Chaos in ~/.config/subfinder/provider-config.yaml. With full key configuration, Subfinder regularly finds subdomains that CT logs alone miss.

# Install via Go (requires Go 1.21+)
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

# Basic passive scan
subfinder -d example.com -o results.txt

# Silent mode for pipeline use
subfinder -d example.com -silent | httpx -title -status-code

# Scan a list of domains with all sources
subfinder -dL domains.txt -all -o all_results.txt

# Output in JSON for downstream processing
subfinder -d example.com -json -o results.json

  • Strengths: 30+ passive sources, fast, excellent pipeline integration, actively maintained, composable with httpx and nuclei
  • Weaknesses: returns subdomain names only (no IP/port/ASN natively); needs API keys for full coverage; no active enumeration
  • Best for: automated pipelines, CI/CD recon, combining with other ProjectDiscovery tools, large-scale passive enumeration

2. OWASP Amass (by OWASP)

OWASP Amass is the most comprehensive subdomain enumeration tool available. It queries over 50 passive data sources, performs active DNS enumeration including brute-force with wordlists, conducts recursive enumeration (finding subdomains of subdomains), performs ASN and CIDR-based host discovery via amass intel, and tracks discovered assets in a local graph database for longitudinal analysis. The breadth of what Amass does in a single tool is unmatched.

The trade-off is complexity and resource consumption. Amass is significantly slower than Subfinder for passive enumeration — a domain that Subfinder processes in 30 seconds may take Amass 5–10 minutes or more with active modes enabled. The configuration file is extensive, and the tool has a steeper learning curve than most alternatives. For teams running it in production, a well-tuned Amass config is an asset that takes time to build.

The amass intel subcommand deserves special mention: given a company name or a known ASN, it can discover IP ranges and CIDR blocks associated with an organization and enumerate subdomains across those entire ranges — a capability no other free tool matches for infrastructure-level discovery.

# Install via Go
go install -v github.com/owasp-amass/amass/v4/...@master

# Passive enumeration only (stealthy)
amass enum -passive -d example.com -o passive_results.txt

# Active enumeration with wordlist brute-force (-brute enables the wordlist pass)
amass enum -active -brute -d example.com -o active_results.txt

# ASN discovery from company name, then IP/CIDR discovery from a found ASN
amass intel -org "Example Corp"
amass intel -asn <ASN_FROM_PREVIOUS_STEP> -ip

# Passive enumeration with config file (recommended)
amass enum -passive -d example.com -config ~/.config/amass/config.yaml

# Visualize the tracked asset graph
amass viz -d3 -d example.com

  • Strengths: 50+ sources, active + passive, ASN/CIDR enumeration, historical tracking via graph database, most thorough coverage available
  • Weaknesses: slow, resource-intensive, complex configuration, steeper learning curve
  • Best for: thorough enterprise assessments, long-term attack surface tracking, ASN-level infrastructure discovery

3. Sublist3r (Python)

Sublist3r is a Python-based subdomain enumeration tool that scrapes search engines (Google, Bing, Yahoo, Baidu, Ask, Netcraft) alongside VirusTotal and DNSDumpster, then optionally runs a brute-force pass using the subbrute integration with the -b flag. It was one of the first accessible Python subdomain tools and introduced a lot of security professionals to automated recon workflows.

In 2026, Sublist3r is largely a historical artifact. The repository has seen minimal active maintenance for several years, search engine rate limiting frequently breaks the scraping sources mid-scan, and the result quality is noticeably worse than what Subfinder or Findomain produce from the same passive data sources. The brute-force mode works reasonably well but is slower than modern alternatives like puredns or dnsx.

It is still included here because it is widely referenced in older tutorials, Kali Linux includes it by default, and it remains a useful teaching tool for understanding how search-engine-based enumeration works. For production recon, choose Subfinder or Findomain instead.

# Install via pip
pip install sublist3r

# Basic passive scan
sublist3r -d example.com

# Brute-force enabled (-b), then check found subdomains on ports 80 and 443 (-p)
sublist3r -d example.com -b -p 80,443

# Save output to file
sublist3r -d example.com -o results.txt

# Verbose output (shows which sources found each subdomain)
sublist3r -d example.com -v

  • Strengths: easy Python install, brute-force mode, good for learning
  • Weaknesses: largely unmaintained, slow, frequently broken by search engine rate limits, worse coverage than modern alternatives
  • Best for: beginners learning recon concepts; not recommended for production engagements

4. Findomain (Rust)

Findomain is a passive subdomain enumeration tool written in Rust, which makes it extraordinarily fast — benchmarks consistently put it ahead of Python and even some Go tools in raw enumeration speed. It queries Certificate Transparency logs (via multiple CT providers), VirusTotal, SecurityTrails, and several other passive sources, returning results in seconds for most domains.

The Rust implementation means a single binary with no runtime dependencies — download it, make it executable, run it. There is no Python environment to manage and no Go toolchain to maintain. The output is clean, one subdomain per line, making it easy to pipe into downstream tools. Findomain is actively maintained and has been a reliable workhorse in recon pipelines where raw speed matters.

Where Findomain falls short relative to Subfinder is in source breadth. It queries fewer passive sources, and without API key configuration (VirusTotal, SecurityTrails, Spyse) it relies primarily on CT logs. For most targets the CT log coverage is substantial, but for targets with significant infrastructure not represented in certificate data, Subfinder with full keys will find more.

# Linux — download the binary
curl -LO https://github.com/Findomain/Findomain/releases/latest/download/findomain-linux
chmod +x findomain-linux

# macOS
curl -LO https://github.com/Findomain/Findomain/releases/latest/download/findomain-osx
chmod +x findomain-osx

# Basic scan
./findomain-linux -t example.com

# Save to file
./findomain-linux -t example.com -o

# With API keys (configure FINDOMAIN_CONFIG or env vars)
export FINDOMAIN_VIRUSTOTAL_API_KEY=your_key_here
./findomain-linux -t example.com

  • Strengths: very fast (Rust), single binary, actively maintained, clean output
  • Weaknesses: fewer passive sources than Subfinder; CT-heavy without API keys
  • Best for: fast passive recon when Subfinder feels heavy; quick CT-log-focused enumeration

5. Assetfinder (by tomnomnom)

Assetfinder is a minimal, fast Go tool written by Tom Hudson (tomnomnom) that finds subdomains and related assets from a handful of passive sources including crt.sh, HackerTarget, WayBackMachine, Facebook Certificate Transparency, and a few others. It does exactly one thing: output a list of domains associated with a target, one per line.

Its strength is its simplicity and composability. The --subs-only flag filters output to confirmed subdomains of the target domain, discarding related domains that are not direct subdomains. The output pipes cleanly into httpx with zero transformation: assetfinder --subs-only example.com | httpx gives you live HTTP services in seconds. This pattern is a staple of fast bug bounty workflows where time-to-finding matters.

The limitation is coverage. Assetfinder queries significantly fewer sources than Subfinder and does not support API key configuration for expanded source access. Treat it as a fast first pass or a complement to deeper tools, not as a primary enumeration tool for thorough assessments.

# Install via Go
go install github.com/tomnomnom/assetfinder@latest

# Find all related assets
assetfinder example.com

# Subdomains only (recommended)
assetfinder --subs-only example.com

# Fast pipeline — find subs, probe HTTP, grab titles
assetfinder --subs-only example.com | httpx -title -status-code -silent

  • Strengths: lightweight, fast, excellent pipeline composability, dead-simple usage
  • Weaknesses: fewer sources than Subfinder; no API key support for expanded coverage
  • Best for: minimal-footprint fast recon; first pass in a larger pipeline; quick bug bounty triage

6. theHarvester (Python / Kali default)

theHarvester is an OSINT tool that aggregates subdomains, email addresses, IP addresses, and employee names from search engines, public databases, and various passive sources. It ships by default in Kali Linux and is a standard tool in the OSINT phase of penetration testing. Unlike pure subdomain tools, it is explicitly designed to gather multiple types of intelligence in a single pass — making it useful when you want both subdomain discovery and email address harvesting for phishing simulation or credential spray preparation.

The subdomain discovery quality is reasonable but not state-of-the-art. Search engine sources are prone to rate limiting, and theHarvester is notably slower than purpose-built subdomain tools when you only need subdomain data. The -b all flag queries all configured sources, which includes Shodan (if configured), Bing, Google, LinkedIn, Twitter, and several others — a broad net that occasionally surfaces unique findings, particularly from social media intelligence.

# Install via pip
pip install theHarvester

# On Kali Linux it is pre-installed
# Basic scan against all sources
theHarvester -d example.com -b all

# Target specific sources
theHarvester -d example.com -b bing,google,shodan

# Output to XML report
theHarvester -d example.com -b all -f report.xml

# Limit result count to avoid rate limits
theHarvester -d example.com -b google -l 200

  • Strengths: combines subdomain + email + IP + employee data in one tool; Kali default; good for OSINT-heavy initial recon
  • Weaknesses: slow, dependent on search engine rate limits, subdomain coverage weaker than dedicated tools
  • Best for: OSINT-heavy initial recon phases that combine email harvesting with subdomain discovery

7. Shodan (shodan.io)

Shodan is not a subdomain finder in the traditional sense — it is an internet-wide scan engine that indexes hosts, open ports, service banners, TLS certificate metadata, and application fingerprints from continuous internet scanning. But it is an essential complement to subdomain enumeration because it can reveal infrastructure that CT logs and passive DNS miss: hosts running services on non-standard ports, IoT devices, industrial control systems, and servers that have never hosted a web application.

The key Shodan query for subdomain-adjacent discovery is hostname:example.com, which returns all hosts Shodan has indexed with that hostname in their TLS certificate or DNS PTR record. This surfaces services on non-standard ports, services running without HTTP (databases, SMTP, FTP), and hosts in IP ranges that do not appear in passive DNS. The ssl.cert.subject.cn:example.com query adds certificate-based discovery on top.

The free tier of Shodan is limited to basic search results with no API access. The paid Shodan membership (one-time fee of around $49) unlocks full API access, filters, and programmatic integration. The Shodan CLI and Python library make it straightforward to incorporate into recon pipelines.

# Install Shodan CLI
pip install shodan
shodan init YOUR_API_KEY

# Find hosts by hostname
shodan search hostname:example.com

# Find by SSL certificate CN
shodan search ssl.cert.subject.cn:example.com

# Count results
shodan count hostname:example.com

# Download full result set (requires paid plan)
shodan download results hostname:example.com

  • Strengths: reveals services on non-standard ports; finds infrastructure not in CT logs; service banner data
  • Weaknesses: not a subdomain finder per se; paid API beyond basic search; data freshness varies
  • Best for: complementing subdomain enumeration with port/service discovery; finding origin IPs behind CDNs; IoT/OT asset discovery

Section 3: Full Feature Comparison Table

The table below compares all 13 tools across the dimensions that matter most for practical subdomain enumeration work. Use it as a quick reference when choosing tools for a specific engagement or workflow.

Tool | No Install | Free Tier | Passive Discovery | Active / Brute-Force | IP Addresses | Open Ports | ASN / Hosting | Historical Data | API Available | Actively Maintained

(The ✓/✗ cell marks did not survive this text rendering; only the qualifying cell values remain per tool.)

SubDomainsFinder.com
DNSDumpster: partial, paid
crt.sh
SecurityTrails: limited
Pentest-Tools: limited, partial, paid
C99
Subfinder
OWASP Amass
Sublist3r: partial
Findomain
Assetfinder: partial
theHarvester
Shodan: limited, paid

✓ = yes    ✗ = no    partial = limited/conditional    limited = free tier with significant restrictions    paid = available but requires payment

Section 4: How to Combine Tools — Practical Workflows

No single tool covers the entire enumeration surface. Professional recon is a layered process: start with the fastest passive sources to build a baseline, add deeper passive coverage for completeness, then optionally layer active brute-force for targets where maximum coverage justifies the noise. The two workflows below represent patterns that work well in real engagements.

Workflow 1: Quick Bug Bounty Recon (No Install)

When you are triaging a new scope or doing initial reconnaissance on a target and do not have your full CLI environment available, this three-step online workflow takes under five minutes and covers the major passive sources.

1. SubDomainsFinder.com — instant passive discovery with IP/port context

Enter the target domain. Note all subdomains with direct IPs (not CDN), unusual open ports (8080, 8443, 3000, 8888, 9200), and any subdomains resolving to cloud provider IPs (AWS, Azure, GCP) — these are higher-priority investigation targets. Export or copy the full list for the next step.

2. crt.sh — CT-log deep dive for historical and wildcard certificates

Go to crt.sh and search for %.targetdomain.com. Look for subdomains that did not appear in SubDomainsFinder (may be decommissioned but still have live DNS), wildcard certificates that suggest large subdomain ranges, and certificate issuance dates that reveal when specific services went live. Cross-reference against your SubDomainsFinder results to identify gaps.

3. DNSDumpster — MX/NS/TXT record audit

Check DNSDumpster for the DNS record overview. MX records reveal mail providers (and potential phishing entry points). NS records show if the domain uses third-party DNS that might have misconfiguration risks. TXT records often expose SPF/DKIM/DMARC gaps, verification tokens for third-party services, and occasionally sensitive internal information accidentally committed to a public DNS record.

Workflow 2: Deep Automated Pipeline (CLI)

For serious engagements, bug bounty programs with large scopes, or continuous attack surface monitoring, this CLI pipeline provides maximum passive coverage, live host identification, and vulnerability scanning in a reproducible, scriptable workflow. This pattern runs on Linux or macOS and requires Go-based tools installed in your PATH.

#!/bin/bash
# Deep subdomain enumeration pipeline
# Requirements: subfinder, assetfinder, httpx, nuclei
# Install ProjectDiscovery tools: https://github.com/projectdiscovery
set -euo pipefail   # stop on the first failing step instead of scanning an empty list

TARGET="example.com"
WORKDIR="./recon-$TARGET"
mkdir -p "$WORKDIR"

# Step 1: Passive enumeration from multiple sources
echo "[*] Running passive enumeration..."
subfinder -d "$TARGET" -silent -o "$WORKDIR/subs_subfinder.txt"
assetfinder --subs-only "$TARGET" > "$WORKDIR/subs_assetfinder.txt"

# Optional: Amass passive for deeper coverage (slower)
# amass enum -passive -d "$TARGET" -o "$WORKDIR/subs_amass.txt"

# Step 2: Deduplicate all results (lowercase first so Foo.example.com and foo.example.com merge)
cat "$WORKDIR"/subs_*.txt | tr 'A-Z' 'a-z' | sort -u > "$WORKDIR/unique_subs.txt"
TOTAL=$(wc -l < "$WORKDIR/unique_subs.txt")
echo "[*] Found $TOTAL unique subdomains"

# Step 3: Resolve and probe live HTTP services
echo "[*] Probing for live HTTP services..."
httpx -l "$WORKDIR/unique_subs.txt" \
  -silent -no-color \
  -title -status-code -tech-detect \
  -o "$WORKDIR/live_hosts.txt"

LIVE=$(wc -l < "$WORKDIR/live_hosts.txt")
echo "[*] $LIVE live HTTP services found"

# httpx writes "URL [status] [title] [tech]" lines; nuclei needs bare URLs,
# so keep only the first field for the target list
cut -d ' ' -f1 "$WORKDIR/live_hosts.txt" > "$WORKDIR/live_urls.txt"

# Step 4: Vulnerability scan against live hosts
echo "[*] Running nuclei scan..."
nuclei -l "$WORKDIR/live_urls.txt" \
  -t technologies/ -t exposures/ -t misconfiguration/ \
  -severity medium,high,critical \
  -o "$WORKDIR/findings.txt"

echo "[*] Pipeline complete. Results in $WORKDIR/"
echo "    Subdomains: $WORKDIR/unique_subs.txt"
echo "    Live hosts: $WORKDIR/live_hosts.txt"
echo "    Findings:   $WORKDIR/findings.txt"

For programs with large scope or when you need active brute-force coverage on top of passive results, add a puredns or dnsx brute-force pass after Step 2, using SecLists’ dns/subdomains-top1million-110000.txt wordlist against a reliable DNS resolver list. The active pass typically adds 10–30% more subdomains over passive-only results for mature targets.
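Step 2 of the pipeline merges tool outputs with `sort -u`, which is enough for one run but says nothing about what changed since the last one, and does not catch out-of-scope names that assetfinder returns when `--subs-only` is omitted. The Python below is an added example (not part of the page's script and not code from any of the tools) that does the merge with normalization and a strict scope check, then diffs the result against a previous run's `unique_subs.txt` so new and removed names can be reviewed. The two tool outputs and the previous-run set are constructed strings standing in for the files the script writes.

```python
"""Merge per-tool output, enforce scope, and diff against the previous run.

Added example for Workflow 2; it is not part of the page's pipeline script
and not code from any of the tools. The two strings below stand in for
subs_subfinder.txt and subs_assetfinder.txt, and PREVIOUS_RUN for the
unique_subs.txt kept from an earlier run; all three are constructed.
"""
from pathlib import Path

SUBFINDER_OUT = """\
api.example.com
Staging.example.com
www.example.com
"""

# assetfinder without --subs-only also returns related-but-out-of-scope names.
ASSETFINDER_OUT = """\
www.example.com
example.com
notexample.com
example.com.evil.test
legacy.example.com.
*.dev.example.com
"""

PREVIOUS_RUN = {"api.example.com", "www.example.com", "old.example.com"}


def normalize(line):
    """Lowercase, drop a trailing dot, and reduce a wildcard to its parent name."""
    name = line.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(name, domain):
    """Apex or a real child label only; a bare endswith() would accept notexample.com."""
    return name == domain or name.endswith("." + domain)


def merge(outputs, domain):
    """Union of all tool outputs after normalization and scope filtering."""
    names = set()
    for text in outputs:
        for line in text.splitlines():
            name = normalize(line)
            if name and in_scope(name, domain):
                names.add(name)
    return names


def merge_files(paths, domain):
    """Same merge, reading the subs_*.txt files the pipeline script writes."""
    return merge([Path(p).read_text() for p in paths], domain)


def diff_runs(current, previous):
    """New names are fresh attack surface to review; removed names are the
    dangling-DNS candidates the page mentions and should be checked before
    being dropped from the inventory."""
    return {
        "new": sorted(current - previous),
        "removed": sorted(previous - current),
        "unchanged": sorted(current & previous),
    }


if __name__ == "__main__":
    current = merge([SUBFINDER_OUT, ASSETFINDER_OUT], "example.com")
    for label, names in diff_runs(current, PREVIOUS_RUN).items():
        print(f"{label:9s} {len(names):3d}  {' '.join(names)}")
```

Keeping each run's merged list under version control (or simply dated files in the work directory) turns this into the longitudinal view the Subfinder section says CLI tools are good for, without needing Amass's graph database.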

Section 5: Choosing the Right Tool for Your Situation

The right tool is the one that matches your constraints and goals. Here is a direct, practical guide to picking the right starting point based on what you actually need.

Need results in 30 seconds without installing anything?

SubDomainsFinder.com or DNSDumpster.

Open a browser, enter the domain, done. SubDomainsFinder adds IP, port, and ASN context. DNSDumpster adds DNS record depth. Use both for two minutes of coverage that rivals a basic Subfinder run.

Need the most thorough passive + active coverage?

OWASP Amass.

Amass is unmatched in depth when you have time for it. Run amass enum -passive first for the broad sweep, then amass enum -active with a wordlist for the gaps. Use amass intel to discover IP ranges associated with the target org. Accept that it will be slow and configure it with API keys for best results.

Need to automate recon in CI/CD or across a large scope?

Subfinder.

Subfinder is the right tool when you need reproducible, scriptable, pipeline-friendly output. It runs headlessly, integrates cleanly with httpx and nuclei, and handles concurrent multi-domain enumeration via -dL. Configure provider-config.yaml with all available API keys to maximize its source coverage.

Running Kali and want a quick CLI with no configuration?

Assetfinder or Findomain.

Both install in seconds and produce clean output immediately. Assetfinder is lighter and pipes beautifully into httpx. Findomain is faster for larger domains. Neither requires API keys to produce useful results. Sublist3r is already on Kali but is not recommended for production — use it only for learning.

Need historical DNS data or long-term infrastructure tracking?

SecurityTrails.

SecurityTrails has no peer for historical DNS data depth. If you need to understand what IP a subdomain resolved to six months ago, which domains have been associated with a known malicious IP over time, or how a target's infrastructure has evolved, SecurityTrails is the tool. The cost is justified for threat intelligence and mature ASM programs.

Want to look at certificates specifically?

crt.sh.

For Certificate Transparency log research — finding all certs ever issued for a domain, identifying wildcard certificates, or hunting for subdomain takeover candidates in historical cert data — crt.sh is the most direct tool. The SQL query interface at crt.sh/? is available for power users who need bulk queries.

Need both subdomain discovery and email addresses for OSINT?

theHarvester.

theHarvester is the only tool in this list that gathers email addresses, employee names, and IP addresses from search engines alongside subdomain data. For phishing campaign preparation, pre-engagement OSINT, or social engineering research, its multi-signal approach in a single tool saves time. Accept the slowness — it is a deliberate trade-off for breadth.

Building a custom tool or integrating subdomain data via API?

C99 or SecurityTrails API.

Both offer well-documented APIs with reasonable performance for programmatic access. C99 is usage-based and lower cost for variable workloads. SecurityTrails provides richer data including historical records. For building your own recon platform, evaluate both against your volume and data requirements.

Want to find services on non-standard ports or behind unusual infrastructure?

Shodan, as a complement to subdomain tools.

Run hostname:example.com in Shodan to find indexed hosts not surfacing in CT logs or passive DNS. This is particularly effective for finding origin servers behind CDNs, databases accidentally exposed to the internet, and services on unusual ports that no subdomain tool would discover through DNS alone.

Frequently Asked Questions

What is subdomain enumeration?

Subdomain enumeration is the process of discovering all subdomains associated with a target domain — for example, finding api.example.com, mail.example.com, and dev.example.com when you start with example.com. It is a foundational step in attack surface mapping, penetration testing, and bug bounty reconnaissance. Subdomains often expose internal services, staging environments, forgotten applications, and misconfigured systems that the main domain does not. Enumeration can be passive (querying third-party data sources without touching the target) or active (sending DNS queries or brute-forcing wordlists directly against the target's DNS infrastructure).

What is the best subdomain enumeration tool in 2026?

There is no single best tool — it depends on your use case. For instant, no-install results with IP and port context, SubDomainsFinder.com or DNSDumpster are the fastest starting points. For automated pipelines and CI/CD workflows, Subfinder is the industry standard. For the most thorough passive and active enumeration in a single tool, OWASP Amass is unmatched in depth. For historical DNS and enterprise data needs, SecurityTrails has no real peer. Most professionals use two or three of these tools together rather than relying on any one tool exclusively.

Is passive subdomain discovery enough for a pentest?

For most engagements, passive enumeration covers the majority of exposed subdomains — especially against mature organizations whose infrastructure has been exposed to the internet long enough to accumulate CT log entries, passive DNS data, and web crawl records. However, passive sources systematically miss subdomains on recently provisioned infrastructure, internal-only DNS records exposed through misconfigurations, and subdomains created by development teams that were never publicly surfaced. A thorough pentest should combine passive enumeration (Subfinder, crt.sh, SubDomainsFinder) with active DNS brute-force (Amass with a wordlist, puredns, or dnsx) to close those gaps.

What's the difference between active and passive subdomain enumeration?

Passive enumeration queries third-party databases — Certificate Transparency logs, passive DNS datasets, search engine indices, and internet scan archives — without sending any traffic to the target's own DNS servers. This is stealthy and leaves no trace on the target. Active enumeration sends DNS queries directly to the target's DNS infrastructure, typically using wordlists to brute-force potential subdomain names like admin.example.com, api.example.com, and staging.example.com. Active enumeration can discover subdomains that never appeared in any public source, but it generates traffic visible to the target and may trigger IDS alerts. Most professional workflows start with passive enumeration for stealth and coverage, then layer active brute-force on top.

Which subdomain finder finds the most subdomains?

In practice, OWASP Amass with active enumeration and a large wordlist tends to find the most subdomains, particularly when combined with its ASN intelligence and recursive DNS brute-force capabilities. Among passive-only tools, Subfinder fully configured with API keys for Shodan, Censys, SecurityTrails, and Chaos typically produces the broadest passive coverage. The key insight is that no single source has complete data — the more sources you query, the more unique subdomains you find. Running Subfinder plus Amass passive, deduplicating with sort -u, and then running active brute-force on top consistently outperforms any single tool.

Can I use these tools legally?

Legality depends entirely on authorization. Running subdomain enumeration against a domain you own, have explicit written permission to test, or that falls within a bug bounty program's defined scope is legal. Running these tools against domains without authorization is illegal in most jurisdictions under laws like the Computer Fraud and Abuse Act (CFAA) in the US, the Computer Misuse Act in the UK, and equivalent statutes elsewhere. Passive enumeration — querying Certificate Transparency logs or third-party databases — sits in a legal grey area for unauthorized targets since you are not touching the target's infrastructure directly, but active DNS brute-force against unauthorized targets is clearly illegal. Always verify you have authorization before running any recon tool.

What is Certificate Transparency and how does it help find subdomains?

Certificate Transparency (CT) is a public logging framework that requires Certificate Authorities to publish every TLS certificate they issue to public, append-only logs. This was created to detect misissued certificates, but it has the useful side effect of making every subdomain that has ever had a TLS certificate publicly visible forever. Tools like crt.sh, Subfinder, Findomain, and SubDomainsFinder all query CT logs as a primary data source. CT logs are particularly valuable for finding subdomains that have been decommissioned — the certificate remains in the log even after the subdomain is taken offline, which can reveal historical infrastructure and dangling DNS records ripe for subdomain takeover.

How do I find subdomains without installing any tools?

Several strong options exist for browser-based subdomain discovery. SubDomainsFinder.com gives you passive enumeration with IP addresses, open ports, ASN, and CDN/WAF detection in a single view with no account required. DNSDumpster (dnsdumpster.com) provides subdomains alongside DNS records and a network visualization. crt.sh lets you query Certificate Transparency logs directly via a simple web search. For domains with SSL certificates, a crt.sh query like %.example.com in the search box returns every certificate ever issued for any subdomain of example.com. For a no-install workflow, combining SubDomainsFinder with a crt.sh lookup takes under two minutes and covers the major passive sources.
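As an added example (not code from the article or from any of the tools it names), here is the merge-and-deduplicate step from the "which finds the most" answer combined with the crt.sh lookup just described, in Python: it parses the JSON that crt.sh returns for a %.example.com query (the field names common_name and name_value are crt.sh's; the records themselves are constructed), merges it with plain one-host-per-line output in the shape Subfinder and Assetfinder print, keeps only hosts under the in-scope apex, and reports hosts missing from a saved inventory so a recurring run surfaces new exposure. The apex example.com, the sample records and the prior inventory are all assumed.

```python
import json

SCOPE = "example.com"  # assumed in-scope apex; every host is checked against it

# Constructed crt.sh JSON sample; field names are crt.sh's, name_value holds newline-separated names.
CRTSH_JSON = json.dumps([
    {"common_name": "api.example.com", "name_value": "api.example.com\nwww.api.example.com"},
    {"common_name": "*.staging.example.com", "name_value": "*.staging.example.com"},
    {"common_name": "legacy.example.com", "name_value": "LEGACY.example.com"},
    {"common_name": "example.com.evil.net", "name_value": "example.com.evil.net"},
])

# Constructed samples of one-host-per-line output as Subfinder and Assetfinder print it.
SUBFINDER_OUT = "api.example.com\nmail.example.com.\nstaging.example.com\n"
ASSETFINDER_OUT = "admin.example.com\ncdn.example.com\n\n"

def normalize(name):
    """Lowercase, drop a wildcard prefix and trailing dot; None if the host is out of scope."""
    host = name.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]  # *.staging.example.com is evidence that staging.example.com exists
    if host == SCOPE or host.endswith("." + SCOPE):
        return host
    return None  # drops look-alikes such as example.com.evil.net that a substring match would keep

def parse_crtsh(raw_json):
    """Every in-scope host named in crt.sh JSON output, across all names in each record."""
    found = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            host = normalize(name)
            if host:
                found.add(host)
    return found

def parse_list(raw_text):
    """In-scope hosts from plain one-per-line tool output (blank lines are skipped)."""
    return {h for h in (normalize(line) for line in raw_text.splitlines()) if h}

def merge(*sources):
    """Union of all sources, sorted: the `sort -u` step across tool outputs."""
    return sorted(set().union(*sources))

def new_since(previous, current):
    """Hosts present now but absent from the saved inventory: triage these first."""
    return sorted(h for h in current if h not in previous)

# Constructed inventory from a prior run; anything not in it is new attack surface to review.
MERGED = merge(parse_crtsh(CRTSH_JSON), parse_list(SUBFINDER_OUT), parse_list(ASSETFINDER_OUT))
NEW_HOSTS = new_since({"api.example.com", "mail.example.com"}, MERGED)
```

Persist MERGED after each run and feed it back as the inventory next time; the scope check is what keeps CT-log noise for unrelated domains out of the diff.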

Which subdomain tool works best for bug bounty?

For bug bounty, the most effective approach combines multiple tools. Start with SubDomainsFinder.com or Subfinder for quick passive coverage and immediate IP/port context. Add crt.sh for certificate-specific findings. Then run Amass or puredns with a large wordlist like SecLists' dns/subdomains-top1million-110000.txt for active brute-force. Feed the combined unique results into httpx to identify live HTTP services, then prioritize targets by those showing non-CDN IPs (direct origin exposure), unusual ports, or interesting HTTP response patterns. Programs with large scopes reward this layered approach — the subdomains found only by active brute-force, not in any passive source, are often the least-tested and most vulnerable.

Do any of these tools find subdomains that aren't in CT logs?

Yes. Active DNS brute-force tools like Amass (in active mode), puredns, and the brute-force mode in Sublist3r can find subdomains that were never publicly issued a TLS certificate and therefore never appear in CT logs. These include internal subdomains accidentally exposed via wildcard DNS, development and staging environments using self-signed certificates, and recently provisioned services not yet in any passive database. Shodan can also surface hosts that passive DNS and CT logs miss, by discovering services through its internet-wide port scanning. For complete coverage, passive CT-log-based enumeration should always be supplemented with active DNS resolution against a quality wordlist.

Final Thoughts

Subdomain enumeration in 2026 is a solved problem at the tool level — the hard part is choosing the right combination of tools for your specific context and constraints. If you take nothing else from this guide: no single tool is complete on its own. The professionals who consistently find the most subdomains are the ones who layer passive sources from multiple tools, deduplicate aggressively, and then add a targeted active brute-force pass on top. The marginal time investment in running Subfinder plus Assetfinder plus a crt.sh query, then diffing the results, is almost always worth the additional unique subdomains you find.

For quick, accessible recon with immediate infrastructure context — especially when you do not have a CLI environment ready or are doing initial triage — SubDomainsFinder.com is a practical starting point. For deep, automated, production-grade enumeration, Subfinder and Amass are the tools the professional community has converged on for good reasons. Use the comparison table and decision guide above to build the stack that matches your actual workflow, and remember: the goal is not to use the most tools, but to find the most actionable findings with the least wasted effort.
