Frequently Asked Questions

SubDomains Finder is an OSINT (Open Source Intelligence) tool that helps you discover subdomains associated with any domain. We aggregate publicly available data from various internet sources to provide comprehensive subdomain enumeration without performing any active scanning.

Yes, SubDomains Finder is completely legal. We only aggregate and display publicly available information from the internet. No active scanning, probing, or intrusive reconnaissance is performed. All data comes from public sources like Certificate Transparency logs, DNS records, and historical scan databases.

No, we do not perform any active scanning. When you search for a domain, we query our database of cached information gathered from public sources. No packets are sent to the target domain, and no traces are left on the target infrastructure.

Our data is aggregated from multiple public sources including: Certificate Transparency logs (crt.sh), historical internet scan databases (Shodan, Censys), public DNS records, WHOIS information, and web archives. These are all publicly accessible sources of information.

Our cached data is refreshed periodically. While we strive to provide up-to-date information, some data may reflect the state of domains at the time of the last cache update. For the most current information, you can request a fresh lookup if available.

For each subdomain discovered, we can provide: the subdomain name, associated IP addresses, ASN (Autonomous System Number) information, detected open ports, running services, CPE (Common Platform Enumeration) data for software identification, and geographic location of hosting.

Absolutely! One of the primary use cases is for organizations to understand their own attack surface. Security teams use our tool to discover forgotten assets, shadow IT, and potentially vulnerable services within their own infrastructure.

We are working on providing API access for programmatic queries. For enterprise and business inquiries regarding API access, please contact us at business@subdomainsfinder.com.

CPE (Common Platform Enumeration) is a standardized naming scheme for IT systems, software, and packages. CVE (Common Vulnerabilities and Exposures) is a list of publicly disclosed security vulnerabilities. When we detect software versions, we can sometimes correlate this with known vulnerabilities.

Active scanning tools like Nmap or masscan send packets directly to target systems to discover services. This can be detected, may be legally questionable without authorization, and can potentially disrupt services. Our tool is entirely passive - we only aggregate existing public data.

Our database relies on public data sources. Subdomains that have never been indexed, are behind firewalls, use wildcard DNS, or are very new may not appear in our results. Active enumeration tools might find additional subdomains through brute-forcing, but that's beyond our passive approach.

We may log searches for rate limiting and abuse prevention purposes. We do not share individual search queries with third parties. For more details, please refer to our privacy practices.

If you discover exposed services or potential vulnerabilities in your own organization, we recommend following responsible disclosure practices. For third-party organizations, only report vulnerabilities through official bug bounty programs or responsible disclosure channels. Never exploit or access systems without authorization.

Our data comes from public sources that we don't control. To reduce your internet footprint, consider: removing unnecessary DNS records, properly configuring firewalls, using wildcard certificates strategically, and following security best practices. The visibility reflects what's publicly accessible.

Yes! Many bug bounty hunters use OSINT tools like ours for reconnaissance. Since we don't actively scan targets, using our tool falls within the scope of most bug bounty programs. Always verify the program's rules regarding reconnaissance tools.