OSINT: Finding Subdomains

If you work in security consulting, bug bounties, or network intelligence, sooner or later you need to enumerate subdomains. It comes up from both sides of the table - a consultant mapping a client’s internet presence, or a company auditing its own footprint. In more than a decade of doing this, the recurring surprise is how often organisations have no idea what old assets they’re still running. Those forgotten hosts are exactly what gets exploited: to damage a brand, to reach the network itself, or as a quiet hop toward data everyone assumed was well guarded.

The most common approach I’ve relied on is an old-school Google search with dorks: site:example.com. To dig deeper you iterate, subtracting the subdomains you’ve already seen - site:example.com -www, then site:example.com -www -test, and so on - pushing past example.com, www.example.com, test.example.com, and the rest. Over time I also tried purpose-built tools like Pentest-Tools, DNSDumpster, Cloudpiercer, and Netcraft. Most were either expensive or underwhelming. Meh.

Then, during a conversation with the SPYSE team - the same crew behind CertDB - I learned about their newer project, FindSubdomains: a free, genuinely excellent tool for enumerating subdomains. I’d already covered CertDB in detail, and after FindSubdomains impressed me just as much, it earned its own review. It doesn’t just list subdomains - it surfaces a wealth of intelligence alongside them:

  1. IP addresses
  2. DNS records
  3. Countries
  4. Subnets
  5. AS blocks
  6. Organization names

Any of these can be used to filter or search the results - which is genuinely powerful.

So how does FindSubdomains stack up against the usual options? Let’s benchmark them on a single domain - apple.com. Starting with the old-school Google search: it falls apart after four or five iterations, and the moment you try to automate it, Google throws a reCAPTCHA. It’s fine for eyeballing a handful of targeted domains, but useless for enumerating subdomains at scale. Not recommended for this.

Pentest-Tools next - though it isn’t free and wants you to buy credits. On a free search the results were unconvincing: just 87 subdomains for apple.com, with little more than the subdomain and its IP address. Netcraft and DNSDumpster were similarly disappointing - Netcraft returned 180 records with no way to download or filter them, and DNSDumpster capped out at 150 behind a clunky UI. In short, none of them delivered a clean, intelligent list of subdomains.

Is it any different - any better?

The short answer: absolutely. Credit to the SPYSE team - it’s far better than anything I’d used before.

The same apple.com search through FindSubdomains returned 1,900+ subdomains. Remarkable.

Where the others failed to break even 200 results, FindSubdomains nailed it with over 1,900. Bravo.

And all 1,900+ are yours without a single cent, a pop-up ad, a credit system, or a cap. You can browse them in the UI or download the lot as a TXT file, and each entry carries its IP address, geographic region, IP segment, and AS block. That’s remarkable open-source intelligence in seconds - no scripts, no endless iterations.

The SPYSE team fully live up to the project’s stated goal:

FindSubdomains is designed to automate subdomain discovery. This task often falls to security specialists studying a company as a black box in search of vulnerabilities - and to marketers and entrepreneurs competitively analysing other players, hoping to spot a competitor’s new direction early, or to learn about their internal infrastructure.

Search and Filter

The filters are excellent when you need something specific from a domain, a subdomain, or any of the fields above. There are also some ready-made views worth bookmarking:

  1. Top 100 sites and their subdomains
  2. Sites with the most subdomains
  3. Top countries by subdomain count - e.g. United States, India, China
  4. Most common subdomain names - my favourite

That last one is handy when surveying a client’s network, or when you want to surprise a client with the scale of their own digital footprint.

Dashboard and Custom Tasks

After signing in - and sign-up is painless - you land on a dashboard showing Total, Ongoing, and Remaining tasks. You can kick off a new task by domain or by word; the word search is handy when you don’t know the full domain name. These custom tasks supplement anything missing from the main site or the existing database (which, believe me, is huge). Each task can return up to 50,000 subdomains and takes around six minutes - you can set an alert and get an email when it finishes.

Under the hood, it combines several techniques:

  1. Crawling the site and analysing its pages and resource files to infer subdomains;
  2. AXFR (DNS zone transfer) requests, which for some domains still leak a surprising amount;
  3. Searching and matching against historical data.

Impressive as it is, I’d have loved an API - a programmable way to run tasks from the command line. I can probably rig something up with curl, but a proper API key would have made automation far more comfortable.

Usage Scenarios

A few ways I put this tool to work:

  1. Reconnaissance during a pentest - gathering information on the target network.
  2. As a supporting tool for network intelligence on firms and their domains.
  3. Auditing your own company’s network and digital footprint - you’ll often be surprised by the unaccounted exposure.
  4. Tracking external-facing subdomains - UAT, SIT, staging, and the like - that should be locked down or allow-listed. It’s alarming how often these environments are wide open, and how often they hold production data.
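Once you have the downloaded TXT export (subdomain, IP, region, segment, AS block), the audit in scenarios 3 and 4 is mostly a filtering job. The script below is an added example, not FindSubdomains' own code or export format: it assumes a comma-separated layout of subdomain, IP, country, subnet and AS block (the real column order is not documented here), flags hosts whose leftmost label looks like a UAT/SIT/staging/test environment, and counts subdomains per AS block so you can see which provider hosts the exposure.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export. The real FindSubdomains TXT layout is not shown on
# this page, so the column order (subdomain, IP, country, subnet, AS) is assumed.
SAMPLE_EXPORT = """\
www.example.com,203.0.113.10,US,203.0.113.0/24,AS64500
uat.example.com,203.0.113.11,US,203.0.113.0/24,AS64500
staging-api.example.com,198.51.100.7,IN,198.51.100.0/24,AS64501
sit.payments.example.com,198.51.100.8,IN,198.51.100.0/24,AS64501
mail.example.com,192.0.2.25,US,192.0.2.0/24,AS64502
"""

# Leftmost-label patterns for the non-production environments named in the text.
NONPROD = re.compile(r"^(uat|sit|staging|stage|test|dev|qa)([-.]|$)", re.IGNORECASE)


def parse_export(text):
    """Parse the assumed CSV-style export into dicts, skipping malformed lines."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 5:
            continue
        host, ip, country, subnet, asn = (f.strip() for f in rec)
        rows.append({"host": host, "ip": ip, "country": country,
                     "subnet": subnet, "asn": asn})
    return rows


def flag_nonprod(rows):
    """Return hosts whose leftmost label looks like UAT/SIT/staging/test."""
    return [r for r in rows if NONPROD.match(r["host"])]


def group_by_as(rows):
    """Count subdomains per AS block to see where the footprint is hosted."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["asn"]] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for r in flag_nonprod(rows):
        print(f"review access controls: {r['host']} ({r['ip']}, {r['asn']})")
    print(group_by_as(rows))
```

Swap SAMPLE_EXPORT for the contents of the downloaded file and adjust the column order once you have checked the real export.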

To sum up: after CertDB, this is another tool that shows the potential of the SPYSE team. FindSubdomains has made subdomain discovery genuinely faster and easier for me, and I’d happily recommend it to anyone who needs to find subdomains.