curl "https://domscan.net/v1/subdomains?domain=example.com"
Example Response
{
"domain": "example.com",
"subdomains": [
"www.example.com",
"api.example.com",
"mail.example.com",
"dev.example.com",
"staging.example.com"
],
"count": 5,
"sources": ["ct_logs", "dns"],
"scan_time_ms": 1250
}
Key Features
CT Log Discovery
Find subdomains from Certificate Transparency logs.
DNS Enumeration
Intelligent DNS queries to discover common subdomain patterns.
Passive Reconnaissance
Non-intrusive discovery without touching target servers.
Asset Discovery
Find forgotten or shadow IT subdomains.
Security Assessment
Map attack surface for penetration testing.
Historical Data
Discover subdomains from historical certificate records.
Fast Results
Typical scans complete in under 2 seconds.
API Integration
Easy to integrate into security workflows and tools.
Frequently Asked Questions
We combine multiple sources: Certificate Transparency logs (which contain all SSL certificates ever issued), DNS enumeration of common patterns, and aggregated subdomain databases.
Yes. We use publicly available data sources (CT logs are public by design, DNS is public). We do not perform active scanning or brute-force enumeration.
CT logs capture any subdomain that has ever had an SSL certificate. For subdomains without SSL, we use common pattern matching. Results are very comprehensive but may not capture all internal-only subdomains.
Subdomain discovery is the first step in security assessment. Finding forgotten dev/staging subdomains or shadow IT often reveals security weaknesses.
Discover Subdomains
Start for free with 10,000 credits per month. Start checking domains in seconds.
View Full API Documentation