All Tools Domain Search & Pricing Domain & Web Intelligence DNS & Network Security & Email Identity & Business Monitoring Workflow Recipes

Subdomain Finder

Review public hostname evidence with clear source labels

Searching for subdomains...
Subdomains Found (0)
Interactive intelligence tool

Run the check, then ship the workflow

Use the browser tool for a fast answer, then move the same logic into scripts, monitoring, or product flows when it becomes repeatable.

1
Start with the live form

Enter a domain, URL, IP, email, or record and get a focused result without setup.

2
Review decision-ready signals

Outputs highlight statuses, risks, records, and next actions instead of raw provider noise.

3
Automate the winning workflow

Use the request and response examples to turn a one-off check into an API call or recipe.

What this tool helps you decide

Each page is shaped around a practical operational question, not just a raw lookup.

Signal

See the current DNS, registration, security, pricing, or reputation evidence.

Context

Compare the result with related checks so the next move is easier to trust.

Action

Copy examples, open linked tools, or move into API documentation when you need scale.

Trust signals before you integrate

Transparent docs, authenticated requests, and visible reliability details make it easier to evaluate DomScan before you ship.

Service status API artifacts

OpenAPI, Swagger, Postman, CLI, SDK, and MCP links are one click away.

API keys Protected access

Authenticated endpoints use API keys with clear credit costs before you call them.

Free allowance Sign Up for Free

Start with 10,000 monthly credits and upgrade only when usage grows.

Active Example Request

Start from the curl and HTTP samples, then map the parameters into your application code.

Key Features

Subdomain Finder - Free Tool | DomScan

DomScan tries crt.sh first. If it does not return hostnames, the pipeline can try HackerTarget, ThreatMiner, the Wayback Machine, and CertSpotter. It does not brute-force names or crawl the target site. Optional DNS verification checks only names already returned by discovery.

Find Subdomains

Compare the result with a known asset list, review old hostnames, or seed an authorized security inventory. Because passive coverage has gaps, this should not be your only discovery method.

Check Domain Health

Use GET /v1/subdomains?domain=example.com&sources=ct. The ct value selects the compatibility pipeline, while each entry reports its actual evidence source. Cache-only misses return 202 and all-source failures return 503; both refund credits.

Example Request

Example Request http
GET /v1/subdomains?domain=example.com&sources=ct

Example Response

Example Response json
{
  "domain": "example.com",
  "subdomains": [
    {
      "name": "api.example.com",
      "source": "crtsh",
      "first_seen": "2025-01-15T00:00:00Z",
      "verified": false,
      "dns_records": null
    }
  ],
  "summary": {
    "total_found": 1,
    "returned": 1,
    "verified_count": 0,
    "unverified_count": 1,
    "sources_used": ["crtsh"],
    "apex_included": false,
    "wildcard_suppressed_count": 0,
    "wildcard_returned_count": 0
  },
  "intelligence_summary": {
    "data_sources": ["crtsh"],
    "source_count": 1,
    "cache_status": "live",
    "returned_count": 1,
    "total_found": 1,
    "truncated": false,
    "limit": 500,
    "verification_requested": false,
    "include_wildcards": false,
    "verified_count": 0,
    "verified_ratio": 0,
    "live_dns_record_count": 0,
    "apex_included": false,
    "wildcard_suppressed_count": 0,
    "wildcard_returned_count": 0,
    "first_seen_oldest": "2025-01-15T00:00:00Z",
    "first_seen_newest": "2025-01-15T00:00:00Z",
    "warning_count": 0
  },
  "meta": {
    "query_time_ms": 184,
    "cached": false
  }
}

Built from the same API surface

The browser experience previews DomScan's structured endpoints, so teams can validate a use case before writing code.

Frequently Asked Questions

How does subdomain discovery work?

DomScan tries crt.sh first. If it does not return hostnames, the pipeline can try HackerTarget, ThreatMiner, the Wayback Machine, and CertSpotter. It does not brute-force names or crawl the target site. Optional DNS verification checks only names already returned by discovery.

Why would I want to find a domain's subdomains?

Compare the result with a known asset list, review old hostnames, or seed an authorized security inventory. Because passive coverage has gaps, this should not be your only discovery method.

Are these all the subdomains that exist?

No. This is best-effort passive coverage. Internal names and public hosts missing from the source datasets will not appear, and DNS verification does not search for additional names.

Is there an API for automated subdomain enumeration?

Use GET /v1/subdomains?domain=example.com&sources=ct. The ct value selects the compatibility pipeline, while each entry reports its actual evidence source. Cache-only misses return 202 and all-source failures return 503; both refund credits.

Related Tools & Resources