The vocabulary of the Subdomain Finder API

The 8 fields and concepts you'll meet in the response — defined in plain English, each with a real example value.

8 terms
DNS2

Subdomain

A domain that is part of a larger domain, appearing before the main domain name.

Subdomains segment a domain for different purposes: www.example.com, api.example.com, mail.example.com. They can have different servers, SSL certificates, and configurations. From a security perspective, each subdomain is a separate asset to monitor and secure.

Exampleblog.example.com, shop.example.com, admin.example.com

Wildcard DNS

A DNS configuration where any subdomain query returns the same IP address.

Wildcard records (*.example.com) match any subdomain. This complicates enumeration because every guess returns "valid." Detection involves querying obviously fake subdomains—if they resolve, a wildcard is in place. Wildcards are common on CDNs and some hosting platforms.

Example*.example.com → 192.0.2.1 (any subdomain resolves)

Discovery Methods3

Certificate Transparency

A public log system that records all SSL/TLS certificates issued by certificate authorities.

CT logs were created to detect misissued certificates. Since certificates contain domain names, searching CT logs reveals subdomains with SSL. Major CT logs are operated by Google, DigiCert, and others. This is the most effective subdomain discovery source.

Examplecrt.sh searches CT logs for certificate records

DNS Brute Force

Testing common subdomain names via DNS queries to discover valid subdomains.

Brute force uses wordlists of common names (www, mail, api, dev, ftp, vpn) and queries each against the target domain. Valid subdomains return IP addresses; invalid ones return NXDOMAIN. Effective for predictable names but misses unique subdomains.

ExampleTesting mail.target.com, www.target.com, api.target.com

Zone Transfer

A DNS mechanism (AXFR) to replicate zone data between servers, sometimes exploited for enumeration.

Zone transfers allow secondary DNS servers to copy records from primary servers. Properly configured servers only allow transfers to authorized secondaries. Misconfigured servers may respond to any request, revealing all DNS records including subdomains.

Exampledig axfr @ns1.target.com target.com

Security2

Attack Surface

All points where an attacker could potentially enter or extract data from a system.

For domains, the attack surface includes all subdomains, services, APIs, and applications. Larger attack surfaces have more potential vulnerabilities. Attack surface management involves discovering, inventorying, and securing all exposed assets.

ExampleA company's attack surface includes web servers, APIs, mail servers, VPNs

Shadow IT

Technology resources deployed without IT department knowledge or approval.

Shadow IT often appears as unauthorized subdomains—marketing sets up landing pages, developers create test environments, departments deploy SaaS tools. These unmanaged assets frequently have security gaps. Subdomain enumeration helps discover shadow IT.

ExampleMarketing deploys campaign.company.com without IT approval

Management1

Asset Inventory

A catalog of all IT assets, including domains, servers, and services.

Asset inventories track what an organization owns and exposes. Comparing subdomain discoveries against inventory reveals unknown assets (shadow IT) or missing assets (inventory gaps). Continuous discovery keeps inventories accurate.

ExampleSpreadsheet or CMDB listing all company domains and their purposes

See these fields live. Run the Subdomain Finder API free — no card, no signup wall.

Scaling up?

Volume pricing, custom SLAs, and dedicated support for high-traffic teams.

Contact sales