Subdomain enumeration uses multiple techniques to discover all subdomains of a target domain. Understanding these methods helps you appreciate what subdomain finders can and cannot discover.
Certificate Transparency Logs
Certificate Transparency (CT) logs are public records of all SSL/TLS certificates issued. Since certificates include domain names, searching CT logs reveals subdomains with HTTPS. This is highly effective—any subdomain with an SSL certificate will appear. Tools query CT logs from Google, DigiCert, and other log operators.
DNS Brute Force
Brute force tries common subdomain names (www, mail, api, dev, staging) against the target domain via DNS queries. Wordlists contain thousands of common names. This finds subdomains with predictable names but misses unique or random ones. Rate limiting and DNS response analysis prevent detection.
Public Data Sources
Search engines, web archives (Wayback Machine), DNS datasets (SecurityTrails, VirusTotal), and WHOIS records contain subdomain references. Aggregating these sources provides historical and current subdomain data. Some subdomains only appear in these sources if they've been crawled or recorded.
DNS Zone Transfer
Zone transfers (AXFR) request the complete DNS zone file—listing all records. Properly configured servers reject transfers from unauthorized parties. Misconfigured servers may leak their entire zone, revealing all subdomains. This is a configuration vulnerability.