Subdomain Finder

How This Tool Finds Subdomains

Subdomain discovery by DNS brute force is one of the oldest and most reliable techniques in network reconnaissance. The idea is simple: take a list of names commonly used as subdomains and check each one against the target domain. If api.example.com resolves to an IP address, it exists. If it does not resolve, it does not. No guessing, no scraping, no special permissions needed.

This tool checks over 200 names drawn from real-world usage across thousands of domains: infrastructure names like mail, vpn and ns1; development environments like staging, dev and uat; common web services like api, cdn and static; admin panels, monitoring tools, databases and more. Results appear as each batch of 20 is processed so you can see findings in real time rather than waiting for the full scan to complete.

Understanding the Results

IP Address

The IPv4 address the subdomain resolves to. A subdomain pointing to several different IPs is load balanced, usually behind a cloud provider or CDN. Each IP is linked directly to the full geolocation and ASN lookup on IPWhois.net so you can see who owns the infrastructure at a glance.

CNAME Record

Many subdomains do not point directly to an IP but instead use a CNAME alias pointing to another hostname. This is common with third-party services: help.example.com might CNAME to example.zendesk.com, revealing that the company uses Zendesk for support. CNAME targets often expose which CDN, SaaS platform, cloud provider or marketing tool is behind a given subdomain.

HTTP Status Code

Each active subdomain gets a quick HTTPS probe to see what it returns. A 200 means the subdomain is serving content. A 301 or 302 is a redirect, often to the main domain or a login page. A 403 means the server is there but refusing access. A 404 means something is listening but the path was not found. No response within 3 seconds shows as a dash.

Frequently Asked Questions

Will this find every subdomain?

No, and any tool claiming otherwise is overselling itself. DNS brute force only finds what is in its wordlist. Custom or randomly generated subdomain names will not appear here. For exhaustive enumeration you would combine brute force with certificate transparency log mining, web crawling and passive DNS data. Tools like Amass or Subfinder do exactly that. This tool covers the most common names that appear across real deployments and is useful for a fast overview without setting anything up locally.

What is a wildcard DNS record?

A wildcard entry like *.example.com makes every possible subdomain resolve to the same IP address, whether or not there is actually a service behind it. Some domains use wildcards to catch typos and redirect visitors to the main site. When this tool detects a wildcard it warns you, because in that case every subdomain in the list will technically "resolve" even if nothing is really there. The HTTP status column becomes more important in that situation: a 200 confirms something real is running, while a 404 or no response suggests it is just the wildcard catching the query.
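The wildcard handling described above can be sketched as follows for auditing a domain you operate. This is an added example, not the tool's own code: the function names, labels and the stub resolver are assumptions, and the sample zone is constructed so the block runs offline. In real use, `resolve` and `http_status` would wrap your DNS and HTTPS clients.

```python
import secrets

def detect_wildcard(domain, resolve, probes=3):
    """Return the IPs a wildcard answers with, or an empty set if there is none."""
    seen = set()
    for _ in range(probes):
        # A random 16-hex-char label will not be a deliberately created record.
        ips = resolve(f"{secrets.token_hex(8)}.{domain}")
        if not ips:
            return frozenset()   # a random name failed to resolve: no wildcard
        seen.update(ips)
    return frozenset(seen)

def classify(domain, words, resolve, http_status):
    """Label each resolving name, using HTTP status to break wildcard ties."""
    wildcard_ips = detect_wildcard(domain, resolve)
    labels = {}
    for word in words:
        host = f"{word}.{domain}"
        ips = set(resolve(host))
        if not ips:
            continue                              # does not resolve
        if not (wildcard_ips and ips <= wildcard_ips):
            labels[host] = "distinct-record"      # answer differs from wildcard
            continue
        status = http_status(host)
        if status == 200:
            labels[host] = "likely-real"          # page: 200 confirms a service
        elif status in (404, None):
            labels[host] = "wildcard-only"        # page: 404 or no response
        else:
            labels[host] = "inconclusive"         # e.g. 301/302/403
    return labels

# Constructed sample zone (documentation IP ranges), so the example runs offline.
RECORDS = {"api.example.com": ["203.0.113.10"], "www.example.com": ["198.51.100.7"]}
STATUS = {"www.example.com": 200, "staging.example.com": 404, "admin.example.com": 403}
WORDS = ["api", "www", "staging", "vpn", "admin"]

def make_resolver(wildcard_ips):
    """Stub resolver: explicit records first, then the wildcard answer (if any)."""
    return lambda host: RECORDS.get(host, list(wildcard_ips))

if __name__ == "__main__":
    resolver = make_resolver(["198.51.100.7"])
    for host, label in classify("example.com", WORDS, resolver, STATUS.get).items():
        print(f"{host:24} {label}")
```

The "inconclusive" label covers status codes the wildcard guidance above does not address, such as redirects and 403s, which need a manual look.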

Is it legal to run this on any domain?

DNS queries are public by design. Anyone can look up DNS records for any domain, which is why tools like this exist. That said, if you are doing security testing rather than just satisfying curiosity, you should have explicit permission from the domain owner before proceeding beyond passive DNS lookups.

Why does the scan run in batches?

Each DNS query and HTTP probe has a timeout. Firing all 200 simultaneously would overwhelm the timeout handling and produce incomplete results. Processing 20 at a time keeps each batch fast and reliable and lets results stream to the page progressively instead of making you wait for a single long response.