Subfinder
Fast passive subdomain discovery tool querying 40+ data sources for stealthy reconnaissance without sending requests to the target.
# Subfinder
Subfinder is a passive subdomain enumeration tool developed and maintained by ProjectDiscovery. It exists because attack surface visibility requires knowing every subdomain an organization exposes to the internet, and manual discovery cannot keep pace with the rate at which infrastructure changes. Subfinder solves the problem of comprehensive, non-intrusive subdomain discovery by querying dozens of passive data sources simultaneously, returning results without sending a single packet to the target itself. Security teams use it during reconnaissance to map the external attack surface before an engagement begins, and defenders run it continuously to detect new subdomains that may have been provisioned outside of formal change management. Its speed, breadth of source coverage, and clean output format make it a foundational tool in any external reconnaissance workflow.
---
Subfinder is a passive reconnaissance tool written in Go, distributed as an open-source binary under the MIT license by ProjectDiscovery. Its technical function is to query third-party passive data repositories and aggregate all known subdomain records associated with a given root domain. The tool returns these results as deduplicated lists suitable for downstream processing, optionally filtered through live DNS resolution to confirm active hosts.
Subfinder is not an active scanner. It does not send DNS queries to the target's authoritative nameservers, does not perform zone transfers, and does not interact with any infrastructure owned or operated by the target organization. This distinguishes it from tools like dnsx (which resolves DNS directly), Nmap (which sends packets to live hosts), or Gobuster in DNS mode (which brute-forces subdomains against resolvers). Subfinder purely reads what third parties have already indexed.
Subfinder is also distinct from Amass, another popular subdomain enumeration tool. Amass supports both passive and active modes, performs graph-based analysis of DNS infrastructure, and maps organizational relationships. Subfinder is intentionally narrower in scope: fast passive data aggregation optimized for high coverage and pipeline integration, not deep infrastructure mapping.
Subfinder does not replace a full asset inventory system. It discovers subdomains that have been observed by external parties, but it will not surface internal subdomains, subdomains that have never been crawled or indexed, or infrastructure that has only existed briefly. It is a starting point, not a complete picture.
The tool ships with support for over 50 passive sources and accepts a provider configuration file in YAML format where API keys for premium services are stored. Without API keys, coverage is meaningful but limited. With a full complement of API keys, coverage becomes significantly broader, particularly for targets with mature online presence and historical infrastructure.
---
When Subfinder is invoked with a target domain, it initializes a concurrent query engine that dispatches requests to each configured passive source simultaneously. The architecture is source-agnostic: each data provider is implemented as a separate module conforming to a common interface, which means adding new sources requires minimal code changes and the query logic scales horizontally.
## Source Categories and Their Role
Subfinder draws from several categories of passive data sources. Certificate transparency logs, including crt.sh and Certspotter, record every TLS certificate issued by trusted certificate authorities. Because modern TLS certificates enumerate the domains they cover (including wildcard certificates that reveal the structure of subdomain naming conventions), CT logs are among the richest sources of subdomain intelligence. A company that provisions a certificate for api.payments.example.com and admin.payments.example.com has effectively published those names to a public ledger.
DNS aggregators like DNSdumpster and RapidDNS maintain historical DNS records gathered through passive DNS sensors distributed across the internet. These sensors observe DNS resolution traffic without intercepting it and record the mappings they see, building databases of historical name-to-IP relationships. Subfinder queries these databases to surface subdomains that may no longer be active but were previously resolvable.
Threat intelligence platforms including VirusTotal, Shodan, Censys, and SecurityTrails maintain their own subdomain indexes, built through active crawling, passive DNS, certificate ingestion, and customer-submitted data. SecurityTrails in particular maintains one of the most comprehensive historical DNS databases available, making it an extremely high-value source when an API key is configured.
Search engines contribute through their public search APIs, surfacing subdomains that appear in indexed web content. Web archive services like the Wayback Machine and Common Crawl similarly expose subdomains referenced in archived pages, capturing infrastructure that may have been retired but was once publicly accessible.
## The Query and Deduplication Pipeline
Each source module returns a raw list of subdomain strings. Subfinder normalizes these strings, strips wildcards, and deduplicates across all sources before presenting output. This means a subdomain discovered by five different sources appears only once in the final list. The deduplication logic handles case normalization, trailing-dot removal, and other formatting inconsistencies introduced by different source APIs.
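The normalization and deduplication steps just described, written out as an added Go example (not Subfinder's own code): names are trimmed, lower-cased, stripped of a trailing dot and a leading wildcard label, scoped to the root domain so a source cannot smuggle in an out-of-scope name, and merged across sources into one sorted list. The source names and sample inputs are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// normalizeName applies the cleanup steps described above to one raw string from
// a passive source: trim, lower-case, drop a trailing dot, strip a "*." wildcard
// label, and keep only the root itself or names under it. Returns "" to discard.
func normalizeName(raw, root string) string {
	name := strings.ToLower(strings.TrimSpace(raw))
	name = strings.TrimPrefix(strings.TrimSuffix(name, "."), "*.")
	root = strings.ToLower(strings.TrimSuffix(root, "."))
	if name == root || strings.HasSuffix(name, "."+root) {
		return name
	}
	return ""
}

// dedupeSources merges the raw lists of every source into one sorted,
// deduplicated slice, so a name seen by five sources appears once.
func dedupeSources(root string, sources map[string][]string) []string {
	seen := make(map[string]bool)
	for _, names := range sources {
		for _, raw := range names {
			if n := normalizeName(raw, root); n != "" {
				seen[n] = true
			}
		}
	}
	out := make([]string, 0, len(seen))
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample input imitating the formatting quirks of different APIs.
	sources := map[string][]string{
		"crtsh":    {"*.payments.example.com", "API.Payments.example.com"},
		"rapiddns": {"api.payments.example.com.", "legacy-auth.example.com", "example.com.evil.test"},
	}
	for _, n := range dedupeSources("example.com", sources) {
		fmt.Println(n)
	}
}
```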
## Optional DNS Resolution
By default, Subfinder does not resolve discovered subdomains. It simply returns the list of names. When the -r or --resolve flag is used, Subfinder pipes the discovered names through a DNS resolution step using configurable resolvers. Only names that resolve successfully are included in the final output. This step introduces a small amount of network activity, but it is directed at public DNS resolvers (such as 1.1.1.1 or 8.8.8.8), not the target's infrastructure. The target organization does not observe this resolution activity.
## Practical Scenario: Pre-Engagement Reconnaissance
Consider a penetration tester engaged to assess the external attack surface of a mid-sized financial services firm with the root domain examplefinancial.com. The tester runs Subfinder with a full provider configuration file containing API keys for Shodan, SecurityTrails, VirusTotal, and Censys. Within two to three minutes, Subfinder returns 340 unique subdomains. The tester pipes this output directly to httpx to identify which subdomains are serving live HTTP or HTTPS responses. Of the 340 discovered names, 214 resolve to live hosts. Among those, httpx identifies a host at legacy-auth.examplefinancial.com serving an outdated SSO portal that the security team believed had been decommissioned. That forgotten asset becomes the first target of the engagement.
This scenario illustrates the core value of Subfinder: it surfaces what actually exists, not what stakeholders believe exists.
## Integration and Automation
Subfinder is designed for pipeline use. Its output can be piped directly into httpx for HTTP probing, Nuclei for templated vulnerability scanning, or Katana for web crawling; Nuclei, ProjectDiscovery's automation platform, accepts Subfinder output natively. For continuous monitoring, Subfinder can be run on a scheduled basis and its output diffed against a previous baseline to detect newly appearing subdomains, which may indicate shadow IT, unauthorized provisioning, or acquisition integration gaps.
Configuration is managed through a YAML file at ~/.config/subfinder/provider-config.yaml. This file maps each source name to one or more API keys, allowing the tool to authenticate with premium data sources. Rate limiting is handled per-source to avoid API throttling. Concurrency is configurable with the -t flag, and timeout controls prevent slow sources from blocking the pipeline.
---
Organizations consistently underestimate the size of their external attack surface. Internal asset inventories are maintained by IT and security teams and reflect what those teams know about. Subfinder reveals what the internet knows about, which is often a different and larger set of assets.
Forgotten subdomains are not merely a cosmetic problem. A decommissioned subdomain that still resolves to an active IP address may be running software that has not received security updates in years. A subdomain pointing to a cloud service that has since been removed can be vulnerable to subdomain takeover, where an attacker registers the underlying resource and begins serving content from the organization's domain. Subdomain takeover has been documented as a real attack vector against organizations of all sizes. In 2019, a researcher demonstrated subdomain takeover vulnerabilities across dozens of major organizations by identifying subdomains with dangling CNAME records pointing to unclaimed cloud storage buckets, GitHub Pages, and Heroku instances. In several cases, the affected organizations were unaware the subdomains existed.
Without regular passive enumeration, security teams operate on stale asset inventories. Vulnerability management programs that scope assessments based on known assets will miss exposure on unknown subdomains. Bug bounty programs may receive researcher-reported findings on assets the security team did not know were in scope.
A common misconception is that passive enumeration is only useful for offensive operations. Defenders benefit equally. Running Subfinder against your own domain on a weekly basis, diffing the output against a known-good baseline, and routing new discoveries through a vulnerability scanner is a concrete, low-cost defensive operation that can detect shadow IT, misconfigured infrastructure, and unauthorized provisioning before attackers find it.
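The scheduled baseline diff described in the Integration section and again in the paragraph above, as an added Go example (not part of the original article or of Subfinder): two saved Subfinder snapshots are compared, newly appearing names are routed to triage, and names that vanished are flagged for a check that their DNS records were actually removed. The snapshot contents are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

func toSet(snapshot string) map[string]bool { // one normalized name per line
	set := make(map[string]bool)
	for _, line := range strings.Split(snapshot, "\n") {
		if name := strings.TrimSpace(line); name != "" {
			set[name] = true
		}
	}
	return set
}

// missingFrom returns the names in a that are absent from b, sorted.
func missingFrom(a, b map[string]bool) []string {
	var out []string
	for name := range a {
		if !b[name] {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// diffSnapshots returns names that appeared since the baseline (the triage
// queue) and names that vanished (candidates for a dangling-record check).
func diffSnapshots(baseline, current string) (added, removed []string) {
	base, cur := toSet(baseline), toSet(current)
	return missingFrom(cur, base), missingFrom(base, cur)
}

func main() {
	// Constructed snapshots standing in for two scheduled runs a week apart.
	baseline := "www.example.com\napi.example.com\nlegacy-auth.example.com\n"
	current := "www.example.com\napi.example.com\nstaging-db.example.com\n"
	added, removed := diffSnapshots(baseline, current)
	for _, n := range added {
		fmt.Println("NEW ", n, ": confirm owner, authorization and patch state")
	}
	for _, n := range removed {
		fmt.Println("GONE", n, ": confirm the record is removed, not dangling")
	}
}
```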
Another misconception is that HTTPS usage prevents subdomain discovery. Certificate transparency logs exist specifically because certificates are public records. An organization that provisions a certificate for any subdomain has added that subdomain to a permanent, publicly searchable log. The remedy is not to avoid certificates but to maintain awareness of every name an organization is certifying and to treat those names as part of the managed attack surface.
---
CDA approaches external attack surface management through the Planetary Defense Model, with Subfinder positioned firmly within the Verified Surface Discovery (VSD) domain. VSD is the systematic process of identifying every asset an organization exposes to external parties, regardless of whether internal teams are aware of it. Subfinder is a primary instrument in that process.
CDA's methodology, Continuous Surface Reduction (CSR), is grounded in a single operational principle: every surface you expose is a surface we eliminate. This means attack surface work is not a point-in-time assessment. CDA runs Subfinder and equivalent passive enumeration tools on a scheduled cadence against all client root domains, compares output against the current verified asset registry, and escalates any new subdomain for immediate triage. The triage question is always the same: is this asset known, authorized, and current in its patch and configuration state?
Where most engagements treat subdomain discovery as a one-time reconnaissance step, CDA treats it as a continuous monitoring function. A subdomain that appears between Tuesday and Wednesday may represent a developer provisioning a staging environment, an acquired company's infrastructure being merged into the parent domain, or unauthorized activity. The tool itself does not distinguish these cases. The CDA analyst does, by correlating new subdomain discoveries against change management records, cloud provisioning logs, and asset ownership databases.
CDA also extends Subfinder's output through the Threat Intelligence and Detection (TID) domain. Newly discovered subdomains are automatically submitted to a downstream scanning pipeline that runs Nuclei templates covering known vulnerabilities, exposed configuration files, and subdomain takeover conditions. This means the time between a subdomain appearing in passive data sources and a security team being aware of its risk posture is measured in hours, not weeks.
CDA's specific operational differentiation is the integration of Subfinder output into a continuous asset graph rather than a flat list. Each discovered subdomain is linked to its certificate history, associated IP ranges, hosting provider, and historical DNS records. This graph supports lateral reasoning: if a newly discovered subdomain shares infrastructure with a known asset that carries a critical vulnerability, that relationship is surfaced automatically.
---
Written by CDA Editorial