# Subdomain Finder - Discover Subdomains via CT Logs (`logiover/subdomain-finder`) Actor Discover every subdomain of any domain using Certificate Transparency logs (crt.sh). Fast bulk subdomain enumeration for security recon, attack-surface mapping, asset discovery and SEO. No API key — export to CSV or JSON. - **URL**: https://apify.com/logiover/subdomain-finder.md - **Developed by:** [Logiover](https://apify.com/logiover) (community) - **Categories:** Developer tools, SEO tools - **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, 0 bookmarks - **User rating**: No ratings yet ## Pricing from $3.50 / 1,000 results This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events. Since this Actor supports Apify Store discounts, the price gets lower the higher subscription plan you have. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## Subdomain Finder 🔍 — Discover Subdomains via Certificate Transparency **Find every known subdomain of any domain in seconds.** This **subdomain finder** performs passive **subdomain enumeration** straight from public **Certificate Transparency (CT) logs** via [crt.sh](https://crt.sh) — so you can **find all subdomains of a domain** without ever touching the target's infrastructure. One root domain can return hundreds to thousands of unique subdomains. **No API key, no login, no rate-limited third-party service.** It's the essential first step for security recon, **attack surface** mapping, asset discovery, OSINT and SEO — with one clean row per subdomain, exportable to CSV or JSON. > Looking for a free **subdomain enumeration tool**, a **subdomain lookup**, a **certificate transparency search** over **crt.sh**, or a way to **find subdomains of a domain** in **bulk**? This actor does the full discover-and-export at scale, with **no API key**. --- ### ✨ Key features - 🛰️ **Passive subdomain enumeration** — pulls subdomains from Certificate Transparency logs, never scanning or probing the target directly. - 📈 **High volume** — a single root domain can yield hundreds to thousands of unique subdomains in one run. - 🗂️ **Bulk multi-domain** — pass a whole list of root domains and enumerate them all in a single run. - 🌿 **Wildcard handling** — leading `*.` wildcards are always stripped and deduped; optionally keep wildcard-only entries. - ✅ **Optional live filter** — `onlyResolvable` checks each subdomain with a DNS-over-HTTPS A lookup and keeps only the ones that currently resolve. - 🗓️ **First / last seen dates** — certificate validity dates from CT records, perfect for spotting fresh or stale assets. - 🛡️ **Robust against crt.sh flakiness** — long timeout, multiple retries with backoff and a fresh proxy IP per attempt. - 🔓 **No API key** — crt.sh is an open endpoint; no credentials, no sign-up. - ⚡ **No browser overhead** — pure HTTP, fast and low cost. - 💾 **Export-ready** — download results as **JSON, CSV** or Excel, or pull them via the Apify API. ### 💡 Use cases - **Security recon & penetration testing** — map an organization's full external **attack surface** before an authorized test. - **Bug bounty & OSINT** — quickly enumerate in-scope assets for a target using passive reconnaissance with zero direct contact. - **Attack-surface management** — discover forgotten, shadow, staging or dev subdomains your team may have lost track of. - **Asset discovery & inventory** — build and enrich a complete subdomain inventory for any domain you own or monitor. - **SEO & site migration** — find every subdomain that may host indexable content before or after a redesign or migration. - **Brand & threat monitoring** — track which subdomains appear over time and catch new or unexpected hostnames. ### 📦 What you get One row per **unique subdomain**, including: | Field | Type | Description | |---|---|---| | `subdomain` | string | The unique subdomain hostname (lowercased, wildcard stripped) | | `domain` | string | The root domain it belongs to | | `url` | string | Convenience `https://` URL for the subdomain | | `isWildcard` | boolean | `true` if this name only ever appeared as a wildcard cert (`*.x`) | | `resolvable` | boolean \| null | `true`/`false` when `onlyResolvable` is on, otherwise `null` | | `firstSeen` | string \| null | Earliest certificate `not_before` date seen for this name (ISO) | | `lastSeen` | string \| null | Latest certificate `not_after` date seen for this name (ISO) | | `discoveredAt` | string | ISO 8601 timestamp of when this row was produced | #### Example output ```json { "subdomain": "affiliate.apify.com", "domain": "apify.com", "url": "https://affiliate.apify.com", "isWildcard": false, "resolvable": null, "firstSeen": "2025-06-03T07:47:43", "lastSeen": "2026-09-07T01:14:59", "discoveredAt": "2026-06-15T16:50:16.726Z" } ```` ### 🚀 How to use it 1. Click **Try for free / Start**. 2. Enter one or more **Root Domains** (e.g. `apify.com`) — no `http://` and no paths. 3. (Optional) Toggle **Include Wildcard Entries** to keep wildcard-only names. 4. (Optional) Toggle **Only Resolvable** to keep only currently-live subdomains. 5. (Optional) Set **Max Results Per Domain** to cap output per root domain. 6. Click **Save & Start**, then export the results as **JSON, CSV** or Excel — or pull them via the Apify API. ### ⚙️ Input | Field | Type | Default | Description | |---|---|---|---| | `domains` | array of strings | `["apify.com"]` | Root domains to enumerate. Do **not** include `http://` or paths | | `includeWildcards` | boolean | `false` | Keep subdomains that only ever appeared as a wildcard cert (`*.x`). The leading `*.` is stripped regardless | | `onlyResolvable` | boolean | `false` | If `true`, keep only subdomains that resolve to an A record (DNS-over-HTTPS). Much slower — off by default | | `maxResults` | integer | `0` | Max unique subdomains to return **per root domain**. `0` = no limit | | `proxyConfiguration` | object | Apify Proxy (datacenter) | Proxy used to reach crt.sh | #### Example input ```json { "domains": ["apify.com", "google.com"], "includeWildcards": false, "onlyResolvable": false, "maxResults": 0, "proxyConfiguration": { "useApifyProxy": true } } ``` ### 🔍 How it works Every time an organization issues a TLS/SSL certificate, the hostname is published to public **Certificate Transparency logs**. That makes CT logs one of the most complete, passive sources of subdomain data available — and you never contact the target to collect it. 1. For each root domain, the actor runs a **certificate transparency search** on **crt.sh** in two forms — `%.` (wildcard) and `` (bare) — and merges both result sets for maximum coverage. 2. Every certificate entry's `name_value` (which may contain multiple newline-separated names) and `common_name` are parsed. 3. Each name is lowercased, has any leading `*.` wildcard stripped, and is kept only if it falls under the queried domain. 4. Names are **deduplicated** into a set, keeping the earliest `firstSeen` and latest `lastSeen` dates per name. 5. Optionally, each subdomain is verified live via a **DNS-over-HTTPS** A lookup when `onlyResolvable` is enabled. 6. One row is pushed per unique subdomain. **Honest about coverage:** CT logs surface hostnames that have *ever* had a public TLS certificate issued. Subdomains that never used a public cert (or used a private/internal CA) will not appear — this is true of any CT-based subdomain finder, and it's why passive enumeration is paired with active tools for full recon. ### 🧰 Tips & best practices - **Start broad, then filter.** Run with defaults first to capture the full historical picture, then enable `onlyResolvable` on a second pass to narrow to currently-live hosts. - **Use the dates.** Sort by `firstSeen` to spot freshly issued certs (new assets) and by `lastSeen` to flag stale or expiring ones. - **Batch your domains.** Pass many root domains in `domains` for **bulk** enumeration in a single run instead of one run per domain. - **Mind very large targets.** crt.sh is a free community service; for huge domains it can return `502`/timeouts under load. The actor retries with backoff and a fresh proxy IP, and a domain that crt.sh can't serve simply returns 0 rows while the run completes. - **Combine with related tools.** Feed the `url` column into a status checker, DNS lookup or tech-stack detector (see related actors below) to enrich your subdomain inventory. - **Use responsibly.** Only enumerate domains you own or are authorized to assess. ### ❓ FAQ #### How do I find all subdomains of a domain? Enter the root domain (e.g. `apify.com`) into **Root Domains** and run the actor. It queries Certificate Transparency logs via crt.sh, extracts and deduplicates every hostname ever seen under that domain, and returns one row per unique subdomain — typically hundreds to thousands for a large organization. #### Is this a free subdomain finder without an API key? Yes. crt.sh is an open Certificate Transparency endpoint, so this actor needs **no API key**, no login and no third-party credentials. You only pay for the Apify platform usage of the run. #### How is this different from a DNS brute-force tool? A brute-force tool guesses subdomain names against a wordlist and actively queries the target's DNS. This actor is **passive**: it reads hostnames that organizations already published to public CT logs, so it never touches the target's infrastructure — and it often surfaces names no wordlist would guess. For complete coverage, pair passive CT enumeration with an active tool. #### Can I export subdomains to CSV or JSON? Yes. Every result is one row in an Apify dataset, so you can export the full subdomain list to **CSV, JSON** or Excel, or pull it programmatically via the Apify API — ready to drop into a spreadsheet or pipeline. #### Does it find sub-subdomains and wildcard domains? Yes. Any depth of hostname that appears in a certificate (e.g. `dev.api.example.com`) is returned. Wildcard certs (`*.example.com`) always have the leading `*.` stripped; enable **Include Wildcard Entries** to also keep names that only ever appeared as a wildcard, flagged with `isWildcard: true`. #### Why are some subdomains not live? CT logs are historical — a certificate may have been issued for a host that no longer resolves. Enable **Only Resolvable** to run a DNS-over-HTTPS A-record check and keep only subdomains that currently resolve. #### How many subdomains will I get? It depends entirely on the target. Small sites may return a handful; large organizations return hundreds or thousands of unique names. There's no hard cap unless you set **Max Results Per Domain**. ### 🔗 Related actors by the same author - [**Bulk DNS Records Lookup**](https://apify.com/logiover/bulk-dns-records-lookup) — resolve A, AAAA, MX, TXT, NS and more for any list of domains. - [**Bulk WHOIS Lookup**](https://apify.com/logiover/bulk-whois-rdap-lookup) — pull WHOIS/RDAP registration data for domains in bulk. - [**Website Tech Stack Detector**](https://apify.com/logiover/website-tech-stack-detector) — detect the frameworks, CMS, analytics and servers a site runs on. - [**Bulk URL Status Checker**](https://apify.com/logiover/bulk-url-status-checker) — check HTTP status codes and redirects for any list of URLs. ### 📝 Changelog #### 2026-06-15 - Initial release — subdomain discovery via Certificate Transparency logs, CSV/JSON export, no API key. # Actor input Schema ## `domains` (type: `array`): One or more root domains to enumerate subdomains for (e.g. apify.com). Do not include http:// or paths. ## `includeWildcards` (type: `boolean`): Keep wildcard certificate names like \*.example.com as a subdomain entry. Off by default (the leading \*. is always stripped either way). ## `onlyResolvable` (type: `boolean`): If enabled, each subdomain is checked with a DNS-over-HTTPS A-record lookup and only live ones are kept. This is much slower. Off by default for speed. ## `maxResults` (type: `integer`): Maximum unique subdomains to return per root domain. Set 0 for no limit. ## `proxyConfiguration` (type: `object`): Proxy used to reach crt.sh. Datacenter proxy is recommended (crt.sh is an open endpoint). ## Actor input object example ```json { "domains": [ "apify.com" ], "includeWildcards": false, "onlyResolvable": false, "maxResults": 0, "proxyConfiguration": { "useApifyProxy": true } } ``` # Actor output Schema ## `results` (type: `string`): The dataset containing every unique subdomain discovered from Certificate Transparency logs for the requested domains. # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "domains": [ "apify.com" ] }; // Run the Actor and wait for it to finish const run = await client.actor("logiover/subdomain-finder").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "domains": ["apify.com"] } # Run the Actor and wait for it to finish run = client.actor("logiover/subdomain-finder").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "domains": [ "apify.com" ] }' | apify call logiover/subdomain-finder --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=logiover/subdomain-finder", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "Subdomain Finder - Discover Subdomains via CT Logs", "description": "Discover every subdomain of any domain using Certificate Transparency logs (crt.sh). Fast bulk subdomain enumeration for security recon, attack-surface mapping, asset discovery and SEO. No API key — export to CSV or JSON.", "version": "1.0", "x-build-id": "e4Ea1prQAZaMm0uWp" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/logiover~subdomain-finder/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-logiover-subdomain-finder", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/logiover~subdomain-finder/runs": { "post": { "operationId": "runs-sync-logiover-subdomain-finder", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/logiover~subdomain-finder/run-sync": { "post": { "operationId": "run-sync-logiover-subdomain-finder", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "required": [ "domains" ], "properties": { "domains": { "title": "Root Domains", "type": "array", "description": "One or more root domains to enumerate subdomains for (e.g. apify.com). Do not include http:// or paths.", "items": { "type": "string" } }, "includeWildcards": { "title": "Include Wildcard Entries", "type": "boolean", "description": "Keep wildcard certificate names like *.example.com as a subdomain entry. Off by default (the leading *. is always stripped either way).", "default": false }, "onlyResolvable": { "title": "Only Resolvable (Live) Subdomains", "type": "boolean", "description": "If enabled, each subdomain is checked with a DNS-over-HTTPS A-record lookup and only live ones are kept. This is much slower. Off by default for speed.", "default": false }, "maxResults": { "title": "Max Results Per Domain", "minimum": 0, "type": "integer", "description": "Maximum unique subdomains to return per root domain. Set 0 for no limit.", "default": 0 }, "proxyConfiguration": { "title": "Proxy Configuration", "type": "object", "description": "Proxy used to reach crt.sh. Datacenter proxy is recommended (crt.sh is an open endpoint).", "default": { "useApifyProxy": true } } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```