Real Subdomain Finder

Pricing

from $0.05 / actor start

Discover every subdomain for any domain. Queries 40+ OSINT sources including cert transparency, DNS archives & web scanners. Results enriched with DNS validation, HTTP probing, and subdomain takeover detection. No API keys required.

Developer

One Scales

Maintained by Community

Real Subdomain Finder is a bulk passive subdomain enumeration tool that discovers every subdomain associated with any domain — no API keys required. It queries 40+ OSINT sources simultaneously including certificate transparency logs, DNS archives, and internet scanning databases. Results are automatically enriched with DNS validation, HTTP probing, and subdomain takeover detection — so you know not just what subdomains exist, but which ones are alive, what they're running, and which ones may be vulnerable to hijacking.

Built for security researchers, penetration testers, bug bounty hunters, and digital marketers who need fast, reliable subdomain enumeration at scale.

Use cases include:

  • Penetration testing & bug bounty recon — map the full attack surface of a target domain before an engagement
  • Subdomain takeover hunting — automatically flag subdomains pointing to unclaimed Heroku apps, orphaned S3 buckets, abandoned GitHub Pages, and 100+ other services
  • Attack surface monitoring — periodically enumerate your own domains to discover shadow IT and unauthorized subdomains
  • Competitor & brand research — discover subdomains to understand infrastructure footprint or find domains at risk of phishing abuse
  • Infrastructure mapping — surface staging, dev, and internal subdomains that may be publicly accessible

Features

  • 40+ passive OSINT sources — certificate transparency (crt.sh, Certspotter), DNS archives (SecurityTrails, PassiveTotal), internet scanners (Shodan, Censys, FOFA), search engines, VirusTotal, AlienVault OTX, and more
  • DNS validation — resolves each discovered subdomain (A record + CNAME fallback) to confirm it exists and returns live IPs
  • HTTP probing — sends HTTPS/HTTP requests to every subdomain to detect live web servers, capture page titles, server headers, HTTP status codes, and redirect chains
  • Subdomain takeover detection — checks every live subdomain against 100+ known-vulnerable service fingerprints from the can-i-take-over-xyz database (GitHub Pages, Heroku, AWS S3, Shopify, Fastly, and more)
  • Bulk domain input — enumerate subdomains for one domain or hundreds in a single run
  • No API keys needed — fully functional out of the box
  • Streaming results — subdomains written to the dataset as they are discovered, not buffered until the end
  • Stable at scale — concurrency-controlled enrichment with per-item error handling ensures large domain runs never crash
  • Source attribution — every result includes the OSINT source that found it

How to Use

Input

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| domains | String list | | example.com | Apex domains to enumerate (e.g. example.com). Do not include https:// or subdomains. |
| timeoutMinutes | Integer | | 5 | Max time subfinder runs per domain (1–60 minutes). Increase for large enterprise domains. |

Example input:

{
    "domains": [
        "example.com",
        "onescales.com"
    ]
}

Output

One row per discovered subdomain. Results stream to the dataset in real time during the run. Every row includes subdomain discovery, DNS resolution, HTTP probe, and takeover check results.

| Field | Type | Description |
|---|---|---|
| inputDomain | String | The apex domain you submitted |
| subdomain | String | Discovered subdomain (fully-qualified hostname) |
| source | String | The OSINT source that found this subdomain |
| dnsResolves | Boolean | true if the subdomain resolved via DNS; false if not |
| dnsIps | String | Comma-separated IP addresses or CNAME targets |
| httpStatus | Integer | HTTP response status code (e.g. 200, 301, 404) |
| httpTitle | String | Page <title> tag content; empty if not HTML or unreachable |
| httpRedirectUrl | String | Final URL after redirects; empty if no redirect occurred |
| httpServer | String | Server response header (e.g. nginx, cloudflare) |
| isLive | Boolean | true if HTTP status < 500 |
| takeoverRisk | String | "high" if a known takeover fingerprint matched; "none" if clean |
| takeoverService | String | Name of the vulnerable service (e.g. GitHub Pages, Heroku, AWS S3) |
| checkedAt | String | ISO 8601 scan timestamp |
| error | String | Error message if scan failed; blank on success |

Example output row (takeover detected):

{
    "inputDomain": "example.com",
    "subdomain": "blog.example.com",
    "source": "crtsh",
    "dnsResolves": true,
    "dnsIps": "1.1.1.1",
    "httpStatus": 404,
    "httpTitle": "There isn't a GitHub Pages site here.",
    "httpRedirectUrl": "",
    "httpServer": "GitHub.com",
    "isLive": true,
    "takeoverRisk": "high",
    "takeoverService": "GitHub Pages",
    "checkedAt": "2025-01-15T10:23:45.000Z",
    "error": ""
}
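For the attack surface monitoring use case, the rows from two runs against your own domain can be diffed to surface new hosts, takeover flags, and changed DNS or HTTP state. The script below is an added example, not code from the actor or its developer; the helper names (`row`, `index_rows`, `triage`), the watched-field list, and the sample rows are assumptions constructed for illustration, using only field names from the output table.

```python
import json

def row(host, ips, status, risk="none", service="", error=""):
    """Build a constructed sample row with the output fields this check reads."""
    return {"subdomain": host, "dnsIps": ips, "httpStatus": status,
            "takeoverRisk": risk, "takeoverService": service, "error": error}

# Constructed sample data (documentation IP range), not real scan results.
PREVIOUS = [row("www.example.com", "192.0.2.10", 200),
            row("blog.example.com", "192.0.2.20", 200),
            row("old.example.com", "192.0.2.40", 200)]
CURRENT = [row("WWW.example.com.", "192.0.2.10", 200),
           row("blog.example.com", "192.0.2.99", 404, "high", "GitHub Pages"),
           row("staging.example.com", "192.0.2.30", 200),
           row("old.example.com", "", None, error="probe timed out")]
WATCHED = ("dnsIps", "httpStatus", "takeoverRisk")  # fields worth alerting on

def index_rows(rows):
    """Map normalised hostname -> row; hosts whose scan failed are listed separately."""
    ok, failed = {}, []
    for r in rows:
        host = r["subdomain"].strip().rstrip(".").lower()
        if r.get("error"):
            failed.append(host)
        else:
            ok[host] = r
    return ok, failed

def triage(previous, current):
    """Diff two runs. A failed scan is not evidence a host is gone, so hosts
    with a non-empty error go to 'rescan' instead of 'missing'."""
    prev, _ = index_rows(previous)
    cur, failed = index_rows(current)
    changed = {}
    for host in cur.keys() & prev.keys():
        diff = {f: (prev[host][f], cur[host][f])
                for f in WATCHED if prev[host][f] != cur[host][f]}
        if diff:
            changed[host] = diff
    return {
        "new": sorted(cur.keys() - prev.keys()),
        "missing": sorted(prev.keys() - cur.keys() - set(failed)),
        "takeover": sorted((h, r["takeoverService"]) for h, r in cur.items()
                           if r["takeoverRisk"] == "high"),
        "changed": changed,
        "rescan": sorted(failed),
    }

if __name__ == "__main__":
    print(json.dumps(triage(PREVIOUS, CURRENT), indent=2))
```

Hostnames are lower-cased and stripped of a trailing dot before comparison, so the same host reported with different casing is not counted as new.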

API, Automation & AI

This actor is available via the Apify API — integrate subdomain discovery directly into your security pipelines, CI/CD workflows, or custom tooling. Results can be retrieved as JSON, CSV, or XML from the dataset endpoint.

For AI-powered workflows, Real Subdomain Finder is accessible via the Apify MCP server, allowing AI agents and LLM-based tools to run subdomain enumeration and consume results as part of automated recon pipelines.

512 MB of memory is sufficient for most runs. For large domain lists (100+ domains), 1024 MB or more is recommended.


Support

For bugs, feature requests, or questions — reach us at https://docs.google.com/forms/d/e/1FAIpQLSfsKyzZ3nRED7mML47I4LAfNh_mBwkuFMp1FgYYJ4AkDRgaRw/viewform?usp=dialog

Built and maintained by One Scales Inc.

Powered by: