# Real Subdomain Finder (`onescales/real-subdomain-finder`) Actor Discover every subdomain for any domain. Queries 40+ OSINT sources including cert transparency, DNS archives & web scanners. Results enriched with DNS validation, HTTP probing, and subdomain takeover detection. No API keys required. - **URL**: https://apify.com/onescales/real-subdomain-finder.md - **Developed by:** [One Scales](https://apify.com/onescales) (community) - **Categories:** Automation, Developer tools, Other - **Stats:** 7 total users, 4 monthly users, 100.0% runs succeeded, 3 bookmarks - **User rating**: 5.00 out of 5 stars ## Pricing from $0.05 / actor start This Actor is paid per event and usage. You are charged both the fixed price for specific events and for Apify platform usage. Since this Actor supports Apify Store discounts, the price gets lower the higher subscription plan you have. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README **Real Subdomain Finder** is a bulk passive subdomain enumeration tool that discovers every subdomain associated with any domain — no API keys required. It queries 40+ OSINT sources simultaneously including certificate transparency logs, DNS archives, and internet scanning databases. Results are automatically enriched with DNS validation, HTTP probing, and subdomain takeover detection — so you know not just what subdomains exist, but which ones are alive, what they're running, and which ones may be vulnerable to hijacking. Built for security researchers, penetration testers, bug bounty hunters, and digital marketers who need fast, reliable subdomain enumeration at scale. [![Watch the video](https://img.youtube.com/vi/tcvsf-qX9hc/maxresdefault.jpg)](https://www.youtube.com/watch?v=tcvsf-qX9hc) **Use cases include:** - **Penetration testing & bug bounty recon** — map the full attack surface of a target domain before an engagement - **Subdomain takeover hunting** — automatically flag subdomains pointing to unclaimed Heroku apps, orphaned S3 buckets, abandoned GitHub Pages, and 100+ other services - **Attack surface monitoring** — periodically enumerate your own domains to discover shadow IT and unauthorized subdomains - **Competitor & brand research** — discover subdomains to understand infrastructure footprint or find domains at risk of phishing abuse - **Infrastructure mapping** — surface staging, dev, and internal subdomains that may be publicly accessible --- ### Features - **40+ passive OSINT sources** — certificate transparency (crt.sh, Certspotter), DNS archives (SecurityTrails, PassiveTotal), internet scanners (Shodan, Censys, FOFA), search engines, VirusTotal, AlienVault OTX, and more - **DNS validation** — resolves each discovered subdomain (A record + CNAME fallback) to confirm it exists and returns live IPs - **HTTP probing** — sends HTTPS/HTTP requests to every subdomain to detect live web servers, capture page titles, server headers, HTTP status codes, and redirect chains - **Subdomain takeover detection** — checks every live subdomain against 100+ known-vulnerable service fingerprints from the [can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz) database (GitHub Pages, Heroku, AWS S3, Shopify, Fastly, and more) - **Bulk domain input** — enumerate subdomains for one domain or hundreds in a single run - **No API keys needed** — fully functional out of the box - **Streaming results** — subdomains written to the dataset as they are discovered, not buffered until the end - **Stable at scale** — concurrency-controlled enrichment with per-item error handling ensures large domain runs never crash - **Source attribution** — every result includes the OSINT source that found it --- ### How to Use #### Input | Field | Type | Required | Default | Description | |---|---|---|---|---| | `domains` | String list | ✅ | `example.com` | Apex domains to enumerate (e.g. `example.com`). Do not include `https://` or subdomains. | | `timeoutMinutes` | Integer | ❌ | `5` | Max time subfinder runs per domain (1–60 minutes). Increase for large enterprise domains. | **Example input row (takeover detected):** ```json { "domains": [ "example.com", "onescales.com" ] } ```` #### Output One row per discovered subdomain. Results stream to the dataset in real time during the run. Every row includes subdomain discovery, DNS resolution, HTTP probe, and takeover check results. | Field | Type | Description | |---|---|---| | `inputDomain` | String | The apex domain you submitted | | `subdomain` | String | Discovered subdomain (fully-qualified hostname) | | `source` | String | The OSINT source that found this subdomain | | `dnsResolves` | Boolean | `true` if the subdomain resolved via DNS; `false` if not | | `dnsIps` | String | Comma-separated IP addresses or CNAME targets | | `httpStatus` | Integer | HTTP response status code (e.g. `200`, `301`, `404`) | | `httpTitle` | String | Page `` tag content; empty if not HTML or unreachable | | `httpRedirectUrl` | String | Final URL after redirects; empty if no redirect occurred | | `httpServer` | String | `Server` response header (e.g. `nginx`, `cloudflare`) | | `isLive` | Boolean | `true` if HTTP status < 500 | | `takeoverRisk` | String | `"high"` if a known takeover fingerprint matched; `"none"` if clean | | `takeoverService` | String | Name of the vulnerable service (e.g. `GitHub Pages`, `Heroku`, `AWS S3`) | | `checkedAt` | String | ISO 8601 scan timestamp | | `error` | String | Error message if scan failed; blank on success | **Example output row (takeover detected):** ```json { "inputDomain": "example.com", "subdomain": "blog.example.com", "source": "crtsh", "dnsResolves": true, "dnsIps": "1.1.1.1", "httpStatus": 404, "httpTitle": "There isn't a GitHub Pages site here.", "httpRedirectUrl": "", "httpServer": "GitHub.com", "isLive": true, "takeoverRisk": "high", "takeoverService": "GitHub Pages", "checkedAt": "2025-01-15T10:23:45.000Z", "error": "" } ``` #### API, Automation & AI This actor is available via the [Apify API](https://docs.apify.com/api/v2) — integrate subdomain discovery directly into your security pipelines, CI/CD workflows, or custom tooling. Results can be retrieved as JSON, CSV, or XML from the dataset endpoint. For AI-powered workflows, Real Subdomain Finder is accessible via the [Apify MCP server](https://docs.apify.com/api/mcp), allowing AI agents and LLM-based tools to run subdomain enumeration and consume results as part of automated recon pipelines. #### Recommended Memory **512 MB** is sufficient for most runs. For large domain lists (100+ domains), **1024 MB** or more is recommended. *** ### Support For bugs, feature requests, or questions — reach us at https://docs.google.com/forms/d/e/1FAIpQLSfsKyzZ3nRED7mML47I4LAfNh\_mBwkuFMp1FgYYJ4AkDRgaRw/viewform?usp=dialog Built and maintained by [One Scales Inc.](https://onescales.com) **Powered by:** - [Subfinder](https://github.com/projectdiscovery/subfinder) by ProjectDiscovery (MIT License) - [can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz) by EdOverflow (CC BY 4.0) — subdomain takeover fingerprints # Actor input Schema ## `domains` (type: `array`): Apex domains to find subdomains for (e.g. example.com). Do not include https:// or subdomains. ## `timeoutMinutes` (type: `integer`): Maximum time to allow subfinder to run per domain before killing the process and saving partial results. ## Actor input object example ```json { "domains": [ "onescales.com" ], "timeoutMinutes": 5 } ``` # Actor output Schema ## `subdomainResults` (type: `string`): All discovered subdomains with source and scan metadata. # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '<YOUR_API_TOKEN>' with your token const client = new ApifyClient({ token: '<YOUR_API_TOKEN>', }); // Prepare Actor input const input = { "domains": [ "onescales.com" ] }; // Run the Actor and wait for it to finish const run = await client.actor("onescales/real-subdomain-finder").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '<YOUR_API_TOKEN>' with your token. client = ApifyClient("<YOUR_API_TOKEN>") # Prepare the Actor input run_input = { "domains": ["onescales.com"] } # Run the Actor and wait for it to finish run = client.actor("onescales/real-subdomain-finder").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "domains": [ "onescales.com" ] }' | apify call onescales/real-subdomain-finder --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=onescales/real-subdomain-finder", "--header", "Authorization: Bearer <YOUR_API_TOKEN>" ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "Real Subdomain Finder", "description": "Discover every subdomain for any domain. Queries 40+ OSINT sources including cert transparency, DNS archives & web scanners. Results enriched with DNS validation, HTTP probing, and subdomain takeover detection. No API keys required.", "version": "1.0", "x-build-id": "NkRVaNXcSdsk0MyaL" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/onescales~real-subdomain-finder/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-onescales-real-subdomain-finder", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/onescales~real-subdomain-finder/runs": { "post": { "operationId": "runs-sync-onescales-real-subdomain-finder", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/onescales~real-subdomain-finder/run-sync": { "post": { "operationId": "run-sync-onescales-real-subdomain-finder", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "required": [ "domains" ], "properties": { "domains": { "title": "Domains to Enumerate", "type": "array", "description": "Apex domains to find subdomains for (e.g. example.com). Do not include https:// or subdomains.", "items": { "type": "string", "maxLength": 253 } }, "timeoutMinutes": { "title": "Per-Domain Timeout (minutes)", "minimum": 1, "maximum": 60, "type": "integer", "description": "Maximum time to allow subfinder to run per domain before killing the process and saving partial results.", "default": 5 } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```