Subdomain Finder
Discover subdomains from certificate transparency logs (Cert Spotter + crt.sh).
A subdomain finder uncovers the subdomains of a domain — hosts such as api.example.com or mail.example.com — by mining public Certificate Transparency (CT) logs, where every issued SSL/TLS certificate is recorded. Enter a domain and this tool merges results from Cert Spotter and crt.sh, listing each subdomain alongside the date it first appeared on a certificate. It runs server-side and stores nothing.
Frequently asked questions
What is a subdomain?
A subdomain is a prefix added to a domain to run a separate section or service — for example blog.example.com or shop.example.com. Each can point to its own server while sharing the registered parent domain.
How do certificate transparency logs reveal subdomains?
When a certificate authority issues an SSL/TLS certificate, it publishes the hostnames it covers to public CT logs so the web can audit mis-issuance. Searching those logs surfaces subdomains that were named on a certificate, even ones not linked anywhere publicly.
Why are some subdomains missing or the result empty?
CT logs only contain names that were explicitly listed on a certificate. A domain that secures everything with a single wildcard certificate (*.example.com) exposes no individual subdomains, so a short or empty result can be entirely correct.
Is subdomain enumeration legal?
Querying public CT logs is passive reconnaissance against data that is already public, so it is generally fine for research, asset inventory, and authorised security testing. Always get permission before probing or attacking any host you find.
Does it find subdomains behind Cloudflare or a CDN?
Yes — discovery is based on certificates rather than DNS resolution, so a subdomain shows up whether or not it sits behind a CDN. It will not reveal hosts that never had a certificate issued for their exact name.