loading
loading
Recon
A subdomain discovery tool that finds valid subdomains using passive online sources.
overview
subfinder enumerates a domain's subdomains by querying passive sources such as certificate transparency logs, DNS aggregators, and threat-intelligence feeds, rather than brute forcing names. That makes it fast and quiet: it builds a broad map of an organization's footprint without sending traffic to the targets themselves.
Its modular architecture is built for one job and does it well. Pull from all sources for maximum coverage or a chosen few for speed, set per-provider rate limits, and emit JSONL so every result is a structured record. Active mode resolves the names and reports only the subdomains that are live.
On Trickest, subfinder is a Recon node that takes a domain or a list of domains and writes a file and a folder of names. It is the usual first node in an attack-surface workflow; pass its output to httpx to find which subdomains respond, and schedule it for continuous monitoring.
use cases
Enumerate every subdomain of a domain from passive sources to scope an engagement or build an asset inventory.
Hand discovered subdomains to httpx and a scanner so the rest of the workflow runs against the full surface.
Run subfinder on a schedule and diff results to catch newly exposed assets as they go live.
Supply a file of domains for bulk discovery and write the combined name list for downstream nodes.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| domain | STRING | -domain | Domains to find subdomains for (comma-separated). |
| list | FILE | -list | File containing a list of domains for bulk discovery. |
| json | BOOLEAN | -json | Write output in JSONL format. |
| all | BOOLEAN | -all | Use all sources for enumeration (slow). |
| active | BOOLEAN | -active | Display active subdomains only. |
| match | STRING | -match | Subdomain or list of subdomains to match (comma-separated). |
| rate-limit | STRING | -rate-limit | Maximum HTTP requests to send per second (global). |
| sources | STRING | -sources | Specific sources to use for discovery (-s crtsh,github). |
Showing key inputs. subfinder exposes 30 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| ip | BOOLEAN | -ip | include host IP in output (-active only) |
| all | BOOLEAN | -all | use all sources for enumeration (slow) |
| json | BOOLEAN | -json | write output in JSONL(ines) format |
| list | FILE | -list | file containing list of domains for subdomain discovery |
| match | STRING | -match | subdomain or list of subdomain to match (comma separated) |
| proxy | STRING | -proxy | http proxy to use with subfinder |
| stats | BOOLEAN | -stats | report source statistics |
| active | BOOLEAN | -active | display active subdomains only |
| config | FILE | -config | flag config file |
| domain | STRING | -domain | domains to find subdomains for (comma separated) |
| filter | STRING | -filter | subdomain or list of subdomain to filter (comma separated) |
| silent | BOOLEAN | -silent | show only subdomains in output |
| sources | STRING | -sources | specific sources to use for discovery (-s crtsh,github). |
| threads | STRING | -t | number of concurrent goroutines for resolving (-active only) (default 10) |
| timeout | STRING | -timeout | seconds to wait before timing out (default 30) |
| verbose | BOOLEAN | -v | show verbose output |
| max-time | STRING | -max-time | minutes to wait for enumeration results (default 10) |
| no-color | BOOLEAN | -no-color | disable color in output |
| recursive | BOOLEAN | -recursive | use only sources that can handle subdomains recursively (e.g. subdomain.domain.tld vs domain.tld) |
| resolvers | STRING | -r | comma separated list of resolvers to use |
| exclude-ip | BOOLEAN | -exclude-ip | exclude IPs from the list of domains |
| match-file | FILE | -match | subdomain or list of subdomain to match |
| rate-limit | STRING | -rate-limit | maximum number of http requests to send per second (global) |
| filter-file | FILE | -filter | subdomain or list of subdomain to filter |
| rate-limits | STRING | -rate-limits | maximum number of http requests to send per second four providers in key=value format (-rls hackertarget=10/m) (default ["github=30/m", "fullhunt=60/m", "robtex=18446744073709551615/ms", "securitytrails=1/s", "shodan=1/s", "virustotal=4/m", "hackertarget=2/s", "waybackarchive=15/m", "whoisxmlapi=50/s"]) |
| resolvers-list | FILE | -rlist | file containing list of resolvers to use |
| collect-sources | BOOLEAN | -collect-sources | include all sources in the output (-json only) |
| exclude-sources | STRING | -exclude-sources | sources to exclude from enumeration (-es alienvault,zoomeyeapi) |
| provider-config | FILE | -provider-config | provider config file |
| disable-update-check | BOOLEAN | -disable-update-check | disable automatic subfinder update check |
example
# passive enumeration across all sources, quiet outputsubfinder -d example.com -all -silent -o subdomains.txtapi.example.comapp.example.comstaging.example.comdev.example.commail.example.comvpn.example.comgitlab.example.comgrafana.example.comhive-api.dev.example.comwww.staging.example.com… (53 hosts found for the real run behind this page)guidance
Use subfinder for fast, passive subdomain discovery at the start of a workflow. For active DNS brute forcing of a wordlist, pair it with subbrute. It finds names, it does not test them, so follow it with httpx to learn which subdomains are live.
Deeper, slower OSINT with active options. subfinder is quicker for a passive first pass.
Lighter passive finder. subfinder queries more sources for broader coverage.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A domain feeds subfinder, which enumerates subdomains passively and passes them to httpx so only live names land as output.
Facts on this page come from the live Trickest tool library.