Subdomain Finder
Discover subdomains via certificate transparency, then show CDN, ASN, and datacenter per row.
About Subdomain Finder
This tool finds subdomains by querying certificate transparency logs at crt.sh, which records every TLS certificate issued by every public CA. Any subdomain that has ever held a cert appears in the result. For each discovered subdomain (capped at 30 active probes per run for speed), the tool resolves the current IP, looks up the ASN via RIPE stat, identifies the CDN vendor if any, and cross-references the network operator against our datacenter directory to surface the facility provider where possible.
When to use it
Run this during a security assessment to map a target's externally visible attack surface. Use it during competitor research to see which subdomains they expose for marketing landing pages, staging environments, or APIs. Sysadmins use it after a migration to confirm every active subdomain points at the new infrastructure and none still point at the old origin.
How to read the results
Total found is the count from CT logs, which can include historical subdomains that no longer resolve. The probed rows show current state: IP, ASN, holder, and detected CDN. The Datacenter column links to our internal datacenter directory when the AS holder matches an operator in our directory, which often reveals the physical facility where traffic terminates. Empty CDN cells mean the subdomain is served direct from origin or uses a non-standard CDN.
Frequently asked questions
Why are some subdomains in the CT logs but do not resolve? ▾
CT logs record every certificate ever issued, including for subdomains the owner has since retired. The host might have stopped using the name, removed the DNS record, or shut down the service. The cert remains in the public log permanently.
Why is the result capped at 30 active probes? ▾
Each probe involves DNS resolution and an ASN lookup at RIPE. Synchronous PHP requests time out beyond 30 to 60 seconds, so we cap the probe count to fit. The remaining subdomains are shown in a list so you can paste any specific one back into the tool for a fresh lookup.
Can I find subdomains that never had a TLS certificate? ▾
Not through this tool. Pure HTTP subdomains, internal-only DNS, or subdomains using self-signed certs do not appear in public CT logs. Wordlist-based brute force tools can find some of those, but at the cost of being noisy and slow.
What does the Datacenter column tell me? ▾
When the ASN holder matches an operator we have facilities for, the column links to that operator's datacenter pages. This tells you which physical infrastructure provider serves the subdomain. For CDNs the operator is the CDN itself, since the user-facing IP terminates at the edge node.