Subdomain Finder

The Subdomain Finder checks certificate transparency data to uncover hostnames that have appeared on public TLS certificates. This is a useful way to identify subdomains that may exist under a root domain, especially for external services such as websites, APIs, portals, gateways, and mail-related hosts.

Because certificate transparency data is based on issued certificates, the results are best treated as discovered hostnames rather than a guaranteed list of active systems. Some entries may be historical, duplicated across certificates, or no longer in use.

1. Enter a root domain such as example.com.
2. Click Search.
3. Review the list of discovered hostnames.
4. Copy individual entries, copy the full result set, or export to CSV.

This tool returns unique hostnames discovered from certificate transparency data. The results can help with reconnaissance, environment mapping, migration checks, security reviews, and DNS analysis.

Not every discovered hostname will necessarily be live. A hostname may have appeared on a certificate in the past but no longer resolve or no longer serve traffic. For that reason, subdomain discovery is usually most useful when combined with DNS lookups and validation.

What is a subdomain?

A subdomain is a hostname that exists under a parent domain, such as api.example.com or mail.example.com.

Does this show every subdomain?

No. It shows hostnames that have appeared in certificate transparency data. It is useful, but it is not a complete replacement for DNS enumeration or direct DNS analysis.

Why are some entries no longer active?

Certificate transparency includes historical certificate data. A hostname may have existed when a certificate was issued but may no longer be in use now.