Subdomain Finder — CT + Wayback + DNS Recon

The dnsverifier.com Subdomain Finder performs passive subdomain enumeration for any apex domain by querying Certificate Transparency logs (crt.sh), the Internet Archive Wayback Machine, and an 872-entry DNS wordlist in parallel. Each candidate is resolved live and tagged with hosting-provider fingerprints. Dangling CNAMEs pointing at unclaimed S3 / Heroku / Netlify / Azure / GitHub Pages resources are flagged as a subdomain-takeover risk.

Frequently asked questions

How does the Subdomain Finder discover subdomains?
Three passive sources in parallel: (1) crt.sh — every TLS certificate ever issued for *.<your-domain> is publicly logged in Certificate Transparency, and we extract every SAN; (2) Wayback Machine — every URL archived under your domain reveals the hostname; (3) DNS wordlist — 872 curated labels (www, mail, api, dev, admin, ...) resolved via DoH.
What is Certificate Transparency?
Certificate Transparency (RFC 6962) is a public append-only log of every TLS certificate ever issued by a CA. Browsers require it. A side effect for reconnaissance is that every subdomain that has ever had a public HTTPS certificate is permanently visible. crt.sh exposes a free search interface to those logs.
What is a subdomain takeover?
When a subdomain has a CNAME pointing at a third-party service (S3 bucket, Heroku app, GitHub Pages site, Azure app, Netlify site) that no longer exists, an attacker can register the same resource at the provider and serve content under your domain. The tool flags every dangling CNAME and includes the body-fingerprint string that confirms the resource is unclaimed.
Is this active scanning? Will the target notice?
The CT-log and Wayback queries are entirely passive: the target sees nothing. The DNS wordlist brute force is observed only by the recursive resolver you use (Cloudflare 1.1.1.1 via DoH), not the authoritative nameserver. Live resolution generates a small burst of DNS traffic, which is invisible to the application but may appear in DNS analytics.
Is this legal?
Querying public Certificate Transparency logs and public web archives is legal everywhere. Always obey the dnsverifier.com Acceptable Use Policy: only enumerate subdomains for systems you own or have authorization to test. Acting on takeover findings against systems you do not own is unauthorized access.
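
For the dangling-CNAME check described under "What is a subdomain takeover?", the following is an added example for auditing a zone you own. It is not dnsverifier.com's code. The provider suffix map, the `audit_cnames` and `provider_for` names, and the sample zone are assumptions of the example.

```python
import socket
from typing import Callable, Iterable, List, Optional, Tuple

# Suffixes for the providers the page names (this mapping is an assumption of
# the example, not dnsverifier.com's own fingerprint list).
PROVIDER_SUFFIXES = {
    "s3.amazonaws.com": "S3",
    "herokuapp.com": "Heroku",
    "netlify.app": "Netlify",
    "azurewebsites.net": "Azure",
    "github.io": "GitHub Pages",
}

def provider_for(target: str) -> Optional[str]:
    """Match on a label boundary so 'notgithub.io' is not taken for GitHub Pages."""
    host = target.rstrip(".").lower()
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return None

def system_resolves(host: str) -> bool:
    """Live lookup via the system resolver; any lookup error counts as unresolved."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def audit_cnames(records: Iterable[Tuple[str, str]],
                 resolves: Callable[[str], bool] = system_resolves
                 ) -> List[Tuple[str, str, str]]:
    """Return (name, provider, status) for every CNAME aimed at a listed provider."""
    findings = []
    for name, target in records:
        provider = provider_for(target)
        if provider is None:
            continue  # first-party or unlisted target: out of scope here
        # An unresolvable target is dangling. A resolvable one can still be
        # unclaimed at the provider, so it is queued for an ownership check.
        status = "review" if resolves(target.rstrip(".").lower()) else "dangling"
        findings.append((name, provider, status))
    return findings

# Constructed zone export (example.com is a placeholder for a zone you own).
SAMPLE_ZONE = [
    ("www.example.com", "example.com."),
    ("shop.example.com", "old-shop.herokuapp.com."),
    ("docs.example.com", "example-docs.github.io."),
    ("blog.example.com", "notgithub.io."),
]
```

Records marked `dangling` should be deleted or repointed. Records marked `review` still need confirmation that the provider resource exists under your account, because a target that resolves is not proof that it is claimed.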