
Subdomain Enumeration




Subdomain enumeration is the process of identifying and mapping the subdomains associated with a given domain name. It gives security teams a complete layout of the hosts their organization exposes under its domains.

Since subdomains are generally Internet-facing assets, they are often targeted in cyber attacks and can serve as potential attack entry points. For this reason, subdomain enumeration is a crucial part of external attack surface management (EASM), particularly of the attack surface mapping process.


Subdomain Enumeration: A Deep Dive

Why Is Subdomain Enumeration Important?

Subdomain enumeration is a critical security process because it can contribute to the following:

  • Attack surface reduction: Each subdomain represents a potential attack vector, contributing to attack surface expansion. As such, security teams need to ensure that all subdomains are necessary and well secured. The first step to achieve that goal is to get a list of all the subdomains under a given domain name.
  • Hidden application or shadow IT discovery: Subdomains are often used for internal applications, development environments, and testing purposes. Some of them may never have been approved by security teams and may lack security controls.
  • Vulnerability detection: Once subdomains are enumerated, security teams can proceed with vulnerability scanning and uncover issues that could lead to subdomain takeover, sensitive data exposure, or unauthorized system access.
  • Forgotten asset discovery: Organizations sometimes forget about old subdomains that are no longer in use. They can become security risks if not adequately secured. Enumerating subdomains can help uncover forgotten and unprotected subdomains.

What Are the Types of Subdomain Enumeration?

There are two main types of subdomain enumeration—passive and active. Some organizations combine both techniques to get the most out of security processes.

What Is Active Subdomain Enumeration?

Active subdomain enumeration involves directly interacting with a target domain or its associated systems to identify subdomains.

This type of subdomain enumeration is resource-intensive and, because it sends a large number of requests to the target's infrastructure, should only be run against domains you own or are explicitly authorized to test; against anyone else's it has legal and ethical implications. Because of its intrusive nature, active subdomain enumeration may also trigger security alerts.

Active Subdomain Enumeration Techniques

DNS brute forcing and DNS zone transfers are examples of active subdomain enumeration techniques, which we will explain in greater detail below.

DNS Brute Forcing

DNS brute forcing involves systematically guessing the names of possible subdomains and checking if they resolve to valid IP addresses. The list of subdomains for testing is typically based on common patterns and involves generic terms, such as “blog,” “mail,” and “www.”

Each candidate is then queried to check whether it resolves to an IP address. A successful resolution means the subdomain likely exists, with one important caveat: if the zone has a wildcard record (*.example.com), every guess will resolve, so the tester first resolves a few random labels and discards any hit that returns the same answer as those probes. The tester can then analyze the IP address, determine its purpose, and find potential vulnerabilities.
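The following is an added example (not code from the original page) of the brute-force loop described above, including the wildcard check and a retry with backoff for transient resolver errors. The resolver is injected: system_resolve() uses the operating system's stub resolver for a real run, while fake_resolve() answers from a constructed zone table (an assumption, not real DNS data) so the example runs offline.

```python
"""Wordlist DNS brute force with wildcard detection and retries.

Added example, not code from the original page. The resolver is injected:
system_resolve() uses the operating system's stub resolver for real runs,
and fake_resolve() answers from a constructed zone table (assumption) so
the example runs offline.
"""
import random
import socket
import string
import time
from typing import Callable, Dict, List, Optional, Set

# A resolver maps a name to its IPs, or None when the name does not exist.
Resolver = Callable[[str], Optional[List[str]]]


def system_resolve(name: str) -> Optional[List[str]]:
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror as exc:
        if exc.errno == getattr(socket, "EAI_NONAME", -2):
            return None          # NXDOMAIN: definitive, do not retry
        raise                    # EAI_AGAIN and friends are transient


# Constructed zone table (assumption). "*.wild.example.com" models a wildcard
# record: every label under wild.example.com resolves to the same address.
FAKE_ZONE: Dict[str, List[str]] = {
    "www.example.com": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.25"],
    "dev.example.com": ["198.51.100.7"],
    "*.wild.example.com": ["203.0.113.99"],
}


def fake_resolve(name: str) -> Optional[List[str]]:
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    parent = name.split(".", 1)[1] if "." in name else ""
    return FAKE_ZONE.get("*." + parent)


def resolve_with_retry(resolver: Resolver, name: str,
                       attempts: int = 3, base_delay: float = 0.0):
    """Retry transient failures with exponential backoff; NXDOMAIN is final."""
    for i in range(attempts):
        try:
            return resolver(name)
        except OSError:
            if i == attempts - 1:
                raise
            time.sleep(base_delay * (2 ** i))


def wildcard_ips(resolver: Resolver, domain: str, probes: int = 2) -> Set[str]:
    """Resolve random labels; any address they return is wildcard noise."""
    ips: Set[str] = set()
    alphabet = string.ascii_lowercase + string.digits
    for _ in range(probes):
        label = "".join(random.choices(alphabet, k=16))
        ips.update(resolve_with_retry(resolver, f"{label}.{domain}") or [])
    return ips


def brute_force(resolver: Resolver, domain: str, wordlist) -> Dict[str, List[str]]:
    """Return {name: ips} for wordlist entries that resolve to a non-wildcard answer."""
    wild = wildcard_ips(resolver, domain)
    hits: Dict[str, List[str]] = {}
    for word in wordlist:
        name = f"{word.strip().lower()}.{domain}"
        ips = resolve_with_retry(resolver, name)
        if not ips or (wild and set(ips) <= wild):
            continue             # NXDOMAIN, or indistinguishable from the wildcard
        hits[name] = ips
    return hits


if __name__ == "__main__":
    # Offline demo; pass system_resolve (and base_delay=0.5) for a real run.
    for host, addrs in brute_force(fake_resolve, "example.com",
                                   ["www", "mail", "dev", "ftp", "admin"]).items():
        print(host, ",".join(addrs))
```

The wildcard filter drops any hit whose addresses are a subset of what the random probes returned. That is deliberately conservative: a real host that happens to share the wildcard's address is hidden too, so a stricter pass compares full record sets or the HTTP response bodies of the suspect names.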

DNS Zone Transfers

Another way to obtain a list of subdomains is to request a copy of the entire DNS zone through a DNS zone transfer. This process not only reveals all subdomains but also includes their associated DNS records.

A zone transfer (AXFR) exists to replicate a zone between an organization's own primary and secondary name servers, so a correctly configured authoritative server restricts it to those secondaries, typically by source IP address and TSIG-signed requests, and answers anyone else with REFUSED. Misconfigured servers that accept AXFR from any client still exist, and a single request then hands an attacker the complete zone. Checking each of your authoritative name servers for an open zone transfer is therefore a standard step both in active enumeration and in your own hygiene checks.
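As an added example (not code from the original page), the following standard-library script shows what an AXFR check actually sends and receives: build_axfr_query() produces the request, transfer_zone() performs it over TCP with the 2-byte length prefix the protocol requires and stops at the second SOA record, and parse_message() walks the records in a reply, raising on a REFUSED response. SAMPLE_REPLY is a constructed reply for example.com (an assumption, not a real capture) so the parsing path can be exercised offline.

```python
"""Zone transfer (AXFR) at the DNS wire level, standard library only.

Added example, not code from the original page. SAMPLE_REPLY is a
constructed reply for example.com (assumption) so parsing runs offline;
transfer_zone() is the live path and needs network access.
"""
import socket
import struct
from typing import List, Tuple

TYPE_A, TYPE_CNAME, TYPE_SOA, TYPE_AAAA, TYPE_AXFR = 1, 5, 6, 28, 252
Record = Tuple[str, int, bytes]          # (owner name, rtype, raw rdata)


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    # header: ID, flags 0 (opcode QUERY, RD clear), QDCOUNT 1, others 0
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, 1)


def decode_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                   # compression pointer
            end = offset + 2 if end is None else end
            offset = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            jumps += 1
            if jumps > 64:                          # guard against pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_message(msg: bytes) -> List[Record]:
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if flags & 0xF:        # RCODE; 5 (REFUSED) is what a locked-down server returns
        raise PermissionError(f"AXFR rejected, rcode={flags & 0xF}")
    offset = 12
    for _ in range(qd):    # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    records: List[Record] = []
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        records.append((owner, rtype, msg[offset:offset + rdlen]))
        offset += rdlen
    return records


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the transfer early")
        buf += chunk
    return buf


def transfer_zone(ns_ip: str, zone: str, timeout: float = 10.0) -> List[Record]:
    """Live AXFR against one authoritative server (network; not used offline)."""
    records, soa_seen = [], 0
    with socket.create_connection((ns_ip, 53), timeout=timeout) as sock:
        query = build_axfr_query(zone)
        sock.sendall(struct.pack("!H", len(query)) + query)
        while soa_seen < 2:                    # the zone ends at the second SOA
            (length,) = struct.unpack("!H", _recv_exact(sock, 2))
            for rec in parse_message(_recv_exact(sock, length)):
                records.append(rec)
                soa_seen += rec[1] == TYPE_SOA
    return records


def hostnames(records: List[Record]) -> List[str]:
    """Distinct owner names of A/AAAA/CNAME records: the subdomain list."""
    return sorted({o for o, t, _ in records if t in (TYPE_A, TYPE_AAAA, TYPE_CNAME)})


def _rr(owner: bytes, rtype: int, rdata: bytes) -> bytes:
    return owner + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata


# Constructed reply (assumption): flags 0x8400 = response + authoritative,
# 5 answers; 0xC00C is a compression pointer to the zone name in the question.
_PTR = b"\xc0\x0c"
_SOA = encode_name("ns1.example.com") + encode_name("hostmaster.example.com") \
    + struct.pack("!IIIII", 2024010101, 3600, 900, 604800, 300)
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 5, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", TYPE_AXFR, 1)
    + _rr(_PTR, TYPE_SOA, _SOA)
    + _rr(b"\x03www" + _PTR, TYPE_A, bytes([203, 0, 113, 10]))
    + _rr(b"\x08internal" + _PTR, TYPE_A, bytes([10, 0, 0, 5]))
    + _rr(b"\x03vpn" + _PTR, TYPE_CNAME, encode_name("vpn.example-hosting.net"))
    + _rr(_PTR, TYPE_SOA, _SOA)
)
```

Run transfer_zone() once per authoritative server of your zone (each one is configured separately, and a single lax secondary is enough to leak the zone); a PermissionError is the result you want to see. Note that the constructed reply exposes an internal RFC 1918 address, which is exactly the kind of detail an open transfer hands over.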

What Is Passive Subdomain Enumeration?

Passive subdomain enumeration involves gathering information from publicly available sources to identify subdomains. It is a less intrusive approach than active enumeration, as it does not involve directly interacting with a target domain.

Passive Subdomain Enumeration Techniques

Some passive enumeration techniques involve obtaining subdomain information from DNS records and certificate transparency logs, among other data sources.

Certificate Transparency Logs

When a subdomain is issued a TLS certificate by a publicly trusted Certificate Authority (CA), the certificate is published to Certificate Transparency (CT) logs: public, append-only records of issued certificates that major browsers require before they will trust a certificate. Every host name in the certificate's Subject Alternative Name field becomes visible in the logs. (CT covers TLS certificates; "SSL certificate" is the older name for the same thing.)

Analyzing CT logs can, therefore, help identify subdomains that have or had certificates, including ones that no longer resolve. Two caveats apply: a wildcard certificate (*.example.com) shows only that hosts exist under that name, not which ones, and a logged certificate does not mean the host is still live, so CT results should be resolved before being treated as current assets.
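The script below is an added example (not code from the original page) of turning CT data into a subdomain list. The record shape follows the JSON that crt.sh returns for https://crt.sh/?q=%.example.com&output=json (fields common_name, name_value with newline-separated names, and not_after); SAMPLE_ENTRIES is a constructed stand-in for that output (an assumption, not real log data) so the logic runs offline, and DEMO_NOW is a fixed clock for the demo.

```python
"""Extract subdomains from Certificate Transparency data.

Added example, not from the original page. fetch_ct_entries() queries
crt.sh live; SAMPLE_ENTRIES is a constructed stand-in (assumption) in the
same JSON shape so the filtering logic can be run offline.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from typing import Dict, List

DEMO_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)   # fixed clock for the demo

# Constructed entries (assumption): a wildcard, an expired cert for a host that
# probably no longer exists, mixed-case names, and an out-of-scope lookalike.
SAMPLE_ENTRIES = json.loads("""[
 {"common_name": "www.example.com", "name_value": "www.example.com\\nexample.com", "not_after": "2030-01-01T00:00:00"},
 {"common_name": "*.example.com", "name_value": "*.example.com", "not_after": "2030-06-01T00:00:00"},
 {"common_name": "legacy-portal.example.com", "name_value": "legacy-portal.example.com", "not_after": "2019-03-01T00:00:00"},
 {"common_name": "VPN.Example.com", "name_value": "VPN.Example.com\\nvpn2.example.com", "not_after": "2030-01-01T00:00:00"},
 {"common_name": "example.com.evil-lookalike.net", "name_value": "example.com.evil-lookalike.net", "not_after": "2030-01-01T00:00:00"}
]""")


def fetch_ct_entries(domain: str) -> List[Dict]:
    """Live query against crt.sh (network required; not used by the offline demo)."""
    url = "https://crt.sh/?" + urllib.parse.urlencode({"q": "%." + domain, "output": "json"})
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read())


def names_from_entries(entries, domain: str, now=None) -> Dict[str, str]:
    """Return {name: 'active' | 'expired'} for every in-scope name.

    Wildcards are kept as-is: they prove a cert exists but hide the hosts
    behind it. Scope is decided by suffix, so a name that merely contains
    the domain (example.com.evil-lookalike.net) is rejected.
    """
    now = now or datetime.now(timezone.utc)
    domain = domain.lower()
    seen: Dict[str, str] = {}
    for entry in entries:
        raw = entry.get("name_value", "") + "\n" + entry.get("common_name", "")
        try:
            expiry = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
        except (KeyError, ValueError):
            expiry = None
        for name in raw.split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name or not (name == domain or name.endswith("." + domain)):
                continue
            status = "expired" if expiry and expiry < now else "active"
            if seen.get(name) != "active":       # any active cert wins over expired
                seen[name] = status
    return seen


def subdomains(entries, domain: str, now=None) -> List[str]:
    """Concrete (non-wildcard) host names below the apex, sorted."""
    found = names_from_entries(entries, domain, now)
    return sorted(n for n in found if n != domain.lower() and not n.startswith("*."))


if __name__ == "__main__":
    for name, status in sorted(names_from_entries(SAMPLE_ENTRIES, "example.com", DEMO_NOW).items()):
        print(f"{status:8} {name}")
```

Names that appear only on expired certificates (legacy-portal.example.com in the constructed data) are the ones worth resolving first: they are the typical trace of a decommissioned host whose DNS record may still be in place.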

Search Engine Queries

A list of subdomains can also be obtained using search engines like Google, Bing, or DuckDuckGo to search for terms related to the target domain, such as “example.com blog” or “example.com forum.”

Another way these search engines can help is through search operators: site:example.com -site:www.example.com, for instance, lists indexed pages on subdomains other than www. Search engines only know about hosts that serve indexable content, so this source complements rather than replaces the DNS-based ones.

Passive DNS Repositories

Passive DNS databases collect and store historical DNS records, allowing users to analyze past DNS activities and identify subdomains that may have existed at one point. To perform subdomain enumeration using a passive DNS repository, users query it for historical DNS records related to a specific domain.

What Tools Can You Use for Subdomain Enumeration?

There are different subdomain enumeration tools relying on either passive, active, or both passive and active subdomain enumeration. Generally, the more techniques and data sources a tool uses, the more subdomains it will be able to find.

For example, Attaxion, an external attack surface management platform, offers users the choice between passive and active + passive subdomain enumeration. In both modes, it usually finds more subdomains than free passive subdomain discovery tools, but with active subdomain enumeration, the difference can be particularly drastic.

Sign up for a free 30-day trial or book a demo to see Attaxion’s subdomain enumeration in action.

For purely passive subdomain enumeration, you can try out our free Cyber Asset Finder tool.

Why Some Subdomain Enumeration Tools Are Better Than Others

As you can imagine, different discovery tools produce different results. Some miss subdomains that others find, while the tools that find more may also generate more false positives, and some are simply better than others in both coverage breadth and false positive count. Here are some reasons why that happens.

  • Enumeration techniques used: We talked about how tools like Attaxion use a combination of active and passive discovery methods, and this matters because tools that combine both usually find more subdomains. However, some of the most well-known tools like Subfinder favor a purely passive approach because it is stealthy and sends no traffic toward the target. Active scanners risk being blocked or rate-limited by the target's defenses: resolvers and DNS firewalls can throttle brute-force queries, and Intrusion Detection Systems (IDS) or Web Application Firewalls (WAFs) can block the follow-up probing of discovered hosts. These defenses limit the tool's ability to resolve or brute-force all subdomains. If you're using a tool that combines active and passive approaches against your own estate, you may need to allowlist its source IP ranges in your security controls so that active enumeration is not rate-limited or blocked.
  • Data sources: Subdomain enumeration relies not only on techniques, but also on data. This data can come from various repositories, including public DNS records, passive DNS (pDNS) databases, Certificate Transparency (CT) logs, web archives, search engines, and proprietary datasets. Some tools aggregate higher quality and more current datasets than others, which results in better coverage than tools relying on less comprehensive or outdated sources. High-quality pDNS databases, for instance, retain historical mappings that reveal assets that were decommissioned but not properly cleaned up. These assets pose a classic subdomain takeover risk due to dangling DNS records. Data quality is exactly the reason why open-source tools like the aforementioned Subfinder or OWASP Amass let users add API keys for additional third-party data sources that increase coverage. As a paid tool, Attaxion relies on quality third-party data sources right away.
  • Wordlists and permutations: Brute-forcing tools use pre-compiled dictionaries or wordlists to discover subdomains with typical labels. The size, quality, and contextual relevance of these wordlists determine how many such subdomains a tool can discover with this technique. For example, most tools have no trouble finding common subdomains such as “dev” and “staging,” but weaker wordlists may fail to uncover environment-specific subdomains like “sftp” or “internal-api.” More advanced tools use additional generation methods, such as:
    • DNS permutations: Systematically creating variations by adding prefixes or suffixes (for example, guessing “app-qa” from “app”).
    • Fuzzy matching: Using algorithms such as Levenshtein distance to predict similar or related subdomains based on existing results.
  • Handling wildcards and duplicates: Some tools include internal logic to identify and exclude wildcard DNS records (*.example.com), while others don't. The usual check is to resolve a few random labels under the domain: if they resolve, the zone has a wildcard, and any brute-force hit that returns the same answer as the random probes is noise rather than a real host. When tools fail to implement this filtering, they report many non-existent subdomains. Subdomain enumeration tools need effective wildcard filtering to maintain accuracy and prevent results from becoming unusable due to noise.
  • Connection reliability, rate-limiting, and retries: When DNS queries are slow or inconsistent, lookups can fail. Tools with overly aggressive timeouts or weak retry logic may miss valid subdomains. Similarly, DNS and WHOIS queries can be rate-limited by resolvers, authoritative DNS operators, or WHOIS servers. So, tools that don’t handle this well (backoff/retries/rotating resolvers) may miss data, unless they rely on third-party data sources.
  • Target infrastructure complexity: Domains with subdomains spread across multiple environments and providers (for example, multi-cloud setups using AWS, GCP, and Azure) introduce configuration challenges. These can include CDN-specific behavior, CNAME flattening at the apex, or delegation of a subdomain to a third party's name servers. Some tools struggle to resolve these setups correctly, while others can follow complex CNAME chains and identify assets hidden behind major CDNs.
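The permutation and fuzzy-matching ideas from the wordlist bullet above, as an added example that is not code from the original page or from any named tool: given names already found (KNOWN, a constructed input and an assumption), it derives candidates by environment swaps, prefix/suffix affixes and counter increments, then ranks them by Levenshtein distance to the nearest known label so the most plausible guesses are resolved first.

```python
"""Candidate generation from already-discovered subdomains.

Added example, not from the original page. KNOWN is a constructed result
set (assumption); ENVS and AFFIXES are a small illustrative vocabulary.
"""
import re
from typing import List, Set

KNOWN = ["app.example.com", "app-staging.example.com", "api1.example.com", "mail.example.com"]
ENVS = ["dev", "qa", "staging", "uat", "prod"]
AFFIXES = ["api", "admin", "internal", "old", "new", "v2"]


def label_of(name: str, domain: str) -> str:
    """Host part below the apex: 'app-staging' for app-staging.example.com."""
    return name[: -len(domain) - 1] if name.endswith("." + domain) else ""


def permutations(known, domain: str) -> Set[str]:
    """Derive new candidate names; names already known are excluded."""
    out: Set[str] = set()
    for name in known:
        label = label_of(name, domain)
        if not label:
            continue
        parts = re.split(r"[-.]", label)
        base = parts[0]
        for env in ENVS:
            if env in parts[1:]:                  # app-staging -> app-dev, app-qa, ...
                for other in ENVS:
                    out.add(label.replace(env, other))
            out.add(f"{base}-{env}")
            out.add(f"{env}-{base}")
        for affix in AFFIXES:                     # old-app, app-v2, ...
            out.add(f"{affix}-{label}")
            out.add(f"{label}-{affix}")
        m = re.fullmatch(r"(.*?)(\d+)", label)    # api1 -> api0, api2, api3
        if m:
            stem, num = m.group(1), int(m.group(2))
            for n in (num - 1, num + 1, num + 2):
                if n >= 0:
                    out.add(f"{stem}{n}")
    return {f"{c}.{domain}" for c in out} - set(known)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rank_candidates(candidates, known, domain: str, max_distance: int = 6) -> List[str]:
    """Order candidates by distance to the nearest known label; drop far ones."""
    known_labels = [label_of(k, domain) for k in known]
    scored = []
    for cand in candidates:
        d = min(levenshtein(label_of(cand, domain), k) for k in known_labels)
        if d <= max_distance:
            scored.append((d, cand))
    return [cand for _, cand in sorted(scored)]


if __name__ == "__main__":
    cands = permutations(KNOWN, "example.com")
    for cand in rank_candidates(cands, KNOWN, "example.com")[:10]:
        print(cand)
```

The ranked list is the input to the brute-force step, not a result: every candidate still has to be resolved (with wildcard filtering) before it counts as an asset. The distance cutoff keeps the candidate count bounded, which matters when every name costs a DNS query against a rate-limited resolver.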

The goal of subdomain enumeration is to build a complete and accurate inventory of external assets. Any of the factors above — from relying on incomplete data to failing to retry a slow DNS query — can leave gaps in asset coverage. Tools that address these issues with stronger techniques and higher quality data help organizations reduce the risk of shadow IT and forgotten assets.

What Security Risks Can Subdomain Enumeration Help Minimize?

While subdomains can help organize content or separate different aspects of a business, they can also present certain security risks. As such, it’s essential to have an updated list of subdomains you need to keep track of, and subdomain enumeration is one way to do that.

For one, accurate and thorough subdomain enumeration helps contain attack surface expansion. Subdomains create additional entry points for attackers. Each subdomain is usually a separate application or service with its own code, configuration, and exposure, which means more opportunities for threat actors to exploit vulnerabilities. Hence, they broaden the attack surface, especially when they are unprotected and unmonitored.

Subdomain enumeration is also one of the first steps in preventing subdomain takeovers. These attacks occur when a subdomain’s DNS records are compromised or the subdomain is not properly configured or protected, allowing an attacker to gain control of it. The threat actor can redirect traffic to malicious websites, distribute malware, or steal sensitive information.

What Common Vulnerabilities Affect Subdomains?

Subdomain enumeration alone cannot minimize the risks mentioned above. Security teams also need to scan assets for security issues.

One type of issue to look out for is DNS misconfiguration; 21% of active subdomain records are unresolved. A typical case is a canonical name (CNAME) record for a subdomain that points to a host name that is no longer active or no longer owned by the organization, for example a cloud resource that was deleted while its record in the organization's zone stayed behind. If left unaddressed, this misconfiguration (often called dangling DNS) exposes companies to the risk of subdomain takeover: when the stale target sits in a namespace where anyone can register the name, an attacker can claim it and serve content under the organization's subdomain.
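A check for the dangling-CNAME condition just described, as an added example that is not code from the original page: it follows CNAME chains, reports names whose final target does not exist, detects loops, and flags targets under service suffixes where an unclaimed name could be registered by a third party. The record set and the suffix list are constructed assumptions (example-paas.net is invented; azurewebsites.net is listed only as a commonly cited case), and the lookup function is injected so the same code runs against real DNS with a resolver of your choice.

```python
"""Find dangling CNAME records (subdomain takeover candidates).

Added example, not from the original page. FAKE_RECORDS is a constructed
record set (assumption); a missing name means NXDOMAIN. CLAIMABLE_SUFFIXES
is an illustrative list to maintain yourself, not an authoritative one.
"""
from typing import Callable, Dict, List, Optional, Tuple

Rec = Tuple[str, str]                       # (rtype, value)
Lookup = Callable[[str], Optional[Rec]]     # None when the name does not exist

FAKE_RECORDS: Dict[str, Rec] = {
    "www.example.com": ("A", "203.0.113.10"),
    "shop.example.com": ("CNAME", "shop-prod.example-cdn.net"),
    "shop-prod.example-cdn.net": ("A", "198.51.100.4"),
    "old-app.example.com": ("CNAME", "old-app-2019.azurewebsites.net"),   # target gone
    "docs.example.com": ("CNAME", "assets.example.com"),
    "assets.example.com": ("CNAME", "assets-old.example-paas.net"),       # target gone
    "loop-a.example.com": ("CNAME", "loop-b.example.com"),
    "loop-b.example.com": ("CNAME", "loop-a.example.com"),
}

# Suffixes where an unregistered target name could be claimed by anyone
# (assumption / illustrative; example-paas.net is invented).
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".example-paas.net")


def fake_lookup(name: str) -> Optional[Rec]:
    return FAKE_RECORDS.get(name)


def follow_chain(lookup: Lookup, name: str, max_hops: int = 8):
    """Return (chain of names, terminal record); terminal is None on NXDOMAIN."""
    chain, seen = [name], {name}
    rec = lookup(name)
    while rec and rec[0] == "CNAME":
        target = rec[1]
        if target in seen or len(chain) > max_hops:
            return chain + [target], ("LOOP", target)
        chain.append(target)
        seen.add(target)
        rec = lookup(target)
    return chain, rec


def dangling_report(lookup: Lookup, names) -> Dict[str, Tuple[str, str]]:
    """{name: (finding, target)} for CNAMEs whose chain ends badly."""
    findings: Dict[str, Tuple[str, str]] = {}
    for name in names:
        chain, terminal = follow_chain(lookup, name)
        if len(chain) == 1:
            continue                                # not a CNAME; nothing to dangle
        if terminal is None:
            target = chain[-1]
            claimable = any(target.endswith(s) for s in CLAIMABLE_SUFFIXES)
            findings[name] = ("takeover-candidate" if claimable else "dangling", target)
        elif terminal[0] == "LOOP":
            findings[name] = ("loop", terminal[1])
    return findings


if __name__ == "__main__":
    for name, (finding, target) in sorted(dangling_report(fake_lookup, FAKE_RECORDS).items()):
        print(f"{finding:19} {name} -> {target}")
```

Two cautions when running this against real DNS. A resolving target is not automatically safe: some hosting platforms answer for every name under their suffix and only return an error page for unclaimed ones, so those need an HTTP-level check rather than a DNS one. And "dangling" findings outside the claimable list are still worth removing; an unresolvable record is at best dead configuration and at worst a takeover path through a provider you have not catalogued yet.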

Another common security issue with subdomains is the presence of cross-site scripting (XSS) vulnerabilities, which allow attackers to inject malicious code into web pages. Additionally, using insecure protocols like HTTP instead of HTTPS for subdomains is a frequent problem, as it can expose sensitive data to eavesdropping and man-in-the-middle (MitM) attacks.

Who Performs Subdomain Enumeration?

Subdomain enumeration is primarily performed by security professionals, such as security analysts, penetration testers, and ethical hackers. They use the method to identify potential vulnerabilities and assess the security posture of a target organization.

Threat intelligence analysts also use subdomain enumeration to gather information about malicious actors and their infrastructure.

Meanwhile, competitive intelligence analysts may use subdomain enumeration to gain insights into their competitors’ online presence and identify new products or services.

Unfortunately, malicious actors can also use subdomain enumeration to identify vulnerabilities in the target system and launch attacks.

Subdomains constitute a significant part of an organization’s infrastructure. Subdomain enumeration can help complete an organization’s network view, enabling security teams to develop targeted security strategies to protect their assets.

Key Takeaways

  • Subdomain enumeration is the process of identifying and mapping the subdomains associated with a domain name.
  • It helps reduce attack surfaces, discover hidden applications, detect vulnerabilities, and find forgotten assets.
  • Active enumeration directly interacts with a target domain, can be resource-intensive, and has legal and ethical implications.
  • Passive enumeration is less intrusive and gathers information from publicly available sources.

Ready to see how Attaxion can help you protect your subdomains and other public-facing assets? Start your free trial now.
