Subdomain Enumeration: The Complete Guide

Updated By SurfaceLoop Team

Discover forgotten subdomains, shadow IT, and hidden services across your attack surface. A defensive guide to subdomain enumeration for security teams.

Why does subdomain enumeration matter?

Every organisation has more subdomains than it thinks. DNS is cumulative: records are added for new services, projects, and environments, but rarely cleaned up when those services are decommissioned.

A company might know about www, mail, app, and api. But a thorough enumeration reveals staging.example.com (an old test environment still running), jenkins.dev.example.com (a CI/CD server with default credentials), old-blog.example.com (a WordPress site that hasn’t been patched in two years), and vpn-backup.example.com (a decommissioned VPN gateway whose DNS record still resolves).

Each of these is an entry point. Each exists outside the security team’s visibility. Subdomain enumeration closes this gap.

What are the main enumeration techniques?

Passive enumeration

Passive techniques discover subdomains without sending any traffic to the target. They query external data sources:

Certificate transparency logs. Since 2018 the major browsers have required publicly trusted SSL/TLS certificates to be logged in CT logs, public, append-only records of issuance. Querying CT logs (via crt.sh, Certstream, or the log APIs directly) reveals every subdomain for which a certificate has been issued, including internal-facing services that use public certificates. Two caveats: wildcard certificates (*.example.com) prove a zone exists but hide the hosts beneath it, and a name in an old, expired certificate may be a decommissioned service rather than a live one, so CT output still needs resolving.
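The parsing step that CT tooling does for you, as an added example (not code from this page, SurfaceLoop or crt.sh): it takes JSON in the shape crt.sh returns for a query such as https://crt.sh/?q=%25.example.com&output=json, splits the newline-separated name_value field into individual names, keeps only names under the root, sets wildcard names aside, and flags hosts whose newest certificate has already expired. The sample JSON is constructed for the example; the field names follow crt.sh, but the hostnames and dates are invented.

```python
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output; none of it is real CT data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_after": "2024-04-09T23:59:59"},
    {"common_name": "*.example.com",                    # wildcard: hides hosts beneath it
     "name_value": "*.example.com\nexample.com",
     "not_after": "2024-06-30T23:59:59"},
    {"common_name": "staging.example.com",              # long expired: possible leftover
     "name_value": "STAGING.example.com\njenkins.dev.example.com",
     "not_after": "2022-05-30T23:59:59"},
    {"common_name": "vpn-backup.example.com",
     "name_value": "vpn-backup.example.com",
     "not_after": "2021-11-30T23:59:59"},
    {"common_name": "example.com.evil-lookalike.net",   # out of scope: not under the root
     "name_value": "example.com.evil-lookalike.net",
     "not_after": "2024-05-01T23:59:59"},
])


def extract_ct_hosts(crtsh_json, root, now=None):
    """Turn crt.sh JSON into subdomains of `root`.

    `now` is an ISO-8601 timestamp (defaults to the current time).
    Returns a dict with three keys:
      hosts     - every in-scope hostname seen in a certificate, lowercased
      wildcards - wildcard names seen (they prove a zone exists but hide its hosts)
      stale     - hosts whose newest certificate has already expired
    """
    root = root.lower().rstrip(".")
    cutoff = datetime.fromisoformat(now) if now else datetime.now()
    latest_expiry = {}                  # host -> latest not_after seen for it
    wildcards = set()
    for cert in json.loads(crtsh_json):
        expiry = datetime.fromisoformat(cert["not_after"])
        # name_value carries every SAN in the certificate, newline-separated
        for raw in cert["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name.endswith("." + root):
                continue                # the apex itself, or a lookalike domain
            if name.startswith("*."):
                wildcards.add(name)
                continue
            if name not in latest_expiry or expiry > latest_expiry[name]:
                latest_expiry[name] = expiry
    stale = {host for host, exp in latest_expiry.items() if exp < cutoff}
    return {"hosts": set(latest_expiry), "wildcards": wildcards, "stale": stale}


if __name__ == "__main__":
    result = extract_ct_hosts(SAMPLE_CRTSH_JSON, "example.com", now="2024-03-01T00:00:00")
    for key in ("hosts", "wildcards", "stale"):
        print(key, sorted(result[key]))
```

The scope filter matters when the CT query is broader than intended: a substring search for the company name will return certificates for unrelated or lookalike domains, and those must not end up in the inventory. The stale set is a triage hint only; a host whose certificate expired two years ago may still resolve and be running.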

Search engines and internet-wide scanners. Google and Bing index subdomains they encounter while crawling; a query such as site:example.com -site:www.example.com surfaces indexed hosts beyond the main site. Shodan and Censys are not crawlers: they scan the public address space and index service banners and certificates, so searching them for your organisation's names or certificate fields finds hosts that are listening but were never linked from anywhere.

DNS aggregators and threat intelligence feeds. Services like VirusTotal, SecurityTrails, and passive DNS databases collect historical DNS resolution data. They can reveal subdomains that existed in the past, even if they no longer resolve, which is useful for identifying dangling DNS records vulnerable to takeover.

Code repositories. GitHub, GitLab, and Bitbucket searches often reveal subdomains mentioned in configuration files, scripts, documentation, and commit messages.

Active enumeration

Active techniques send queries to the target’s DNS infrastructure:

DNS brute-forcing. Test a wordlist of common subdomain names (admin, mail, vpn, staging, dev, test, api, cdn, etc.) against the target domain's DNS servers. MassDNS, puredns, and shuffledns handle the high-speed resolution of large wordlists, and OWASP Amass includes a brute-force mode; Subfinder is a passive tool and does not brute-force. Check for wildcard DNS first: if a random label such as x7q2m9k1.example.com resolves, every wordlist entry will appear to exist, and results must be filtered against the wildcard's answer.

DNS zone transfers. If a DNS server is misconfigured to allow zone transfers (AXFR) from any source, a single query returns every record in the zone. This is rare on well-configured servers but still worth checking against each authoritative name server listed in the domain's NS records, for example with dig axfr example.com @ns1.example.com; a correctly configured server refuses the transfer.

Permutation and alteration scanning. Generate subdomain variations based on known subdomains. If api.example.com exists, test api-v2, api-staging, api-dev, api-test, api-old. Tools like dnsgen and altdns specialise in this.
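The active side, as an added example covering both the brute-force and the permutation paragraphs above (this is illustrative code, not the page's or any of the named tools'): it builds candidates from a wordlist plus dnsgen-style variations of already-known hosts, resolves each one, and drops names that are only answered because of a wildcard record. The DNS lookup is a constructed stand-in (fake_resolve and FAKE_ZONE, with documentation-range addresses) so the example runs offline; in real use you would replace it with a resolver library or with parsed MassDNS output. The wildcard check is the part practitioners most often skip: a random label is resolved under each parent zone, and any candidate whose answers are a subset of that wildcard answer is discarded, while a host under the same wildcard with its own distinct record is kept.

```python
import secrets

# Constructed stand-in for the target's DNS: a few real records plus a
# wildcard under dev.example.com. Addresses come from documentation ranges.
FAKE_ZONE = {
    "www.example.com": {"93.184.216.34"},
    "api.example.com": {"203.0.113.10"},
    "api-staging.example.com": {"203.0.113.11"},
    "mail.example.com": {"203.0.113.25"},
    "vpn.example.com": {"198.51.100.5"},
    "jenkins.dev.example.com": {"198.51.100.50"},   # real host inside the wildcard zone
}
WILDCARD_ANSWER = {"198.51.100.200"}                # what *.dev.example.com returns


def fake_resolve(name):
    """Stand-in for an A lookup; returns the set of addresses (empty = NXDOMAIN)."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".dev.example.com"):
        return WILDCARD_ANSWER
    return set()


def wildcard_answers(parent, resolve, probes=3):
    """Resolve random labels under `parent`; any answer means a wildcard exists."""
    answers = set()
    for _ in range(probes):
        answers |= set(resolve(f"{secrets.token_hex(6)}.{parent}"))
    return answers


def permutations(known, root, words=("staging", "dev", "test", "old", "v2")):
    """dnsgen-style variations of hosts that are already known to exist."""
    for host in known:
        prefix = host[: -(len(root) + 1)]           # "api" from "api.example.com"
        if not prefix:
            continue
        for w in words:
            yield f"{prefix}-{w}.{root}"            # api-staging.example.com
            yield f"{w}-{prefix}.{root}"            # staging-api.example.com
            yield f"{w}.{host}"                     # staging.api.example.com


def enumerate_active(root, wordlist, known, resolve):
    """Brute-force plus permutations, minus names synthesised by wildcard records."""
    candidates = {f"{w}.{root}" for w in wordlist} | set(permutations(known, root))
    wildcard_cache = {}                             # parent zone -> wildcard answers
    found = {}
    for name in sorted(candidates):
        answers = set(resolve(name))
        if not answers:
            continue
        parent = name.split(".", 1)[1]
        if parent not in wildcard_cache:
            wildcard_cache[parent] = wildcard_answers(parent, resolve)
        if answers <= wildcard_cache[parent]:
            continue                                # wildcard noise, not a real host
        found[name] = answers
    return found


WORDLIST = ["www", "api", "mail", "vpn", "admin", "staging", "dev", "test",
            "jenkins.dev", "gitlab.dev"]

if __name__ == "__main__":
    hits = enumerate_active("example.com", WORDLIST, {"api.example.com"}, fake_resolve)
    for host, ips in hits.items():
        print(host, sorted(ips))
```

Against the constructed zone, gitlab.dev.example.com resolves but is dropped because its only answer is the wildcard's, while jenkins.dev.example.com survives because it has a record of its own. Comparing answer sets rather than just "resolves or not" is what makes that distinction possible; some wildcard setups return several addresses or rotate them, which is why the probe is repeated and the answers unioned.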

Combining techniques

No single technique finds everything. The most thorough approach layers passive sources (CT logs, DNS aggregators, search engines) with active techniques (brute-forcing, permutation scanning). OWASP Amass, for example, combines dozens of data sources with DNS resolution in a single tool.

How SurfaceLoop handles this

SurfaceLoop combines certificate transparency analysis, passive DNS aggregation, and active enumeration to continuously discover subdomains across your root domains. New subdomains are flagged automatically - so shadow IT, forgotten services, and newly created environments don’t escape your visibility.


What does subdomain enumeration reveal?

The subdomains you discover typically fall into several categories:

Active production services. Your known infrastructure - www, api, mail, app. These should already be in your security program.

Development and staging environments. staging.example.com, dev.example.com, test.example.com. Often running older code, weaker security configurations, and sometimes connected to production databases.

Shadow IT. Tools and services deployed by teams without security team involvement - project management platforms, monitoring dashboards, wiki instances, file sharing tools.

Decommissioned services. Services that were shut down, but whose DNS records were never removed. These create dangling DNS records that may be vulnerable to subdomain takeover.

Third-party services. Subdomains delegated to external providers - CDNs, email services, marketing platforms, SaaS tools. These expand your attack surface into infrastructure you don’t directly control.

Which tools are used for subdomain enumeration?

Tool              Type                   Strengths
Subfinder         Passive                Fast, lightweight, excellent API source coverage
OWASP Amass       Passive + Active       Most comprehensive, best for thorough one-time audits
MassDNS           Active (brute-force)   Extremely fast DNS resolution for large wordlists
crt.sh            Passive (CT logs)      Free web interface for CT log queries
dnsgen / altdns   Permutation            Generates subdomain variations from discovered names
Subzy / Subjack   Takeover detection     Checks discovered subdomains for takeover vulnerability

What is subdomain takeover and why is it dangerous?

Subdomain takeover is one of the most impactful findings from enumeration. It occurs when:

  1. A subdomain’s DNS record (usually a CNAME) points to an external service - such as an S3 bucket, GitHub Pages site, Heroku app, or Azure endpoint
  2. The external resource is deprovisioned (the S3 bucket is deleted, the Heroku app is removed)
  3. The DNS record remains in place, still pointing to the now-unclaimed resource
  4. An attacker claims the resource on the external platform and serves their own content on your subdomain

Not every dangling record is claimable. Whether step 4 is possible depends on the provider: some hand out resource names on a first-come basis, others have added domain verification, and some targets (a deleted load balancer hostname, for instance) cannot be re-registered by an arbitrary account at all. A dangling CNAME is a finding to clean up regardless, but it is only a takeover when the specific provider lets a stranger claim that specific name.
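The triage logic behind tools such as Subzy and Subjack, as an added example (not code from this page or from those projects): for each CNAME record from enumeration it checks whether the target still resolves and whether the subdomain serves a provider's "unclaimed resource" page, then sorts records into likely takeovers, dangling records that need manual review, and records in use. The provider table is abbreviated and partly assumed for illustration (real work should use a maintained fingerprint list such as can-i-take-over-xyz and re-verify each provider, since behaviour changes); the records, lookup results and HTTP bodies are constructed so the example runs offline.

```python
# Provider fingerprints: CNAME target suffix -> (text an unclaimed resource
# serves, whether NXDOMAIN on the target itself means the name is claimable).
# Abbreviated and partly assumed for this illustration.
PROVIDERS = {
    "s3.amazonaws.com":  ("NoSuchBucket", False),
    "github.io":         ("There isn't a GitHub Pages site here", False),
    "herokuapp.com":     ("No such app", False),
    "azurewebsites.net": (None, True),
}

LIKELY_TAKEOVER = "likely-takeover"
DANGLING_MANUAL = "dangling-verify-manually"
IN_USE = "in-use"

# Constructed sample: CNAME records found by enumeration (all names invented).
CNAME_RECORDS = {
    "assets.example.com": "assets-example.s3.amazonaws.com",
    "docs.example.com":   "example-docs.github.io",
    "app.example.com":    "example-app.herokuapp.com",
    "web.example.com":    "example-web.azurewebsites.net",
    "legacy.example.com": "legacy-lb-123456.elb.amazonaws.com",
    "cdn.example.com":    "d111111abcdef8.cloudfront.net",
}
# Constructed probe results standing in for a DNS lookup of the CNAME target
# (False = NXDOMAIN) and an HTTP GET to the subdomain (None = no response).
TARGET_RESOLVES = {
    "assets-example.s3.amazonaws.com": True,
    "example-docs.github.io": True,
    "example-app.herokuapp.com": True,
    "example-web.azurewebsites.net": False,
    "legacy-lb-123456.elb.amazonaws.com": False,
    "d111111abcdef8.cloudfront.net": True,
}
HTTP_BODIES = {
    "assets.example.com": "<Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message>",
    "docs.example.com":   "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
    "app.example.com":    "<html>Welcome to the app</html>",
    "web.example.com":    None,
    "legacy.example.com": None,
    "cdn.example.com":    "<html>static assets</html>",
}


def match_provider(target):
    """Return the PROVIDERS key whose suffix matches the CNAME target, if any."""
    for suffix in PROVIDERS:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return None


def classify_cname(host, target, target_resolves, http_body):
    """Triage one CNAME record; returns one of the three status strings."""
    provider = match_provider(target)
    if not target_resolves(target):
        # Target is gone. Only claimable if the provider hands out that name
        # freely; an old ELB hostname, say, is dangling but not claimable.
        if provider and PROVIDERS[provider][1]:
            return LIKELY_TAKEOVER
        return DANGLING_MANUAL
    if provider:
        fingerprint = PROVIDERS[provider][0]
        if fingerprint and fingerprint in (http_body(host) or ""):
            return LIKELY_TAKEOVER
    return IN_USE


def triage(records, target_resolves, http_body):
    """Classify every CNAME record; the two callables do the actual lookups."""
    return {host: classify_cname(host, target, target_resolves, http_body)
            for host, target in records.items()}


if __name__ == "__main__":
    for host, status in triage(CNAME_RECORDS, TARGET_RESOLVES.__getitem__,
                               HTTP_BODIES.get).items():
        print(f"{host:22} {CNAME_RECORDS[host]:38} {status}")
```

The two lookups are passed in as callables so the same logic can run against live DNS and HTTP; the constructed dictionaries stand in for them here. Note the asymmetry the table encodes: for S3, GitHub Pages and Heroku the target hostname keeps resolving after the resource is deleted, and it is the response body that gives the game away, whereas for the Azure case it is the NXDOMAIN itself that signals the name is free. Treating every NXDOMAIN as a takeover produces false positives; treating only NXDOMAIN as a takeover misses the first three cases entirely.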

A successful takeover lets an attacker:

  • Serve phishing pages on your domain (e.g., auth.example.com), with a valid certificate if the provider issues one automatically
  • Host malware with your domain’s reputation
  • Set cookies scoped to the parent domain (Domain=example.com) and read cookies your applications share across subdomains, enabling session fixation and hijacking
  • Abuse CORS, CSP, or OAuth redirect allowlists that trust any *.example.com origin
  • Damage brand trust

Our article on subdomain takeover covers detection and prevention in detail.

How do you build a continuous enumeration program?

One-time enumeration gives you a snapshot. Continuous enumeration keeps the inventory current as teams add, move, and retire services:

  1. Baseline your subdomains. Run a thorough initial enumeration and document all discovered subdomains with their purpose and owner.
  2. Set up continuous scanning. Automate enumeration on at least a weekly schedule. Flag new subdomains for review.
  3. Establish an ownership model. Every subdomain should have an identified owner responsible for its security posture.
  4. Clean up DNS. Remove DNS records for decommissioned services. This eliminates takeover risk and reduces your attack surface.
  5. Integrate with your vulnerability management. Every newly discovered subdomain should be fed into your vulnerability scanner and EASM platform for security assessment.

Frequently asked questions

What is subdomain enumeration?
Subdomain enumeration is the process of discovering all subdomains associated with a root domain - such as mail.example.com, staging.example.com, or vpn.example.com - to map the full external attack surface of an organisation.
Why do security teams need subdomain enumeration?
Organisations typically don't have a complete inventory of their subdomains. Forgotten staging environments, decommissioned services, and shadow IT create subdomains that remain DNS-resolvable and potentially exploitable. You cannot secure assets you don't know exist.
What are the main subdomain enumeration techniques?
The main techniques are: certificate transparency log analysis (querying public CT logs for issued certificates), DNS brute-forcing (testing common subdomain names against the DNS), passive aggregation (collecting subdomains from search engines, threat intelligence feeds, and historical DNS data), and permutation scanning (generating variations of known subdomains).
What is the best subdomain enumeration tool?
There is no single best tool. Subfinder by ProjectDiscovery is a fast passive tool with broad API source coverage; OWASP Amass is more thorough, adding active resolution and brute-forcing to its passive sources, but slower. For continuous automated discovery as part of attack surface management, EASM platforms like SurfaceLoop combine multiple enumeration methods and track changes over time.
How often should I enumerate subdomains?
Continuously. New subdomains appear whenever teams deploy services, create DNS records, or provision cloud resources. Weekly enumeration catches most changes; daily scanning shortens the window between a subdomain appearing and your team knowing about it.
What is a subdomain takeover?
A subdomain takeover occurs when a subdomain's DNS record points to an external service (like an S3 bucket, GitHub Pages, or Heroku app) that has been deprovisioned. An attacker can claim the orphaned resource and serve their own content on your subdomain, potentially for phishing or malware distribution.
