Subdomain Finder - Discover Subdomains via CT Logs

Pricing

from $3.50 / 1,000 results

Discover every subdomain of any domain using Certificate Transparency logs (crt.sh). Fast bulk subdomain enumeration for security recon, attack-surface mapping, asset discovery and SEO. No API key — export to CSV or JSON.

Developer

Logiover

Maintained by Community

Subdomain Finder 🔍 — Discover Subdomains via Certificate Transparency

Find every known subdomain of any domain in seconds. This subdomain finder performs passive subdomain enumeration straight from public Certificate Transparency (CT) logs via crt.sh — so you can find all subdomains of a domain without ever touching the target's infrastructure. One root domain can return hundreds to thousands of unique subdomains.

No API key, no login, no rate-limited third-party service. It's the essential first step for security recon, attack surface mapping, asset discovery, OSINT and SEO — with one clean row per subdomain, exportable to CSV or JSON.

Looking for a free subdomain enumeration tool, a subdomain lookup, a certificate transparency search over crt.sh, or a way to find subdomains of a domain in bulk? This actor does the full discover-and-export at scale, with no API key.


✨ Key features

  • 🛰️ Passive subdomain enumeration — pulls subdomains from Certificate Transparency logs, never scanning or probing the target directly.
  • 📈 High volume — a single root domain can yield hundreds to thousands of unique subdomains in one run.
  • 🗂️ Bulk multi-domain — pass a whole list of root domains and enumerate them all in a single run.
  • 🌿 Wildcard handling — leading *. wildcards are always stripped and deduped; optionally keep wildcard-only entries.
  • Optional live filter: onlyResolvable checks each subdomain with a DNS-over-HTTPS A lookup and keeps only the ones that currently resolve.
  • 🗓️ First / last seen dates — certificate validity dates from CT records, perfect for spotting fresh or stale assets.
  • 🛡️ Robust against crt.sh flakiness — long timeout, multiple retries with backoff and a fresh proxy IP per attempt.
  • 🔓 No API key — crt.sh is an open endpoint; no credentials, no sign-up.
  • No browser overhead — pure HTTP, fast and low cost.
  • 💾 Export-ready — download results as JSON, CSV or Excel, or pull them via the Apify API.

💡 Use cases

  • Security recon & penetration testing — map an organization's full external attack surface before an authorized test.
  • Bug bounty & OSINT — quickly enumerate in-scope assets for a target using passive reconnaissance with zero direct contact.
  • Attack-surface management — discover forgotten, shadow, staging or dev subdomains your team may have lost track of.
  • Asset discovery & inventory — build and enrich a complete subdomain inventory for any domain you own or monitor.
  • SEO & site migration — find every subdomain that may host indexable content before or after a redesign or migration.
  • Brand & threat monitoring — track which subdomains appear over time and catch new or unexpected hostnames.

📦 What you get

One row per unique subdomain, including:

| Field | Type | Description |
| subdomain | string | The unique subdomain hostname (lowercased, wildcard stripped) |
| domain | string | The root domain it belongs to |
| url | string | Convenience https:// URL for the subdomain |
| isWildcard | boolean | true if this name only ever appeared as a wildcard cert (*.x) |
| resolvable | boolean or null | true/false when onlyResolvable is on, otherwise null |
| firstSeen | string or null | Earliest certificate not_before date seen for this name (ISO) |
| lastSeen | string or null | Latest certificate not_after date seen for this name (ISO) |
| discoveredAt | string | ISO 8601 timestamp of when this row was produced |

Example output

{
  "subdomain": "affiliate.apify.com",
  "domain": "apify.com",
  "url": "https://affiliate.apify.com",
  "isWildcard": false,
  "resolvable": null,
  "firstSeen": "2025-06-03T07:47:43",
  "lastSeen": "2026-09-07T01:14:59",
  "discoveredAt": "2026-06-15T16:50:16.726Z"
}

🚀 How to use it

  1. Click Try for free / Start.
  2. Enter one or more Root Domains (e.g. apify.com) — no http:// and no paths.
  3. (Optional) Toggle Include Wildcard Entries to keep wildcard-only names.
  4. (Optional) Toggle Only Resolvable to keep only currently-live subdomains.
  5. (Optional) Set Max Results Per Domain to cap output per root domain.
  6. Click Save & Start, then export the results as JSON, CSV or Excel — or pull them via the Apify API.

⚙️ Input

| Field | Type | Default | Description |
| domains | array of strings | ["apify.com"] | Root domains to enumerate. Do not include http:// or paths |
| includeWildcards | boolean | false | Keep subdomains that only ever appeared as a wildcard cert (*.x). The leading *. is stripped regardless |
| onlyResolvable | boolean | false | If true, keep only subdomains that resolve to an A record (DNS-over-HTTPS). Much slower, so off by default |
| maxResults | integer | 0 | Max unique subdomains to return per root domain. 0 = no limit |
| proxyConfiguration | object | Apify Proxy (datacenter) | Proxy used to reach crt.sh |

Example input

{
  "domains": ["apify.com", "google.com"],
  "includeWildcards": false,
  "onlyResolvable": false,
  "maxResults": 0,
  "proxyConfiguration": { "useApifyProxy": true }
}

🔍 How it works

Every time a publicly trusted certificate authority issues a TLS/SSL certificate for an organization, the hostnames on that certificate are published to public Certificate Transparency logs. That makes CT logs one of the most complete, passive sources of subdomain data available — and you never contact the target to collect it.

  1. For each root domain, the actor runs a certificate transparency search on crt.sh in two forms — %.<domain> (wildcard) and <domain> (bare) — and merges both result sets for maximum coverage.
  2. Every certificate entry's name_value (which may contain multiple newline-separated names) and common_name are parsed.
  3. Each name is lowercased, has any leading *. wildcard stripped, and is kept only if it falls under the queried domain.
  4. Names are deduplicated into a set, keeping the earliest firstSeen and latest lastSeen dates per name.
  5. Optionally, each subdomain is verified live via a DNS-over-HTTPS A lookup when onlyResolvable is enabled.
  6. One row is pushed per unique subdomain.
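Steps 2 to 4 above, sketched in Python as an added example (this is not the actor's own code). The records are constructed to look like crt.sh JSON rows, the names merge_ct_records and in_scope are hypothetical, and keeping the root domain itself as a row is an assumption.

```python
# Constructed sample shaped like crt.sh JSON rows (not real CT data).
SAMPLE = [
    {"common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com",
     "not_before": "2023-05-01T00:00:00", "not_after": "2024-05-01T00:00:00"},
    {"common_name": "WWW.Example.com", "name_value": "www.example.com\nnotexample.com",
     "not_before": "2022-03-02T00:00:00", "not_after": "2022-06-01T00:00:00"},
    {"common_name": "api.example.com", "name_value": "*.example.com\napi.example.com",
     "not_before": "2025-02-01T00:00:00", "not_after": "2025-05-01T00:00:00"},
]

def in_scope(name, domain):
    # Compare on a label boundary: a plain suffix test would let
    # "notexample.com" into an inventory for "example.com".
    return name == domain or name.endswith("." + domain)

def merge_ct_records(records, domain, include_wildcards=False):
    domain = domain.lower().rstrip(".")
    seen = {}
    for rec in records:
        # name_value may hold several newline-separated names; common_name holds one.
        entries = (rec.get("name_value") or "").split("\n")
        entries.append(rec.get("common_name") or "")
        for entry in entries:
            name = entry.strip().lower().rstrip(".")
            wildcard = name.startswith("*.")
            if wildcard:
                name = name[2:]
            if not name or not in_scope(name, domain):
                continue
            row = seen.setdefault(name, {"subdomain": name, "domain": domain,
                                         "isWildcard": True,
                                         "firstSeen": None, "lastSeen": None})
            # Stays True only while every sighting of the name was a wildcard.
            row["isWildcard"] = row["isWildcard"] and wildcard
            nb, na = rec.get("not_before"), rec.get("not_after")
            # Same-format ISO 8601 strings order correctly as plain text.
            if nb and (row["firstSeen"] is None or nb < row["firstSeen"]):
                row["firstSeen"] = nb
            if na and (row["lastSeen"] is None or na > row["lastSeen"]):
                row["lastSeen"] = na
    rows = [r for r in seen.values() if include_wildcards or not r["isWildcard"]]
    return sorted(rows, key=lambda r: r["subdomain"])

if __name__ == "__main__":
    for r in merge_ct_records(SAMPLE, "example.com", include_wildcards=True):
        print(r)
```

In the sample, dev.example.com is seen only as a wildcard, so it is returned only when include_wildcards is set, and notexample.com is rejected by the label-boundary check.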

Honest about coverage: CT logs surface hostnames that have ever had a public TLS certificate issued. Subdomains that never used a public cert (or used a private/internal CA) will not appear — this is true of any CT-based subdomain finder, and it's why passive enumeration is paired with active tools for full recon.

🧰 Tips & best practices

  • Start broad, then filter. Run with defaults first to capture the full historical picture, then enable onlyResolvable on a second pass to narrow to currently-live hosts.
  • Use the dates. Sort by firstSeen to spot freshly issued certs (new assets) and by lastSeen to flag stale or expiring ones.
  • Batch your domains. Pass many root domains in domains for bulk enumeration in a single run instead of one run per domain.
  • Mind very large targets. crt.sh is a free community service; for huge domains it can return 502/timeouts under load. The actor retries with backoff and a fresh proxy IP, and a domain that crt.sh can't serve simply returns 0 rows while the run completes.
  • Combine with related tools. Feed the url column into a status checker, DNS lookup or tech-stack detector (see related actors below) to enrich your subdomain inventory.
  • Use responsibly. Only enumerate domains you own or are authorized to assess.

❓ FAQ

How do I find all subdomains of a domain?

Enter the root domain (e.g. apify.com) into Root Domains and run the actor. It queries Certificate Transparency logs via crt.sh, extracts and deduplicates every hostname ever seen under that domain, and returns one row per unique subdomain — typically hundreds to thousands for a large organization.

Is this a free subdomain finder without an API key?

Yes. crt.sh is an open Certificate Transparency endpoint, so this actor needs no API key, no login and no third-party credentials. You only pay for the Apify platform usage of the run.

How is this different from a DNS brute-force tool?

A brute-force tool guesses subdomain names against a wordlist and actively queries the target's DNS. This actor is passive: it reads hostnames that organizations already published to public CT logs, so it never touches the target's infrastructure — and it often surfaces names no wordlist would guess. For complete coverage, pair passive CT enumeration with an active tool.

Can I export subdomains to CSV or JSON?

Yes. Every result is one row in an Apify dataset, so you can export the full subdomain list to CSV, JSON or Excel, or pull it programmatically via the Apify API — ready to drop into a spreadsheet or pipeline.

Does it find sub-subdomains and wildcard domains?

Yes. Any depth of hostname that appears in a certificate (e.g. dev.api.example.com) is returned. Wildcard certs (*.example.com) always have the leading *. stripped; enable Include Wildcard Entries to also keep names that only ever appeared as a wildcard, flagged with isWildcard: true.

Why are some subdomains not live?

CT logs are historical — a certificate may have been issued for a host that no longer resolves. Enable Only Resolvable to run a DNS-over-HTTPS A-record check and keep only subdomains that currently resolve.

How many subdomains will I get?

It depends entirely on the target. Small sites may return a handful; large organizations return hundreds or thousands of unique names. There's no hard cap unless you set Max Results Per Domain.

📝 Changelog

2026-06-15

  • Initial release — subdomain discovery via Certificate Transparency logs, CSV/JSON export, no API key.