Subdomain Enumerator
Discover active subdomains via DNS wordlist enumeration — checks 70+ common names across web, mail, API, dev, admin and infrastructure categories.
Free · No credit card · 50 credits/day
What's in the wordlist
70+ names grouped by category — each resolved via DNS to confirm it exists.
www, cdn, static, assets, media, img, mobile, app, apps
api, api2, v1, v2, rest, graphql, ws, webhooks
mail, smtp, pop, imap, webmail, mx, mx1, mx2
dev, staging, stage, test, qa, sandbox, demo
admin, backend, panel, cpanel, dashboard, portal
db, mysql, postgres, redis, elasticsearch, kibana
git, gitlab, github, jenkins, ci, jira, confluence
monitor, grafana, metrics, logs, status
vpn, remote, ns1, ns2, ftp, internal, intranet
blog, shop, store, docs, help, support
Why exposed subdomains are a risk
dev.example.com / staging.example.com
high
Dev/staging environments run older software, have weaker auth (sometimes none) and may contain real production data backups. A common entry point in real attacks.
admin.example.com / panel.example.com
high
Admin panels expose management interfaces. If they use basic auth or a weak default password, an attacker gains full control of the application.
mysql.example.com / redis.example.com
critical
Database ports should never be internet-accessible. If a database subdomain resolves to a public IP, the service may be exposed to the internet.
git.example.com / jenkins.example.com
high
Source code, CI/CD pipelines and deployment credentials. A compromised Jenkins instance often means full infrastructure access.
grafana.example.com / kibana.example.com
medium
Monitoring dashboards expose internal topology, service names and potentially log data with sensitive information.
Frequently asked questions
Related tools
More recon and domain investigation tools.
Enumerate your subdomains now
Free account. 50 credits per day. Access to 75+ tools instantly.
Create free account →