All tools
Security tools

Subdomain Enumerator

Discover active subdomains via DNS wordlist enumeration — checks 70+ common names across web, mail, API, dev, admin and infrastructure categories.

70+ subdomain names DNS resolution IP shown for each Admin & dev detection Database & DevOps
Get started free Sign in

Free · No credit card · 50 credits/day

What's in the wordlist

70+ names grouped by category — each resolved via DNS to confirm it exists.

🌐 Web

www, cdn, static, assets, media, img, mobile, app, apps

🔌 API & services

api, api2, v1, v2, rest, graphql, ws, webhooks

📧 Mail

mail, smtp, pop, imap, webmail, mx, mx1, mx2

🧪 Dev & staging

dev, staging, stage, test, qa, sandbox, demo

⚙️ Admin panels

admin, backend, panel, cpanel, dashboard, portal

🗄️ Databases

db, mysql, postgres, redis, elasticsearch, kibana

🔧 DevOps

git, gitlab, github, jenkins, ci, jira, confluence

📊 Monitoring

monitor, grafana, metrics, logs, status

🔒 Network

vpn, remote, ns1, ns2, ftp, internal, intranet

📝 Content

blog, shop, store, docs, help, support

Why exposed subdomains are a risk

dev.example.com / staging.example.com high

Dev/staging environments run older software, have weaker auth (sometimes none) and may contain real production data backups. A common entry point in real attacks.

admin.example.com / panel.example.com high

Admin panels expose management interfaces. If they use basic auth or a weak default password, an attacker gains full control of the application.

mysql.example.com / redis.example.com critical

Database ports should never be internet-accessible. If a database subdomain resolves to a public IP, the service may be exposed to the internet.

git.example.com / jenkins.example.com high

Source code, CI/CD pipelines and deployment credentials. A compromised Jenkins instance often means full infrastructure access.

grafana.example.com / kibana.example.com medium

Monitoring dashboards expose internal topology, service names and potentially log data with sensitive information.

Frequently asked questions

What is subdomain enumeration?

Subdomain enumeration finds active subdomains by resolving common names via DNS. This tool checks 70+ names across web, mail, API, dev, admin and infrastructure categories. If a subdomain resolves to an IP, it exists.

Is subdomain enumeration legal?

Yes — DNS lookup is a public protocol. Resolving hostnames makes no connection to target servers. However, using discovered subdomains to access systems without permission is illegal. This tool is for auditing your own attack surface.

Why would exposed subdomains be a security risk?

Dev/staging subdomains often run older software with weaker auth. Admin panels expose management interfaces. Database subdomains may have unintended network access. Discovering and securing these is core attack surface management.

Related tools

More recon and domain investigation tools.

DNS Lookup

Query A, MX, TXT, CNAME and NS records for any domain.

WHOIS Lookup

Check domain registration, expiry and nameserver details.

Port Scanner

Scan open TCP ports on discovered subdomains.

Enumerate your subdomains now

Free account. 50 credits per day. Access to 75+ tools instantly.

Create free account →