Subdomain Enumeration Techniques

Subdomain Enumeration Techniques and tools

What is Subdomain Enumeration?

Subdomain enumeration is the process of finding valid sub-domains for one or more domain.

Sub-domain enumeration can reveal a lot of domains/sub-domains that are in scope of a security assessment which in turn increases the chances of finding vulnerabilities.

There are Passive and Active enumeration technics :

Passive Enumeration

  • Using search engines
  • ASN Discovery
  • Using public dataset
  • Certificate Transparency
  • Using 3rd party Aggregators
  • SAN (Subject Alternate Name)
  • DNS enum using cloudfare

Active Enumeration

  • Bruteforce/Dictionary Enumeration
  • HTTP Headres
  • Zone transfers
  • Zone walking (DNSSEC)
  • DNS records
  • DNS Cache Snooping

Search engines for enumeration

subdomain enumeration using search engine dorking

Most of the major search engines provides advanced search operators to refine search results called “Google dorks”. Read our post about Dorking.

ASN Discovery

An ASN lookup is the act of querying the different RIR’s databases(Regional Internet Registry) in order to get information about an Autonomous System Number (ASN). Some tools for IP to ASN lookup are Cymru ASN Lookup, he.net

There are also tools available for ASN to IP lookup. eg: nmap script

Public datasets

There are many public datasets like censys.io, CT, Sonar, RIR, Rapid7 dataset with internet wide scan data which contains dns informations

Certificate transparency

Finding CT logs using cert.sh - subdomain enumeration
cert.sh results

Certificate Transparency project is meant to log, audit, and monitor certificates that Certificate Authorities (CA) issue. SSL/TLS certificates generally contain domain names, sub-domain names and email addresses. These logs are available publicly and anyone can look through these logs. There are CT search engines like cert.sh, censys.io, google transparency report, Facebook tool.

Using 3rd party services

We can also use 3rd party services that collects DNS enumeration details for our information gathering. VirusTotal runs its own passive DNS replication service. By selecting the third-party sites, the enumeration process can be optimized. More results will be obtained with less time required. Some of them are :

Using SAN

The Subject Alternative Name (SAN) is an extension that allows users to specify additional host names for a single SSL certificate. It is possible to extract domain names from SAN field of the SSL/TLS certificate. Appsecco’s python script is usefull tool for this kind of enumeration.

Subdomain enumeration from SAN

Using Cloudfare

We can use cloudfare to dig through DNS data. “Add site” section in the cloudfare can be used to leak such information. There are automated scripts available for this.

Brute force/Dictionary Enumeration

brute forc enumeration using dnsrecon

We can use brute-force techniques to find valid subdomain informations of a domain using dictionary of subdomains, permutations method etc. Main tools used are Subbrute, DNSRecon, Altdns. For performing this technique all we have to do is to give a name list and it will try to resolve the A,AAA and CNAME records against the domain by trying each entry one by one.

HTTP Headers

Content Security Policy(CSP) in the HTTP header may allows you to create a whitelist of sources of trusted subdomain informations. we can access it by using curl. Automated scripts are also available.

$ curl --head -s -L https://example.com | grep -iE 'Content-Security|CSP'

DNS Zone Transfers

Zone transfer is the process of copying the contents of the zone file on a primary DNS server to a secondary DNS server. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers. If zone transfers are not securely configured, anyone can initiate a zone transfer against a nameserver and get a copy of the zone file. By design, zone file contains a lot of information about the zone and the hosts that reside in the zone.

DNS zone transfers

To initiate an AXFR zone-transfer request from a secondary server we need to get the list of DNS servers for the domain:

$ dig +short ns vulnarabledomain.come

Now, we can get initiate an AXFR request to get a copy of the zone from the primary server:

$ dig +multi AXFR @ns1.vulnarabledomain.com vulnarabledomain.com

Zone Walking (DNSSEC NSEC Records)

Zone Walking is a technique that is used by attackers to enumerate the full content of DNSSEC-signed DNS zones if zone is not configured properly. The information obtained can help us to map network hosts by enumerating the contents of a zone. DNSRecon is a useful tool for Zone walking.

DNS Cache Snooping

DNS cache snooping is occurred when the DNS server has a specific DNS record cached. This DNS record will often reveal plenty of information.However DNS cache snooping is not happening very often. DNSRecon can be used to perform cache snooping :

$ ./dnsrecon.py -t snoop -n Sever -D <Dict>

Tools for Subdomain Enumeration


The OWASP Amass Project is very useful tool especially for passive DNS enumeration.

To discover subdomains that belong to a given domain :

$ amass --passive -d <TARGET-DOMAIN>


MassDNS is a simple high-performance DNS stub resolver targeting those who seek to resolve a massive amount of domain names.

It includes a Python script allowing you to resolve all IPv4 PTR records:

$ ./scripts/ptr.py | ./bin/massdns -r lists/resolvers.txt -t PTR -w ptr.txt

MassDNS allows you to brute force subdomains using the included subbrute.py script:

$ ./scripts/subbrute.py lists/names.txt example.com | ./bin/massdns -r lists/resolvers.txt -t A -o S -w results.txt

As an additional method of reconnaissance, the ct.py script extracts subdomains from certificate transparency logs by scraping the data from crt.sh:

$ ./scripts/ct.py example.com | ./bin/massdns -r lists/resolvers.txt -t A -o S -w results.txt


Altdns is a DNS recon tool that allows for the discovery of subdomains through alterations and permutations. uasge:

$ altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt


To perform standard DNS enumeration with the DNSRecon the command that we have to use :

$ ./dnsrecon.py -d <domain>
standard enumeration using dnsrecon

DNSRecon provides the ability to perform enumeration via Zone Transfers with the commands :

$ ./dnsrecon.py -d <domain> -a
$ ./dnsrecon.py -d <domain> -t axfr

DNSRecon can perform a reverse lookup for PTR (Pointer) records against IPv4 and IPv6 address ranges.To run reverse lookup enumeration the command

reverse domain lookup using dnsrecon
$ ./dnsrecon.py -r <startIP-endIP>

Reverse DNS lookup can be performed against all ranges in SPF records with the command :

$ ./dnsrecon.py -d <domain> -s

In order to run the Domain Name Brute-Force we need to type:

$ ./dnsrecon.py -d  -D <namelist> -t brt
brute forc enumeration using dnsrecon

The command that can be used in order to perform cache snooping is the following:

$ ./dnsrecon.py -t snoop -n Sever -D <Dict>

In order to perform the zone walking we need to type the command:

$ ./dnsrecon.py -d <host> -t zonewalk


Subdomain enumeration is an important part of reconnaissance which helps to increase the scope of a security assessment which in turn increases the chances of finding vulnerabilities.

Passive OSINT sources are fast and more efficiant compared to terminal based tools useful for generating live subdomains list.

Leave a Reply

Your email address will not be published.