subfinder: Passive subdomain enumeration tool
Passive subdomain discovery via DNS resolution and validation.
Learn more about subfinder
Subfinder is a passive subdomain enumeration tool that aggregates subdomain intelligence from multiple online data sources without actively scanning target infrastructure. The tool queries over 30 sources including certificate transparency logs, search engines, and threat intelligence platforms through their respective APIs, then consolidates and deduplicates the discovered subdomains. It implements DNS resolution capabilities to validate discovered subdomains and can optionally resolve their IP addresses while filtering wildcard DNS entries. The architecture supports concurrent source querying with configurable rate limiting and timeouts to balance discovery speed against API restrictions. Subfinder operates as a command-line utility designed for reconnaissance phases of security assessments and continuous subdomain monitoring workflows.
Configurable Passive Sources
Query 40+ curated data sources without touching target infrastructure. Select, exclude, or combine sources individually with per-source rate limits and recursive subdomain filtering capabilities.
Built-in DNS Validation
Automatic resolution and wildcard elimination verify discovered subdomains before output. Supports custom resolver lists to reduce false positives and validate results against actual DNS records.
Pipeline-Native Design
STDIN/STDOUT support enables direct integration with security toolchains. Batch process domain lists with multiple output formats (JSON, plaintext) and YAML-based configuration for reproducible workflows.
package main
import (
"github.com/projectdiscovery/subfinder/v2/pkg/runner"
)
func main() {
options := &runner.Options{
Threads: 10,
Timeout: 30,
Domains: []string{"example.com"},
}
subfinder, _ := runner.NewRunner(options)
subfinder.RunEnumeration()
}Adds environment variable support for config files and a new driftnet source; module moved to root directory.
- –Set config file paths via environment variables for flexible deployment across environments.
- –Query the new driftnet source for additional subdomain enumeration coverage.
Adds environment variable support for API keys and two new subdomain sources; removes deprecated binaryedge source.
- –Set API keys via environment variables instead of config files for easier automation and CI/CD integration.
- –Update integrations if using binaryedge source (removed) or Hunter/Quake sources (pagination bugs fixed).
Maintenance release updating dependencies with no documented breaking changes or new features.
- –Release notes do not specify which dependencies were updated or their impact on functionality.
- –No migration steps, configuration changes, or security fixes are documented in this release.
See how people are using subfinder
Top in Security
Related Repositories
Discover similar tools and frameworks used by developers
OSINT-Framework
Structured web catalog of free OSINT tools.
openssl
C-based cryptographic library implementing TLS, DTLS, and QUIC protocols.
semgrep
Pattern-based code scanner for 30+ languages.
gitleaks
Regex-based secret scanner for git repositories.
spiderfoot
Python reconnaissance framework with 200+ OSINT modules.