Subdomain Enumeration

Reconnaissance | MED | v1.0.0 | updated 2026-04-04

Systematically discover all subdomains of a target to map the full attack surface before active testing begins.

Tools

subfinder, amass, assetfinder, dnsx, httpx, puredns, gotator

Tags

reconnaissance, dns, passive, active, attack-surface

// checklist steps

subenum-01

Passive DNS enumeration

Query certificate transparency logs, passive DNS databases, and public aggregators without touching the target directly.

subfinder -d target.com -all -o passive-subs.txt
amass enum -passive -d target.com -o amass-passive.txt
assetfinder --subs-only target.com >> passive-subs.txt
sort -u passive-subs.txt amass-passive.txt -o subs-dedup.txt

Always start passive to avoid detection and stay within programme rules. Merge and deduplicate all outputs before proceeding.

subenum-02

Active DNS brute-force

Brute-force subdomain names using curated wordlists against the target's authoritative DNS servers.

puredns bruteforce all.txt target.com -r resolvers.txt -w brute-subs.txt
amass enum -active -brute -d target.com -w dns-Jhaddix.txt -o amass-brute.txt

Use a validated, up-to-date resolver list (e.g. from proabtivedns) to minimise false positives and avoid rate-limit bans.

subenum-03

DNS resolution and HTTP probing

Resolve discovered hostnames to IP addresses, then probe each for live HTTP/HTTPS services.

cat subs-dedup.txt brute-subs.txt | sort -u | dnsx -silent -o resolved.txt
cat resolved.txt | httpx -silent -title -status-code -tech-detect -o live-hosts.txt

subenum-04

Permutation and alteration scanning

Generate subdomain variations from discovered patterns and test them against DNS.

gotator -sub resolved.txt -perm permutations.txt -depth 1 -silent | dnsx -silent -o perm-hits.txt
altdns -i resolved.txt -o altdns-out.txt -w words.txt -r -s altdns-resolved.txt

Permutation scanning often reveals staging, dev, and internal subdomains that simple brute-force misses.

subenum-05

Subdomain takeover check

Identify dangling DNS records pointing to deprovisioned cloud services.

nuclei -l resolved.txt -t takeovers/ -o takeover-findings.txt
subzy run --targets resolved.txt --output takeover-subzy.txt

Overview

Subdomain enumeration is the foundation of any serious bug bounty recon workflow. A wider subdomain footprint means more entry points: forgotten staging environments, internal APIs exposed accidentally, and misconfigured services that never went through security review.

Work passively before touching the target. Many programmes flag aggressive DNS brute-force as out-of-scope activity. Confirm the rules of engagement before running active techniques.

What to look for

After collecting live hosts, prioritise any subdomain that:

  • Resolves to a cloud provider IP (AWS, GCP, Azure) — potential takeover target
  • Uses a non-standard port or returns an unusual status code
  • Includes keywords like dev, staging, internal, admin, api, vpn
  • Has a wildcard DNS record masking underlying services
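
The merge/deduplicate step in subenum-01 and the prioritisation list above can be automated in a few lines. The following is an added example, not part of the original checklist or of any of the tools it references: it normalises raw tool output (case, trailing dots, wildcard entries, look-alike domains outside scope, labels that are not valid hostnames) and then tags each in-scope host with the keywords from the list above. The sample output block is constructed for illustration.

```python
import re
from typing import Iterable

# Keywords from the checklist's "What to look for" list, in the order given there.
PRIORITY_KEYWORDS = ("dev", "staging", "internal", "admin", "api", "vpn")
# One hostname label: letters/digits/hyphens, no leading or trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def normalize_subdomains(lines: Iterable[str], scope_domain: str) -> list[str]:
    """Merge tool output into a sorted, deduplicated list of in-scope hostnames.

    Drops wildcard entries (*.target.com), hosts outside the scope domain
    (including look-alikes such as nottarget.com) and labels that are not
    valid hostnames (e.g. underscores, so _dmarc records are excluded too).
    """
    scope = scope_domain.lower().strip(".")
    keep: set[str] = set()
    for raw in lines:
        host = raw.strip().lower().rstrip(".")
        if not host or host.startswith("*"):
            continue
        if host != scope and not host.endswith("." + scope):
            continue
        if all(_LABEL.match(label) for label in host.split(".")):
            keep.add(host)
    return sorted(keep)

def _label_matches(label: str, keyword: str) -> bool:
    """True when the keyword is the whole label or a hyphen-separated part of it."""
    return label == keyword or label.startswith(keyword + "-") or label.endswith("-" + keyword)

def prioritise(hosts: Iterable[str]) -> dict[str, list[str]]:
    """Map each hostname to the checklist keywords found in its labels."""
    hits: dict[str, list[str]] = {}
    for host in hosts:
        labels = host.split(".")
        found = [kw for kw in PRIORITY_KEYWORDS
                 if any(_label_matches(label, kw) for label in labels)]
        if found:
            hits[host] = found
    return hits

# Constructed sample of merged tool output (not real data).
SAMPLE_OUTPUT = """
Dev.target.com
dev.target.com.
*.target.com
api-staging.target.com
www.nottarget.com
cdn.example.net
bad_label.target.com
vpn.target.com
"""

if __name__ == "__main__":
    subs = normalize_subdomains(SAMPLE_OUTPUT.splitlines(), "target.com")
    for host, keywords in prioritise(subs).items():
        print(host, keywords)
```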

// references

  1. https://github.com/projectdiscovery/subfinder
  2. https://github.com/owasp-amass/amass
  3. https://github.com/d3mondev/puredns
  4. https://github.com/projectdiscovery/dnsx
  5. https://github.com/tomnomnom/assetfinder