Security Glossary

Subdomain Enumeration

The process of discovering subdomains through DNS queries, certificate logs, and brute forcing to find hidden services and attack surfaces.

Subdomain Enumeration is the process of discovering subdomains belonging to a target domain during reconnaissance. Subdomains often expose forgotten services, development environments, or internal applications with weaker security.

Enumeration Techniques

Passive Methods

  • Certificate Transparency logs (crt.sh)
  • DNS aggregators (VirusTotal, SecurityTrails)
  • Search engine dorking
  • Archive.org historical data
  • GitHub/GitLab code search

Active Methods

  • DNS zone transfers (if misconfigured)
  • DNS brute forcing with wordlists
  • Recursive subdomain discovery
  • Virtual host enumeration

Common Tools

# Passive enumeration
subfinder -d example.com
amass enum -passive -d example.com
assetfinder example.com

# Active brute forcing
gobuster dns -d example.com -w wordlist.txt
ffuf -u http://FUZZ.example.com -w wordlist.txt

# DNS zone transfer attempt
dig axfr @ns1.example.com example.com

High-Value Targets

dev.example.com      # Development environment
staging.example.com  # Pre-production
admin.example.com    # Admin panels
api.example.com      # API endpoints
jenkins.example.com  # CI/CD systems
jira.example.com     # Issue trackers
vpn.example.com      # VPN gateways

See Also