Subdomain Finder

The tool queries Certificate Transparency logs, which are public, append-only ledgers of every TLS certificate issued by participating CAs. Whenever a host gets an HTTPS certificate, its name shows up in CT logs forever. By searching for entries that match a target domain, the finder builds a list of subdomains observed in the wild.

Searches public Certificate Transparency logs (crt.sh). May take a few seconds.

This free Subdomain Finder from KX Toolkit is part of our all-in-one online toolkit. It runs entirely in your browser, so your data never leaves your device for client-side operations. 100% free, forever - no paywall, no credit card, no trial.

How to use the Subdomain Finder

  1. Enter the domain or IP address.
  2. Pick the record type if the tool supports filtering.
  3. Run the lookup - most checks return in under a second.
  4. Copy the records for your DNS migration or audit notes.

What you can do with the Subdomain Finder

  • Audit DNS before a domain migration.
  • Verify SSL certificate expiry and chain.
  • Check domain age and history before buying.
  • Diagnose email-delivery issues (SPF, DKIM, DMARC).

Why use KX Toolkit's Subdomain Finder

  • Browser-based: Works on Windows, macOS, Linux, iOS and Android - no install, no extension.
  • Privacy-first: Client-side tools never upload your data; server-side tools delete files right after processing.
  • Mobile-friendly: Full feature parity on phones and tablets - not a stripped-down view.
  • Fast: Optimised for instant feedback. No artificial waiting screens, no email-gated downloads.
  • One hub for everything: 300+ tools across SEO, text, image, PDF, code, color, calculators and more - skip switching between sites.

Tips for the best results

DNS changes propagate at different speeds across resolvers - run the same check from Google (8.8.8.8) and Cloudflare (1.1.1.1) before declaring a problem.

Related Domain Tools

If you find this tool useful, explore the full Domain Tools collection or browse our complete tool directory. KX Toolkit is built for marketers, developers, designers, students and anyone who needs a quick utility without signing up for yet another SaaS.

How does the Subdomain Finder discover subdomains?
The tool queries Certificate Transparency logs, which are public, append-only ledgers of every TLS certificate issued by participating CAs. Whenever a host gets an HTTPS certificate, its name shows up in CT logs forever. By searching for entries that match a target domain, the finder builds a list of subdomains observed in the wild. This passive technique never touches the target itself.
Will my employer or the target know I scanned them?
No. Reading Certificate Transparency logs is entirely passive from the target's perspective. The tool sends queries to public CT log search APIs, not to the target's servers. There are no DNS lookups, no HTTP requests, and no traffic of any kind aimed at the target. This makes the Subdomain Finder safe for reconnaissance, due diligence, and bug bounty work without triggering alerts.
Why are some subdomains missing from the results?
CT logs only capture hosts that obtained a publicly trusted TLS certificate. Internal-only subdomains served over HTTP, with private CA certificates, or behind VPNs do not appear. Wildcard certificates also hide individual hostnames behind a single *.example.com entry. To get full coverage, combine the Subdomain Finder with active DNS brute-forcing tools, but be aware those may trigger security monitoring.
Why do I see subdomains that no longer exist?
CT logs are append-only, so a certificate issued five years ago for an experimental host still shows up today even if the host was deleted. Resolve each result against current DNS to see which are live. The finder lists everything it discovered so you can audit the historical attack surface, then verify which entries still resolve before investing time in further analysis.
Is using the Subdomain Finder legal?
Reading public CT logs is legal in most jurisdictions because the data is published openly by the certificate authorities themselves. Acting on what you find is a separate question. Before probing any of the discovered hosts, scanning them, or attempting access, ensure you have written authorization or are operating under a sanctioned bug bounty program. Reconnaissance is allowed; unauthorized access is not.
How can I prevent sensitive subdomains from leaking?
Once a name is in CT logs, it is public forever. The defenses are to avoid putting secrets in hostnames, to use wildcard certificates so individual subdomains stay hidden, and to rely on private certificate authorities for internal services that should never face the internet. Plan your naming convention with this in mind, because there is no way to scrub a leaked subdomain from the global CT record.
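
The answers above on wildcards, stale entries and permanent exposure can be turned into an inventory of your own domain's CT footprint. The following is an added example, not KX Toolkit's code: it assumes records shaped like a crt.sh JSON export (fields `name_value` and `not_after`), and the sample data and function names are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample in the shape of a crt.sh JSON export (assumed fields:
# name_value = newline-separated names, not_after = ISO timestamp).
SAMPLE = json.dumps([
    {"name_value": "www.example.com\nexample.com", "not_after": "2030-01-01T00:00:00"},
    {"name_value": "*.example.com", "not_after": "2030-06-01T00:00:00"},
    {"name_value": "Staging-Old.example.com", "not_after": "2020-03-01T00:00:00"},
    {"name_value": "staging-old.example.com", "not_after": "2019-03-01T00:00:00"},
    {"name_value": "vpn.example.com", "not_after": "2021-01-01T00:00:00"},
    {"name_value": "vpn.example.com", "not_after": "2031-01-01T00:00:00"},
    {"name_value": "example.com.lookalike.test", "not_after": "2030-01-01T00:00:00"},
])


def in_scope(name, domain):
    """True for the apex or a real subdomain, not a lookalike suffix match."""
    return name == domain or name.endswith("." + domain)


def ct_inventory(raw_json, domain, now):
    """Group CT names for `domain` into current, historical-only and wildcard sets."""
    latest = {}  # name -> latest not_after seen across all certificates
    for rec in json.loads(raw_json):
        expiry = datetime.fromisoformat(rec["not_after"])
        for name in rec["name_value"].splitlines():
            name = name.strip().lower().rstrip(".")
            if name and in_scope(name.removeprefix("*."), domain):
                latest[name] = max(latest.get(name, expiry), expiry)
    wildcards = sorted(n for n in latest if n.startswith("*."))
    hosts = {n: e for n, e in latest.items() if not n.startswith("*.")}
    return {
        "current": sorted(n for n, e in hosts.items() if e > now),
        "historical_only": sorted(n for n, e in hosts.items() if e <= now),
        "wildcards": wildcards,
    }


if __name__ == "__main__":
    report = ct_inventory(SAMPLE, "example.com", datetime(2025, 1, 1))
    for bucket, names in report.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

An expired certificate does not prove the host is gone, so the `historical_only` names are the ones to resolve against current DNS, and any that still resolve are candidates for cleanup.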
