Scripts · May 14, 2026 · 3 min read

Subfinder — Fast Passive Subdomain Discovery Tool

Subfinder is a subdomain discovery tool written in Go by ProjectDiscovery that uses passive sources like certificate transparency logs, search engines, and DNS datasets to enumerate subdomains without active scanning.

Introduction

Subdomain enumeration is a foundational step in security assessments and reconnaissance. Subfinder focuses exclusively on passive discovery, querying public data sources rather than brute-forcing DNS. This makes it fast, stealthy, and unlikely to trigger security alerts on the target.

What Subfinder Does

  • Queries 40+ passive data sources including certificate transparency logs, search engines, DNS aggregators, and threat intelligence feeds
  • Aggregates and deduplicates results from all sources into a clean list of subdomains
  • Supports bulk input for enumerating subdomains across multiple domains simultaneously
  • Outputs results in plain text, JSON, or JSONL for integration with other tools
  • Handles API key management for premium data sources via a provider config file

Architecture Overview

Subfinder runs a concurrent pipeline: it dispatches queries to all configured data sources in parallel, collects responses, normalizes subdomain formats, deduplicates results, and streams output. Each data source is implemented as a provider plugin with a common interface. The provider config file (~/.config/subfinder/provider-config.yaml) stores API keys. Rate limiting and retry logic are handled per-provider.

Self-Hosting & Configuration

  • Install via go install, download binaries from GitHub releases, or run with Docker
  • Add API keys for premium sources (SecurityTrails, Shodan, Censys, VirusTotal) in ~/.config/subfinder/provider-config.yaml
  • Use -rl flag to set global rate limiting and -t for concurrency control
  • Filter results with -cs for domain scope and exclude patterns with -es
  • Integrate into CI/CD pipelines for continuous subdomain monitoring of your own assets

Key Features

  • Purely passive: no DNS brute-force or active probing means zero traffic to the target
  • 40+ built-in data sources with support for adding custom providers
  • Provider config file for managing API keys across multiple premium sources
  • Recursive subdomain discovery for finding deeply nested subdomains
  • Seamless pipeline integration with httpx, nuclei, and other ProjectDiscovery tools

Comparison with Similar Tools

  • Amass — more comprehensive with both active and passive modes; Subfinder is lighter and faster for passive-only enumeration
  • Assetfinder — similar passive approach but fewer data sources and less active development
  • Sublist3r — Python-based passive subdomain finder; Subfinder is faster (Go-based) with more sources
  • Findomain — Rust-based subdomain finder; comparable speed but smaller provider ecosystem
  • crt.sh — single source (certificate transparency); Subfinder aggregates crt.sh plus 40+ additional sources

FAQ

Q: Is subfinder legal to use?
A: Subfinder queries public data sources passively. It does not send any traffic to the target domain. Always ensure you have authorization for the broader assessment context.

Q: How do I add API keys for better results?
A: Edit ~/.config/subfinder/provider-config.yaml and add keys for services like SecurityTrails, Shodan, Censys, and others. Run subfinder -ls to see all available providers.

Q: Can I use subfinder for continuous monitoring?
A: Yes. Run subfinder on a schedule and diff the output against previous results to detect new subdomains. The JSON output format makes this straightforward to automate.

Q: How many subdomains can subfinder find?
A: Results depend on the target and configured sources. For large organizations, subfinder typically finds hundreds to thousands of subdomains. Adding API keys for premium sources significantly increases coverage.
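
The scheduled diff described in the continuous-monitoring answer, as an added example (not code from the original page or from ProjectDiscovery). It assumes each JSONL record carries `host` and `source` fields; the sample records and the function names are constructed for illustration.

```python
import json

# Constructed sample data, not real scan output. The "host" and "source"
# field names are an assumption about subfinder's JSONL records.
PREVIOUS_RUN = """\
{"host":"www.example.com","input":"example.com","source":"crtsh"}
{"host":"mail.example.com","input":"example.com","source":"crtsh"}
{"host":"old-vpn.example.com","input":"example.com","source":"crtsh"}
"""
CURRENT_RUN = """\
{"host":"WWW.example.com.","input":"example.com","source":"crtsh"}
{"host":"mail.example.com","input":"example.com","source":"hackertarget"}
{"host":"*.staging.example.com","input":"example.com","source":"crtsh"}
{"host":"staging.example.com","input":"example.com","source":"hackertarget"}
{"host":"cdn.example.net","input":"example.com","source":"crtsh"}
not-json garbage line
"""

def normalize(host):
    """Lowercase, drop a trailing dot and a leading wildcard label."""
    host = host.strip().lower().rstrip(".")
    return host[2:] if host.startswith("*.") else host

def load_hosts(jsonl_text, scope):
    """Return {host: set(sources)} for in-scope hosts; skip malformed lines."""
    hosts = {}
    for line in jsonl_text.splitlines():
        try:
            rec = json.loads(line)
            host = normalize(rec["host"])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # truncated write, log noise, unexpected record shape
        # Keep only the monitored domain and its subdomains.
        if host == scope or host.endswith("." + scope):
            hosts.setdefault(host, set()).add(str(rec.get("source", "unknown")))
    return hosts

def diff_runs(previous_text, current_text, scope):
    """Compare two runs: hosts that appeared (with sources) and hosts that vanished."""
    old, new = load_hosts(previous_text, scope), load_hosts(current_text, scope)
    added = {h: sorted(new[h]) for h in sorted(new.keys() - old.keys())}
    removed = sorted(old.keys() - new.keys())
    return added, removed

if __name__ == "__main__":
    added, removed = diff_runs(PREVIOUS_RUN, CURRENT_RUN, "example.com")
    for host, sources in added.items():
        print(f"NEW      {host}  (seen by: {', '.join(sources)})")
    for host in removed:
        print(f"MISSING  {host}")
```

Normalizing before the comparison keeps case changes, trailing dots and wildcard certificate entries from showing up as new assets on every run.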
