# Subfinder — Fast Passive Subdomain Discovery Tool

> Subfinder is a subdomain discovery tool written in Go by ProjectDiscovery that uses passive sources like certificate transparency logs, search engines, and DNS datasets to enumerate subdomains without active scanning.

## Install

Save as a script file and run:

# Subfinder — Fast Passive Subdomain Discovery Tool

## Quick Use
```bash
# Install with Go
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

# Find subdomains for a domain
subfinder -d example.com

# Use all sources with verbose output
subfinder -d example.com -all -v

# Pipe into httpx for live host detection
subfinder -d example.com -silent | httpx -silent
```

## Introduction
Subdomain enumeration is a foundational step in security assessments and reconnaissance. Subfinder focuses exclusively on passive discovery, querying public data sources rather than brute-forcing DNS. This makes it fast, stealthy, and unlikely to trigger security alerts on the target.

## What Subfinder Does
- Queries 40+ passive data sources including certificate transparency logs, search engines, DNS aggregators, and threat intelligence feeds
- Aggregates and deduplicates results from all sources into a clean list of subdomains
- Supports bulk input for enumerating subdomains across multiple domains simultaneously
- Outputs results in plain text, JSON, or JSONL for integration with other tools
- Handles API key management for premium data sources via a provider config file

## Architecture Overview
Subfinder runs a concurrent pipeline: it dispatches queries to all configured data sources in parallel, collects responses, normalizes subdomain formats, deduplicates results, and streams output. Each data source is implemented as a provider plugin with a common interface. The provider config file (`~/.config/subfinder/provider-config.yaml`) stores API keys. Rate limiting and retry logic are handled per-provider.

## Self-Hosting & Configuration
- Install via `go install`, download binaries from GitHub releases, or run with Docker
- Add API keys for premium sources (SecurityTrails, Shodan, Censys, VirusTotal) in `~/.config/subfinder/provider-config.yaml`
- Use `-rl` flag to set global rate limiting and `-t` for concurrency control
- Filter results with `-cs` for domain scope and exclude patterns with `-es`
- Integrate into CI/CD pipelines for continuous subdomain monitoring of your own assets

## Key Features
- Purely passive: no DNS brute-force or active probing means zero traffic to the target
- 40+ built-in data sources with support for adding custom providers
- Provider config file for managing API keys across multiple premium sources
- Recursive subdomain discovery for finding deeply nested subdomains
- Seamless pipeline integration with httpx, nuclei, and other ProjectDiscovery tools

## Comparison with Similar Tools
- **Amass** — more comprehensive with both active and passive modes; Subfinder is lighter and faster for passive-only enumeration
- **Assetfinder** — similar passive approach but fewer data sources and less active development
- **Sublist3r** — Python-based passive subdomain finder; Subfinder is faster (Go-based) with more sources
- **Findomain** — Rust-based subdomain finder; comparable speed but smaller provider ecosystem
- **crt.sh** — single source (certificate transparency); Subfinder aggregates crt.sh plus 40+ additional sources

## FAQ
**Q: Is subfinder legal to use?**
A: Subfinder queries public data sources passively. It does not send any traffic to the target domain. Always ensure you have authorization for the broader assessment context.

**Q: How do I add API keys for better results?**
A: Edit `~/.config/subfinder/provider-config.yaml` and add keys for services like SecurityTrails, Shodan, Censys, and others. Run `subfinder -ls` to see all available providers.

**Q: Can I use subfinder for continuous monitoring?**
A: Yes. Run subfinder on a schedule and diff the output against previous results to detect new subdomains. The JSON output format makes this straightforward to automate.

**Q: How many subdomains can subfinder find?**
A: Results depend on the target and configured sources. For large organizations, subfinder typically finds hundreds to thousands of subdomains. Adding API keys for premium sources significantly increases coverage.

## Sources
- https://github.com/projectdiscovery/subfinder
- https://docs.projectdiscovery.io/tools/subfinder/overview

---
Source: https://tokrepo.com/en/workflows/asset-e5c51ebc
Author: Script Depot