VSPIC
DNS Tools

Subdomain Discovery — Certificate Transparency Search

Enumerate subdomains from public CT logs — up to 500 unique hostnames per search

How to Use This Tool

  1. Enter the apex domain (example.com) to enumerate.
  2. Query crt.sh with percent-wildcard pattern for the domain.
  3. JSON rows parse name_value fields split on newlines.
  4. Wildcard star-dot prefixes strip to concrete hostnames.
  5. Only hostnames equal to apex or ending in .apex validate.
  6. Sorted unique list returns with count and 500-host display cap.

About This Tool

Attack surface grows with forgotten staging hosts, dev labels, and legacy microsites still reachable on old certificates. VSPIC subdomain discovery queries crt.sh Certificate Transparency JSON for %.{domain} patterns, parses name_value fields, deduplicates valid hostnames under the apex, and returns domain, count, subdomains array (capped at 500 alphabetically sorted), and source crt.sh Certificate Transparency.

CT logs record TLS certificates issued by public CAs — strong for finding hostnames that received HTTPS certs even when DNS no longer resolves or internal inventories omit them. Wildcard entries (*.example.com) normalize to apex-related names. Results omit hosts never issued public certificates — pair with passive DNS lookup for resolution-oriented pivots.

Common use cases

  • View all DNS records of a domain after migration
  • Confirm DNS records after domain changes
  • Test for DNS leaks when using a VPN
  • Debug email delivery with MX and TXT records

Why use VSPIC for ?

  • Certificate Transparency coverage beyond DNS brute force.
  • Finds stale dev and staging labels from old cert issuances.
  • 500-host cap keeps responses usable for large enterprises.
  • Free without subdomain brute-force infrastructure on your side.
  • Structured subdomains array for ASM platforms and spreadsheets.
  • source field documents crt.sh provenance for audit trails.

Why Certificate Transparency finds hidden hosts

Public CAs must log every issued certificate to CT. Each log entry includes SAN and CN hostnames — api.staging.example.com may appear years after engineers forgot the server. Attackers hunt the same data for OAuth bypasses and admin panels.

Our parser lowercases hostnames, strips *. wildcard notation, and validates domain shape before adding to the set — reducing noise from malformed CT rows.

Interpreting count and subdomains list

count is total unique valid hostnames discovered. subdomains array is sorted alphabetically and sliced to 500 for response size. Compare count to array length — if count exceeds 500, export via repeated API calls with external tooling or prioritize high-risk prefixes manually.

Presence in CT does not mean the host resolves today — follow with DNS record lookup or HTTP status checker on critical names.

Attack surface management workflows

Export subdomains into vulnerability scanners and WAF inventory diff jobs. Flag unexpected production labels (prod-admin, backup, ci) for immediate review.

Re-run after acquisitions integrate new brands — CT lags DNS but catches cert-driven labels DNS brute force misses.

crt.sh dependency and timeouts

We query crt.sh with fifteen-second timeout. Heavy apex domains may timeout during crt.sh load spikes — retry off-peak. Failure message states certificate transparency lookup failed distinctly from zero results.

Enterprise teams needing SLA-backed CT APIs may mirror this workflow with paid certificate search products using the same parsing logic.

Pairing with passive DNS and reverse WHOIS

CT finds names; passive DNS ties names to IPs historically; reverse WHOIS expands registrant clusters. Combined pivot map paints full external attack surface for red team scoping.

Phishing investigations run subdomain discovery on lookalike apexes to find sibling lure hosts.

API subdomain-discovery action

GET /ip-tools/api/extended?action=subdomain-discovery&domain=example.com. Parse subdomains, count, source. Respect rate limits — large weekly ASM jobs should stagger apex queries.

Do not scan discovered hosts aggressively without authorization — CT enumeration is passive; port scanning targets may require permission.

Privacy note

CT data is public by design. Query only domains you own or are authorized to assess for security posture.

Important notes & limitations

  • Only hostnames with public TLS certs in CT appear.
  • crt.sh availability and timeouts can fail busy queries.
  • 500 cap truncates very large estates — automate pagination externally if needed.
  • Does not prove host is live — DNS may be dead while cert existed.
  • Internal-only hostnames with private CAs never enter public CT.

Frequently Asked Questions

Yes. VSPIC offers this subdomain discovery at no cost with no account required. Results load in real time.

We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.

Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.

Only hostnames appearing in public Certificate Transparency logs. Private CAs and cert-less hosts are invisible.

Response size and browser performance. count shows total found; array may truncate.

Wildcard *.apex entries normalize to hostnames under the apex when name_value includes concrete SANs.

No. It means a public cert was issued. DNS or HTTP may be dead today.

Retry later. crt.sh is a third-party free service subject to load and outages.

CT search uses issued certificate hostnames, not dictionary guessing of DNS labels.

Next step for your check

Continue with passive dns lookup on VSPIC.

Passive DNS Lookup

Related Tools

Explore more free VSPIC tools for IP, DNS, security, and network diagnostics.

Browse all toolsComparison guides

Trusted by Users Who Value Privacy

Always Free

No premium plan ever

100% Private

Files processed in browser

Instant Results

Convert in seconds

Works Everywhere

Any device, any OS