SecurityStatus
Sign In Scan Your Domain
How It WorksFeaturesKnowledge BaseComparePricing
Sign In Get Started
info Intelligence

Subdomain Discovery

Subdomain discovery maps your complete external attack surface by finding all subdomains associated with your domain. Many organisations have dozens of forgotten subdomains — staging environments, old apps, internal tools — each representing a potential entry point for attackers.

What SecurityStatus Checks

  • DNS brute forcing of common subdomain names
  • Certificate Transparency log lookups for historically issued certificates
  • Search engine and public DNS database queries
  • Zone transfer attempts (reveals all subdomains if misconfigured)

Why This Matters

You cannot secure what you do not know about. Forgotten subdomains running old software versions, with default credentials, or pointing to deprovisioned services are common breach entry points. Attack surface management starts with a complete inventory.

How to Fix It

  1. 1

    Review and document all discovered subdomains

    Go through the list of discovered subdomains and categorise each one: active production, active staging, inactive but live, or completely abandoned.

  2. 2

    Decommission abandoned subdomains

    Delete DNS records for subdomains that are no longer in use. Remove the associated services. An unused subdomain with a live DNS entry is a liability.

  3. 3

    Ensure all active subdomains have security configured

    Each subdomain should have SSL, security headers, and up-to-date software — the same as your main domain. Check each with SecurityStatus.

  4. 4

    Prevent DNS zone transfers

    Zone transfers expose your entire DNS zone to anyone who asks. In BIND: `allow-transfer { none; };`. Most modern DNS providers disable zone transfers by default.

Frequently Asked Questions

Can attackers find my subdomains even if they are obscure?
Yes. Certificate Transparency logs record every certificate issued, including for internal-sounding subdomains like dev.yourdomain.com or internal-api.yourdomain.com. Obscure names provide no security.
What is a DNS zone transfer?
A zone transfer (AXFR) is a mechanism for replicating DNS zones between nameservers. If misconfigured to allow transfers from any IP, anyone can request a complete copy of your DNS zone, revealing all subdomains instantly.

Related Guides

high Subdomain Takeover Read Guide high Subdomain SSL Coverage Read Guide low DNSSEC Read Guide

Check Your Domain Now

Run all 38 security checks including Subdomain Discovery and get your domain's security grade in under 2 minutes.

Scan Your Domain Free