subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well.

We have designed subfinder to comply with the licenses and usage restrictions of all passive sources, and have maintained a consistently passive model to make it useful to both penetration testers and bug bounty hunters.

This tool can be easily combined with dnsx.


go install -v

Post Installation Instructions

Subfinder works as soon as it is installed; however, to use certain services you will need to set up API keys. The following services do not work without an API key:

Binaryedge, C99, Certspotter, Chinaz, Censys, Chaos, DnsDB, Fofa, Github, Intelx, Passivetotal, Robtex, SecurityTrails, Shodan, Spyse, Threatbook, Virustotal, Zoomeye

These values are stored in the $HOME/.config/subfinder/config.yaml file, which is created when you run the tool for the first time. The configuration file uses the YAML format. Multiple API keys can be specified for each of these services, and one of them will be used for enumeration.

Sources that require multiple keys, namely Censys and Passivetotal, take them as a single entry with the values separated by a colon (:).

An example config file:

sources:
  - binaryedge
  - bufferover
  - censys
  - passivetotal
  - sitedossier
binaryedge:
  - 0bf8919b-aab9-42e4-9574-d3b639324597
  - ac244e2f-b635-4581-878a-33f4e79a2c13
censys:
  - ac244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-f347b363def9
certspotter: []
passivetotal:
  - [email protected]:sample_password
securitytrails: []
github:
  - d23a554bbc1aabb208c9acfbd2dd41ce7fc9db39
  - asdsd54bbc1aabb208c9acfbd2dd41ce7fc9db39
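
A lint for the key file described above, as an added example that is not part of subfinder or its documentation: it flags key-only services that are enabled without a key, Censys/Passivetotal entries that are not colon-separated pairs, and a key file that other local users can read. It parses only the flat layout of the sample config, and the `sources` section name, the lower-cased service names used as section names, and all function names are assumptions of this example.

```python
import os
import stat

# Services the page lists as not working without an API key. Using the
# lower-cased service name as the section name is this example's assumption.
KEY_REQUIRED = set(("binaryedge c99 certspotter chinaz censys chaos dnsdb fofa github intelx "
                    "passivetotal robtex securitytrails shodan spyse threatbook virustotal zoomeye").split())
PAIRED = ("censys", "passivetotal")  # entries hold two values joined by a colon

def parse_flat_config(text):
    """Parse only the flat 'name:' / '  - value' layout, not general YAML."""
    sections, current = {}, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        name, sep, rest = line.partition(":")
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and current is not None:
            sections[current].append(line[2:].strip())
        elif not line.startswith("- ") and sep and rest.strip() in ("", "[]"):
            current = name.strip()
            sections.setdefault(current, [])
        else:
            raise ValueError(f"line {n}: not a section name or list item")
    return sections

def lint(sections):
    """Return findings as text; key material is never echoed."""
    findings = []
    for name in sections.get("sources", []):  # 'sources' section name is assumed
        if name in KEY_REQUIRED and not sections.get(name):
            findings.append(f"{name}: enabled in sources but no API key set")
    for name in PAIRED:
        for n, entry in enumerate(sections.get(name, []), 1):
            left, sep, right = entry.partition(":")
            if not (sep and left and right):
                findings.append(f"{name}: key #{n} is not a colon-separated pair")
    return sorted(findings)

def exposed_to_other_users(path):
    """True if group or other has any permission bit on the key file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

# Constructed sample with placeholder values, not real credentials.
SAMPLE = ("sources:\n  - binaryedge\n  - censys\n  - sitedossier\nbinaryedge: []\n"
          "censys:\n  - ID_ONLY_PLACEHOLDER\npassivetotal:\n  - user:secret\n")

if __name__ == "__main__":
    print("\n".join(lint(parse_flat_config(SAMPLE))))
```

Because the file holds live API keys, a true result from `exposed_to_other_users` on $HOME/.config/subfinder/config.yaml is worth fixing by restricting the file to its owner.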


subfinder [flags]


Flag              Description                                                 Example
-all              Use all sources (slow) for enumeration                      subfinder -d -all
-b                IP address to be used as local bind                         subfinder -b
-config           Configuration file for API keys, etc.                       subfinder -config config.yaml
-d                Domain to find subdomains for                               subfinder -d
-dL               File containing list of domains to enumerate                subfinder -dL hackerone-hosts.txt
-exclude-sources  List of sources to exclude from enumeration                 subfinder -exclude-sources archiveis
-max-time         Minutes to wait for enumeration results (default 10)        subfinder -max-time 1
-nC               Don't use colors in output                                  subfinder -nC
-nW               Remove wildcard & dead subdomains from output               subfinder -nW
-ls               List all available sources                                  subfinder -ls
-o                File to write output to (optional)                          subfinder -o output.txt
-oD               Directory to write enumeration results to (optional)        subfinder -oD ~/outputs
-oI               Write output in Host,IP format                              subfinder -oI
-oJ               Write output in JSON lines format                           subfinder -oJ
-r                Comma-separated list of resolvers to use                    subfinder -r,
-rL               Text file containing list of resolvers to use               subfinder -rL resolvers.txt
-recursive        Enumerate subdomains recursively                            subfinder -d -recursive
-silent           Show only subdomains in output                              subfinder -silent
-sources          Comma-separated list of sources to use                      subfinder -sources shodan,censys
-t                Number of concurrent goroutines for resolving (default 10)  subfinder -t 100
-timeout          Seconds to wait before timing out (default 30)              subfinder -timeout 30
-proxy            HTTP proxy to use with subfinder                            subfinder -proxy http://localhost:3128
-rate-limit       Maximum number of HTTP requests to send per second          subfinder -rate-limit 10
-v                Show verbose output                                         subfinder -v
-version          Show current program version                                subfinder -version


$ subfinder -d

               __    _____           __         
   _______  __/ /_  / __(_)___  ____/ /__  _____
  / ___/ / / / __ \/ /_/ / __ \/ __  / _ \/ ___/
 (__  ) /_/ / /_/ / __/ / / / / /_/ /  __/ /    
/____/\__,_/_.___/_/ /_/_/ /_/\__,_/\___/_/ v2.4.9

Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for

[INF] Found 18 subdomains for in 3 seconds 672 milliseconds
