5 sources + DNS brute · Graceful degradation · Free

Subdomain Enumeration API — 5 sources, always-on DNS brute, never empty.

crt.sh + certspotter + hackertarget + rapiddns + VirusTotal queried in parallel, plus an always-on DNS bruteforce as the structural floor and background enrichment aggregating 25+ passive sources for comprehensive coverage. Returns real subdomain data even when individual upstreams are rate-limited. Deduplicated, sorted, free tier.

1,000 free requests/mo No credit card required Graceful degradation
Try it

See it work with any domain.

Type any domain to see the live Subdomain list response from the API. Free, no signup — rate-limited to 5 lookups/day per browser.

GET /domain/{d}/subdomains
Try: openai.comanthropic.comcloudflare.comgithub.com 0 / 5 today
// Click "Run lookup" to see the live API response for this endpoint
Slow sources finishing in the background — updating with the full result…
Want everything in one call?
Use /lookup/{domain} to get WHOIS + DNS + SSL + subdomains + email security in a single REST call. Same API key, same pricing, same response format — just bundled. Great for lead enrichment, fraud detection, full domain audits.
Try the all-in-one lookup →
Why this Subdomain API

5 sources + DNS brute. Always returns real data.

CT log aggregators rate-limit and time out constantly. Single-source subdomain tools fail silently when upstream is broken. This API queries 5 sources in parallel with always-on DNS bruteforce as the structural floor, so you always get usable results.

5 parallel sources
crt.sh, certspotter, hackertarget, rapiddns, VirusTotal — queried concurrently for a fast first response, then background enrichment aggregates 25+ passive sources for comprehensive coverage on the next lookup.
Always-on DNS bruteforce
A 773-word curated wordlist (covers common infra patterns: api, mail, dev, staging, vpn, k8s, etc.) resolved (A + CNAME) across 8 anycast resolvers (Cloudflare, Google, Quad9, OpenDNS) at 100 concurrent. ALWAYS runs, regardless of upstream availability. Automatic wildcard-DNS detection skips zones that resolve everything, so wildcard domains return real subdomains — not false positives.
Graceful degradation
Even with several upstreams rate-limited, the always-on bruteforce plus direct CT/passive sources return a solid baseline instantly, while background enrichment (aggregating 25+ passive sources) fills in comprehensive coverage. The response is never empty regardless of upstream conditions.
Deduplicated & sorted
Union of all sources merged, deduplicated, and alphabetically sorted. The sources_used field shows which sources contributed and any rate-limit / timeout warnings.
24h cache for repeat queries
Successful responses cached for 24 hours per domain. Subsequent calls for the same domain return cached data in <100ms while preserving upstream rate-limit budget. CT log data changes slowly enough that 24h cache is acceptable for nearly all use cases.
Bundled with full domain intel
Get just subdomains via /domain/{d}/subdomains, or grab subdomains + DNS + WHOIS + SSL + email security in a single /lookup/{d} call. Same API key, same pricing.
Response shape

Deduplicated list + transparency on which sources contributed.

Below: a real response for cloudflare.com. The sources_used array tells you what each source contributed (or why it failed) so you can audit data quality.

GET/domain/cloudflare.com/subdomains
{
  "domain": "cloudflare.com",
  "count": 204,
  "returned": 204,
  "sources_used": [
    "crt.sh ok +156",             // CT logs — the richest source
    "certspotter ok +49",
    "hackertarget rate-limited",    // still full coverage without it
    "rapiddns ok +57",
    "virustotal ok +40",
    "dns-brute ok +38 (wordlist 773)"  // always runs — the structural floor
  ],
  "warnings": [],                 // coverage-aware: only populated if count <20
  "subdomains": [
    "api.cloudflare.com",
    "blog.cloudflare.com",
    "developers.cloudflare.com",
    "workers.cloudflare.com",
    // ... 200 more, deduplicated and sorted
  ]
}
Code examples

Drop it into your recon pipeline.

Authenticate with your RapidAPI key, then call GET /domain/{domain}/subdomains. Returns within 5-15 seconds typically (multiple upstreams need time to complete).

curl "https://domain-intelligence-api.p.rapidapi.com/domain/cloudflare.com/subdomains" \
  -H "X-RapidAPI-Host: domain-intelligence-api.p.rapidapi.com" \
  -H "X-RapidAPI-Key: YOUR_RAPIDAPI_KEY"
import requests

domain = "cloudflare.com"
url = f"https://domain-intelligence-api.p.rapidapi.com/domain/{domain}/subdomains"
headers = {
    "X-RapidAPI-Host": "domain-intelligence-api.p.rapidapi.com",
    "X-RapidAPI-Key": "YOUR_RAPIDAPI_KEY",
}
r = requests.get(url, headers=headers, timeout=30)
data = r.json()
print(f"Found {data['count']} subdomains")
for sub in data["subdomains"][:10]:
    print(f"  - {sub}")
// Node 18+ has built-in fetch - no import needed
const domain = "cloudflare.com";
const res = await fetch(
  `https://domain-intelligence-api.p.rapidapi.com/domain/${domain}/subdomains`,
  { headers: {
      "X-RapidAPI-Host": "domain-intelligence-api.p.rapidapi.com",
      "X-RapidAPI-Key": "YOUR_RAPIDAPI_KEY",
  }}
);
const data = await res.json();
console.log(`Found ${data.count} subdomains`);
console.log(data.subdomains.slice(0, 10));
<?php
$domain = "cloudflare.com";
$ch = curl_init("https://domain-intelligence-api.p.rapidapi.com/domain/$domain/subdomains");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    "X-RapidAPI-Host: domain-intelligence-api.p.rapidapi.com",
    "X-RapidAPI-Key: YOUR_RAPIDAPI_KEY",
]);
$data = json_decode(curl_exec($ch), true);
curl_close($ch);
echo "Found " . $data["count"] . " subdomains";
Use cases

Common things people build with this Subdomain API.

Security teams, bug bounty hunters, IT operations, and infrastructure auditors are the primary users.

Attack surface management
Enumerate every subdomain across your owned domains. Catch shadow IT, deprecated services still online, dev/staging environments leaked to the public internet. Run weekly to track delta.
Bug bounty & pentest recon
Standard first step on any engagement. Get the full subdomain footprint in 10-30 seconds instead of running 4 separate CLI tools and merging their output by hand.
Asset inventory automation
Feed subdomain lists into vuln scanners, fuzzing tools, screenshot diff systems. Your inventory stays current without manual scripting.
Threat intelligence enrichment
When investigating a phishing domain or malicious IP, enumerate sibling subdomains to find related infrastructure. Often reveals C2 patterns, staging domains, or other parts of the campaign.
CT log monitoring (subdomain change detection)
Run daily on your owned domains. Diff today's list against yesterday's. Alert on new subdomain appearances — useful for catching unauthorized cert issuance, MitM setup, or shadow IT going live.
Competitive infrastructure analysis
Map a competitor's full subdomain footprint to understand their product structure (api., admin., staging., support., billing., etc.) Useful for sales intelligence and competitive teardowns.
Pricing

Same plan unlocks every endpoint.

One subscription covers WHOIS, DNS, SSL, subdomains, email security, and the bundled /lookup. Billed monthly via RapidAPI. Cancel anytime.

Basic$0 /mo1,000 req/mo · no card
Pro$9.99 /mo50,000 req/mo
Ultra$39.99 /mo500,000 req/mo
Mega$149.99 /mo5,000,000 req/mo
From $0/mo — 1,000 requests free, no credit card. Compare against DomainTools, WhoisXMLAPI, and self-hosted alternatives on the main pricing page.
FAQ

Frequently asked questions.

Quick answers to common developer questions about the subdomain enumeration API.

Is your Subdomain Enumeration API free?+
Yes. Free tier includes 1,000 requests per month with no credit card required. Paid tiers start at $9.99/mo for 50,000 requests.
What data sources does this aggregate?+
5 upstream sources queried concurrently: crt.sh (Certificate Transparency logs), certspotter (CT log mirror), hackertarget (passive DNS), rapiddns (passive DNS), and VirusTotal (passive DNS via v3 API). Plus an always-on DNS bruteforce against a 773-word curated wordlist via 8 public resolvers, with automatic wildcard-DNS detection to filter false positives. All 6 sources run in parallel, and a background enrichment pass aggregates 25+ additional passive sources for comprehensive coverage, so the first lookup is fast and the next is even more complete.
What if some upstream sources are down or rate-limited?+
Graceful degradation. The DNS bruteforce always runs as a structural floor regardless of upstream availability, so you always get real subdomain data even when several CT/passive-DNS sources are timing out. The response includes a sources_used array showing which sources contributed and which failed.
Is this passive enumeration or active scanning?+
Mostly passive. The 5 CT/passive-DNS sources query existing data (CT log archives, DNS scanner databases) without touching the target. The DNS bruteforce performs DNS lookups against public resolvers (Cloudflare, Google, Quad9, OpenDNS) which doesn't generate any network traffic to the target's own infrastructure.
How fresh are the results?+
CT log data is typically minutes-to-hours fresh (CT logs are append-only public records that update in near real-time). Passive DNS data varies by provider (typically hours to a few days old). DNS bruteforce results are always live. We cache the deduplicated response for 24 hours to reduce upstream rate-limit burn.
What's the rate limit?+
Free tier: 1,000/mo. Pro: 50,000/mo. Ultra: 500,000/mo. Mega: 5M/mo. Subdomain enumeration calls each take longer than other endpoints (multiple upstreams + bruteforce) so per-second rate limits are slightly more conservative.
Can I expand the bruteforce wordlist?+
The hosted version uses a fixed curated 773-word list optimized for common infrastructure patterns. Self-hosters can swap the wordlist by editing app/subdomains.py in the open-source repo (MIT-licensed on GitHub).
How does this compare to Sublist3r, OWASP Amass, or Subfinder?+
All four discover subdomains. The differences: those are CLI tools you run locally (good for one-off recon but require setup and credential management per source); ours is a hosted REST API with no setup, returning structured JSON. We also handle upstream key management (VirusTotal) and rate-limit handling on our side, so you don't have to maintain credentials for each source.

Stop merging 4 CLI tool outputs by hand.

Free tier · No credit card · All endpoints included

Get your API key →