5 sources + DNS brute · Graceful degradation · Free

Subdomain Enumeration API — 5 sources, always-on DNS brute, never empty.

crt.sh + certspotter + hackertarget + AlienVault OTX + VirusTotal queried in parallel, plus an always-on DNS bruteforce as the structural floor. Returns real subdomain data even when 4 of 5 upstream sources are down. Deduplicated, sorted, free tier.

1,000 free requests/mo · No credit card required · Graceful degradation
Try it

See it work with any domain.

Type any domain to see the live Subdomain list response from the API. Free, no signup — rate-limited to 5 lookups/day per browser.

GET /domain/{d}/subdomains
Want everything in one call?
Use /lookup/{domain} to get WHOIS + DNS + SSL + subdomains + email security in a single REST call. Same API key, same pricing, same response format — just bundled. Great for lead enrichment, fraud detection, full domain audits.
Why this Subdomain API

5 sources + DNS brute. Always returns real data.

CT log aggregators rate-limit and time out constantly. Single-source subdomain tools fail silently when upstream is broken. This API queries 5 sources in parallel with always-on DNS bruteforce as the structural floor, so you always get usable results.

5 parallel sources
crt.sh, certspotter, hackertarget, AlienVault OTX, VirusTotal — queried concurrently via asyncio.gather. Total response time bounded by the slowest single upstream, not the sum of all.
Always-on DNS bruteforce
A ~686-word curated wordlist (covers common infra patterns: api, mail, dev, staging, vpn, etc.) brute-forced against public resolvers (1.1.1.1, 8.8.8.8, 9.9.9.9) with 100 concurrent lookups. ALWAYS runs, regardless of upstream availability.
Graceful degradation
Live test (May 2026): 4 of 5 upstreams timing out simultaneously still returned 78 subdomains for cloudflare.com via VirusTotal + DNS brute. The architecture is designed so the response is never empty regardless of upstream conditions.
Deduplicated & sorted
Union of all sources merged, deduplicated, and alphabetically sorted. The sources_used field shows which sources contributed and any rate-limit / timeout warnings.
24h cache for repeat queries
Successful responses cached for 24 hours per domain. Subsequent calls for the same domain return cached data in <100ms while preserving upstream rate-limit budget. CT log data changes slowly enough that 24h cache is acceptable for nearly all use cases.
Bundled with full domain intel
Get just subdomains via /domain/{d}/subdomains, or grab subdomains + DNS + WHOIS + SSL + email security in a single /lookup/{d} call. Same API key, same pricing.
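
The fan-out, per-source failure handling and merge described in the features above, as an added sketch rather than the service's own code: the four source coroutines are constructed stubs, and the status strings only imitate the sources_used style shown on this page.

```python
import asyncio

# Constructed stand-ins for upstream sources; real ones would do HTTP or DNS I/O.
async def ct_stub(domain):
    return [f"api.{domain}", f"WWW.{domain}.", f"*.dev.{domain}", f"cdn.not{domain}"]

async def slow_stub(domain):
    await asyncio.sleep(5)  # an upstream that hangs past the timeout
    return [f"never.{domain}"]

async def quota_stub(domain):
    raise RuntimeError("API count exceeded")

async def dns_brute_stub(domain):
    return [f"api.{domain}", f"mail.{domain}"]  # floor: no third-party dependency

def normalize(name, domain):
    """Lowercase, drop trailing dot and wildcard labels; reject out-of-scope names."""
    name = name.strip().lower().rstrip(".")
    while name.startswith("*."):
        name = name[2:]
    return name if name == domain or name.endswith("." + domain) else None

async def enumerate_subdomains(domain, sources, per_source_timeout=0.2):
    async def guarded(fn):
        return await asyncio.wait_for(fn(domain), per_source_timeout)
    # return_exceptions=True: one failing source must not cancel the others
    results = await asyncio.gather(*(guarded(fn) for fn in sources.values()),
                                   return_exceptions=True)
    merged, sources_used = set(), []
    for label, result in zip(sources, results):
        if isinstance(result, asyncio.TimeoutError):
            sources_used.append(f"{label} timeout")
        elif isinstance(result, Exception):
            sources_used.append(f"{label} failed: {result}")
        else:
            fresh = {n for n in (normalize(r, domain) for r in result) if n} - merged
            merged |= fresh
            sources_used.append(f"{label} ok +{len(fresh)}")
    return {"domain": domain, "count": len(merged),
            "sources_used": sources_used, "subdomains": sorted(merged)}

SOURCES = {"ct-stub": ct_stub, "slow-stub": slow_stub,
           "quota-stub": quota_stub, "dns-brute": dns_brute_stub}

if __name__ == "__main__":
    print(asyncio.run(enumerate_subdomains("example.com", SOURCES)))
```

The scope check in normalize compares against "." + domain, so a look-alike such as cdn.notexample.com returned by a passive source is not merged into the result.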
Response shape

Deduplicated list + transparency on which sources contributed.

Below: a real response for cloudflare.com. The sources_used array tells you what each source contributed (or why it failed) so you can audit data quality.

GET /domain/cloudflare.com/subdomains
{
  "domain": "cloudflare.com",
  "count": 204,
  "returned": 204,
  "sources_used": [
    "crt.sh ok +156",             // crt.sh contributed 156 unique
    "certspotter ok +81",
    "hackertarget limited: API count exceeded",
    "otx ok +12",
    "virustotal ok +40",
    "dns-brute ok +19 (wordlist 686)"  // always runs
  ],
  "warnings": [],                 // coverage-aware: only populated if count <20
  "subdomains": [
    "api.cloudflare.com",
    "blog.cloudflare.com",
    "developers.cloudflare.com",
    "workers.cloudflare.com",
    // ... 200 more, deduplicated and sorted
  ]
}
Code examples

Drop it into your recon pipeline.

Authenticate with your RapidAPI key, then call GET /domain/{domain}/subdomains. Responses typically arrive within 5-15 seconds, because multiple upstreams need time to complete.

cURL:

curl "https://domain-intelligence-api.p.rapidapi.com/domain/cloudflare.com/subdomains" \
  -H "X-RapidAPI-Host: domain-intelligence-api.p.rapidapi.com" \
  -H "X-RapidAPI-Key: YOUR_RAPIDAPI_KEY"

Python:

import requests

domain = "cloudflare.com"
url = f"https://domain-intelligence-api.p.rapidapi.com/domain/{domain}/subdomains"
headers = {
    "X-RapidAPI-Host": "domain-intelligence-api.p.rapidapi.com",
    "X-RapidAPI-Key": "YOUR_RAPIDAPI_KEY",
}
r = requests.get(url, headers=headers, timeout=30)
r.raise_for_status()  # surface auth and rate-limit errors instead of parsing an error body
data = r.json()
print(f"Found {data['count']} subdomains")
for sub in data["subdomains"][:10]:
    print(f"  - {sub}")

Node.js:

// Node 18+ has built-in fetch — no import needed
const domain = "cloudflare.com";
const res = await fetch(
  `https://domain-intelligence-api.p.rapidapi.com/domain/${domain}/subdomains`,
  { headers: {
      "X-RapidAPI-Host": "domain-intelligence-api.p.rapidapi.com",
      "X-RapidAPI-Key": "YOUR_RAPIDAPI_KEY",
  }}
);
// Fail on non-2xx responses before trying to read the subdomain list
if (!res.ok) throw new Error(`HTTP ${res.status}`);
const data = await res.json();
console.log(`Found ${data.count} subdomains`);
console.log(data.subdomains.slice(0, 10));

PHP:

<?php
$domain = "cloudflare.com";
$ch = curl_init("https://domain-intelligence-api.p.rapidapi.com/domain/$domain/subdomains");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    "X-RapidAPI-Host: domain-intelligence-api.p.rapidapi.com",
    "X-RapidAPI-Key: YOUR_RAPIDAPI_KEY",
]);
$body = curl_exec($ch);
curl_close($ch);
// curl_exec returns false on transport errors (timeout, DNS failure)
if ($body === false) {
    exit("Request failed");
}
$data = json_decode($body, true);
echo "Found " . $data["count"] . " subdomains";

Use cases

Common things people build with this Subdomain API.

Security teams, bug bounty hunters, IT operations, and infrastructure auditors are the primary users.

Attack surface management
Enumerate every subdomain across your owned domains. Catch shadow IT, deprecated services still online, dev/staging environments leaked to the public internet. Run weekly to track delta.
Bug bounty & pentest recon
Standard first step on any engagement. Get the full subdomain footprint in 10-30 seconds instead of running 4 separate CLI tools and merging their output by hand.
Asset inventory automation
Feed subdomain lists into vuln scanners, fuzzing tools, screenshot diff systems. Your inventory stays current without manual scripting.
Threat intelligence enrichment
When investigating a phishing domain or malicious IP, enumerate sibling subdomains to find related infrastructure. Often reveals C2 patterns, staging domains, or other parts of the campaign.
CT log monitoring (subdomain change detection)
Run daily on your owned domains. Diff today's list against yesterday's. Alert on new subdomain appearances — useful for catching unauthorized cert issuance, MitM setup, or shadow IT going live.
Competitive infrastructure analysis
Map a competitor's full subdomain footprint to understand their product structure (api., admin., staging., support., billing., etc.). Useful for sales intelligence and competitive teardowns.
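
The daily diff from the CT log monitoring use case, combined with the sources_used strings from the response shape section; this is an added example, not code from the API or its repository. Both snapshots are constructed samples, and holding back "removed" findings when a source that was healthy yesterday failed today is an assumption of this sketch.

```python
import re

# Format taken from the sample response: "<source> <status>[ +N | : reason | (...)]"
_SRC = re.compile(r"^(?P<name>\S+)\s+(?P<status>\w+)(?:\s*\+(?P<added>\d+))?")

def parse_sources(sources_used):
    """Map source name -> (status, unique names contributed)."""
    out = {}
    for line in sources_used:
        m = _SRC.match(line)
        if m:
            out[m["name"]] = (m["status"], int(m["added"] or 0))
    return out

def diff_snapshots(prev, curr):
    """Compare two API responses; mark removals unconfirmed when coverage dropped."""
    before, after = set(prev["subdomains"]), set(curr["subdomains"])
    p_src = parse_sources(prev["sources_used"])
    c_src = parse_sources(curr["sources_used"])
    # Sources that were healthy in the previous run but not in this one
    degraded = sorted(s for s, (st, _) in p_src.items()
                      if st == "ok" and c_src.get(s, ("missing", 0))[0] != "ok")
    gone = sorted(before - after)
    return {
        "new": sorted(after - before),  # worth an alert regardless of coverage
        "removed": [] if degraded else gone,
        "unconfirmed_removed": gone if degraded else [],
        "degraded_sources": degraded,
    }

# Constructed sample snapshots (not real API output)
YESTERDAY = {"sources_used": ["crt.sh ok +3", "otx ok +1", "dns-brute ok +1 (wordlist 686)"],
             "subdomains": ["api.example.com", "old.example.com", "vpn.example.com",
                            "www.example.com"]}
TODAY = {"sources_used": ["crt.sh limited: API count exceeded", "otx ok +2",
                          "dns-brute ok +2 (wordlist 686)"],
         "subdomains": ["api.example.com", "staging.example.com", "www.example.com"]}

if __name__ == "__main__":
    print(diff_snapshots(YESTERDAY, TODAY))
```

Because the response is designed never to be empty, a shorter list on a degraded day looks like a normal result; comparing sources_used between runs is what separates a real decommission from a source outage.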
Pricing

Pay only for what you use.

Billed monthly via RapidAPI. Same pricing across all endpoints (subdomains, DNS, WHOIS, SSL, email security, and bundled /lookup). Cancel anytime.

BASIC
$0/mo
For evaluation, small recon engagements, and one-off audits.
  • 1,000 requests / month
  • All endpoints included
  • No credit card required
Most popular
PRO
$9.99/mo
For production recon pipelines and ongoing attack surface monitoring.
  • 50,000 requests / month
  • Higher rate limits
  • Email support
ULTRA
$39.99/mo
For security platforms with continuous monitoring features.
  • 500,000 requests / month
  • SLA: 99.9% uptime
  • Priority support
MEGA
$149.99/mo
For threat intel platforms and high-volume security vendors.
  • 5,000,000 requests / month
  • Highest concurrency
  • Dedicated support
FAQ

Frequently asked questions.

Quick answers to common developer questions about the subdomain enumeration API.

Is your Subdomain Enumeration API free?
Yes. Free tier includes 1,000 requests per month with no credit card required. Paid tiers start at $9.99/mo for 50,000 requests.
What data sources does this aggregate?
5 upstream sources queried concurrently: crt.sh (Certificate Transparency logs), certspotter (CT log mirror), hackertarget (passive DNS), AlienVault OTX (passive DNS), and VirusTotal (passive DNS via v3 API). Plus an always-on DNS bruteforce against a ~686-word curated wordlist via public resolvers. All 6 sources run in parallel via asyncio.gather.
What if some upstream sources are down or rate-limited?
Graceful degradation. The DNS bruteforce always runs as a structural floor regardless of upstream availability, so you always get real subdomain data even when 4 of 5 CT/passive-DNS sources are timing out. The response includes a sources_used array showing which sources contributed and which failed.
Is this passive enumeration or active scanning?
Mostly passive. The 5 CT/passive-DNS sources query existing data (CT log archives, DNS scanner databases) without touching the target. The DNS bruteforce performs DNS lookups against public resolvers (1.1.1.1, 8.8.8.8, 9.9.9.9) which doesn't generate any network traffic to the target's own infrastructure.
How fresh are the results?
CT log data is typically minutes-to-hours fresh (CT logs are append-only public records that update in near real-time). Passive DNS data varies by provider (typically hours to a few days old). DNS bruteforce results are always live. We cache the deduplicated response for 24 hours to reduce upstream rate-limit burn.
What's the rate limit?
Free tier: 1,000/mo. Pro: 50,000/mo. Ultra: 500,000/mo. Mega: 5M/mo. Subdomain enumeration calls each take longer than other endpoints (multiple upstreams + bruteforce) so per-second rate limits are slightly more conservative.
Can I expand the bruteforce wordlist?
The hosted version uses a fixed curated ~686-word list optimized for common infrastructure patterns. Self-hosters can swap the wordlist by editing app/subdomains.py in the open-source repo (MIT-licensed on GitHub).
How does this compare to Sublist3r, OWASP Amass, or Subfinder?
All four discover subdomains. The differences: those are CLI tools you run locally (good for one-off recon but require setup and credential management per source); ours is a hosted REST API with no setup, returning structured JSON. We also handle upstream key management (OTX, VirusTotal) and rate-limit handling on our side, so you don't have to maintain credentials for each source.

Stop merging 4 CLI tool outputs by hand.
