HOW TO: Find Subdomains Of A Domain Name
Why would anyone want to find the subdomains of a domain name? Subdomains show how a person or a company uses a domain name. For example, on Slashsquare we have used two subdomains, ‘blog’ and ‘status’, to announce official updates. We can also use subdomains to find the other services a company provides; Google, for instance, has several, such as drive.google.com and plus.google.com.
Several companies use their subdomains like this for various purposes, and we can see how well they have branded them. Finding subdomains is also mainly used in penetration testing, i.e., to prevent illegal or unwanted access.
3 Ways We Used To Find Subdomains Of A Domain Name
1. Wolfram Alpha
My first attempt was to use Wolfram Alpha (my personal favourite tool), so I searched for our parent company “Slashsquare” there and got some pretty cool facts. If your site or blog is popular, it will give a detailed analysis of your server and domain names. We got these:
As you can see, there is an option named “Subdomains”; click it.
These are, in fact, the active public subdomains we have: blog.slashsquare.org and status.slashsquare.org
2. Google
Then we thought, why don’t we just Google it? Google knows things about our website that even we don’t, so why not give it a try? I tried a few queries and found a good one.
We can just use this simple query for finding the subdomains:
And we got the required result:
3. Pentest Tools
We looked for a good 3rd-party tool for this task and came across Pentest Tools. Surprisingly, we got a very detailed result; we were amazed by it, in fact.
It doesn’t just give you the subdomains that are public, but also the ones used for other domain configuration purposes.
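Whichever of the three methods you use, the output is a list of URLs or hostnames that still has to be reduced to a clean subdomain inventory. The Python below is an added example, not part of the original post: it keeps only hosts that really sit under the domain and ignores lookalikes. The function name, the `ignore` parameter and the sample list are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of search-result style entries (not real results).
SAMPLE_RESULTS = [
    "https://blog.slashsquare.org/some-post",
    "HTTP://Status.SlashSquare.org./",        # mixed case, trailing dot
    "status.slashsquare.org:443",              # bare host with a port
    "https://www.slashsquare.org/about",       # ignored by default
    "https://slashsquare.org/",                # the domain itself
    "https://notslashsquare.org/",             # lookalike, shares the ending
    "https://slashsquare.org.example.net/",    # domain used as a prefix
    "https://blog.slashsquare.org@example.com/",  # name hidden in userinfo
    "https://example.com/?u=blog.slashsquare.org",  # name only in the query
]


def subdomains_of(domain, results, ignore=("www",)):
    """Return the sorted, distinct subdomain labels of `domain` in `results`."""
    suffix = "." + domain.lower().strip(".")
    found = set()
    for item in results:
        item = item.strip()
        if not item:
            continue
        # urlsplit only fills in .hostname when a "//" authority is present.
        if "://" not in item:
            item = "//" + item
        try:
            host = urlsplit(item).hostname
        except ValueError:  # malformed entry, e.g. a broken IPv6 literal
            continue
        if not host:
            continue
        host = host.lower().rstrip(".")
        # Match on ".domain" so lookalike registrations are not counted.
        if host.endswith(suffix):
            label = host[: -len(suffix)]
            if label and label not in ignore:
                found.add(label)
    return sorted(found)


if __name__ == "__main__":
    print(subdomains_of("slashsquare.org", SAMPLE_RESULTS))
```

Comparing this inventory against the subdomains you expect to be public is a quick way to spot configuration hosts that should not be exposed.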