What is the DNS Subdomain Enumerator?
A hyper-aggressive hybrid reconnaissance tool that maps the entire external footprint of a target domain by combining historical Certificate Transparency logs with active Wordlist Bruteforcing.
How it Works under the hood
The engine connects via API to crt.sh to extract 10 years of SSL certificate registrations, parsing all historical subdomains. Concurrently, our Node.js server fires asynchronous DNS.lookup UDP requests using an 80-word tactical corporate dictionary (vpn, admin, auth, sso, etc). All discovered vectors are then deduplicated and statically resolved to flag Live IPs vs Historical nodes.
SysAdmin & Security Use Cases
- »Discover forgotten development APIs and staging environments.
- »Map out corporate mail and VPN gateways (Mail Exchangers, NS Records).
- »Identify potential shadow IT externally facing endpoints.
- »Gather attack surface intelligence before a Penetration Test.