Subfinder: Subdomain Discovery Tool

Last Release: 06/07/2022     Last Commit: 06/07/2022

Subfinder: Subdomain Discovery Tool

Subfinder is a tool which allows you to find valid subdomains through passive online sources. It uses a modular architecture which allows it to be fast and simple. This tool only has one function, which is to find the subdomains of a target domain.

Subfinder: Subdomain Discovery Tool

After submitting a target domain to Subfinder, it will go through at least 26 sources to find all of the various subdomains of the target domain. The subdomains can then be outputted in multiple formats such as Json, File and Stdout. It allows the user to enter multiple target domains at once, while the stdin/stdout features allow it to be integrated with other tools as part of a workflow.


  • Simple and modular code base making it easy to contribute.
  • Fast and Powerful Resolution and wildcard elimination module
  • Curated passive sources to maximize results (26 Sources as of now)
  • Multiple Output formats supported (json, file, stdout)
  • Optimized for speed, very fast and lightweight on resources
  • stdin and stdout support for integrating in workflows

Supported Platforms:

  • Linux
  • Windows
  • OS X


  • Go 1.13+

Subfinder Install

Option 1

Download the pre-built binaries from the release page, then extract using tar:

$ tar -xzvf subfinder-linux-amd64.tar

Move it to your path:

$ mv subfinder-linux-amd64 /usr/bin/subfinder

Option 2

Install in one command using Go:

$ go get -v

Option 3

For automatic installation:

$ docker pull ice3man/subfinder

For manual installation:

$ git clone
docker build -t ice3man/subfinder .
docker run -it ice3man/subfinder



To run the tool on a target, use the following command:

$ subfinder -d


Use the following command:

$ docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it ice3man/subfinder -d >

For some of the available sources, API keys will be required which must be specified in the following file:

$ HOME/.config/subfinder/config.yaml file
The sources for which API keys are required are listed below:

– Virustotal,Passivetotal, SecurityTrails, Censys, Binaryedge, Shodan, URLScan

Subfinder has many switches which are shown below:

$ Usage of ./subfinder:
  -config string
    	Configuration file for API Keys, etc (default "/home/user/.config/subfinder/config.yaml")
  -d string
    	Domain to find subdomains for
  -dL string
    	File containing list of domains to enumerate
  -exclude-sources string
    	List of sources to exclude from enumeration
  -max-time int
    	Minutes to wait for enumeration results (default 10)
    	Don't Use colors in output
    	Remove Wildcard & Dead Subdomains from output
  -o string
    	File to write output to (optional)
  -oD string
    	Directory to write enumeration results to (optional)
    	Write output in Host,IP format
    	Write output in JSON lines Format
  -r string
    	Comma-separated list of resolvers to use
  -rL string
    	Text file containing list of resolvers to use
    	Show only subdomains in output
  -sources string
    	Comma separated list of sources to use
  -t int
    	Number of concurrent goroutines for resolving (default 10)
  -timeout int
    	Seconds to wait before timing out (default 30)
  -v	Show Verbose output
    	Show version of subfinder

Usage example$ sudo ./subfinder -d -v
        _     __ _         _         
____  _| |__ / _(_)_ _  __| |___ _ _ 
(_-< || | '_ \  _| | ' \/ _  / -_) '_|
/__/\_,_|_.__/_| |_|_||_\__,_\___|_| v2
[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.
[INF] Enumerating subdomains for

Browse Information Gathering Tools.

Documentation Box
Download Box