Free Domain & Subdomain Recon

Enter a domain to look up its public DNS records (A, AAAA, MX, NS, TXT) and discover its subdomains from certificate-transparency logs. It's free, instant, and needs no signup — useful for security research, due diligence, and understanding a company's public infrastructure.

What this domain-recon tool shows

  • A / AAAA records — the IPv4 and IPv6 addresses the domain points to.
  • MX records — the mail servers that handle the domain's email.
  • NS records — the authoritative name servers (who runs the domain's DNS).
  • TXT records — SPF, DKIM, verification tokens and other text metadata.
  • Subdomains — names discovered from public certificate-transparency logs (crt.sh), which often reveal staging, admin, API, and internal-facing hosts.

Run a lookup

Enter a domain like example.com (no http://, no path). Results appear below.


Frequently asked questions

How do I find a domain's subdomains?
The fastest passive method is certificate-transparency logs: every TLS certificate a domain issues is publicly logged, and those logs list the hostnames the certificate covers. This tool queries crt.sh for names under the domain and de-duplicates them. It's passive — it never touches the target's servers.
What is certificate transparency (crt.sh)?
Certificate transparency is a public, append-only log of every TLS certificate issued by participating authorities. crt.sh is a free search front-end over those logs. Because subdomains usually get their own certificates, the logs are a rich, no-touch source of subdomain discovery.
What DNS records does this look up?
A and AAAA (IPv4/IPv6 addresses), MX (mail servers), NS (name servers), and TXT (SPF, DKIM, domain-verification tokens). All are public DNS data resolved over the standard resolver.
Is subdomain enumeration legal?
Passive discovery from public DNS and certificate-transparency logs uses only already-published information and does not interact with the target's systems. As always, use the results responsibly and within the law and any applicable authorization.
Why did some records come back empty?
A domain may simply have no record of that type (e.g. no MX if it doesn't receive mail), the domain may not exist, or a slow upstream (like crt.sh) may have timed out — in which case the DNS results still show and a note explains what was skipped.