Free Domain & Subdomain Recon
Enter a domain to look up its public DNS records (A, AAAA, MX, NS, TXT) and discover its subdomains from certificate-transparency logs. It's free, instant, and needs no signup — useful for security research, due diligence, and understanding a company's public infrastructure.
What this domain-recon tool shows
- A / AAAA records — the IPv4 and IPv6 addresses the domain points to.
- MX records — the mail servers that handle the domain's email.
- NS records — the authoritative name servers (who runs the domain's DNS).
- TXT records — SPF, DKIM, verification tokens and other text metadata.
- Subdomains — names discovered from public certificate-transparency logs (crt.sh), which often reveal staging, admin, API, and internal-facing hosts.
Run a lookup
Enter a domain like example.com (no http://, no path). Results appear below.
Frequently asked questions
- How do I find a domain's subdomains?
- The fastest passive method is certificate-transparency logs: every TLS certificate a domain issues is publicly logged, and those logs list the hostnames the certificate covers. This tool queries crt.sh for names under the domain and de-duplicates them. It's passive — it never touches the target's servers.
- What is certificate transparency (crt.sh)?
- Certificate transparency is a public, append-only log of every TLS certificate issued by participating authorities. crt.sh is a free search front-end over those logs. Because subdomains usually get their own certificates, the logs are a rich, no-touch source of subdomain discovery.
- What DNS records does this look up?
- A and AAAA (IPv4/IPv6 addresses), MX (mail servers), NS (name servers), and TXT (SPF, DKIM, domain-verification tokens). All are public DNS data resolved over the standard resolver.
- Is subdomain enumeration legal?
- Passive discovery from public DNS and certificate-transparency logs uses only already-published information and does not interact with the target's systems. As always, use the results responsibly and within the law and any applicable authorization.
- Why did some records come back empty?
- A domain may simply have no record of that type (e.g. no MX if it doesn't receive mail), the domain may not exist, or a slow upstream (like crt.sh) may have timed out — in which case the DNS results still show and a note explains what was skipped.