v2digga

Discovery

Free Subdomain Finder

Find the subdomains of any domain. digga enumerates them passively from Certificate Transparency logs and other public sources, so no traffic ever reaches the target.

Apex, subdomain, or URL. We figure it out.

Trygoogle.comwikipedia.orggithub.comvercel.comcloudflare.comopenai.com

What you get

Everything in one report.

  • 01

    Passive only

    Subdomains come from public records like Certificate Transparency logs. digga never sends a single request to the target domain.

  • 02

    Many sources merged

    Results from several public sources are combined and deduplicated into one clean, sorted list.

  • 03

    Streamed results

    Names stream back to your browser as they are discovered, so you see findings appear instead of waiting on a spinner.

  • 04

    Click through to records

    Open any discovered subdomain to inspect its own DNS, registration, and certificate data.

What is a subdomain finder?

A subdomain finder discovers the hostnames that sit under a domain, such as mail.example.com, api.example.com, or staging.example.com. Security teams use it to map attack surface, engineers use it to take inventory of deployed services, and researchers use it to understand how an organization is structured. digga finds subdomains passively, which means it collects them from public records rather than probing the target.

How passive enumeration works

Every time a TLS certificate is issued, the hostname is logged in public Certificate Transparency logs. Those logs, together with other public datasets, reveal subdomains that have ever been given a certificate or otherwise published. digga queries these sources, merges the results, and removes duplicates. Because the data already exists publicly, nothing is ever sent to the domain you are researching.

Why map subdomains?

Forgotten staging servers, legacy apps, and misconfigured services are a common way in for attackers. Listing the subdomains attached to a domain is the fastest way to see the full footprint, triage which hosts to harden, and confirm that a deploy or a decommission did what you expected. It is equally useful for due diligence and competitive research.

Is passive discovery safe and legal?

Passive enumeration only reads public records, so it does not touch the target and does not generate traffic that could be mistaken for an attack. That makes it a safe first step for asset inventory and authorized security work. It also means the list reflects what is publicly observable, not necessarily every subdomain that exists.

Keep digging

Related tools.

DNS LookupSSL and TLS Certificate CheckerWHOIS Lookup

FAQ

Questions, answered.

Is this subdomain finder free?
Yes, completely free with no signup. digga is open source under AGPL 3.0.
How does subdomain discovery work?
digga gathers subdomains from public sources such as Certificate Transparency logs, then merges and deduplicates them. It is fully passive.
Does it send traffic to my domain?
No. Discovery is passive and reads only public records, so nothing is ever sent to the target domain itself.
Will it find every subdomain?
Not necessarily. Passive sources reveal names that have been logged publicly, for example through issued certificates. Subdomains that were never published may not appear.
Can I use this for security research?
Yes. Passive subdomain enumeration is a standard, low risk step for asset inventory and authorized attack surface mapping.

Ready to dig?

Enter a domain to run the subdomain finder now.

Apex, subdomain, or URL. We figure it out.