Fast passive subdomain enumeration tool.

FeaturesInstallUsageAPI SetupLibraryJoin Discord



  • Fast and powerful resolution and wildcard elimination module
  • Curated passive sources to maximize results
  • Multiple Output formats supported (Json, File, Stdout)
  • Optimized for speed, very fast and lightweight on resources
  • STDIN/OUT support for integrating in workflows


subfinder -h

This will display help for the tool. Here are all the switches it supports.

   -d, -domain string[]  domains to find subdomains for
   -dL, -list string     file containing list of domains for subdomain discovery

   -s, -sources string[]           sources to use for discovery (-s crtsh,github)
   -recursive                      use only recursive sources
   -all                            Use all sources (slow) for enumeration
   -es, -exclude-sources string[]  sources to exclude from enumeration (-es archiveis,zoomeye)

   -rl, -rate-limit int  maximum number of http requests to send per second
   -t int                number of concurrent goroutines for resolving (-active only) (default 10)

   -o, -output string       file to write output to
   -oJ, -json               write output in JSONL(ines) format
   -oD, -output-dir string  directory to write output (-dL only)
   -cs, -collect-sources    include all sources in the output (-json only)
   -oI, -ip                 include host IP in output (-active only)

   -config string                flag config file (default "$HOME/.config/subfinder/config.yaml")
   -pc, -provider-config string  provider config file (default "$HOME/.config/subfinder/provider-config.yaml")
   -r string[]                   comma separated list of resolvers to use
   -rL, -rlist string            file containing list of resolvers to use
   -nW, -active                  display active subdomains only (remove wildcard)
   -proxy string                 http proxy to use with subfinder

   -ls       list all available sources
   -silent   show only subdomains in output
   -version  show version of subfinder
   -v        show verbose output
   -nc, -no-color      disable color in output

   -timeout int   seconds to wait before timing out (default 30)
   -max-time int  minutes to wait for enumeration results (default 10)


Subfinder requires go1.17 to install successfully. Run the following command to install the latest version:

go install -v

Post Installation Instructions

Subfinder will work after using the installation instructions however to configure Subfinder to work with certain services, you will need to have setup API keys. The following services do not work without an API key:

Binaryedge, C99, Certspotter, Chinaz, Censys, Chaos, DnsDB, Fofa, Github, Intelx, Passivetotal, Robtex, SecurityTrails, Shodan, Threatbook, Virustotal, WhoisXML API, Zoomeye

These values are stored in the $HOME/.config/subfinder/provider-config.yaml file which will be created when you run the tool for the first time. The configuration file uses the YAML format. Multiple API keys can be specified for each of these services from which one of them will be used for enumeration.

For sources that require multiple keys, namely Censys, Passivetotal, they can be added by separating them via a colon (:).

An example provider config file –

  - 0bf8919b-aab9-42e4-9574-d3b639324597
  - ac244e2f-b635-4581-878a-33f4e79a2c13
  - ac244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-f347b363def9
certspotter: []
  - [email protected]:sample_password
securitytrails: []
  - ghp_lkyJGU3jv1xmwk4SDXavrLDJ4dl2pSJMzj4X
  - ghp_gkUuhkIYdQPj13ifH4KA3cXRn8JD2lqir2d4

Running Subfinder

To run the tool on a target, just use the following command.

subfinder -d

               __    _____           __         
   _______  __/ /_  / __(_)___  ____/ /__  _____
  / ___/ / / / __ \/ /_/ / __ \/ __  / _ \/ ___/
 (__  ) /_/ / /_/ / __/ / / / / /_/ /  __/ /    
/____/\__,_/_.___/_/ /_/_/ /_/\__,_/\___/_/ v2.4.9

Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for

[INF] Found 18 subdomains for in 3 seconds 672 milliseconds

The subdomains discovered can be piped to other tools too. For example, you can pipe the subdomains discovered by subfinder to httpx httpx which will then find running http servers on the host.

echo | subfinder -silent | httpx -silent

Subfinder with docker

Pull the latest tagged subfinder docker image:

docker pull projectdiscovery/subfinder:latest

Running subfinder using docker image:

docker run projectdiscovery/subfinder:latest -d

Running subfinder using docker image with local config file:

docker run -v $HOME/.config/subfinder:/root/.config/subfinder -t projectdiscovery/subfinder -d

Subfinder Go library

Usage example:

package main

import (


func main() {
	runnerInstance, err := runner.NewRunner(&runner.Options{
		Threads:            10, // Thread controls the number of threads to use for active enumerations
		Timeout:            30, // Timeout is the seconds to wait for sources to respond
		MaxEnumerationTime: 10, // MaxEnumerationTime is the maximum amount of time in mins to wait for enumeration
		Resolvers:          resolve.DefaultResolvers, // Use the default list of resolvers by marshaling it to the config
		Sources:            passive.DefaultSources, // Use the default list of passive sources
		AllSources:         passive.DefaultAllSources, // Use the default list of all passive sources
		Recursive:          passive.DefaultRecursiveSources,	// Use the default list of recursive sources
		Providers:          &runner.Providers{}, // Use empty api keys for all providers

	buf := bytes.Buffer{}
	err = runnerInstance.EnumerateSingleDomain(context.Background(), "", []io.Writer{&buf})
	if err != nil {

	data, err := io.ReadAll(&buf)
	if err != nil {

	fmt.Printf("%s", data)



subfinder is made with 🖤 by the projectdiscovery team. Community contributions have made the project what it is. See the file for more details.

Read the disclaimer for usage at and contact us for any API removal.


View Github