In our journey through DNS discovery, we’ve used active tools like dnsrecon and dnsenum that directly “touch” a target’s infrastructure. While effective, active probing can be noisy. To stay under the radar while gathering a massive footprint, we turn to subfinder. As of 2026, subfinder remains the gold standard for passive subdomain discovery. Developed by the ProjectDiscovery team, it doesn’t brute-force a target directly. Instead, it queries 30+ external APIs and public data sources (like Censys, Chaos, and GitHub) to find subdomains already indexed by the internet.
Why subfinder is the Industry Standard
- Passive & Stealthy: It complies with all source licenses and usage restrictions. Since it doesn’t send packets to the target, it generates zero noise in the target’s logs.
- Go-Based Performance: Written in Go, it’s incredibly fast and modular. You can install it with:
  go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
- API-First Design: While it works out of the box, its true power is unlocked when you provide API keys for services like VirusTotal or SecurityTrails in its provider-config.yaml.
Essential Flags for the Modern Auditor
To get the most out of subfinder, use these specific flags for automation:
- -all: Uses every available source for enumeration—slower, but maximizes discovery.
- -silent: Suppresses the banner and extra logs; only outputs discovered hostnames.
- -duc (Disable Update Check): Speeds up execution by skipping the version check.
- -oJ: Outputs results in JSONL (JSON Lines) format, which includes the discovery source for each entry—vital for verifying data.
It performs a “stealth” scan on a domain and uses the jq utility to format the JSON output into a readable report for a security audit.
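As an added example (not the original post's script and not ProjectDiscovery code), the Python below covers the reporting half of such an audit: it reads -oJ output, groups hosts by the source that reported them, and flags what still needs verification. The sample lines are constructed, and the host, source and sources field names are assumptions about the JSONL schema.

```python
import json
from collections import defaultdict

# Constructed sample of `subfinder -d example.com -all -silent -duc -oJ` output.
# Assumed schema: "host" plus either "source" (string) or "sources" (list).
SAMPLE_JSONL = """\
{"host":"www.example.com","input":"example.com","sources":["crtsh","virustotal"]}
{"host":"VPN.example.com.","input":"example.com","source":"securitytrails"}
{"host":"dev.example.org","input":"example.com","source":"github"}
not-json banner line
{"host":"api.example.com","input":"example.com","source":"censys"}
"""

def normalise(host):
    # Passive sources mix case and trailing dots; fold them before comparing.
    return host.strip().rstrip(".").lower()

def in_scope(host, root):
    # Label-boundary match: "evilexample.com" must not count as example.com.
    return host == root or host.endswith("." + root)

def build_report(jsonl_text, root):
    """Group discovered hosts by reporting source and flag entries to verify."""
    sources = defaultdict(set)
    out_of_scope, malformed = set(), 0
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            host = normalise(rec["host"])
            srcs = rec.get("sources") or [rec["source"]]
        except (ValueError, KeyError, TypeError, AttributeError):
            malformed += 1  # stray log output or a truncated record
            continue
        if in_scope(host, root):
            sources[host].update(srcs)
        else:
            out_of_scope.add(host)  # stale or unrelated third-party data
    return {
        "hosts": {h: sorted(s) for h, s in sorted(sources.items())},
        "single_source": sorted(h for h, s in sources.items() if len(s) == 1),
        "out_of_scope": sorted(out_of_scope),
        "malformed": malformed,
    }

if __name__ == "__main__":
    report = build_report(SAMPLE_JSONL, "example.com")
    for host, srcs in report["hosts"].items():
        print(f"{host:22} {len(srcs)} source(s): {', '.join(srcs)}")
    print("verify before reporting:", ", ".join(report["single_source"]))
```

Hosts attested by a single source, and anything outside the audited domain, are the entries to confirm before they go into a report.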
