Automatically discover and monitor all subdomains under your root domains. Track DNS changes, detect subdomain takeovers, and identify misconfigurations before they become security incidents.
Subdomains represent a significant portion of your external attack surface. Without monitoring, forgotten or misconfigured subdomains create security vulnerabilities.
Detect dangling DNS records that point to deprovisioned services (AWS S3, Heroku, Azure). Attackers exploit these to host phishing sites or steal session cookies.
Receive alerts when DNS records change unexpectedly. Detect unauthorized modifications, accidental misconfigurations, or DNS hijacking attempts.
Track certificate expiration dates across all subdomains. Avoid service interruptions and browser warnings from expired certificates.
Scheduled scans run automatically without manual intervention. New subdomains are discovered and added to monitoring within minutes of DNS propagation.
Export subdomain inventories, vulnerability reports, and historical change logs. Meet compliance requirements for asset management documentation.
Receive notifications via email, Slack, or webhook integration. Configure alert thresholds and severity levels to reduce notification noise.
Set up continuous subdomain monitoring in three steps. No complex configuration required.
Enter your root domain and verify ownership using a TXT DNS record. Optionally integrate with your DNS provider for automated domain sync.
Our system enumerates subdomains using multiple techniques: DNS zone transfers, certificate transparency logs, DNS brute-forcing, and reverse DNS lookups.
Scheduled scans run every 24 hours. Receive immediate alerts when new subdomains appear, DNS records change, or security issues are detected.
Our platform uses multiple techniques to ensure comprehensive subdomain enumeration
Queries authoritative nameservers for all DNS record types (A, AAAA, CNAME, MX, TXT). Attempts zone transfers when possible and performs recursive queries to discover subdomain hierarchies. This method discovers active subdomains currently responding to DNS queries.
Monitors public Certificate Transparency logs where SSL/TLS certificates are recorded. Extracts Subject Alternative Names (SANs) to discover subdomains even if they're not publicly advertised via DNS. This reveals subdomains that may have been decommissioned but had certificates issued.
Uses curated wordlists of common subdomain names (api, www, staging, dev, admin) combined with your organization's naming patterns. Tests thousands of potential subdomains while respecting rate limits. Discovers subdomains that aren't linked or referenced elsewhere.
Performs reverse PTR record queries on IP ranges associated with your infrastructure. Discovers subdomains configured on shared hosting or cloud platforms where multiple domains share IP addresses. Useful for identifying subdomains on CDNs or load balancers.
Queries search engine indexes (Google, Bing) using site: operators to find publicly indexed subdomains. Discovers subdomains that appear in search results, web archives, or cached pages. Particularly effective for finding old or forgotten subdomains.
Directly connects to Cloudflare, AWS Route 53, Google Cloud DNS, and Azure DNS APIs. Pulls complete zone files to ensure 100% subdomain coverage without enumeration gaps. Automatically syncs when new records are added to your DNS provider.
One of the most critical risks from unmonitored subdomains
A subdomain takeover occurs when a subdomain's DNS record points to an external service (like AWS S3, Heroku, GitHub Pages, or Azure) that has been deprovisioned or deleted. The DNS record remains active, but the target service no longer belongs to you. Attackers can claim that service and control your subdomain.
For example: Your marketing team created promo.yourcompany.com pointing to an AWS S3 bucket for a campaign. The campaign ended, the S3 bucket was deleted, but the DNS CNAME record remained. An attacker creates a new S3 bucket with the same name and now controls promo.yourcompany.com—using your domain to host phishing pages, steal cookies, or damage your brand reputation.
Our subdomain monitoring tool performs active checks on every discovered subdomain:
When a potential takeover is detected, you receive an immediate high-priority alert with remediation steps: either remove the DNS record or reclaim the service endpoint.
Subdomain takeovers have affected major organizations including Microsoft, Uber, and the UK government. Attackers use taken-over subdomains for phishing campaigns (appearing to come from your domain), malware distribution, stealing authentication cookies, and SEO manipulation. The average time between subdomain decommissioning and takeover discovery is 6-12 months—providing attackers extended access.
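The dangling-record scenario described above can be checked offline by cross-referencing a zone export against an inventory of the service endpoints you still hold. This is an added example, not the platform's own code. The zone records, the bucket and app names, the inventory list and the service suffix list are constructed assumptions, and the check also follows in-zone CNAME chains, which goes beyond the single-record case in the text.

```python
# Added example: flag CNAME records whose final target is a third-party
# service hostname that is absent from your own asset inventory.
# All names and records below are constructed sample data.

# Assumption: illustrative hostname suffixes for the services the page names.
THIRD_PARTY_SUFFIXES = (".s3.amazonaws.com", ".herokuapp.com",
                        ".github.io", ".azurewebsites.net")

def norm(name):
    """Lower-case and strip the trailing dot so names compare equal."""
    return name.strip().rstrip(".").lower()

def final_target(name, cnames, max_hops=8):
    """Follow in-zone CNAME chains; return (target, hops), target None on a loop."""
    cur, hops = norm(name), []
    while cur in cnames:
        if cur in hops or len(hops) >= max_hops:
            return None, hops
        hops.append(cur)
        cur = cnames[cur]
    return cur, hops

def find_dangling(records, owned_endpoints):
    """records: (name, type, value) tuples from a zone export.
    owned_endpoints: hostnames of service resources you currently hold."""
    cnames = {norm(n): norm(v) for n, t, v in records if t.upper() == "CNAME"}
    owned = {norm(e) for e in owned_endpoints}
    findings = []
    for name in sorted(cnames):
        target, hops = final_target(name, cnames)
        if target is None:
            findings.append((name, "cname-loop", hops[-1]))
        elif target.endswith(THIRD_PARTY_SUFFIXES) and target not in owned:
            findings.append((name, "unowned-target", target))
    return findings

ZONE = [  # constructed zone export
    ("promo.yourcompany.com.", "CNAME", "campaign.yourcompany.com."),
    ("campaign.yourcompany.com.", "CNAME", "promo-2023.s3.amazonaws.com."),
    ("docs.yourcompany.com.", "CNAME", "yourcompany.github.io."),
    ("www.yourcompany.com.", "A", "192.0.2.10"),
    ("shop.yourcompany.com.", "CNAME", "Shop-Prod.herokuapp.com"),
]
OWNED = ["yourcompany.github.io", "shop-prod.herokuapp.com"]  # constructed inventory

if __name__ == "__main__":
    for name, reason, target in find_dangling(ZONE, OWNED):
        print(f"{name}: {reason} -> {target}")
```

Each finding maps to the two remediation options named above: remove the DNS record or reclaim the service endpoint.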
Connect your DNS provider for automatic subdomain synchronization
Authenticate using a Cloudflare API token with Zone:Read permissions. Automatically import all zones and subdomains under your account. Continuous sync ensures new DNS records are detected within 5 minutes of creation in the Cloudflare dashboard.
Setup time: 2 minutes | Auto-sync: Every 5 minutes
Connect using an IAM role with route53:ListHostedZones and route53:ListResourceRecordSets permissions. Supports multiple AWS accounts and all hosted zone types (public and private). Pulls complete zone files including alias records and weighted routing policies.
Setup time: 3 minutes | Auto-sync: Every 10 minutes
Authenticate with a service account that has dns.managedZones.list and dns.resourceRecordSets.list permissions. Import subdomains across multiple GCP projects. Supports DNSSEC-enabled zones and Cloud DNS integration with GKE.
Setup time: 3 minutes | Auto-sync: Every 10 minutes
Connect using a service principal with the Reader role on DNS zones. Supports both Azure DNS and Azure Private DNS zones. Automatically discovers subdomains across all subscriptions in your tenant with proper RBAC permissions.
Setup time: 4 minutes | Auto-sync: Every 10 minutes
DNS provider integration is optional. You can add domains manually and use our active discovery methods instead. Integrations provide the advantage of guaranteed completeness—every subdomain in your DNS zones is monitored without enumeration gaps.
All API credentials are encrypted at rest using AES-256. We never make modifications to your DNS records.
Monitor development, staging, and QA subdomains. Ensure test environments don't leak sensitive data and maintain proper access controls.
Identify dangling CNAME records before attackers exploit them. Detect forgotten subdomains pointing to decommissioned cloud resources.
Keep your DNS zone clean by identifying orphaned records. Remove subdomains for retired services and consolidate redundant entries.
Maintain accurate subdomain inventory for compliance frameworks (SOC 2, ISO 27001). Generate audit reports showing all internet-facing assets.
Use consistent subdomain naming patterns (env-service-region.domain.com). This makes it easier to identify legitimate subdomains and spot unauthorized additions. Document your naming schema and enforce it through deployment pipelines and infrastructure-as-code.
Create processes for subdomain creation, modification, and retirement. Require approval workflows for new subdomains. When decommissioning services, ensure DNS records are removed simultaneously—not left dangling for later cleanup.
Conduct quarterly reviews of all subdomains to identify candidates for retirement. Remove DNS records for development projects that ended, marketing campaigns that concluded, or test environments no longer needed. Unused subdomains represent unnecessary attack surface.
Set monitoring frequency based on your change velocity. High-traffic production environments may need hourly scans, while stable infrastructure can use daily scans. Configure different alert severities: critical for takeovers, high for SSL expiration, medium for DNS changes.
Export regular reports showing all discovered subdomains, their purpose, owner/team, and criticality. This inventory becomes essential for incident response, audit compliance, and merger/acquisition due diligence. Update documentation when organizational changes occur.
Periodically create intentionally vulnerable test subdomains pointing to deprovisioned services (in controlled environments). Verify your monitoring detects them within expected timeframes. Use these tests to validate alert routing and team response procedures.
Capability | Manual Tools (Sublist3r, Amass) | bspeka Subdomain Monitoring |
---|---|---|
Initial subdomain discovery | ✓ One-time scan | ✓ Automated + continuous |
Ongoing monitoring | ✗ Requires manual re-scanning | ✓ Scheduled automatic scans |
Change detection | ✗ Manual comparison needed | ✓ Automatic alerts on changes |
Subdomain takeover detection | ✗ Manual verification required | ✓ Automated vulnerability checks |
SSL certificate monitoring | ✗ Not included | ✓ Expiration tracking + alerts |
DNS provider integration | ✗ Not available | ✓ Cloudflare, Route 53, Azure DNS |
Historical tracking | ✗ No change history | ✓ Complete audit logs |
Team collaboration | ✗ Local tool output only | ✓ Multi-user dashboard |
Setup time | Manual configuration required | 15 minutes to production |
Free plan includes 1 domain with weekly scans. Professional plan offers 10 domains with continuous monitoring for €99/month.