How to Find Subdomains of a Domain?

Subdomains are separate sections of a primary domain (e.g., mail.yourbrand.ae, api.yourbrand.ae), each potentially pointing to a different server, application, or service. As a UAE-accredited .ae domain registrar since 2008, we at AEserver see firsthand how businesses in the UAE build out complex subdomain structures, and how many forget to clean them up. Orphaned staging environments, exposed dev panels, and dangling DNS records are far more common than most domain owners realize.

Whether you’re auditing your own .ae domain’s infrastructure, conducting authorized security research, or simply want to understand what’s publicly visible about your online presence, this guide covers practical, hands-on methods with real commands for Linux and Windows.

Why Subdomain Auditing Matters for .ae Domain Owners

When we manage DNS for thousands of .ae domains at AEserver, we regularly encounter the same patterns. A business launches staging.company.ae during development, migrates to production, and never removes the staging subdomain. Six months later, that forgotten environment, running outdated software with no SSL, becomes a liability.

Here’s why every .ae domain owner should periodically audit their subdomains:

Method 1. Google Dorks, Search Engine Operators

The fastest approach that requires zero installation. Google indexes subdomains, and you can surface them using advanced search operators. This works especially well for .ae domains since they tend to have fewer pages indexed than .com domains, making the results more focused.

Open Google and type:

site:yourbrand.ae -www

The site: operator restricts results to a specific domain, and -www excludes the main subdomain so only the others show up.

For more precise results, keep adding known subdomains as exclusions:

site:yourbrand.ae -www -shop -blog

Every time you discover a known subdomain, add it with a minus sign to force Google to reveal new results.

site:yourbrand.ae inurl:admin
site:yourbrand.ae inurl:api
site:yourbrand.ae inurl:dev
site:yourbrand.ae inurl:staging

Method 2. Certificate Transparency (crt.sh), SSL Certificate Logs

Every SSL/TLS certificate is recorded in public Certificate Transparency logs. The service crt.sh lets you search these logs and find subdomains that have ever been issued a certificate. This is particularly revealing for .ae domains, if you’ve ever ordered an SSL certificate for a subdomain, it’s in these logs permanently, even after the certificate expires.

Navigate to the following URL, replacing the domain:

The %25 is the URL-encoded % wildcard character. You’ll get a table of all certificates ever issued for subdomains of that domain.

curl -s "https://crt.sh/?q=%25.yourbrand.ae&output=json" | jq -r '.[].name_value' | sort -u

This sends a request to the crt.sh JSON API, extracts the name_value field (certificate hostnames) via jq, and outputs a unique sorted list.

(Invoke-RestMethod "https://crt.sh/?q=%25.yourbrand.ae&output=json").name_value | Sort-Object -Unique

Method 3. DNS Utilities, nslookup, dig, host

Classic DNS tools built into the OS let you verify specific subdomains and attempt DNS zone transfers.

dig mail.yourbrand.ae +short

host mail.yourbrand.ae

nslookup mail.yourbrand.ae

Resolve-DnsName mail.yourbrand.ae

If the subdomain exists, you’ll get an IP address back. If not, the response will be NXDOMAIN.

A zone transfer requests a full copy of the DNS zone. If the server is misconfigured, it will hand over the entire record list, including all subdomains.

dig NS yourbrand.ae +short

dig AXFR yourbrand.ae @ns1.yourbrand.ae

nslookup -type=NS yourbrand.ae
nslookup -type=AXFR yourbrand.ae ns1.yourbrand.ae

dig yourbrand.ae ANY +noall +answer

Resolve-DnsName yourbrand.ae -Type ANY

MX, TXT, SRV, and CNAME records frequently contain subdomain names in their values. For instance, your MX records might reveal mail.yourbrand.ae, and TXT records for email verification often reference specific subdomains.

Method 4. Online Reconnaissance Services

Specialized services aggregate data from multiple sources, DNS, certificates, search indexes, archives, and return a ready-made subdomain list. These are especially convenient if you want quick results without installing anything.

Method 5. Subdomain Brute-Forcing, Automated Enumeration

Brute-forcing means trying possible subdomain names from a wordlist. The tool prepends each word to the domain and checks whether DNS resolves it.

One of the best tools available, fast, quiet, and leverages dozens of passive sources.

go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

subfinder -d yourbrand.ae -o subdomains.txt

subfinder -d yourbrand.ae -v -o subdomains.txt

A powerful OWASP tool that combines passive collection, DNS brute-forcing, and certificate analysis.

sudo apt install amass          # Linux
brew install amass               # macOS
choco install amass              # Windows via Chocolatey

amass enum -passive -d yourbrand.ae -o amass-results.txt

amass enum -active -d yourbrand.ae -brute -o amass-results.txt

If you don’t want to install specialized utilities, you can use built-in OS tools:

for sub in www mail ftp admin dev staging api blog shop test portal vpn webmail cpanel; do
  host $sub.yourbrand.ae | grep "has address" && echo "[+] $sub.yourbrand.ae found"
done

$subs = "www","mail","ftp","admin","dev","staging","api","blog","shop","test","portal","vpn","webmail","cpanel"
foreach ($s in $subs) {
  try {
    $r = Resolve-DnsName "$s.yourbrand.ae" -ErrorAction Stop
    Write-Host "[+] $s.yourbrand.ae → $($r.IPAddress)" -ForegroundColor Green
  } catch { }
}

Method 6. Reverse DNS & WHOIS Analysis

If you know the IP address or IP range of the target organization, you can discover subdomains through reverse DNS lookups.

dig -x 93.184.216.34 +short

host 93.184.216.34

nslookup 93.184.216.34

Resolve-DnsName 93.184.216.34 -Type PTR

for ip in $(seq 1 254); do
  host 93.184.216.$ip | grep "domain name pointer" | grep ".ae"
done

whois yourbrand.ae

whois 93.184.216.34

WHOIS reveals the owning organization and its allocated IP blocks. You can then run mass reverse DNS across those blocks. You can also use the AEserver WHOIS Lookup tool for a quick browser-based check.

Method 7. Web Archives & Historical Data

Even if a subdomain is no longer live, it may have been indexed in the past. Web archives preserve that data.

curl -s "http://web.archive.org/cdx/search/cdx?url=*.yourbrand.ae&output=text&fl=original&collapse=urlkey" | sed 's|https\?://||' | cut -d'/' -f1 | sort -u

This queries the Wayback Machine index for all URLs matching *.yourbrand.ae, extracts the hostnames, and outputs unique values.

go install github.com/tomnomnom/waybackurls@latest

echo "yourbrand.ae" | waybackurls | unfurl domains | sort -u

At securitytrails.com, enter the domain and navigate to the Historical Data section. It shows every DNS record that has ever existed, including deleted subdomains. This is particularly useful if your .ae domain has been through hosting migrations, old records from previous providers often linger.

Method 8. HTTP Header & Content Analysis

The website itself often leaks its own subdomains through HTTP headers, JavaScript files, and HTML source code.

curl -sI https://yourbrand.ae | grep -iE "location|content-security-policy|link"

Headers like Content-Security-Policy, Location (redirects), and Link frequently reference subdomains, CDNs, APIs, static assets.

curl -s https://yourbrand.ae | grep -oP '[a-zA-Z0-9._-]+\.yourbrand\.ae' | sort -u

curl -s https://yourbrand.ae | grep -oP 'src="[^"]*\.js"' | while read js; do
  curl -s "https://yourbrand.ae$js" | grep -oP '[a-zA-Z0-9._-]+\.yourbrand\.ae'
done | sort -u

Combined Approach, Maximum Coverage

No single method provides 100% results. The best approach is combining several tools and then merging and verifying the output.

#!/bin/bash
DOMAIN="yourbrand.ae"
OUTPUT="all-subs-$DOMAIN.txt"

# Source 1: crt.sh
curl -s "https://crt.sh/?q=%25.$DOMAIN&output=json" | jq -r '.[].name_value' >> $OUTPUT

# Source 2: Subfinder
subfinder -d $DOMAIN -silent >> $OUTPUT

# Source 3: Wayback Machine
curl -s "http://web.archive.org/cdx/search/cdx?url=*.$DOMAIN&output=text&fl=original&collapse=urlkey" | cut -d'/' -f3 >> $OUTPUT

# Deduplicate and sort
sort -u $OUTPUT -o $OUTPUT
echo "Unique subdomains found: $(wc -l < $OUTPUT)"

After collecting the list, you need to check which discovered subdomains actually respond:

go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest

cat all-subs-yourbrand.ae.txt | httpx -silent -status-code -title

The httpx utility probes each subdomain over HTTP/HTTPS and displays the response code and page title. This lets you quickly identify live services, admin panels, and forgotten applications.

Get-Content subdomains.txt | ForEach-Object {
  try {
    $r = Invoke-WebRequest "http://$_" -TimeoutSec 3 -UseBasicParsing -ErrorAction Stop
    Write-Host "[+] $_ → $($r.StatusCode)" -ForegroundColor Green
  } catch { }
}

What to Do After You Find Your Subdomains

Discovering subdomains is only half the job. Here’s what you should do with the results:

Log into your cPanel or DNS Management Tool and delete A/CNAME records for subdomains you no longer use. This eliminates dangling DNS vulnerabilities.

Every active subdomain should have a valid SSL certificate. Consider a Wildcard SSL Certificate, it covers *.yourbrand.ae, so any current or future subdomain is automatically protected.

Subdomains like staging, dev, or admin should be IP-restricted or password-protected. If you’re on a Cloud VPS or Dedicated Server, configure firewall rules to whitelist only your office IPs.

Schedule a quarterly subdomain audit using the combined script above as part of your broader website security best practices. New subdomains can appear without your knowledge, especially in larger teams.

Summary