Subdomain Tab View

Updated
  • Updated on Nov 19, 2025
  • 3 minute(s) read
Prev Next

A wildcard subdomain, such as *.test.com, catches all unresolved queries under your apex domain, simplifying management but potentially masking shadow IT or takeover risks. Is it a tidy configuration, or a blind spot hiding rogue subdomains that are exploited for phishing? Manual crawls across DNS providers overlook these sprawls, inflating your unseen Attack Surface.

The Subdomains view lists all discovered subdomains for an apex or target domain, displaying structures such as wildcards and their corresponding resolutions in Total View. It lists entries (e.g., www.test.com, mail.test.com) with timelines and Raw Data, flagging special setups like wildcard records that resolve dynamically, empowering teams to map, monitor, and mitigate exposures from forgotten or malicious subs.

Available in Community and Enterprise editions, this view pulls data from Silent Push's Passive DNS (PADNS) integrations, complementing Dangling DNS for obsolete pointers and Infrastructure Variance for ownership drifts.

Subdomains balloon attack surfaces: attackers register lookalikes for brand abuse or pivot via wildcards to unmonitored hosts. It provides exhaustive inventories with change tracking, enabling SOCs to spot anomalies such as sudden *.test.com spikes that signal enumeration scans. It aids risk scoring; e.g., 28 subs on test.com might include five high-risk wildcards, streamlining audits and hygiene for resource-strapped defenders.

Teams tie findings to compliance (e.g., GDPR subdomain scopes) or threat hunts, correlating wildcards with PADNS histories to trace resolutions back to benign versus suspicious IPs, which is crucial for IR playbooks or Vendor assessments.

How It Works

Silent Push's aggregation engine harvests subdomain data from global DNS queries and passive sources, compiling lists without third-party silos. The Domain Wide View toggle expands scans to capture wildcard impacts across the apex (e.g., resolving *.test.com queries to reveal hidden subs like invalid-ns.test.com). Wildcards are directly tied to PADNS, generating broad resolutions logged in passive DNS datasets. Silent Push cross-references these datasets to detect patterns, such as repeated hits on non-existent subdomains, flagging potential probes or misconfigurations.

Core fields track discovery timelines; filters refine by date or type. It interconnects views: A wildcard overlap might echo Dangling DNS lapses (e.g., unresolved *. entries), while feeding Threat Feeds to trigger alerts on new subs.

Generate a Sset of Results

Input a domain (e.g., test.com) in the search bar to open Total View, then click the Subdomains view. To refine your search, toggle Domain Wide View for wildcard expansions, apply filters (e.g., post-2025-08-15), and include raw data for TTLs/IPs.

Example

  • Query test.com in Subdomains: Total Results show 28 entries, with a note on the wildcard *.test.com) record; clickable for resolution details.

  • Domain Wide View reveals expansions like invalid-ns.test.com (First Seen: 2025-08-26 16:09:00, Last Seen: 2025-08-26 16:09:00), tied to a 30-day period scan.

  • The table ranks *.test.com first, expanding to PADNS logs of wildcard resolutions (e.g., querying sub.test.com resolves via *.), with a trend line noting 824 PADNS hits.

  • Hover the entry for notes: Description flags wildcard's role in masking 15 shadow subs, potentially vulnerable to enumeration TTPs.

Overview of test.com domain with subdomains and basic raw data options highlighted.

Fields

  • First Seen: The initial discovery date of the subdomain (e.g., 2025-08-26 16:09:00), which serves as a baseline for anchoring change-detection timelines.

  • Last Seen: The most recent observation (e.g., 2025-08-26 16:09:00), highlighting active vs. dormant subs, gaps might signal deprovisioning risks.

  • Query: The subdomain string (e.g., *.test.com), with wildcards expandable to show resolved variants via PADNS.

Subdomains view

The table view logs all entries with sortable attributes for triage. For sparse domains like example.io, it may return under 10 results.

It includes subdomains (e.g., mail.test.com), resolution types, and PTR (Pointer) records.

  • Expand for raw: Wildcard queries in blue, invalid resolutions in red.

  • Hover rows for expanded information: Resolution paths, TTL diffs, and pivot links to Whois or Web Search.

Use case

Map wildcards to PADNS to detect takeover attempts, such as *.test.com resolving to attacker-controlled IPs.

Subdomains results

  • The view supports bulk actions via Select All (e.g., Download CSV for audits), Basic Raw Data toggles for unfiltered IPs/TTTLs, and Clear Filters resets.

  • Enable Monitor for real-time alerts on additions, or Save To feeds/drafts for tracking wildcard evolutions. Integrate with a SIEM to detect subdomain bloom spikes.

Related articles