--- title: "Subdomain Tab View" slug: "subdomain-tabs" updated: 2025-12-22T15:56:45Z published: 2025-12-22T15:56:45Z canonical: "help.silentpush.com/subdomain-tabs" --- > ## Documentation Index > Fetch the complete documentation index at: https://help.silentpush.com/llms.txt > Use this file to discover all available pages before exploring further. # Subdomain Tab View A wildcard subdomain, such as `*.test.com,` catches all unresolved queries under your apex domain, simplifying management but potentially masking shadow IT or takeover risks. Is it a tidy configuration, or a blind spot hiding rogue subdomains that are exploited for phishing? Manual crawls across DNS providers overlook these sprawls, inflating your unseen Attack Surface. The Subdomains view lists all discovered subdomains for an apex or target domain, displaying structures such as wildcards and their corresponding resolutions in [Total View](/v1/docs/total-view). It lists entries (e.g., `www.test.com`, `mail.test.com`) with timelines and Raw Data, flagging special setups like wildcard records that resolve dynamically, empowering teams to map, monitor, and mitigate exposures from forgotten or malicious subs. Available in Community and Enterprise editions, this view pulls data from Silent Push's Passive DNS (PADNS) integrations, complementing Dangling DNS for obsolete pointers and Infrastructure Variance for ownership drifts. Subdomains balloon attack surfaces: attackers register lookalikes for brand abuse or pivot via wildcards to unmonitored hosts. It provides exhaustive inventories with change tracking, enabling SOCs to spot anomalies such as sudden `*.test.com` spikes that signal enumeration scans. It aids risk scoring; e.g., 28 subs on test.com might include five high-risk wildcards, streamlining audits and hygiene for resource-strapped defenders. Teams tie findings to compliance (e.g., GDPR subdomain scopes) or threat hunts, correlating wildcards with [PADNS](/v1/docs/passive-dns-queries-1) histories to trace resolutions back to benign versus suspicious IPs, which is crucial for IR playbooks or Vendor assessments. ## How It Works Silent Push's aggregation engine harvests subdomain data from global DNS queries and passive sources, compiling lists without third-party silos. The Domain Wide View toggle expands scans to capture wildcard impacts across the apex (e.g., resolving *.test.com queries to reveal hidden subs like invalid-ns.test.com). Wildcards are directly tied to PADNS, generating broad resolutions logged in passive DNS datasets. Silent Push cross-references these datasets to detect patterns, such as repeated hits on non-existent subdomains, flagging potential probes or misconfigurations. Core fields track discovery timelines; filters refine by date or type. It interconnects views: A wildcard overlap might echo Dangling DNS lapses (e.g., unresolved *. entries), while feeding Threat Feeds to trigger alerts on new subs. ## Generate a Set of Results Input a domain (e.g., test.com) in the search bar to open Total View, then click the Subdomains view. To refine your search, toggle [Domain Wide View](/v1/docs/domain-wide-view) for wildcard expansions, apply filters (e.g., post-2025-08-15), and include raw data for TTLs/IPs. ## Example - **Query test.com in Subdomains**: Total Results show 28 entries, with a note on the wildcard `*.test.com`) record; clickable for resolution details. - **Domain Wide View** reveals expansions like invalid-ns.test.com (First Seen: 2025-08-26 16:09:00, Last Seen: 2025-08-26 16:09:00), tied to a 30-day period scan. - The **table** ranks `*.test.com` first, expanding to PADNS logs of wildcard resolutions (e.g., querying `sub.test.com` resolves via `*`.), with a trend line noting 824 PADNS hits. - **Hover the entry for notes**: Description flags wildcard's role in masking 15 shadow subs, potentially vulnerable to enumeration TTPs. ![Overview of test.com domain with subdomains and basic raw data options highlighted.](https://cdn.document360.io/8e5460b3-9d96-4b01-8bb3-6591a4af3a8c/Images/Documentation/subdomain(1).jpg) ## Fields - **First Seen**: The initial discovery date of the subdomain (e.g., 2025-08-26 16:09:00), which serves as a baseline for anchoring change-detection timelines. - **Last Seen**: The most recent observation (e.g., 2025-08-26 16:09:00), highlighting active vs. dormant subs, gaps might signal deprovisioning risks. - **Query**: The subdomain string (e.g., `*.test.com`), with wildcards expandable to show resolved variants via PADNS. ## Subdomains view The table view logs all entries with sortable attributes for triage. For sparse domains like `example.io`, it may return under 10 results. It includes subdomains (e.g., `mail.test.com`), resolution types, and PTR (Pointer) records. - **Expand for raw**: Wildcard queries in blue, invalid resolutions in red. - **Hover rows for expanded information**: Resolution paths, TTL diffs, and pivot links to Whois or [Web Search](/v1/docs/web-search). ## Use case Map wildcards to PADNS to detect takeover attempts, such as `*.test.com` resolving to attacker-controlled IPs. ## Subdomains results - The view supports bulk actions via **Select All** (e.g., Download CSV for audits), Basic Raw Data toggles for unfiltered IPs/TTTLs, and Clear Filters resets. - Enable [Monitor](/v1/docs/monitoring) for real-time alerts on additions, or Save To feeds/drafts for tracking wildcard evolutions. Integrate with a SIEM to detect subdomain bloom spikes. The total set of vulnerabilities and entry points in a system or network that could be exploited by an attacker, including software, hardware, and network configurations. Unprocessed query results in JSON format, containing detailed threat intelligence data for further analysis or integration. A dataset of historical DNS query and response records used to map domain-to-IP relationships, track infrastructure changes, and identify malicious activity. Unresolved or misconfigured DNS records that can be exploited by attackers to redirect traffic or host malicious content. The entity or organization that owns or provides a threat intelligence feed, identified as the source of the data. The date when a domain was first observed in DNS zone files, providing insight into its age and potential trustworthiness in threat intelligence analysis. The most recent date a domain appeared in zone files, indicating its ongoing presence or activity in DNS records. Publicly available data collected during domain registration or DNS updates, used to analyze domain ownership and history.