Subdomain tab

New
  • Updated on Oct 27, 2025
  • 3 minute(s) read
Prev Next

A wildcard subdomain like *.test.com catches all unresolved queries under your apex domain, simplifying management but potentially masking shadow IT or takeover risks. Is it a tidy config, or a blind spot hiding rogue subdomains exploited for phishing? Manual crawls across DNS providers overlook these sprawls, inflating your unseen Attack Surface.

The Subdomains tab enumerates all discovered subdomains for an apex or target domain, surfacing structures like wildcards and their resolutions in Total View. It lists entries (e.g., www.test.com, mail.test.com) with timelines and Raw Data, flagging special setups like wildcard records that resolve dynamically, empowering teams to map, monitor, and mitigate exposures from forgotten or malicious subs.

Available for domains in Community and Enterprise editions, this tab pulls from Silent Push's Passive DNS (PADNS) integrations, complementing Dangling DNS for obsolete pointers and Infrastructure Variance for ownership drifts.

Why is it useful?

Subdomains balloon attack surfaces: attackers register lookalikes for brand abuse or pivot via wildcards to unmonitored hosts. This tab delivers exhaustive inventories with change tracking, letting SOCs spot anomalies like sudden *.test.com spikes signaling enumeration scans. It aids risk scoring; e.g., 28 subs on test.com might include five high-risk wildcards, streamlining audits and hygiene for resource-strapped defenders.

Teams tie findings to compliance (e.g., GDPR subdomain scopes) or threat hunts, correlating wildcards with PADNS histories to trace resolutions back to benign vs. suspicious IPs, crucial for IR playbooks or Vendor assessments.

How does it work?

Silent Push's aggregation engine harvests subdomain data from global DNS queries and passive sources, compiling lists without third-party silos. The Domain Wide View toggle expands scans to capture wildcard impacts across the apex (e.g., resolving *.test.com queries to reveal hidden subs like invalid-ns.test.com). Wildcards tie directly to PADNS: They generate broad resolutions logged in passive DNS datasets, where Silent Push cross-references to detect patterns like repeated hits on non-existent subs, flagging potential probes or misconfigs.

Core fields track discovery timelines; filters refine by date or type. It interconnects tabs: A wildcard overlap might echo Dangling DNS lapses (e.g., unresolved *. entries), while feeding Threat Feeds for alert triggers on new subs.

Generate a set of results

Input a domain (e.g., test.com) in the search bar to open Total View, then click the Subdomains tab. To refine your search, toggle Domain Wide View for wildcard expansions, apply filters (e.g., post-2025-08-15), and include raw data for TTLs/IPs.

Example

  • Query test.com in Subdomains: Total Results show 28 entries, with a note on the wildcard *.test.com) record; clickable for resolution details.

  • Domain Wide View reveals expansions like invalid-ns.test.com (First Seen: 2025-08-26 16:09:00, Last Seen: 2025-08-26 16:09:00), tied to a 30-day period scan.

  • The table ranks *.test.com first, expanding to PADNS logs of wildcard resolutions (e.g., querying sub.test.com resolves via *.), with a trend line noting 824 PADNS hits.

  • Hover the entry for notes: Description flags wildcard's role in masking 15 shadow subs, potentially vulnerable to enumeration TTPs.

Overview of test.com domain with subdomains and basic raw data options highlighted.

Fields

  • First Seen: The initial discovery date for the subdomain (e.g., 2025-08-26 16:09:00), which serves as a baseline for anchoring timelines for change detection.

  • Last Seen: The most recent observation (e.g., 2025-08-26 16:09:00), highlighting active vs. dormant subs, gaps might signal deprovisioning risks.

  • Query: The subdomain string (e.g., *.test.com), with wildcards expandable to show resolved variants via PADNS.

Subdomains view

The table view logs all entries with sortable attributes for triage. For sparse domains like example.io, it may return under 10 results.

It includes subnames (e.g., mail.test.com), resolution types, and PADNS ties.

  • Expand for raw: Wildcard queries in blue, invalid resolutions in red.

  • Hover rows for expanded information: Resolution paths, TTL diffs, and pivot links to Whois or Web Search.

Use case

Map wildcards to PADNS to detect takeover attempts, such as *.test.com resolving to attacker-controlled IPs.

Subdomains results

  • The tab supports bulk actions via Select All (e.g., Download CSV for audits), Basic Raw Data toggles for unfiltered IPs/TTTLs, and Clear Filters resets.

  • Enable Monitor for real-time alerts on additions, or Save To feeds/drafts for tracking wildcard evolutions. Integrate with SIEM for subdomain bloom spikes.