Subfinder is a subdomain discovery tool made by Project Discovery, the following cheat sheet provides and overview of the command flags for Subfinder and common commamnd examples for real world usage.

Install Subfinder

go install -v[email protected]
Configure API Keys

Subfinder works straight after install, however with API keys (even a free key) will improve passive subdomain results.

Subfinder Flags & Syntax

root:~# subfinder -h

Flag Description

-d, -domain string[]

domains to find subdomains for

-dL, -list string

file containing list of domains for subdomain discovery

-s, -sources string[]

specific sources to use for discovery (-s crtsh,github). Use -ls to display all available sources.


use only sources that can handle subdomains recursively (e.g. subdomain.domain.tld vs domain.tld)


use all sources for enumeration (slow)

-es, -exclude-sources string[]

sources to exclude from enumeration (-es alienvault,zoomeye)

-m, -match string[]

subdomain or list of subdomain to match (file or comma separated)

-f, -filter string[]

subdomain or list of subdomain to filter (file or comma separated)

-rl, -rate-limit int

maximum number of http requests to send per second

-t int

number of concurrent goroutines for resolving (-active only) (default 10)

-o, -output string

file to write output to

-oJ, -json

write output in JSONL(ines) format

-oD, -output-dir string

directory to write output (-dL only)

-cs, -collect-sources

include all sources in the output (-json only)

-oI, -ip

include host IP in output (-active only)

-config string

flag config file (default "$HOME/.config/subfinder/config.yaml")

-pc, -provider-config string

provider config file (default "$HOME/.config/subfinder/provider-config.yaml")

-r string[]

comma separated list of resolvers to use

-rL, -rlist string

file containing list of resolvers to use

-nW, -active

display active subdomains only

-proxy string

http proxy to use with subfinder

-ei, -exclude-ip

exclude IPs from the list of domains


show only subdomains in output


show version of subfinder


show verbose output

-nc, -no-color

disable color in output

-ls, -list-sources

list all available sources

-timeout int

seconds to wait before timing out (default 30)

-max-time int

minutes to wait for enumeration results (default 10)

Example Subfinder Commands

Find Subdomains Single Domain

Find subdomains for a single domain with subfinder:

subfinder -d

               __    _____           __
   _______  __/ /_  / __(_)___  ____/ /__  _____
  / ___/ / / / __ \/ /_/ / __ \/ __  / _ \/ ___/
 (__  ) /_/ / /_/ / __/ / / / / /_/ /  __/ /
/____/\__,_/_.___/_/ /_/_/ /_/\__,_/\___/_/ v2.5.1

Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for
[INF] Found 27 subdomains for in 30 seconds 33 milliseconds

Verify Subfinder Results With HTTPX

Chain up other tools within your workflow, such as verifying targets have web servers using HTTPX:

echo | subfinder -silent | httpx -silent

Subfinder + Naabu Portscan

echo | subfinder -silent | naabu -silent