Find subdomains of any domain using Certificate Transparency logs (crt.sh).
The Subdomain Finder on 101IP discovers subdomains of any domain by querying the public Certificate Transparency log database via crt.sh. No active scanning — all data comes from publicly issued SSL certificates.
Certificate Transparency (CT) is an open standard requiring all trusted Certificate Authorities to publish every issued SSL/TLS certificate in public append-only logs. This allows discovering subdomains that have ever had a certificate issued for them.
This tool only shows subdomains that have had a public SSL certificate issued. Subdomains without HTTPS or with self-signed certificates are not recorded in CT logs. For comprehensive enumeration, combine CT logs with DNS brute-forcing and other OSINT techniques.
Simply enter the domain you are interested in at https://101ip.ru/en/subdomains/ and click "Find". The service automatically queries Certificate Transparency logs covering the past several years and displays all discovered subdomains. No account, paid subscription, or software installation is required — it is completely free and works in one click.
The tool only finds subdomains for which an SSL certificate was ever issued and recorded in public Certificate Transparency logs. If a subdomain runs exclusively over HTTP (without HTTPS) or uses a self-signed certificate, it will not appear in the results. That said, more than 90% of modern websites use HTTPS, so the method remains highly effective.
Yes, that is one of the primary use cases. By finding all subdomains, you can check whether any forgotten test sections (test.example.com, dev.example.com) that could be compromised are still active. After getting the list, it is recommended to verify each subdomain through the SSL checker and DNS records tools to confirm correct certificate configuration and the absence of dangling A records.