Subdominator: CLI tool for detecting subdomain takeovers


Meet Subdominator, your new favorite CLI tool for detecting subdomain takeovers. It’s designed to be fast, accurate, and dependable, offering a significant improvement over other available tools.

Benchmark 📊

A benchmark was run across ~100,000 subdomains to compare performance with other popular tools

Tool Threads Time Taken
Subdominator 50 19 minutes, 8 seconds
Subjack 50 2 hours, 30 minutes, 2 seconds
Subdover 50 2 hours, 33 minutes, 27 seconds

Key Features 🔥

  • Advanced DNS Matching: Supports DNS matching for CNAME, A, and AAAA records.
  • Recursive DNS Queries: Performs in-depth queries to enhance accuracy and reduce false positives.
  • Intelligent Domain Matching: Uses a custom public_suffix_list.dat for more effective domain matching.
  • Domain Registration Detection: Checks for unregistered domains, with a more reliable method compared to other tools.
  • High-Speed Performance: Achieves faster results through intelligent DNS record matching.
  • Vetted Ruleset: Includes a thoroughly reviewed and updated ruleset.
  • Comprehensive Detection: Capable of identifying takeovers missed by other tools.
  • Validation: Dynamic takeover validation modules to check beyond fingerprints.

Feature Comparison 🥊

Feature Subdominator Subjack Subdover
Advanced DNS Matching
Recursive DNS Queries
Intelligent Domain Matching
Domain Registration Detection
High-Speed Performance
Vetted and Updated Ruleset
Comprehensive Detection
Custom Fingerprint Support
Fingerprints 97 35 80


The fingerprints and services are dynamically pulled from the CanITakeOverXYZ repo as a source of truth. To fill in the gaps and correct incorrect fingerprints, this tool also has its own custom fingerprints list which is used in conjunction.

Below is the current list of services supported, to ignore edge cases use the -eu flag.

Service Status
Acquia Edge case
ActiveCampaign Vulnerable
Aftership Vulnerable
Agile CRM Vulnerable
Aha Vulnerable Vulnerable
Amazon Cognito Vulnerable
Anima Vulnerable
Announcekit Vulnerable
Apigee Vulnerable Vulnerable
AWS/Elastic Beanstalk Vulnerable
AWS/S3 Vulnerable
Better Uptime Vulnerable
BigCartel Vulnerable
Bitbucket Vulnerable Vulnerable
Brandpad Vulnerable
Brightcove Vulnerable Vulnerable
Campaign Monitor Vulnerable
Canny Vulnerable
Cargo Collective Vulnerable
ConvertKit Vulnerable Vulnerable
Digital Ocean Vulnerable
Discourse Vulnerable
EasyRedir Vulnerable
Fastly Edge case
Flexbe Edge Case
Flywheel Vulnerable
Frontify Edge case
Gemfury Vulnerable
GetCloudApp Vulnerable
Getresponse Vulnerable
Ghost Vulnerable
Gitbook Vulnerable
Github Edge case
HatenaBlog Vulnerable
Help Juice Vulnerable
Help Scout Vulnerable
Helprace Vulnerable
Heroku Edge case
Instapage Edge case
Intercom Edge case
JazzHR Edge Case
JetBrains Vulnerable
Kajabi Vulnerable
Landingi Edge case
LaunchRock Vulnerable Vulnerable
Mashery Edge case
Meteor Cloud (Galaxy) Vulnerable
Microsoft Azure Vulnerable
Netlify Edge case
Ngrok Vulnerable
Pagewiz Vulnerable
Pantheon Vulnerable
Pingdom Vulnerable
Proposify Vulnerable Vulnerable
Readthedocs Vulnerable
Refined Vulnerable
Shopify Edge case Vulnerable
SimpleBooklet Vulnerable
SmartJobBoard Vulnerable
Smartling Edge case
Smugsmug Vulnerable
Softr Vulnerable
Sprintful Vulnerable
Strikingly Vulnerable Vulnerable
Surveygizmo Vulnerable
SurveySparrow Vulnerable
Tave Vulnerable
Teamwork Vulnerable
Thinkific Vulnerable
Tictail Vulnerable
Tilda Edge case
Tribe Vulnerable
Tumblr Edge case
Uberflip Vulnerable
Unbounce Edge case
Uptimerobot Vulnerable
UseResponse Vulnerable
UserVoice Edge case
Vend Vulnerable
Vercel Edge case
Webflow Edge case
Wishpond Vulnerable
Wix Edge case
WordPress Vulnerable
Worksites Vulnerable
Wufoo Vulnerable
Zendesk Edge case
Zoho Forms Vulnerable
Zoho Forms India Vulnerable

Install & Use