Subdomain enumeration

Usage

We know many security researchers want to keep their current workflow and just use Profundis as a subdomain enumeration tool. We tried to make the usage of this feature as simple as possible.

You can perform a subdomain enumeration

Directly from the web UI and get a CSV, JSON or TXT file ;
Using a curl request (see below).

warning

The subdomains enumeration API endpoint returns all the subdomains for a given domain. Enumeration costs 1 credit per 100 subdomains returned (rounded up), and free accounts are capped at 300 subdomains per enumeration — see Credits. To avoid spending credits on a larger result set than you expected, use the estimate mode (≈1 credit) to preview the count first, or cap the response with the limit parameter.

You can use the following curl command. Replace example.com by the domain of your choice. The domain parameter accepts domain names (e.g. example.com), not wildcard values (e.g. *.example.com). Note that you can also specify subdomains like api.domain.com if you expect to see other subdomains behind this value like sub.api.domain.com.

See how to generate an API key here.

API_KEY=xxx

curl "https://api.profundis.io/api/v2/common/data/subdomains" \
  -H "X-API-KEY: $API_KEY" \
  -H "Accept: text/event-stream" \
  -N \
  -X POST \
  -d '{
    "domain": "example.com"
  }'

Controlling cost: `limit` and `estimate`

Because the cost depends on how many subdomains come back (ceil(returned / 100) credits), the endpoint accepts a limit parameter so you only pay for what you ask for. Set limit to a number to cap the response, or limit=max to pull everything. Billing is post-hoc on the rows actually returned, and the response is capped so you can never spend more credits than your balance.

curl "https://api.profundis.io/api/v2/common/data/subdomains" \
  -H "X-API-KEY: $API_KEY" \
  -H "content-type: application/json" \
  -X POST \
  -d '{
    "domain": "example.com",
    "limit": 200
  }'

To preview how many subdomains a domain has before pulling them, add "estimate": true. The estimate costs about 1 credit and returns the count without streaming the results.

curl "https://api.profundis.io/api/v2/common/data/subdomains" \
  -H "X-API-KEY: $API_KEY" \
  -H "content-type: application/json" \
  -X POST \
  -d '{
    "domain": "example.com",
    "estimate": true
  }'

Frequent questions

The API returned less results than what I see in the UI

The DNS search UI page shows all DNS records and their historical resolutions (all IP addresses or hostnames for CNAMEs). However, when you use the subdomain enumeration API endpoint, we perform deduplication on the host value to provide clean output without duplicates.

What happens when I run out of credits?

The request is rejected with an HTTP 402 status and nothing is charged. The body is JSON formatted as below so you can easily detect it in your automated workflow. Buy a credit pack or wait for your next monthly reset to continue.

{"code":"Q2014","message":"You are out of credits."}

Usage​

Controlling cost: limit and estimate​

Frequent questions​

The API returned less results than what I see in the UI​

What happens when I run out of credits?​

Usage

Controlling cost: `limit` and `estimate`

Frequent questions

The API returned less results than what I see in the UI

What happens when I run out of credits?