How to Scan Common Subdomains on a Domain (API, Staging, Mail, and WWW)
You think you know a domain because the marketing site loads. Then someone on your team asks whether staging.brand.com is public, whether mail.brand.com still points at an old provider, or whether api.brand.com leaks a beta stack.
Full subdomain brute force is a different discipline. This guide covers the lite scan founders and operators actually need: a curated prefix list, public DNS A lookups, and honest limits.
BenOpt’s subdomain explorer runs that pass in one click.
Quick answer
Paste an apex like example.com. BenOpt probes a fixed list of common prefixes (www, api, staging, mail, and others) via Cloudflare DNS-over-HTTPS.
Answers found means IPv4 A records returned. Quiet response means no A answers in that probe, not proof the host will never exist.
Why a curated list beats a giant dictionary here
Attackers use huge wordlists. Product teams use a short mental model:
- www for marketing
- app or portal for logged-in experiences
- api for JSON traffic
- staging, stage, dev, test for pre-production
- mail, smtp, imap for email plumbing
- cdn, static, assets for delivery
If any of those answer on the public internet when you expected a single landing page, you have a process problem worth fixing.
The explorer intentionally caps count and concurrency so resolvers stay friendly.
Step-by-step workflow
- Open subdomain explorer.
- Enter the apex without a path.
- Click Scan prefixes.
- Sort mentally by Answers found first.
- For each active row, note the sample A values.
- Follow with DNS record lookup on interesting hosts for MX/TXT detail.
How to read the table
Prefix host
The leftmost label (api, not the full name).
Fully qualified probe
What BenOpt queried (api.example.com).
Signal
- Green tone: at least one A record
- Muted tone: no A in this probe
- Warning tone: resolver error or odd status
Sample A
Up to three IPv4 strings. Use them to see if traffic points at your CDN, a parking IP, or a cloud provider you recognize.
Quiet rows are not failures. Many companies simply never published those prefixes.
What this scan is not
- Not a certificate transparency inventory
- Not a security audit
- Not permission to hammer arbitrary wordlists against third parties
If you need compliance-grade attack surface management, export BenOpt results as a starting note and move to dedicated ASM tools.
Pairing with RDAP and ownership
Subdomains live in DNS zones controlled by whoever runs DNS for the apex. RDAP on the apex tells you who owns the registration, not every delegated child zone.
Still, if api.brand.com answers and you do not recognize the IP, check RDAP lookup on the apex and verify DNS control with your team.
Common situations
Marketing says we only use the root domain, but www answers
Decide whether to redirect www to apex or serve both. Document TLS certificates for both hosts.
staging answers on a production brand
That is a release-process red flag. Firewall it or authenticate it.
Mail hosts answer after you thought email moved
Update MX elsewhere or decommission stale A records.
Prefix list philosophy
BenOpt ships a fixed list so results stay comparable week to week. You always probe the same nouns, which makes diffs obvious when something new answers.
Typical categories in the list:
| Category | Examples | Why it matters |
|---|---|---|
| Web entry | www, web | Customer-facing routes |
| Product | app, portal, dashboard | Logged-in surfaces |
| API | api | JSON and mobile backends |
| Pre-prod | staging, stage, dev, test | Release risk |
| Email | mail, smtp, imap | Email infrastructure |
| Assets | cdn, static, assets | Delivery |
If you need custom words, export the workflow and run your own DNS scripts. The explorer is a baseline, not the ceiling.
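A starting point for such a script, covering the signal tones and the week-to-week diff described above. This is an added example, not BenOpt's code: the function names, the sample replies, the baseline, and the choice to treat NXDOMAIN as quiet are assumptions, and the endpoint is Cloudflare's public DoH JSON API.

```python
import json
import urllib.parse
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"  # Cloudflare's public DoH JSON endpoint
PREFIXES = ["www", "api", "staging", "mail"]      # the four prefixes in this page's title
def query_a(fqdn, timeout=5):
    """One live A lookup as DoH JSON (needs network; the sample run below does not use it)."""
    url = DOH_URL + "?" + urllib.parse.urlencode({"name": fqdn, "type": "A"})
    req = urllib.request.Request(url, headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def classify(doh):
    """Map a DoH JSON reply to (signal, sample_a). Assumed mapping: NXDOMAIN counts as quiet."""
    if doh.get("Status") not in (0, 3):   # 0 = NOERROR, 3 = NXDOMAIN; anything else is odd
        return "warning", []
    ips = [r["data"] for r in doh.get("Answer", []) if r.get("type") == 1]  # 1 = A, 5 = CNAME
    return ("active", ips[:3]) if ips else ("quiet", [])

def scan(apex, fetch=query_a):
    """Probe each prefix once, sequentially; return {prefix: (signal, sample_a)}."""
    results = {}
    for prefix in PREFIXES:
        try:
            results[prefix] = classify(fetch(f"{prefix}.{apex}"))
        except (OSError, ValueError):     # network failure or malformed JSON
            results[prefix] = ("warning", [])
    return results

def newly_active(previous, current):
    """Prefixes that answer now but were not active in the earlier scan."""
    return sorted(p for p, (sig, _) in current.items()
                  if sig == "active" and previous.get(p, ("quiet", []))[0] != "active")

# Constructed replies (documentation IPs, trimmed to the fields used), not live lookups.
SAMPLE = {
    "www.example.com": {"Status": 0, "Answer": [
        {"type": 5, "data": "edge.example.net."},
        {"type": 1, "data": "192.0.2.10"}]},
    "api.example.com": {"Status": 0, "Answer": [{"type": 1, "data": "198.51.100.7"}]},
    "staging.example.com": {"Status": 3},
    "mail.example.com": {"Status": 2},
}
LAST_WEEK = {"www": ("active", ["192.0.2.10"]), "api": ("quiet", [])}  # constructed baseline

if __name__ == "__main__":
    this_week = scan("example.com", fetch=SAMPLE.__getitem__)
    print(this_week, "new since last scan:", newly_active(LAST_WEEK, this_week))
```

Call `scan("your-apex.example")` with the default `fetch` to run live lookups against an apex you control, and store each result so the next run has a baseline to diff against.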
Before acquisition: scanning a target you do not own
Founders sometimes scan a competitor or a marketplace listing to understand exposure. Stay ethical: public DNS only, no authentication attempts, no port scanning beyond what this tool does.
You are answering “what is already visible,” not “how can I break in.”
Document findings as facts (“staging host resolves”) rather than accusations.
After migration: proving you cleaned up
Run the explorer after DNS migrations. Old mail or ftp hosts love to linger. Quiet rows after migration are good news. New active rows you did not create are tickets for your DNS admin.
IPv6 and dual-stack notes
This explorer focuses on IPv4 A records for a fast first signal. A host can be IPv6-only and appear quiet here while still being live on AAAA. If you suspect modern infra, follow with DNS lookup for AAAA on any prefix that matters to your security review.
FAQ
Why only A records?
Speed and clarity for a first pass. Follow with the DNS tool for other types.
Will you add AAAA?
Maybe later. IPv4 still answers the “is anything published?” question for many teams.
Can I scan someone else’s domain?
You are reading public DNS. Stay ethical: scan assets you own or have permission to assess.
Checklist after a scan
- Unexpected active prefixes documented
- IPs mapped to owners (CDN account, legacy VPS)
- Staging hosts authenticated or blocked
- Registrar and DNS panel access confirmed for the apex
What to do next
Run subdomain explorer on your production apex today. For registration context, add RDAP lookup.
BenOpt surfaces public resolver data. Operational security still belongs in your runbooks.