Introduction

A subdomain lookup returns every known subdomain of a root domain, hostnames such as blog.whoisfreaks.com or api.whoisfreaks.com, along with when each was first seen and last seen. It is not a WHOIS query. WHOIS, the protocol defined in RFC 3912, returns registration data for a registered domain. Subdomains are not registered on their own, so they have no WHOIS record. They are discovered through enumeration instead.

This guide covers what a subdomain lookup returns, three ways to run one with WhoisFreaks, how to read active versus inactive results, and why subdomain WHOIS is a misconception worth clearing up before you start.

In this guide you will learn:

Why subdomain WHOIS works differently from domain WHOIS
How to look up subdomains for any domain using the WhoisFreaks tool, API, or database
What subdomain lookup data returns, field by field
How active and inactive subdomains differ, and why the difference matters for security

What Is Subdomain WHOIS and How Is It Different from Domain WHOIS?

Subdomain WHOIS is a common misconception. Subdomains do not have their own WHOIS records.

When you register a domain such as whoisfreaks.com, its registrant, registrar, contact details, and expiry are stored in a WHOIS database. That record belongs to the root domain. Subdomains are added later through DNS records (A, CNAME, and others), not through registration, so no registry holds a separate WHOIS entry for them.

In the DNS hierarchy defined in RFC 1034, a subdomain is simply a domain contained within a larger one. blog.example.com sits under example.com, which sits under the .com top-level domain.

Domain Structure

TLD (top-level domain): .com, .org, .net
Root domain: example.com
Subdomain: blog.example.com, api.example.com

What People Mean by "Subdomain WHOIS"

The request usually points to one of two things:

Root domain WHOIS data: the registration record for the main domain, which you get by running a WHOIS lookup on the root domain, not the subdomain.
Subdomain enumeration data: the list of a domain's subdomains and their activity status, which comes from enumeration, not WHOIS.

Because subdomains leave traces across the public internet, enumeration pulls them from several sources at once: DNS records, Certificate Transparency logs, passive DNS, SSL/TLS certificates, and zone file analysis. No single source sees everything, so combining them gives the widest view.

Diagram showing the relationship between a root domain WHOIS record and its subdomains, clarifying that subdomains inherit root domain registration but have their own DNS entries

How to Look Up Subdomains for Any Domain: Step-by-Step Guide

There are 3 ways to perform a subdomain lookup with WhoisFreaks:

Free Web Tool - A quick subdomain checker for basic reconnaissance and security assessments.
Subdomains API - Enables automated subdomain scans and integration into security workflows and applications.
Subdomains Database - Provides enterprise-scale access for large-scale analysis and threat intelligence.

Using automated subdomain scanning helps streamline discovery and improves how security teams collect, integrate, and analyze subdomain data.

Method 1: Using the WhoisFreaks Subdomain Lookup Tool (Free)

The fastest way to enumerate subdomains for any domain is through the WhoisFreaks free web tool, which serves as a cloud-based subdomain checker and supports comprehensive subdomain search for security assessments, reconnaissance, and penetration testing.

Step 1 - Navigate to the Tool

Navigate to the WhoisFreaks Subdomain Lookup tool.

Step 2 - Enter the Root Domain

Type the root domain you want to enumerate into the search field. Always use the root domain, not a subdomain, as your input:

whoisfreaks.com

Step 3 - Apply Filters (Optional)

Before or after running the search, use the status filter to narrow results:

Active - shows only currently live subdomains
Inactive - shows only decommissioned or expired subdomains
All - returns the complete list regardless of status

Step 4 - Click Search

Click Search to run the lookup. The tool returns all known subdomains for the root domain from the WhoisFreaks subdomains dataset of 6.2B+ hostnames.

Step 5 - Review Your Results

Results are displayed in a structured list showing each subdomain, its active or inactive status, and its first-seen and last-seen timestamps.

Step 6 - Export Results

In addition to JSON and Formatted responses, users can also download the data as a CSV file from the Subdomain Lookup tool.

Screenshot of the WhoisFreaks Subdomain Lookup tool showing a sample domain with results list, status filters, and first-seen/last-seen timestamps visible.

Method 2: Using the WhoisFreaks Subdomains API (Programmatic)

For automation, security platform integration, or processing subdomains at scale, the Subdomains API is the right approach. This API allows you to automate subdomain scans, making it easy to integrate subdomain enumeration into your security workflows or website management processes.

Use the Subdomains Lookup API to retrieve each subdomain with its complete details such as first seen, last seen, and status. You can also retrieve sub-subdomains.

API Endpoint:

https://api.whoisfreaks.com/v1.0/subdomains?domain=whoisfreaks.com&before=2026-03-31&origin=whoisfreaks.com&after=2000-01-01&status=active&page=1&apiKey=YOUR_API_KEY

Key Parameters:

Parameter	Description	Example
domainName	The root domain to enumerate	whoisfreaks.com
apiKey	Your WhoisFreaks API key	YOUR_API_KEY
status	Filter by active or inactive	active
page	Page number for paginated results	1
before	Return records created before this date (YYYY-MM-DD)	2026-03-31
after	Return records created after this date (YYYY-MM-DD)	2000-01-01

Step 1: Create a Free Account

Create a free account now to get started. New accounts receive 500 free API credits with no credit card required.

Step 2: Access Your API Key

After signing in, navigate to API Solutions under PRODUCTS and then to the API Keys section. Your unique/primary API key will be displayed there. Copy it and store it securely.

WhoisFreaks billing dashboard showing the API Keys section where you copy your primary API key

For further details on account creation and getting the API key, you can follow tutorial: Getting Started with WhoisFreaks.

Step 3: Add Your API Key to Requests

Append your API key to every request as a query parameter:

?apiKey=YOUR_API_KEY

Base API URL:

https://api.whoisfreaks.com/

All endpoints are built on top of this base URL.Sample Response:

{
  "domain": "whoisfreaks.com",
  "status": true,
  "query_time": "2026-05-18T10:44:27.675881648",
  "current_page": 1,
  "total_pages": 1,
  "total_records": 38,
  "subdomains": [
    {
      "subdomain": "ghost.whoisfreaks.com",
      "first_seen": "2025-02-02",
      "last_seen": "2026-04-30"
    },
    {
      "subdomain": "dev.whoisfreaks.com",
      "first_seen": "2026-02-22",
      "last_seen": "2026-02-24"
    },
    {
      "subdomain": "website-test-1.whoisfreaks.com",
      "first_seen": "2026-02-07",
      "last_seen": "2026-02-28"
    },
    {
      "subdomain": "wfweb.whoisfreaks.com",
      "first_seen": "2026-02-07",
      "last_seen": "2026-02-19"
    },
    {
      "subdomain": "links.care.whoisfreaks.com",
      "first_seen": "2025-07-28",
      "last_seen": "2026-03-29"
    },
    {
      "subdomain": "blogs-cf-worker.whoisfreaks.com",
      "first_seen": "2025-02-13",
      "last_seen": "2026-02-20"
    },
    {
      "subdomain": "blogs.whoisfreaks.com",
      "first_seen": "2023-07-31",
      "last_seen": "2026-04-08"
    },
    {
      "subdomain": "staging.whoisfreaks.com",
      "first_seen": "2025-02-11",
      "last_seen": "2026-03-22"
    },
    {
      "subdomain": "status.file.whoisfreaks.com",
      "first_seen": "2026-03-25",
      "last_seen": "2026-03-28"
    },
    {
      "subdomain": "files.whoisfreaks.com",
      "first_seen": "2021-01-15",
      "last_seen": "2026-04-28"
    },
    {
      "subdomain": "www.whoisfreaks.com",
      "first_seen": "2023-10-13",
      "last_seen": "2026-05-17"
    },
    {
      "subdomain": "status.ssl.whoisfreaks.com",
      "first_seen": "2026-03-25",
      "last_seen": "2026-03-28"
    },
    {
      "subdomain": "status.email.whoisfreaks.com",
      "first_seen": "2026-03-25",
      "last_seen": "2026-03-28"
    },
    {
      "subdomain": "status.dns.whoisfreaks.com",
      "first_seen": "2026-03-25",
      "last_seen": "2026-03-28"
    }
  ]
}

Results are paginated, so for domains with many subdomains, iterate through all pages to retrieve the complete dataset. Every field in this response is defined in the data table below. To pull subdomains together with their DNS records, use the Subdomains API for fuller attack surface visibility.

Method 3: Using the WhoisFreaks Subdomains Database (Enterprise Scale)

The WhoisFreaks Subdomains Database provides bulk access to a comprehensive subdomain dataset for enterprise-scale subdomain enumeration, subdomain discovery, and attack surface mapping. It supports both passive and active subdomain scanning, enabling security teams to efficiently identify exposed assets and misconfigurations.

Use advanced subdomain finder tools and automated scans across multiple domains to improve coverage, speed, and accuracy in reconnaissance and security assessment.

Update Frequency Options

Daily Updates - Ideal for fraud detection, threat intelligence, and real-time security monitoring
Weekly Updates - Best for security audits, compliance checks, and research analysis
Monthly Updates - Suitable for long-term trend analysis and data enrichment

Download daily, weekly, and monthly CSV updates (last 3 months available), plus a sample dataset for quick evaluation.

Use Cases

Attack surface management platforms
Threat intelligence enrichment
SOC teams and incident response
Red team infrastructure mapping
Security analysts and threat hunters

Get full subdomain database access to strengthen security posture, improve visibility, and detect risks before attackers do.

What Does Subdomain Lookup Data Return?

Every subdomain lookup returns the same set of fields, whether you run it through the tool, the API, or the database. The table below defines each field and what it tells you during asset discovery and security work:

Field	Description	Why It Matters
domain	The root domain queried for subdomain enumeration	Defines the target domain for the lookup
status	Indicates whether the API request was successful	Helps validate the response status
query_time	Timestamp when the query was processed	Useful for tracking freshness of the dataset
current_page	Current page number of the paginated response	Supports navigation through large result sets
total_pages	Total number of available pages	Shows the complete pagination scope
total_records	Total number of discovered subdomains	Provides an overview of the domain’s attack surface
subdomain	The discovered hostname (e.g., blogs.whoisfreaks.com)	Identifies individual assets and services
first_seen	Date when the subdomain was first observed	Helps determine subdomain age and historical presence
last_seen	Date when the subdomain was last observed	Indicates recent activity or whether it may still be active

First-seen and last-seen dates let you track how long each subdomain has existed and whether it is still in use, which is the basis for spotting stale or forgotten hosts.

Active vs. Inactive Subdomains: What Is the Difference and Why It Matters

The Subdomain Lookup API and tool let you filter results by active or inactive status. That distinction matters for attack surface management, threat detection, reconnaissance, and subdomain takeover prevention.

Status	What It Means	Why It Matters
Active	The subdomain currently resolves in DNS and appears live	Important for attack surface monitoring, exposed service discovery, vulnerability assessment, and live threat detection
Inactive	The subdomain was previously observed but no longer resolves	Useful for identifying abandoned infrastructure and detecting potential subdomain takeover risks

Inactive subdomains should not be ignored during security audits. A subdomain can stop resolving while its DNS record still exists, which opens the door to a subdomain takeover if the external resource it points to has been decommissioned. WhoisFreaks tracks historical subdomain data and DNS resolution changes so security teams can find outdated assets, cut external attack surface exposure, and keep infrastructure clean.

What Is a Subdomain Takeover?

A subdomain takeover happens when a subdomain's DNS record still points to an external service, such as a cloud host, CDN, or static-site platform, that the organization no longer controls. An attacker who registers or claims that unused service can then serve their own content from the subdomain. Old staging, dev, and legacy hosts are the usual targets, which is why tracking inactive subdomains during an audit matter as much as listing the live ones.

Conclusion

Subdomains are where an organization's real attack surface lives. Whether you are auditing your own infrastructure for shadow IT and takeover risk, hunting threat-actor phishing infrastructure, mapping a target during a penetration test, or building an attack surface management platform, finding the subdomains is the first step.

WhoisFreaks gives you that view at three scales: a free tool for a quick check, an API for automation, and a downloadable database for enterprise coverage, all drawing on a dataset of 6.2B+ hostnames built from continuous DNS crawls, Certificate Transparency logs, passive DNS, and zone files. Start with a single lookup and scale up when you need to.

Ready to look up subdomains for any domain?

Try the free Subdomain Lookup tool

Explore the Subdomains API documentation

Frequently Asked Questions

Explore frequently asked questions to better understand our features, functionality, and usage.

Can You Perform a WHOIS Lookup on a Subdomain?

Subdomains do not have separate WHOIS records because they are not individually registered. To get WHOIS data for a subdomain like api.example.com, perform a WHOIS lookup on the root domain example.com.

What Is a Subdomain Lookup Tool?

A subdomain lookup tool discovers known subdomains associated with a root domain using DNS data, SSL certificates, passive DNS, and zone file analysis.

How Do You Find All Subdomains of a Domain?

Use the WhoisFreaks Subdomain Lookup tool or API to discover active and inactive subdomains, including first-seen and last-seen timestamps.

What Is the Difference Between Active and Inactive Subdomains?

Active subdomains currently resolve in DNS, while inactive subdomains were previously observed but no longer resolve. Both are important for attack surface monitoring and takeover detection.

What Is a Subdomain Takeover Attack?

A subdomain takeover occurs when a DNS record points to an unclaimed external service, allowing attackers to take control of the subdomain.

How Does WhoisFreaks Discover Subdomains?

WhoisFreaks collects subdomain data from DNS crawls, certificate transparency logs, passive DNS intelligence, and zone file analysis.

Does WhoisFreaks Offer a Subdomains API?

Yes. The WhoisFreaks Subdomains API provides JSON results with subdomain status, timestamps, pagination, and filtering support.

Is the WhoisFreaks Subdomain Lookup Tool Free?

Yes. Basic subdomain lookups are free, and new API accounts receive free credits for testing the API.

Can You Download the Full Subdomains Database?

Yes. WhoisFreaks provides downloadable subdomain datasets with daily, weekly, and monthly updates for enterprise-scale security and threat intelligence use cases.

How to Access, Download, and Regenerate Your WhoisFreaks Invoices

Step-by-step guide to finding your billing invoices in the WhoisFreaks dashboard, downloading branded PDF receipts, and regenerating them with updated billing details like tax ID or organization name.

How to Use the WhoisFreaks API for Domain Lookups

Learn how to use the WhoisFreaks API for domain lookups step by step. From WHOIS and DNS to reverse lookups and threat intelligence - discover how to integrate domain data into your applications, security tools, and workflows using the WhoisFreaks REST API.

How to Find Subdomains of a Domain