How to Look Up WHOIS Subdomain Information

Introduction

When most people think about WHOIS lookup, they think about finding out who registered a domain name. Enter a domain, get back the registrant's name, email, registrar, and expiry date. Simple, familiar, and widely understood.

Subdomains cannot be queried via traditional WHOIS because they are not independently registered. WHOIS only covers registered domains and IP allocations, not subdomain records like ghost.whoisfreaks.com or old.whoisfreaks.com. Instead, subdomain visibility comes from subdomain enumeration tools, not WHOIS. These tools use multiple data sources, including:

DNS records
Certificate Transparency (CT) logs
Passive DNS data
SSL/TLS certificates
Zone file analysis

A subdomain lookup reveals all known subdomains of a domain, often including metadata like first seen, last seen, and active/inactive status.

In short:

WHOIS > domain ownership & IP allocation
Subdomain lookup > infrastructure discovery & asset enumeration

In this guide you will learn:

What subdomain WHOIS means and why it works differently from domain WHOIS
How to look up subdomains for any domain using the WhoisFreaks tool, API or Database
What subdomain lookup data actually returns
Active vs. Inactive Subdomains: What Is the Difference and Why It Matters

When users perform a subdomain lookup, they are usually trying to find all subdomains associated with a main domain (also called the root domain), which is the primary part of a website address, as well as understand its relationship to the top-level domain (TLD) such as .com, .net, or .org. Subdomains are subdivisions of the main domain, and tools focus on mapping these to provide a comprehensive view of the domain structure.

What Is Subdomain WHOIS and How Is It Different from Domain WHOIS?

Subdomain WHOIS is a common misconception. Subdomains do not have separate WHOIS records.

When you register a domain (e.g., whoisfreaks.com), its ownership details - registrant, registrar, contact info, and expiry, are stored in a WHOIS database. This applies only to the root domain, not subdomains.

Domain Structure

TLD (Top-Level Domain): .com, .org, etc.
Domain (Root Domain): example.com
Subdomain: blog.example.com, api.example.com

Key Difference

Domain WHOIS: Shows ownership and registration data for the registered domain
Subdomains: Not separately registered, created via DNS records (A, CNAME, etc.), so they have no WHOIS record

What Users Mean by "Subdomain WHOIS"

They usually want one of two things:

Root domain WHOIS data
Ownership info for the main domain (not the subdomain)
Subdomain enumeration data
Discovery of subdomains, DNS records, and activity status.

Diagram showing the relationship between a root domain WHOIS record and its subdomains, clarifying that subdomains inherit root domain registration but have their own DNS entries

How to Look Up Subdomains for Any Domain: Step-by-Step Guide

There are 3 ways to perform a subdomain lookup with WhoisFreaks:

Free Web Tool - A quick subdomain checker for basic reconnaissance and security assessments.
Subdomains API - Enables automated subdomain scans and integration into security workflows and applications.
Subdomains Database - Provides enterprise-scale access for large-scale analysis and threat intelligence.

Using automated subdomain scanning helps streamline discovery and improves how security teams collect, integrate, and analyze subdomain data.

Method 1: Using the WhoisFreaks Subdomain Lookup Tool (Free)

The fastest way to enumerate subdomains for any domain is through the WhoisFreaks free web tool, which serves as a cloud-based subdomain checker and supports comprehensive subdomain search for security assessments, reconnaissance, and penetration testing.

Step 1 - Navigate to the Tool

Go to https://whoisfreaks.com/tools/subdomains/lookup

Step 2 - Enter the Root Domain

Type the root domain you want to enumerate into the search field. Always use the root domain, not a subdomain, as your input:

whoisfreaks.com

Step 3 - Apply Filters (Optional)

Before or after running the search, use the status filter to narrow results:

Active - shows only currently live subdomains
Inactive - shows only decommissioned or expired subdomains
All - returns the complete list regardless of status

Step 4 - Click Search

Click Search to run the lookup. The tool queries WhoisFreaks' database of 5+ billion hostnames and returns all known subdomains for the root domain.

Step 5 - Review Your Results

Results are displayed in a structured list showing each subdomain, its active or inactive status, and its first-seen and last-seen timestamps. The total record count at the top gives you an instant overview of the domain’s subdomain footprint.

Step 6 - Export Results

In addition to JSON and Formatted responses, users can also download the data as a CSV file from the Subdomain Lookup tool.

Screenshot of the WhoisFreaks Subdomain Lookup tool showing a sample domain with results list, status filters, and first-seen/last-seen timestamps visible.

Method 2: Using the WhoisFreaks Subdomains API (Programmatic)

For automation, security platform integration, or processing subdomains at scale, the Subdomains API is the right approach. This API allows you to automate subdomain scans, making it easy to integrate subdomain enumeration into your security workflows or website management processes.

Use the Subdomains Lookup API to retrieve each subdomain with its complete details such as first seen, last seen, and status. You can also retrieve sub-subdomains.

API Endpoint:

https://api.whoisfreaks.com/v1.0/subdomains?domain=whoisfreaks.com&before=2026-03-31&origin=whoisfreaks.com&after=2000-01-01&status=active&page=1&apiKey=YOUR_API_KEY

Key Parameters:

Parameter	Description	Example
domainName	The root domain to enumerate	whoisfreaks.com
apiKey	Your WhoisFreaks API key	YOUR_API_KEY
status	Filter by active or inactive	active
page	Page number for paginated results	1
before	Return records created before this date (YYYY-MM-DD)	2026-03-31
after	Return records created after this date (YYYY-MM-DD)	2000-01-01

Step 1: Create a Free Account

Visit https://billing.whoisfreaks.com/signup and sign up for a free account. New accounts receive 500 free API credits with no credit card required.

Step 2: Access Your API Key

After signing in, navigate to API Solutions under PRODUCTS and then to the API Keys section. Your unique/primary API key will be displayed there. Copy it and store it securely.

For further details on account creation and getting the API key, you can follow tutorial: Getting Started with WhoisFreaks.

Step 3: Add Your API Key to Requests

Append your API key to every request as a query parameter:

?apiKey=YOUR_API_KEY

Base API URL:

https://api.whoisfreaks.com/

All endpoints are built on top of this base URL.Sample Response:

{
  "domain": "whoisfreaks.com",
  "status": true,
  "query_time": "2026-05-18T10:44:27.675881648",
  "current_page": 1,
  "total_pages": 1,
  "total_records": 38,
  "subdomains": [
    {
      "subdomain": "ghost.whoisfreaks.com",
      "first_seen": "2025-02-02",
      "last_seen": "2026-04-30"
    },
    {
      "subdomain": "dev.whoisfreaks.com",
      "first_seen": "2026-02-22",
      "last_seen": "2026-02-24"
    },
    {
      "subdomain": "website-test-1.whoisfreaks.com",
      "first_seen": "2026-02-07",
      "last_seen": "2026-02-28"
    },
    {
      "subdomain": "wfweb.whoisfreaks.com",
      "first_seen": "2026-02-07",
      "last_seen": "2026-02-19"
    },
    {
      "subdomain": "links.care.whoisfreaks.com",
      "first_seen": "2025-07-28",
      "last_seen": "2026-03-29"
    },
    {
      "subdomain": "blogs-cf-worker.whoisfreaks.com",
      "first_seen": "2025-02-13",
      "last_seen": "2026-02-20"
    },
    {
      "subdomain": "blogs.whoisfreaks.com",
      "first_seen": "2023-07-31",
      "last_seen": "2026-04-08"
    },
    {
      "subdomain": "staging.whoisfreaks.com",
      "first_seen": "2025-02-11",
      "last_seen": "2026-03-22"
    },
    {
      "subdomain": "status.file.whoisfreaks.com",
      "first_seen": "2026-03-25",
      "last_seen": "2026-03-28"
    },
    {
      "subdomain": "files.whoisfreaks.com",
      "first_seen": "2021-01-15",
      "last_seen": "2026-04-28"
    },
    {
      "subdomain": "www.whoisfreaks.com",
      "first_seen": "2023-10-13",
      "last_seen": "2026-05-17"
    },
    {
      "subdomain": "status.ssl.whoisfreaks.com",
      "first_seen": "2026-03-25",
      "last_seen": "2026-03-28"
    },
    {
      "subdomain": "status.email.whoisfreaks.com",
      "first_seen": "2026-03-25",
      "last_seen": "2026-03-28"
    },
    {
      "subdomain": "status.dns.whoisfreaks.com",
      "first_seen": "2026-03-25",
      "last_seen": "2026-03-28"
    }
  ]
}

The response includes the total_records field, giving an instant overview of the domain's subdomain footprint. Results are paginated, so for domains with large numbers of subdomains, iterate through all pages to retrieve the complete dataset.

If you need subdomains along with their DNS records, use the Subdomains API to strengthen your attack surface visibility and security insights.

Method 3: Using the WhoisFreaks Subdomains Database (Enterprise Scale)

The WhoisFreaks Subdomains Database provides bulk access to a comprehensive subdomain dataset for enterprise-scale subdomain enumeration, subdomain discovery, and attack surface mapping. It supports both passive and active subdomain scanning, enabling security teams to efficiently identify exposed assets and misconfigurations.

Use advanced subdomain finder tools and automated scans across multiple domains to improve coverage, speed, and accuracy in reconnaissance and security assessment.

Update Frequency Options

Daily Updates - Ideal for fraud detection, threat intelligence, and real-time security monitoring
Weekly Updates - Best for security audits, compliance checks, and research analysis
Monthly Updates - Suitable for long-term trend analysis and data enrichment

Download daily, weekly, and monthly CSV updates (last 3 months available), plus a sample dataset for quick evaluation.

Use Cases

Attack surface management platforms
Threat intelligence enrichment
SOC teams and incident response
Red team infrastructure mapping
Security analysts and threat hunters

Get full subdomain database access to strengthen security posture, improve visibility, and detect risks before attackers do.

What Does Subdomain Lookup Data Return?

When you perform a subdomain lookup through WhoisFreaks, the Subdomains Lookup API retrieves each subdomain with its complete details including first seen, last seen, and status. Subdomain discovery is a key feature of modern recon tools and subdomain finder tools, which help users discover all the subdomains associated with a domain. You can also retrieve sub-subdomains.

Here is a full breakdown of the highly accurate data fields returned for each discovered subdomain, which can be used to gain insights into the structure of the domain:

Field	Description	Why It Matters
domain	The root domain queried for subdomain enumeration	Defines the target domain for the lookup
status	Indicates whether the API request was successful	Helps validate the response status
query_time	Timestamp when the query was processed	Useful for tracking freshness of the dataset
current_page	Current page number of the paginated response	Supports navigation through large result sets
total_pages	Total number of available pages	Shows the complete pagination scope
total_records	Total number of discovered subdomains	Provides an overview of the domain’s attack surface
subdomain	The discovered hostname (e.g., blogs.whoisfreaks.com)	Identifies individual assets and services
first_seen	Date when the subdomain was first observed	Helps determine subdomain age and historical presence
last_seen	Date when the subdomain was last observed	Indicates recent activity or whether it may still be active

The subdomain details allow you to track when each was first seen and, in some cases, when it was last observed, providing a comprehensive overview of the domain’s subdomain activity over time. Using a subdomain finder tool helps reveal hidden assets and expand visibility into an organization's digital infrastructure.

Active vs. Inactive Subdomains: What Is the Difference and Why It Matters

One of the most valuable features of the WhoisFreaks Subdomain Lookup API is the ability to filter results by active or inactive status. Understanding this distinction is essential for attack surface management, threat detection, reconnaissance, and subdomain takeover prevention.

Status	What It Means	Why It Matters
Active	The subdomain currently resolves in DNS and appears live	Important for attack surface monitoring, exposed service discovery, vulnerability assessment, and live threat detection
Inactive	The subdomain was previously observed but no longer resolves	Useful for identifying abandoned infrastructure and detecting potential subdomain takeover risks

Inactive subdomains should not be ignored during security audits. A subdomain may stop resolving while stale DNS records still exist, creating opportunities for subdomain takeover attacks if linked cloud resources have been decommissioned.
WhoisFreaks continuously tracks historical subdomain data and DNS resolution changes to help security teams identify outdated assets, reduce external attack surface exposure, and improve infrastructure hygiene.
Subdomains typically inherit the same WHOIS record as their root domain, but they can still be discovered and monitored using subdomain enumeration, passive DNS intelligence, and DNS reconnaissance techniques.

Conclusion

Subdomain lookup is a powerful tool for discovering digital assets and securing your organization's web presence. The Subdomain Finder provides the visibility needed to assess risk and secure assets you or your security team didn't know existed, making it essential for effective cybersecurity and online asset management.

Subdomains represent the full attack surface of an organization’s web presence. Whether you are auditing your own infrastructure for shadow IT and takeover risks, hunting for threat actor phishing infrastructure, mapping a competitor’s product roadmap through new subdomain patterns, or building an enterprise attack surface management platform, a subdomain finder is where that work begins.

With WhoisFreaks maintaining a database of more than 5 billion hostnames built from DNS crawls, certificate transparency logs, passive DNS collection, and zone file analysis, and with data accessible through a free web tool, a developer API, and a full downloadable database with daily updates, you have one of the broadest subdomain intelligence resources available at every scale from a single query to billions of records.

Ready to look up subdomains for any domain?

Try the free Subdomain Lookup tool

Explore the Subdomains API documentation

Frequently Asked Questions

Explore frequently asked questions to better understand our features, functionality, and usage.

Can You Perform a WHOIS Lookup on a Subdomain?

Subdomains do not have separate WHOIS records because they are not individually registered. To get WHOIS data for a subdomain like api.example.com, perform a WHOIS lookup on the root domain example.com.

What Is a Subdomain Lookup Tool?

A subdomain lookup tool discovers known subdomains associated with a root domain using DNS data, SSL certificates, passive DNS, and zone file analysis.

How Do You Find All Subdomains of a Domain?

Use the WhoisFreaks Subdomain Lookup tool or API to discover active and inactive subdomains, including first-seen and last-seen timestamps.

What Is the Difference Between Active and Inactive Subdomains?

Active subdomains currently resolve in DNS, while inactive subdomains were previously observed but no longer resolve. Both are important for attack surface monitoring and takeover detection.

What Is a Subdomain Takeover Attack?

A subdomain takeover occurs when a DNS record points to an unclaimed external service, allowing attackers to take control of the subdomain.

How Does WhoisFreaks Discover Subdomains?

WhoisFreaks collects subdomain data from DNS crawls, certificate transparency logs, passive DNS intelligence, and zone file analysis.

Does WhoisFreaks Offer a Subdomains API?

Yes. The WhoisFreaks Subdomains API provides JSON results with subdomain status, timestamps, pagination, and filtering support.

Is the WhoisFreaks Subdomain Lookup Tool Free?

Yes. Basic subdomain lookups are free, and new API accounts receive free credits for testing the API.

Can You Download the Full Subdomains Database?

Yes. WhoisFreaks provides downloadable subdomain datasets with daily, weekly, and monthly updates for enterprise-scale security and threat intelligence use cases.

How to Perform a WHOIS IP Lookup

Learn how to perform an IP WHOIS lookup for any IPv4 or IPv6 address. Discover what IP WHOIS data reveals about ownership, ISP, ASN, network blocks, and abuse contacts and how to use the WhoisFreaks IP WHOIS tool and API to look up any IP address instantly.

WHOIS Database Access: 5 Methods to Get Data at Scale

Five ways to access WHOIS data at scale: full downloads, daily update files, REST API, filtered subsets, and historical records. Pick the right method.