dot.gov Subdomain Discovery
Discover subdomains of dot.gov by searching Certificate Transparency (CT) logs. This passive reconnaissance technique finds subdomains that have had SSL/TLS certificates issued for them.
//01
dot.gov Subdomains from CT Logs
Certificate Transparency logs are public, append-only databases of all SSL/TLS certificates issued by participating Certificate Authorities. By searching these logs for dot.gov, we can discover subdomains that have had certificates issued for them.
This approach is passive — it doesn't send any traffic to dot.gov's servers. It only queries the public crt.sh database, making it safe and non-intrusive.
//02
How Subdomain Discovery Works for dot.gov
When a Certificate Authority issues an SSL/TLS certificate for any subdomain of dot.gov, the certificate details are recorded in Certificate Transparency logs. These logs are publicly searchable.
By querying crt.sh for %.dot.gov, we find all certificates ever issued for dot.gov and its subdomains. The name_value fields from these certificates reveal subdomain names that may not be discoverable through other means.
//03
Using dot.gov's Subdomain Data
Discovered subdomains of dot.gov can help identify forgotten services, development environments, or unauthorized infrastructure. Domain administrators should regularly audit their subdomain footprint.
Note that CT log discovery only finds subdomains that have had SSL/TLS certificates issued. Subdomains using only HTTP or internal DNS records without certificates will not appear in these results.
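An added example (not code from this page or from crt.sh) of the audit described above: it splits the name_value field of each CT record into hostnames and reports names that are missing from a known inventory. The records, the placeholder domain agency.example and the function names are constructed for illustration; the record shape assumes crt.sh's JSON output, where one name_value can hold several newline-separated names.

```python
# Constructed sample records in the shape of crt.sh JSON output; not real data.
RECORDS = [
    {"name_value": "www.agency.example\nagency.example", "not_after": "2025-03-01T00:00:00"},
    {"name_value": "*.dev.agency.example", "not_after": "2024-01-15T00:00:00"},
    {"name_value": "VPN.agency.example", "not_after": "2026-06-30T00:00:00"},
    {"name_value": "admin@agency.example", "not_after": "2025-01-01T00:00:00"},
    {"name_value": "www.agency.example", "not_after": "2026-02-01T00:00:00"},
    {"name_value": "partner.other.example", "not_after": "2025-09-01T00:00:00"},
]


def names_from_ct(records, domain):
    """Return {hostname: latest not_after} for names at or under `domain`."""
    domain = domain.lower().rstrip(".")
    seen = {}
    for rec in records:
        # One name_value may carry several names separated by newlines.
        for raw in rec.get("name_value", "").splitlines():
            name = raw.strip().lower().rstrip(".")
            if not name or "@" in name:
                continue  # skip blanks and e-mail identities
            # Exact suffix match on a label boundary, so that
            # "agency.example.other.test" would not count as in scope.
            if name != domain and not name.endswith("." + domain):
                continue
            # ISO-8601 timestamps in one format compare correctly as strings.
            seen[name] = max(seen.get(name, ""), rec.get("not_after", ""))
    return seen


def audit(records, domain, inventory):
    """Split CT names into (hosts missing from inventory, wildcard entries)."""
    known = {h.lower().rstrip(".") for h in inventory}
    found = names_from_ct(records, domain)
    # A wildcard certificate covers hosts whose names never reach the logs.
    wildcards = sorted(n for n in found if n.startswith("*."))
    unknown = sorted(n for n in found
                     if not n.startswith("*.") and n not in known)
    return unknown, wildcards


if __name__ == "__main__":
    unknown, wildcards = audit(RECORDS, "agency.example",
                               ["agency.example", "www.agency.example"])
    print("not in inventory:", unknown)
    print("wildcard certificates:", wildcards)
```

Wildcard entries are reported separately because the hosts they cover do not appear by name in CT logs, which is the same blind spot as the certificate-less subdomains noted above.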