Overview
An investigator is tracking a threat actor's infrastructure. She knows the actor's primary domain but suspects it hosts dozens of subdomains used for phishing, command-and-control, and data exfiltration. The Subdomain domain has been cataloguing those subdomains over time: it recorded when each one first appeared, flagged three that disappeared in the last 30 days (a possible indicator of infrastructure teardown), and surfaced two new ones that appeared last week. Each subdomain is linked back to the parent domain record, so the full infrastructure map is only a few clicks away. This temporal tracking is what turns a list of hostnames into actionable threat intelligence.
Key Features
- Subdomain Discovery: Identify and catalogue subdomains associated with parent domains to map out the complete web infrastructure of entities under investigation.
- Temporal Tracking: Record when each subdomain was first discovered and last observed, enabling change detection and infrastructure evolution analysis.
- Parent Domain Linking: Associate each subdomain with its parent domain record for hierarchical infrastructure mapping and organised browsing.
- Change Detection: Compare subdomain inventories over time to identify newly created or recently disappeared subdomains that may indicate infrastructure changes.
- Infrastructure Mapping: Build a comprehensive picture of an entity's online presence by cataloguing all discovered subdomains under their parent domains.
Use Cases
Subdomain discovery and temporal tracking are core tools in cyber investigations and threat intelligence operations. Relevant industries include cybersecurity and threat intelligence, law enforcement, and financial services fraud investigation.
- Cyber Investigation: Map the complete web infrastructure of investigation targets to identify related services, staging servers, and command-and-control endpoints.
- Threat Monitoring: Track subdomain changes over time to detect new infrastructure that may indicate evolving threat actor operations.
- Digital Footprint Analysis: Catalogue an organisation's subdomain inventory to understand the scope of their online presence and identify potential exposure points.
- Infrastructure Timeline: Use first-seen and last-seen timestamps to build a timeline of infrastructure changes for investigative analysis.
Integration
The Subdomain domain supports cyber investigation workflows across the platform:
- Domain Profiles: Subdomains link to parent domain profile records
- Threat Intelligence: Subdomain changes can indicate threat actor activity
- Investigation Management: Subdomain discoveries associate with active investigations
- URL Profiles: Discovered subdomains may correspond to tracked URL profiles
Open Standards
- Certificate Transparency (RFC 6962 / RFC 9162): Subdomain discovery is driven by querying public Certificate Transparency logs via the crt.sh interface, which surfaces every DNS name embedded in publicly trusted TLS certificates as they are issued.
- Domain Name System (RFC 1034 / RFC 1035): The domain and subdomain data model represents standard DNS record types (A, AAAA, CNAME, MX, NS, TXT, SOA, PTR, SRV, CAA) and uses the DNS naming hierarchy to associate each subdomain with its parent zone.
- DNS-over-HTTPS (RFC 8484): Active DNS resolution uses the DoH protocol against multiple public resolvers (Cloudflare 1.1.1.1, Google 8.8.8.8, Quad9, OpenDNS), returning JSON-formatted DNS responses over HTTPS.
- WHOIS Protocol (RFC 3912): Domain registration metadata (registrar, nameservers, and creation, update and expiry dates) is retrieved via WHOIS lookups and stored against each parent domain profile.
- X.509 Public Key Infrastructure (RFC 5280): TLS certificate details associated with domains, including issuer, subject distinguished name, validity period, and signature algorithm, are modelled and stored against domain profiles as standard X.509v3 certificate fields.
- STIX 2.1 Cyber Observable Objects (OASIS): Domains and subdomains can be exported as STIX 2.1 domain-name Cyber Observable Objects, enabling interoperability with threat intelligence platforms and TAXII feeds.
- GraphQL (June 2018 Specification): All subdomain and domain profile queries and mutations are exposed through a GraphQL API, supporting structured querying of infrastructure data by investigative tools.
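As an added example (not code from the platform described on this page), the following Python shows how the Certificate Transparency discovery and the Temporal Tracking / Change Detection features above fit together: it folds dated pulls of crt.sh-style certificate records into a first-seen / last-seen inventory, links each hostname to its parent zone by DNS suffix, and flags subdomains that appeared in the last 7 days or have not been seen for more than 30 days. The snapshot records, zone names and parent list are constructed; only the name_value field layout follows crt.sh's JSON output.

```python
from datetime import date, timedelta

# Constructed sample: three dated pulls of crt.sh-style records for the zone under
# investigation (name_value is newline-separated, may hold wildcards; values are made up).
SNAPSHOTS = {
    date(2026, 1, 5): [{"name_value": "mail.evil-example.test\nlogin.evil-example.test"},
                       {"name_value": "*.cdn.evil-example.test\ncdn.evil-example.test"}],
    date(2026, 2, 1): [{"name_value": "mail.evil-example.test\ncdn.evil-example.test"}],
    date(2026, 3, 3): [{"name_value": "mail.evil-example.test\nupdate.evil-example.test"},
                       {"name_value": "unrelated.other.test"}],  # out of scope, dropped
}
PARENTS = {"evil-example.test"}  # hypothetical parent domain records already on file

def names_from_record(rec):
    """Hostnames in one record, lower-cased, trailing dot and wildcard prefix removed."""
    names = set()
    for raw in rec["name_value"].split("\n"):
        name = raw.strip().lower().rstrip(".")
        if name.startswith("*."):
            name = name[2:]  # a wildcard cert still shows the labelled zone exists
        if name:
            names.add(name)
    return names

def parent_of(name, parents):
    """Link a hostname to its parent zone by DNS suffix; None if out of scope."""
    for parent in parents:
        if name == parent or name.endswith("." + parent):
            return parent
    return None

def build_inventory(snapshots, parents):
    """Fold dated snapshots into per-subdomain parent / first_seen / last_seen records."""
    inventory = {}
    for seen_on in sorted(snapshots):
        for rec in snapshots[seen_on]:
            for name in names_from_record(rec):
                parent = parent_of(name, parents)
                if parent is None or name == parent:
                    continue  # outside the investigation, or the apex itself
                entry = inventory.setdefault(name, {"parent": parent, "first_seen": seen_on})
                entry["last_seen"] = seen_on  # snapshots are walked in date order
    return inventory

def detect_changes(inventory, today, new_days=7, gone_days=30):
    """(new, gone): first seen within new_days; not observed for more than gone_days."""
    new_since, gone_before = today - timedelta(days=new_days), today - timedelta(days=gone_days)
    new = sorted(n for n, e in inventory.items() if e["first_seen"] >= new_since)
    gone = sorted(n for n, e in inventory.items() if e["last_seen"] < gone_before)
    return new, gone
```

Run against the sample with today set to 2026-03-05, update.evil-example.test is reported as new and cdn/login as gone, while the out-of-scope name never enters the inventory.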
Last Reviewed: 2026-02-05
Last Updated: 2026-04-14