Subdomains Check V2 | Experimental Subdomain & DNS Records Discovery Tool

image.png

The platform available at https://dash.niamonx.io/subdomains_v2 β€” known as Subdomains Check V2 β€” is an experimental domain intelligence tool within the NiamonX platform. It searches for subdomains and related DNS records for a specified domain name, including A records, CNAME records, MX records, NS records, TXT records, resolved IP addresses, and basic network/provider information.

This tool is designed for fast domain reconnaissance, DNS inventory, infrastructure mapping, attack surface review, OSINT analysis, SOC workflows, incident response, and technical asset discovery.

Because the module is experimental, the speed, coverage, and completeness of results may depend on crawler performance, available sources, DNS response behavior, and tariff limits.


Overview of the Service

Subdomains Check V2 helps users discover subdomains and associated DNS records for a target domain. The tool accepts a domain name, performs discovery and DNS resolution, then organizes the results into clear sections.

The module can return:

Subdomains Check V2 is useful when users need to quickly understand which public DNS records and subdomains are associated with a domain.

The tool is especially helpful for:


πŸ” How the Tool Works

When a user enters a domain name, Subdomains Check V2 searches for subdomains and related DNS records. The tool then resolves available records and presents the results in grouped sections.

Example input:

Domain: niamonx.io

Example result summary:

niamonx.io
A: 1
Subdomains: 1
IPs: 2
MX: 3
NS: 2
TXT: 2
22:51:28

Example resolved A / subdomain result:

niamonx.io
104.21.12.231
CLOUDFLARENET
Cloudflare

172.67.153.184
CLOUDFLARENET
Cloudflare

Example DNS records:

MX:
20 mx2.zoho.eu
50 mx3.zoho.eu
10 mx.zoho.eu

NS:
abdullah.ns.cloudflare.com
ashley.ns.cloudflare.com

TXT:
"google-site-verification=MQNH6Yoh9hKD1hgzeQtEb9VN5_ikdspHYQxlxGS6Y-4"
"v=spf1 include:zohomail.eu -all"

The tool provides a practical overview of both discovered subdomains and domain-level DNS configuration.


🧩 Supported Input

Subdomains Check V2 accepts only a domain name.

Correct input examples:

niamonx.io
example.com
sub.example.com
company.org

Incorrect input examples:

https://niamonx.io
http://example.com
https://example.com/page
example.com/path
*.example.com
user@example.com
192.168.1.1
localhost

The interface guidance is:

Only the domain, without http(s):// and without the path.

Users should enter the domain only, without protocol, path, query parameters, fragments, wildcard prefixes, or URL formatting.

domain.tld

βš™οΈ Main Function: Search by Domain

The main search field starts the domain discovery and DNS record collection process.

Example:

Search by Domain
Domain: niamonx.io

After the query is processed, the tool displays a result summary and grouped DNS sections.

The tool may collect and display:

Because this version is experimental, results may vary depending on crawler performance and available data sources.


πŸ§ͺ Experimental Status

Subdomains Check V2 is marked as experimental.

Interface note:

This tool is experimental: speed and completeness depend on the crawler's performance.

This means:

The tool should be treated as a fast discovery and enrichment layer, not as a guaranteed complete DNS inventory.

For critical security work, results should be validated with additional tools and repeated over time.


πŸ“Š Results Summary

The Results section provides a compact overview of the discovered records.

Example:

niamonx.io
A: 1
Subdomains: 1
IPs: 2
MX: 3
NS: 2
TXT: 2
22:51:28

Typical fields include:

Field Description
Domain The domain that was searched
A Number of A-record hostnames or A-record groups found
Subdomains Number of discovered subdomain entries
IPs Number of resolved IP addresses
MX Number of mail exchanger records
NS Number of name server records
TXT Number of text records
Time Query time or result timestamp

The summary is useful for quick triage and comparison between multiple domain checks.


🌐 A Records and Subdomains Section

The A / Subdomains section shows hostnames and their resolved IPv4 addresses.

Example:

A / Subdomains

niamonx.io
104.21.12.231
CLOUDFLARENET
Cloudflare

172.67.153.184
CLOUDFLARENET
Cloudflare

A records are used to map hostnames to IPv4 addresses.

This section helps users identify:

A single hostname may resolve to multiple IP addresses because of:


🏒 Network and Provider Information

Subdomains Check V2 may show basic provider or network hints next to resolved IP addresses.

Example:

CLOUDFLARENET - Cl
Cloudflare

This helps users quickly identify whether a hostname appears to be associated with:

Provider information is useful for triage, but it should not be treated as final attribution. For accurate infrastructure ownership analysis, users should also check IP WHOIS, ASN data, BGP routes, passive DNS, HTTP headers, and TLS certificates.


πŸ”Ž Filtering by Subdomains

The tool provides filtering by subdomain substring.

Example:

Filter by subdomains (substring)

Filtering is useful when working with large result sets.

Users can search for terms such as:

api
admin
dev
stage
support
mail

This helps analysts quickly locate interesting, risky, or business-relevant hostnames.


πŸ” CNAME Records

The CNAME section displays canonical name records.

Example:

CNAME
No Records

A CNAME record points one hostname to another canonical hostname.

Example:

app.example.com β†’ example.hosting-provider.com

CNAME records are useful for identifying:

If the tool shows:

No Records

it means no CNAME records were returned for the current result set.

Important security note: CNAME records pointing to third-party services should be reviewed carefully. Abandoned or misconfigured CNAME records may indicate potential subdomain takeover risk, but this must be validated responsibly.


πŸ“¬ MX Records

The MX section shows mail exchanger records for the domain.

Example:

MX
20 mx2.zoho.eu
50 mx3.zoho.eu
10 mx.zoho.eu

MX records define where e-mail for the domain should be delivered.

The number before the mail server is the MX priority.

Example:

10 mx.zoho.eu

Lower priority numbers are preferred first.

In the example above:

10 mx.zoho.eu
20 mx2.zoho.eu
50 mx3.zoho.eu

the mail server with priority 10 is preferred before 20 and 50.

MX records are useful for:


🌍 MX IP Resolution

Subdomains Check V2 may also resolve MX hostnames to IP addresses.

Example:

20 mx2.zoho.eu
89.36.170.166

50 mx3.zoho.eu
185.230.212.166

10 mx.zoho.eu
185.20.209.166

This helps users understand not only which mail servers are configured, but also which IP addresses they resolve to.

MX IP resolution is useful for:


🧭 NS Records

The NS section shows authoritative name servers for the domain.

Example:

NS
abdullah.ns.cloudflare.com
162.159.44.203

ashley.ns.cloudflare.com
172.64.32.71

NS records indicate which name servers are responsible for the domain’s DNS zone.

Name server data helps identify:

The tool may also resolve name server hostnames to IP addresses.

Example:

abdullah.ns.cloudflare.com β†’ 162.159.44.203
ashley.ns.cloudflare.com β†’ 172.64.32.71

NS records are important during security audits because DNS provider compromise or misconfiguration can affect the entire domain.


🧾 TXT Records

The TXT section displays text records associated with the domain.

Example:

TXT
"google-site-verification=MQNH6Yoh9hKD1hgzeQtEb9VN5_ikdspHYQxlxGS6Y-4"
"v=spf1 include:zohomail.eu -all"

TXT records may contain:

TXT records are useful for identifying how a domain is connected to external services and how e-mail authentication is configured.


πŸ“§ SPF Records

TXT records may include SPF configuration.

Example:

v=spf1 include:zohomail.eu -all

SPF defines which mail servers are allowed to send e-mail on behalf of the domain.

In this example:

include:zohomail.eu

allows Zoho Mail infrastructure to send mail for the domain.

The ending:

-all

means mail from unauthorized senders should fail SPF validation.

SPF records are important for:


πŸ” Domain Verification Records

TXT records may also include verification tokens.

Example:

google-site-verification=MQNH6Yoh9hKD1hgzeQtEb9VN5_ikdspHYQxlxGS6Y-4

Verification records are commonly used by services such as:

These records prove domain ownership to third-party services.

Security teams should review TXT records to identify outdated, unused, or unexpected third-party integrations.


πŸ•“ Local Request History

Subdomains Check V2 stores a local request history in the browser.

Example interface note:

Request history (local)
Filter...
We keep the domain and a brief summary (up to 200 entries).

Example history item:

niamonx.io
A:1
Subs:1
IPs:2
17.06.2026, 22:51:28

Other examples:

itstep.org
A:50
Subs:50
IPs:2
16.05.2026, 22:37:48
haveibeenpwned.com
A:13
Subs:13
IPs:3
10.12.2025, 00:46:07

The local history helps users:

Because history is stored locally in the browser, it may be removed when browser data is cleared or when the user changes browser profiles, devices, or private browsing sessions.

On shared or untrusted devices, users should clear local history after checking sensitive domains, client assets, or incident-related infrastructure.


🚦 Tariff Limits

Subdomains Check V2 respects user tariff limits.

Interface note:

Tariff limits are taken into account. If exceeded, we will display a message and will not clear the previous results.

Important points:

This behavior helps prevent users from losing their last successful result when a new query cannot be completed.


πŸ“€ Copying and Exporting Results

Subdomains Check V2 supports copying and exporting data.

Available actions may include:

Export features are useful for:


πŸ“„ CSV Export

CSV export allows users to work with results in spreadsheet tools or reporting systems.

CSV data may include:

Example CSV-style structure:

Domain,Record Type,Hostname,Value,IP,Provider
niamonx.io,A,niamonx.io,104.21.12.231,104.21.12.231,Cloudflare
niamonx.io,A,niamonx.io,172.67.153.184,172.67.153.184,Cloudflare
niamonx.io,MX,niamonx.io,10 mx.zoho.eu,185.20.209.166,Zoho
niamonx.io,NS,niamonx.io,abdullah.ns.cloudflare.com,162.159.44.203,Cloudflare
niamonx.io,TXT,niamonx.io,"v=spf1 include:zohomail.eu -all",,

CSV export is useful when results need to be shared with technical teams, compliance departments, management, or auditors.


🧬 JSON Export

JSON export provides structured machine-readable output.

JSON data may include:

JSON is useful for:


πŸ” Why This Tool Matters

Subdomains and DNS records are a major part of an organization’s public attack surface. A domain may appear simple from the outside, but DNS records can reveal mail providers, name servers, cloud services, CDN usage, verification tokens, third-party dependencies, and public application endpoints.

Subdomains Check V2 helps users identify:

This information supports both defensive security and operational infrastructure management.


πŸ”Ž Common Use Cases

DNS Inventory

Create a structured overview of DNS records associated with a domain.

Subdomain Discovery

Find discovered subdomains and review how they resolve.

Attack Surface Mapping

Identify public hostnames, IP addresses, DNS providers, and mail systems.

SOC Triage

Enrich alerts involving domains, hostnames, or suspicious DNS records.

Incident Response

Check whether a suspicious domain or subdomain is related to known infrastructure.

Phishing Investigation

Review DNS records, mail configuration, and provider information for suspicious domains.

Brand Protection

Inspect domains and subdomains related to impersonation, fraud, or unauthorized brand usage.

Mail Security Review

Review MX and TXT records, including SPF-related configuration.

DNS Provider Review

Check NS records and identify authoritative DNS providers.

Cloud and CDN Mapping

Identify whether hostnames resolve to CDN or cloud provider infrastructure.

Compliance Documentation

Document DNS records and public exposure for audits, reports, and risk reviews.

Asset Inventory

Add discovered hostnames, IPs, and records to an asset management workflow.


A practical Subdomains Check V2 workflow should follow these steps.

1. Enter the Domain

Use only the domain name.

Example:

niamonx.io

Do not include:

https://
http://
/path
?query=value
#fragment
*

Start the query and wait for the result.

Example:

Search by Domain

3. Review the Summary

Check the high-level result counts.

Example:

A: 1
Subdomains: 1
IPs: 2
MX: 3
NS: 2
TXT: 2

This gives a quick overview of how much data was found.


4. Review A / Subdomains

Inspect discovered hostnames and IP addresses.

Example:

niamonx.io
104.21.12.231
172.67.153.184

Follow up with IP WHOIS, ASN lookup, HTTP checks, TLS inspection, or screenshot capture when needed.


5. Check CNAME Records

Review whether the domain or subdomains point to external services.

Example:

CNAME: No Records

If CNAME records exist, validate whether the targets are expected and still active.


6. Review MX Records

Check mail routing and provider configuration.

Example:

10 mx.zoho.eu
20 mx2.zoho.eu
50 mx3.zoho.eu

Confirm that the mail provider is expected and that MX priorities are correct.


7. Review NS Records

Check authoritative name servers.

Example:

abdullah.ns.cloudflare.com
ashley.ns.cloudflare.com

Verify that the DNS provider is expected and properly managed.


8. Review TXT Records

Inspect TXT records for SPF, verification tokens, and third-party integrations.

Example:

v=spf1 include:zohomail.eu -all

Check for outdated, unexpected, or overly permissive records.


9. Filter Subdomains

Use substring filtering to locate interesting names.

Examples:

api
admin
dev
stage
mail
support

Filtering is useful for large domains with many discovered subdomains.


10. Export Results

Use CSV or JSON export for reporting and follow-up analysis.

CSV
JSON

11. Validate With Additional Tools

Because the tool is experimental, validate important findings with additional sources.


🚨 Security Review Checklist

When reviewing results, pay special attention to the following areas.

Unexpected IP Addresses

Check whether resolved IPs belong to expected providers.

Questions:


Third-Party Dependencies

Review CNAME, NS, MX, and TXT records for third-party services.

Potential dependencies:


Mail Security

Review MX and TXT records.

Important checks:


Name Server Control

Review NS records.

Questions:


Subdomain Exposure

Review discovered subdomains and search for sensitive patterns.

Examples:

admin
dev
test
stage
staging
internal
portal
dashboard
api
backup
old
legacy

These names may indicate systems that need closer review.


TXT Record Hygiene

TXT records can expose operational information.

Review for:


⚠️ Limitations and Important Notes

Subdomains Check V2 should be interpreted carefully.

Important limitations:

Interface note:

The tool is experimental; not all sources provide a complete list of subdomains.

For high-confidence analysis, combine results with multiple discovery and DNS validation methods.


πŸ“Š Interpreting Results Correctly

Subdomains Check V2 provides point-in-time DNS and subdomain intelligence.

Important interpretation notes:

The tool should be used as part of a broader investigation workflow.


When documenting results, use a consistent format.

Example:

Domain: niamonx.io
Query time: 17.06.2026, 22:51:28

Summary:
A records: 1
Subdomains: 1
Resolved IPs: 2
MX records: 3
NS records: 2
TXT records: 2

A / Subdomains:
niamonx.io
- 104.21.12.231
- 172.67.153.184

MX:
- 10 mx.zoho.eu β†’ 185.20.209.166
- 20 mx2.zoho.eu β†’ 89.36.170.166
- 50 mx3.zoho.eu β†’ 185.230.212.166

NS:
- abdullah.ns.cloudflare.com β†’ 162.159.44.203
- ashley.ns.cloudflare.com β†’ 172.64.32.71

TXT:
- "google-site-verification=MQNH6Yoh9hKD1hgzeQtEb9VN5_ikdspHYQxlxGS6Y-4"
- "v=spf1 include:zohomail.eu -all"

For security reports, add analyst notes:

Observation:
The domain resolves through Cloudflare infrastructure and uses Zoho mail exchangers. TXT records include Google site verification and SPF authorization for Zoho Mail.

Recommended next step:
Validate DMARC and DKIM configuration, confirm that the listed providers are expected, review DNS provider account security, and enrich resolved IPs with WHOIS / ASN data.

πŸ›‘οΈ Security, Privacy & Responsible Use

Subdomains Check V2 is intended for lawful DNS analysis, OSINT research, security review, compliance, infrastructure mapping, and defensive cybersecurity workflows.

Acceptable use cases include:

Users should follow responsible use principles:

Subdomain and DNS discovery is a legitimate defensive and OSINT technique, but it should be used responsibly and legally.


βš™οΈ Technical Highlights


πŸ“Œ Usage Hints


πŸ“¬ Contact Information

support@niamonx.io β€” Technical Support
other@niamonx.io β€” General Inquiries
takedown@niamonx.io β€” Privacy or Data Removal Requests
legal@niamonx.io β€” Legal and Compliance Matters

Alternative contact channel:

πŸ”— Helpdesk: https://support.niamonx.io/


Summary

NiamonX Subdomains Check V2 is an experimental subdomain and DNS records discovery tool for domain-based reconnaissance. It searches for subdomains and related DNS records, including A, CNAME, MX, NS, and TXT records, resolves IP addresses, shows basic provider information, supports substring filtering, provides CSV and JSON export, and stores local request history with brief summaries.

The tool is designed for OSINT research, DNS inventory, SOC workflows, incident response, attack surface mapping, mail security review, provider dependency analysis, brand protection, compliance documentation, and authorized security assessments. Because it is experimental, results should be treated as point-in-time discovery intelligence and validated with additional DNS, WHOIS, ASN, HTTP, TLS, screenshot, passive DNS, and asset inventory sources before drawing final conclusions.


Revision #1
Created 17 June 2026 20:52:21 by NiamonX Team
Updated 17 June 2026 20:55:47 by NiamonX Team