Attack Surface & Asset Discovery

Find every subdomain, every IP, every forgotten dev environment your organization has exposed in DNS.

Most breaches start with an asset the security team didn't know existed.

Get Continuous Monitoring

Why Attack Surface Discovery Matters

You can't protect what you don't know you own.

Modern engineering teams spin up subdomains constantly: staging.app.example.com, old-api.example.com, vendor-test.example.com. Some get shut down. Some don't. Most security inventories miss the ones that don't.

DNSArchive sees every domain that resolves — including the ones your own engineers register on personal credit cards and forget about. With 509+ million domains archived and historical DNS records going back years, you can map your full external footprint in seconds:

  • Every subdomain ever observed under your apex
  • Every IP your domains have ever pointed at
  • Every other domain hosted on those same IPs (good for finding shared infra you didn't know about)
  • Historical changes — when did this hostname start resolving? When did it move IPs?

What You Can Find

Concrete examples of attack-surface discovery using DNSArchive.

Forgotten Dev Environments

staging-, test-, demo-, old- subdomains that your team thought were retired but are still resolving.

Shadow IT

SaaS subdomains under your apex that no one in security registered — provisioning trails from departed employees, marketing-led tools, etc.

Vendor Footprint

Which third parties are operating subdomains under your DNS. Vendor management isn't always up-to-date with the actual DNS reality.

Historical Infrastructure

What IPs has app.example.com resolved to over the past three years? Useful for incident response and confirming infrastructure migrations are complete.

Shared Hosting Risks

Reverse-IP lookup shows what other domains live on your servers. A breach there could pivot to you.

Continuous Monitoring

Add your apex domains as “brands” to get alerted whenever a new subdomain appears or any infrastructure changes.

Free to start. Continuous when you need it.

Search the database for free. Subscribe for monitoring.

The full 509M+ domain database is free to search at /search — no signup required. Try a search for your own apex domain right now and see what shows up.

When you're ready for continuous monitoring, our paid plans add: alerts when new subdomains appear, infrastructure-change detection, the JSON API for programmatic access, and pre-grouped per-brand dashboards.

View Plans Try a search

External attack surface, observed from the outside

DNSArchive is a passive-DNS dataset. We see what the public internet sees: domains that resolve, IPs they point at, and the records published in their zones. No agents, no integrations on your end — which is also exactly what an attacker doing reconnaissance would see. The fastest way to get on your own attacker's blind side is to look at your own external surface from their angle.

Pair this with our Brand Protection feature for a full picture: your own assets on one side, every domain trying to look like you on the other.

Map your surface today

Free to search. $20/month for continuous monitoring.

View Plans