Sign in Get a demo

Every subdomain we observe, in one snapshot.

Approximately 2B subdomains discovered through active scanning, passive DNS, certificate transparency, and web crawling. The same dataset that drives Deepinfo's own subdomain finder, exposed as a daily bulk feed.

Talk to us Browse API docs
WHAT'S IN THIS FEED

One row per observed subdomain, across the public internet.

The All Subdomains Feed is the foundation dataset for any workflow that needs to know what hostnames exist. Every subdomain Deepinfo has observed across passive DNS, active resolution, certificate transparency logs, and web crawling, in a single bulk file rebuilt every 24 hours.

Each record is a fully qualified domain. The feed merges signals across four discovery surfaces, deduplicates, and carries forward only entries with confirmed observation in the last refresh window. Sources include passive DNS partnerships, active scanning of registered apex domains, CT-log monitoring across all major operators, and Deepinfo's own crawlers.

The current snapshot reports approximately 2B rows; the exact number is in the line_count field. For richer per-subdomain context like resolved IPs, certificates, or banner data, use this feed as the seed and follow up with the lookup APIs.

HOW IT'S DELIVERED

Bulk download, refreshed daily.

A single API call returns the metadata for the latest snapshot, including a signed download URL. Authenticate with an API token scoped to the feed.

Delivery

Bulk download. The API call returns metadata plus a signed download_url pointing to the latest snapshot file. Download via HTTPS; existing customers can switch to S3 or SFTP delivery on request.

Format

JSON or CSV. Pass file_format=json or file_format=csv on the request.

Refresh cadence

Daily snapshot. Rebuilt every 24 hours, incorporating new discoveries from the previous day. Each snapshot is timestamped on file_update_time.

Authentication

API token in the request header. Tokens are scoped per feed; rotate from the dashboard. Full schema and integration examples at docs.deepinfo.com.

SAMPLE RECORD

What you actually get.

The API response, with the metadata for the current snapshot:

{
  "download_url": "https://feeds.deepinfo.com/all-subdomains/2026-05-02/all-subdomains.json.gz?...",
  "file_format": "json",
  "file_size": 41284773821,
  "file_update_time": "2026-05-02T03:14:27Z",
  "line_count": 2071483921
}

A few representative lines from the JSON-formatted file at download_url:

{"fqdn":"www.example.com"}
{"fqdn":"api.example.com"}
{"fqdn":"mail.deepinfo.com"}
{"fqdn":"login.contoso.io"}
{"fqdn":"staging.acme.dev"}
WHAT YOU CAN DO WITH IT

Workflows this feed powers directly.

Attack Surface Management

Cross-reference your apex domains against the global subdomain set to find subdomains you don't own but probably should monitor.

Read the use case

Domain Intelligence and Research

Pivot from any apex into the full subdomain footprint observed across passive DNS, CT logs, and active resolution.

Read the use case

Threat Hunting

Build hypotheses against the same indexed subdomain corpus that drives Deepinfo's own discovery pipeline.

Read the use case

“We compare incoming threat IOCs against the full subdomain corpus to catch infrastructure attribution that single-source data would miss. 2B subdomains in one snapshot replaced four overlapping subscriptions we used to maintain.”

— Principal Engineer, Threat Intelligence Platform
CONTINUE EXPLORING

Other bulk feeds.

DATA FEED

Every registered domain name, in one snapshot.

The complete list of all 400M+ registered domain names across every active TLD.

See feed
GET STARTED

Pull the dataset, or have us walk you through it.

Most teams start with a sample slice to validate schema and fit. We'll set up token access and walk through integration patterns for your stack.

Talk to us Browse API docs