Subfinder Tutorial for Beginners: Passive Subdomain Enumeration Like a Pro

bugbounty #subfinder #cybersecurity In this **Subfinder tutorial for beginners**, you'll learn **passive subdomain discovery** like a pro. Whether you're into **bug bounty recon** or just getting started, this **Subfinder full guide** covers everything from installation to advanced flags. By the end of this video, you'll master **subdomain enumeration** using one of the most powerful **dns recon tools** from **project discovery subfinder**. --- ## 🔍 What You'll Learn: ✅ What is passive subdomain discovery and why it matters ✅ Subfinder active vs passive mode – key differences explained ✅ How to find subdomains passively without touching the target ✅ Subfinder flags explained – all 19 essential flags ✅ Subfinder recursive enumeration for deep subdomain discovery ✅ Subdomain discovery for beginners – step by step ✅ Subfinder vs Amass – which one should you use? ✅ Subfinder API key setup for premium sources ✅ Real-world bug bounty tools 2026 workflow --- ## 🛠️ Commands Used in This Video: ```bash # Basic passive scan subfinder -d example.com # Save output to file subfinder -d example.com -o subdomains.txt # Multiple domains at once subfinder -dL targets.txt -o all_subs.txt # Use specific sources only subfinder -d example.com -s crtsh,github,shodan # Exclude problematic sources subfinder -d example.com -es zoomeyeapi,alienvault # Active DNS resolution mode subfinder -d example.com -active -r 8.8.8.8,1.1.1.1 # JSON output with source collection subfinder -d example.com -oJ -cs -o output.json # Recursive enumeration subfinder -d example.com -recursive # Custom resolvers subfinder -d example.com -active -rL resolvers.txt # Filter results subfinder -d example.com -match api.,admin. -filter test. # Rate limiting subfinder -d example.com -rls github=30/m,shodan=1/s # Production-ready command subfinder -d target.com -s crtsh,github,securitytrails -active -rL dns.txt -oJ -cs -filter test. -o final_output.json In this complete walkthrough, I explain ALL 19 essential Subfinder flags – from passive enumeration to active DNS resolution, source control, rate limiting, JSON output, recursive mode, and real-world workflows. 📌 **Timestamps:** 0:00 – What is Subfinder? 1:20 – Passive vs Active (Why It Matters) 3:45 – Basic Syntax & First Command 5:30 – Multiple Domains (Batch Mode) 7:10 – Controlling Sources (-sources) 8:50 – Excluding Sources (-exclude-sources) 10:15 – Rate Limiting (-rls) 12:00 – Active Mode & DNS Resolution (-active) 14:20 – JSON Output (-oJ) & Collecting Sources (-cs) 16:00 – Custom Resolvers (-rL) 17:30 – Filtering Results (-match / -filter) 19:00 – Recursive Enumeration (-recursive) 20:15 – Provider Config (API Keys) 22:00 – Stats & Debugging (-stats / -v) 23:30 – Timeout & Max-Time Control 25:00 – Real-World Production Command 📂 **Useful Links:** - Subfinder GitHub: https://github.com/projectdiscovery/subfinder 💬 Questions? Drop a comment below. I reply to every single one. Which subdomain discovery tool do you prefer – Subfinder or Amass? 🔔 Subscribe for More: More bug bounty recon tutorials, dns recon tool deep dives, and bug bounty tools 2026 updates coming every week. 🔔 **Subscribe for more bug bounty & recon deep dives.** #subfinder #bugbounty #subdomainenumeration #recon #cybersecurity #bugbounty #subfinder #cybersecurity #recon #ethicalhacking #infosec #subdomainenumeration #pentesting #projectdiscovery #dnsrecon