What if you have a wildcard cert for *.example.com?

Much better. But you still leave traces from DNS queries.

Subfinder has a lot of sources to find subdomains, not only certs: https://github.com/projectdiscovery/subfinder