5 ways subdomain enumeration breaks (and how to handle each)

DEV Community·Osiris Technical Institute·20 days ago

Subdomain enumeration looks easy. There's a wordlist. There are CT logs. There's a DNS resolver. Plug them together, return a list. Maybe sort it.

Then you run it on 50 different domains for the first time and notice that the results are wildly inconsistent. Sometimes you get 3 subdomains. Sometimes you get 30,000. Sometimes you get an empty array on a domain that should have an obvious hit.

The tool isn't broken — it's quietly failing in five different ways, depending on the input. Here's what each one looks like in production, and how to build a tool that actually returns useful results across arbitrary inputs.

1. CT log sources go down silently

The most common single source is crt.sh. It has fantastic coverage, it's free, and its uptime is... not consistent. A naive implementation hits crt.sh, gets a non-200 or an empty array, and treats the result as "no subdomains found." Which is technically what crt.sh returned. But it's wrong.…
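The silent failure described in section 1, shown as an added example that is not the article's own code: a naive parser next to one that keeps "the source failed" separate from "the source answered with nothing". It assumes a crt.sh-style JSON array whose rows carry a `name_value` field; the source names `ct_a` and `ct_b`, the state and verdict labels, and the sample responses are constructed for illustration.

```python
import json
from dataclasses import dataclass, field

@dataclass
class SourceResult:
    state: str                                  # "ok", "empty" or "failed"
    names: set = field(default_factory=set)
    reason: str = ""

def naive_parse(status, body):
    """Failure mode from the article: every problem collapses to 'no subdomains'."""
    try:
        return {r["name_value"] for r in json.loads(body)} if status == 200 else set()
    except (ValueError, KeyError, TypeError):
        return set()

def parse_ct_response(status, body, domain):
    """Classify one source's answer instead of flattening it to a list."""
    if status != 200:
        return SourceResult("failed", reason=f"HTTP {status}")
    try:
        rows = json.loads(body)
    except ValueError:
        return SourceResult("failed", reason="body is not JSON")
    if not isinstance(rows, list):
        return SourceResult("failed", reason="unexpected JSON shape")
    names = set()
    for row in rows:
        value = row.get("name_value") if isinstance(row, dict) else None
        # One certificate row can list several names, one per line.
        for name in (value.splitlines() if isinstance(value, str) else []):
            name = name.strip().lower().removeprefix("*.")
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return SourceResult("ok" if names else "empty", names)

def combine(results):
    """Union names across sources; never report a clean 'none found' if one failed."""
    names = set().union(*(r.names for r in results.values()))
    failed = sorted(k for k, r in results.items() if r.state == "failed")
    if names:
        return ("partial" if failed else "complete"), names, failed
    return ("unknown" if failed else "none-found"), names, failed

# Constructed sample responses (not captured from any real service).
SAMPLES = {
    "ct_a": (502, "<html>Bad Gateway</html>"),
    "ct_b": (200, '[{"name_value": "api.example.com\\n*.dev.example.com"}]'),
}
```

A caller that sees `partial` or `unknown` can retry or flag the run rather than recording an empty result for the domain.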
