docs/md_v2/core/domain-mapping.md
Domain mapping goes beyond URL seeding. Instead of checking a single sitemap or index, DomainMapper combines 8 discovery sources to find every URL under a domain — including subdomains you didn't know existed.
| Aspect | AsyncUrlSeeder | DomainMapper |
|---|---|---|
| Scope | Single host, listed URLs only | Entire domain + all subdomains |
| Sources | Sitemap + Common Crawl | 8 sources (sitemap, CC, Wayback, crt.sh, probe, robots.txt, feeds, homepage) |
| Subdomain discovery | No | Yes (Certificate Transparency, DNS, Wayback) |
| Soft-404 detection | No | Yes (fingerprints SPA sites) |
| Best for | Known domains with good sitemaps | Full domain reconnaissance |
Real-world example: For superdesign.dev, AsyncUrlSeeder found 4 URLs. DomainMapper found 171 URLs across 11 hosts — including docs, API servers, staging environments, and analytics dashboards that no sitemap listed.
import asyncio
from crawl4ai import DomainMapper, DomainMapperConfig
async def main():
async with DomainMapper() as mapper:
results = await mapper.scan("example.com")
print(f"Found {len(results)} URLs")
for r in results[:10]:
print(f" [{r['source']}] {r['url']}")
if r.get("head_data", {}).get("title"):
print(f" Title: {r['head_data']['title']}")
asyncio.run(main())
Or via AsyncWebCrawler:
from crawl4ai import AsyncWebCrawler, DomainMapperConfig
async with AsyncWebCrawler() as crawler:
results = await crawler.amap_domain("example.com")
DomainMapper combines these sources, each catching URLs the others miss:
sitemap — Sitemap DiscoveryChecks /sitemap.xml, /sitemap_index.xml, and robots.txt Sitemap: directives on every discovered host — not just the root domain.
config = DomainMapperConfig(source="sitemap")
cc — Common CrawlQueries the Common Crawl CDX API for *.domain.tld/*, catching URLs and subdomains the web's largest public crawl has indexed.
config = DomainMapperConfig(source="cc")
wayback — Wayback MachineQueries the Internet Archive's CDX API. Often has different coverage than Common Crawl — including historical pages that have since been removed.
config = DomainMapperConfig(source="wayback")
crt — Certificate TransparencyQueries crt.sh for SSL certificates issued to *.domain.tld. This is the single most effective subdomain discovery technique — it found 14 subdomains for superdesign.dev that no other source knew about.
config = DomainMapperConfig(source="crt")
probe — Common Path ProbingTries ~25 well-known paths on each discovered host (/docs, /api, /login, /dashboard, /openapi.json, etc.). Combined with soft-404 detection to avoid false positives.
config = DomainMapperConfig(source="probe")
# Add custom paths to probe
config = DomainMapperConfig(
source="probe",
probe_paths=["/custom-api", "/internal/status"]
)
robots — robots.txt Path MiningParses Disallow: and Allow: lines from robots.txt. These are confirmed real paths the site acknowledges exist — often revealing admin panels, APIs, and internal tools that aren't linked anywhere.
config = DomainMapperConfig(source="robots")
feed — RSS/Atom Feed ParsingDiscovers and parses RSS/Atom feeds at common paths (/feed, /rss, /atom.xml, etc.). Feeds are curated lists of content URLs maintained by the site.
config = DomainMapperConfig(source="feed")
homepage — Homepage Link ExtractionFetches each host's homepage via HTTP and extracts all internal links using quick_extract_links(). Also mines <link rel="alternate|preload|prefetch"> tags from the <head> for additional URLs. No browser needed.
config = DomainMapperConfig(source="homepage")
Sources are combined with +:
# Default: most useful combination
config = DomainMapperConfig(source="sitemap+cc+crt+probe")
# Maximum coverage: all 8 sources
config = DomainMapperConfig(
source="sitemap+cc+wayback+crt+probe+robots+feed+homepage"
)
# Lightweight: just sitemap + probing
config = DomainMapperConfig(source="sitemap+probe")
DomainMapper first discovers all subdomains under your domain:
superdesign.dev
├── crt.sh → docs, app, cloud, insights, staging-api, ui2web, ...
├── Wayback CDX → api, app, docs, www, ...
├── Common Crawl → app, www, ...
└── DNS guessing → www, app, api, docs, blog, admin, cloud, ...
Result: 13 validated hosts
Each discovered host is validated with an HTTP HEAD request. Hosts that don't respond are dropped.
For each validated host, DomainMapper runs all enabled sources in parallel:
docs.superdesign.dev
├── Soft-404 fingerprint → (404 returns proper error — no SPA issue)
├── robots.txt → 1 sitemap URL, 1 disallow path
├── Sitemap parsing → 19 URLs
├── Path probing → 2 valid (/docs, /)
├── Feed discovery → (no feeds found)
└── Homepage extraction → 26 internal links
All discovered URLs go through:
normalize_url() to canonicalize<head> fetching for metadata (optional)Many modern SPAs return HTTP 200 for every URL — even pages that don't exist. DomainMapper detects this:
/c4ai-probe-a1b2c3d4) on each hostFor superdesign.dev, this correctly:
app.superdesign.dev (SPA that returns 200 for everything)app.superdesign.dev (all rendering the same shell)docs.superdesign.dev# Soft-404 detection is on by default
config = DomainMapperConfig(soft_404_detection=True)
# Disable if you want raw results
config = DomainMapperConfig(soft_404_detection=False)
| Parameter | Type | Default | Description |
|---|---|---|---|
source | str | "sitemap+cc+crt+probe" | Discovery sources joined by + |
max_urls | int | -1 | Maximum URLs to return (-1 = unlimited) |
concurrency | int | 50 | Max concurrent requests across all hosts |
hits_per_sec | int | 10 | Rate limit in requests/second |
force | bool | False | Bypass all caches |
extract_head | bool | True | Fetch and parse <head> metadata |
filter_nonsense_urls | bool | True | Filter static assets and utility URLs |
soft_404_detection | bool | True | Fingerprint and filter soft-404 pages |
query | str | None | BM25 relevance query (requires extract_head=True) |
score_threshold | float | None | Minimum relevance score (0.0-1.0) |
scoring_method | str | "bm25" | Scoring algorithm |
probe_paths | List[str] | None | Extra paths to probe on each host |
common_subdomains | List[str] | None | Extra subdomain prefixes to guess |
use_browser_for_homepage | bool | False | Use Playwright for JS-rendered homepages |
verbose | bool | None | Override logger verbose setting |
cache_ttl_hours | int | 24 | Hours before cached results expire |
dns_timeout | float | 3.0 | Timeout for DNS resolution (seconds) |
http_timeout | float | 10.0 | Timeout for HTTP requests (seconds) |
Each result is a dict:
{
"url": "https://docs.superdesign.dev/quickstart",
"host": "docs.superdesign.dev",
"source": "homepage+sitemap", # which source(s) found it
"status": "valid", # valid | not_valid | soft_404
"head_data": { # if extract_head=True
"title": "Quickstart",
"meta": {"description": "..."},
"link": {...},
"jsonld": [...]
},
"relevance_score": 0.85, # if query provided
}
import asyncio
from crawl4ai import AsyncWebCrawler, DomainMapperConfig, CrawlerRunConfig
async def crawl_all_docs():
async with AsyncWebCrawler() as crawler:
# Step 1: Discover all URLs
pages = await crawler.amap_domain("example.com", DomainMapperConfig(
source="sitemap+crt+probe+homepage",
extract_head=True,
query="documentation tutorial guide",
))
# Step 2: Filter for docs
doc_urls = [
p["url"] for p in pages
if p.get("relevance_score", 0) > 0.3
]
print(f"Found {len(doc_urls)} documentation pages")
# Step 3: Crawl them
results = await crawler.arun_many(
doc_urls[:50],
config=CrawlerRunConfig(only_text=True)
)
for r in results:
if r.success:
print(f" Crawled: {r.url}")
asyncio.run(crawl_all_docs())
async def audit_domain():
async with DomainMapper() as mapper:
results = await mapper.scan("company.com", DomainMapperConfig(
source="crt+probe+robots",
extract_head=True,
probe_paths=[
"/openapi.json", "/swagger.json", "/api-docs",
"/graphql", "/.env", "/debug", "/admin",
"/phpinfo.php", "/server-status",
],
))
# Flag exposed services
for r in results:
title = r.get("head_data", {}).get("title", "")
if any(x in title.lower() for x in ["swagger", "api", "admin", "debug"]):
print(f" EXPOSED: {r['url']} — {title}")
async def map_infrastructure():
async with DomainMapper() as mapper:
results = await mapper.scan("company.com", DomainMapperConfig(
source="crt+probe",
extract_head=False,
))
# Group by host
from collections import defaultdict
by_host = defaultdict(list)
for r in results:
by_host[r["host"]].append(r)
print(f"Discovered {len(by_host)} hosts:")
for host, urls in sorted(by_host.items()):
print(f" {host}: {len(urls)} URLs")
Start with the default sources (sitemap+cc+crt+probe). Add wayback, robots, feed, and homepage if you need maximum coverage.
Use extract_head=False for speed when you just need URL lists. Head extraction makes ~1 HTTP request per URL.
The query parameter is powerful for finding specific content across a large domain without crawling anything.
probe_paths is your extensibility hook — add domain-specific paths you suspect exist.
Rate limiting matters — hits_per_sec=10 is respectful. Lower it for smaller sites, raise it for your own infrastructure.
Soft-404 detection is critical for SPAs — without it, single-page apps flood your results with hundreds of identical shell pages.