Listing the complete zone for a domain

I use this very rarely so I always forget it again and again. You can list all the subdomains of e.g. a top-level domain like this:
  1. host -t NS example.com
    Find a nameserver in the output of the DNS lookup.
  2. host -t AXFR example.com <name_server>
    where <name_server> comes from the first step.
Of course most DNS servers deny such requests, so don't be surprised if you get a "Host example.com not found: 5(REFUSED)" error in the second step (or you may get no response at all).
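The two steps above can be combined into a check that every nameserver of a zone you operate refuses transfers. This is an added example, not part of the original post; the function names `classify_axfr` and `audit_zone` are hypothetical, and apart from the REFUSED line quoted above, the strings matched in the `host` output are assumptions about its wording.

```shell
#!/bin/sh
# Classify the text printed by `host -t AXFR <zone> <name_server>`.
# Prints one of: refused, no-response, open, unknown.
classify_axfr() {
    out=$1
    case $out in
        # The error quoted in the post: the server denied the transfer.
        *REFUSED*|*"Transfer failed"*) echo refused ;;
        # Nothing came back at all (assumed wording of host's timeout message).
        ""|*"timed out"*|*"no servers could be reached"*) echo no-response ;;
        # A zone transfer starts and ends with the SOA record, so seeing one
        # is treated here as "the zone was handed over" (assumption).
        *SOA*) echo open ;;
        *) echo unknown ;;
    esac
}

# Step 1: list the zone's nameservers. Step 2: request AXFR from each one.
# Prints "<name_server><TAB><result>" per server.
audit_zone() {
    zone=$1
    host -t NS "$zone" | awk '/name server/ { print $NF }' |
    while read -r ns; do
        out=$(host -t AXFR "$zone" "$ns" 2>&1)
        printf '%s\t%s\n' "$ns" "$(classify_axfr "$out")"
    done
}

# Only touch the network when a zone is given: ./audit.sh example.com
if [ "$#" -gt 0 ]; then
    audit_zone "$1"
fi
```

Any server reported as `open` is serving the full zone to whoever asks and should have transfers restricted to its secondaries.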