Subbrute – This is a DNS meta-query spider that pulls DNS records, and subdomains list.
DNScan – A DNS subdomain scanner. This is built on python and can be installed on server.
Sublist3r – An ultra fast domain and subdomain enumeration tool. Also based on python.
Knock – Also known as Knockpy as it is developed in python. Freely available on GitHub.
Recon-Ng – Complex tool with brute_hosts module that facilitates you to bruteforce on domains for subdomains.
DNSRecon – Originally available in Kali Linux.
Reverse DNS lookup
“whois lookup registered to” inurl:ip-address-lookup
“whois lookup registered to” inurl:domaintools
Now run fierce.pl -range on the IP ranges you find to lookup dns names
fierce -range 126.96.36.199-205 -dnsserver 188.8.131.52