If you are trying to find all available sub-domains for a domain, you have a few options available:

1. axfr - Most likely won't work, as the DNS server probably isn't configured to transfer zones to any host.
2. Brute Force - There are tools, such as dnsmap, that will use wordlists to guess sub-domains. Here is a tutorial on dnsmap: http://itswapshop.com/tutorial/dnsmap-30-find-subdomains-brute-forcing
3. Google - Since Google indexes everything, naturally they would have indexed the public facing web servers of the sub-domains you are trying to find.

Using Google is the first thing you want to try, as brute forcing is a questionable technique, and you probably won't be able to perform a zone transfer. Using Google to find sub-domains is also the only passive method for searching sub-domains. The other two methods involve directly querying DNS servers. Using custom Google queries related to the domain name and then filtering through the search results looking for sub-domains is effective, but can become quite a pain. This is where gxfr.py comes in. It automates the entire process. Here is a link to the google code page:

http://code.google.com/p/gxfr/

To download and install, run these commands:

wget http://ptscripts.googlecode.com/svn/trunk/gxfr.py
chmod +x gxfr.py
sudo mv ./gxfr.py /usr/local/bin

In the script's most simple form, you will get results like this:

gxfr.py yahoo.com
[-] domain: yahoo.com
[-] user-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)
[-] querying search engine, please wait...
[-] all available subdomains found...
[-] successful queries made: 16

[subdomains] - 83
co.yahoo.com
ve.yahoo.com
cl.yahoo.com
nz.yahoo.com
se.yahoo.com
pe.yahoo.com

While not all listed here, the script found 83 sub-domains for yahoo.com in about 1 minute. Much more time efficient than brute forcing. The script includes much more advanced features, such as:

• Using encrypted queries
• DNS lookup for sub-domains
• Proxies
• Shunning prevention

Run gxfr.py --help to see a list of all available options:

gxfr.py --help
  Syntax: ./gxfr.py domain [options]
 
  -h, --help               this screen
  -v                       enable verbose mode
  -t [num of seconds]      set number of seconds to wait between queries (default=15)
  -q [max num of queries]  restrict to maximum number of queries (default=0, indefinite)
  --dns-lookup             enable dns lookups of all subdomains
  --proxy [file|ip:port|-] use a proxy or list of open proxies to send queries (@random w/list)
                             - [file] must consist of 1 or more ip:port pairs
                             - replace filename with '-' (dash) to accept stdin
  --user-agent ['string']  set custom user-agent string
  --timeout [seconds]      set socket timeout (default=system default)
 
  Examples:
  $ ./gxfr.py foxnews.com --dns-lookup -v
  $ ./gxfr.py foxnews.com --dns-lookup --proxy open_proxies.txt --timeout 10
  $ ./gxfr.py foxnews.com --dns-lookup -t 5 -q 5 -v --proxy 127.0.0.1:8080
  $ curl http://rmccurdy.com/scripts/proxy/good.txt | ./gxfrpy foxnews.com -v --proxy -

gxfr.py is currently at version 1.5 and is written in Python 2.7.