First we need to find out which nameserver is authoritative for the given domain. Then we send an AXFR query ( http://en.wikipedia.org/wiki/DNS_zone_transfer ) to that nameserver.
# let's dig the server
dig example.com
# from the DNS answer we are interested in the authority section
#;; AUTHORITY SECTION:
#example.com. 79275 IN NS a.iana-servers.net.
#example.com. 79275 IN NS b.iana-servers.net.
# now we find out all subdomains
dig @a.iana-servers.net example.com axfr
# in this example we get "Transfer failed." but some NS could return something like
#dev.example.com. 1800 IN A 22.214.171.124
#dev2.example.com. 1800 IN A 126.96.36.199
Note that some DNS servers don't answer AXFR queries and return "; Transfer failed".
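The same two dig steps, turned into a check an administrator can run against a zone they operate to see which of its nameservers still allow transfers. This is an added example, not part of the original text; the function names are hypothetical and the sample dig output is constructed.

```shell
#!/bin/sh
# classify_axfr: read `dig ... axfr` output on stdin and print
#   "refused"       if the transfer failed or returned no records
#   "open <count>"  if resource records came back
classify_axfr() {
    awk '
        /Transfer failed/ { failed = 1 }
        /^[ \t]*(;|$)/    { next }        # skip dig comments and blank lines
        $3 == "IN"        { records++ }   # record lines: name TTL IN type rdata
        END {
            if (failed || records == 0) print "refused"
            else print "open " records
        }'
}

# audit_zone ZONE: attempt AXFR against every NS of ZONE and report per server.
audit_zone() {
    for ns in $(dig +short NS "$1"); do
        result=$(dig +time=5 +tries=1 @"$ns" "$1" axfr | classify_axfr)
        printf '%s\t%s\n' "$ns" "$result"
    done
}

# Constructed sample outputs (not captured from a real server).
sample_refused() {
    printf '%s\n' '; <<>> DiG <<>> @a.iana-servers.net example.com axfr' \
                  '; Transfer failed.'
}
sample_open() {
    cat <<'EOF'
example.com.      1800 IN SOA ns.example.com. admin.example.com. 1 7200 3600 1209600 1800
dev.example.com.  1800 IN A   22.214.171.124
dev2.example.com. 1800 IN A   126.96.36.199
example.com.      1800 IN SOA ns.example.com. admin.example.com. 1 7200 3600 1209600 1800
;; XFR size: 4 records
EOF
}

# Run as: sh audit_axfr.sh example.com   (script name is a placeholder)
if [ "$#" -gt 0 ]; then
    audit_zone "$1"
fi
```

A nameserver reported as open hands the whole zone to the querying host; transfers are normally restricted to the zone's secondary servers.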