Is it possible to find all subdomains for a certain domain?
No, there's no way other than brute-forcing.
And if you try that, you'll likely find yourself blacklisted.
Try this brute-force script in Linux. It uses reverse DNS lookup (one name per IP), so it can't find virtual hosts (when more than one name is at one IP).
vi /tmp/dnsscan.sh
Type i and paste this:
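#!/bin/bash
# Reverse-DNS (PTR) sweep of one /24; pass the first three octets as $1.
IPPFX=$1
for i in `seq 1 255` ; do LIST="$LIST ${IPPFX}.$i" ; done
for i in $LIST ; do
    # Look up the PTR record; skip addresses that have none.
    ENTRY="`host $i`"
    [ $? -ne 0 ] && continue
    # Keep only the hostname: drop everything up to the last space and the trailing dot.
    ENTRY=`echo "$ENTRY" | sed -e 's/.* //' -e 's/\.$//'`
    echo -e "$i\t$ENTRY"
done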
Then type [Esc]:wq and run
chmod 700 /tmp/dnsscan.sh
Then:
/tmp/dnsscan.sh your.ipv4.address
Replace your.ipv4.address with the IPv4 address without the last octet!
For example, http://www.wikipedia.org has the following IP address: 208.80.152.201, so you need to execute this:
/tmp/dnsscan.sh 208.80.152
The result will be:
208.80.152.1 vrrp-gw-100.wikimedia.org
208.80.152.2 rr.pmtpa.wikimedia.org
208.80.152.3 upload.pmtpa.wikimedia.org
208.80.152.5 m.pmtpa.wikimedia.org
208.80.152.6 owa.wikimedia.org
208.80.152.7 payments.wikimedia.org
208.80.152.10 lvs-svc-test.wikimedia.org
... and so on
If you need to find virtual hosts, try Bing.com with the real IP:
Example: http://www.bing.com/search?q=IP:208.80.152.201
Your client should have access to, and in some way control over, the nameservers that are authoritative for his domains.
Why not ask the DNS admin for a zone download/export?
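
A zone export of the kind suggested in the answer above already lists every name, so no sweep is needed. As an added example (not part of the original posts), this shell function extracts the fully qualified owner names from a BIND-style export; the names list_zone_names and sample_zone and the zone data itself are constructed for illustration, and one record per line is assumed.

```shell
#!/bin/bash
# Added example: list every owner name in a BIND-style zone export.
# Assumes one record per line; multi-line parenthesised records are not handled.

# Usage: list_zone_names <origin> < zonefile
list_zone_names() {
    awk -v origin="$1" '
    BEGIN { sub(/\.$/, "", origin); origin = tolower(origin) }
    { sub(/;.*/, "") }                  # strip comments
    /^[ \t]*$/ { next }                 # skip blank lines
    toupper($1) == "$ORIGIN" {          # origin changes inside the file
        origin = tolower($2); sub(/\.$/, "", origin); next
    }
    /^\$/ { next }                      # other directives ($TTL, $INCLUDE)
    /^[ \t]/ { next }                   # blank owner: same name as previous record
    {
        name = tolower($1)              # DNS names are case-insensitive
        if (name == "@") { name = origin }
        else if (name ~ /\.$/) { sub(/\.$/, "", name) }   # already fully qualified
        else { name = name "." origin }                   # relative to the origin
        if (!(name in seen)) { seen[name] = 1; print name }
    }'
}

# Constructed sample export (documentation address ranges only).
sample_zone() {
    cat <<'EOF'
$ORIGIN example.com.
$TTL 3600
@        IN SOA ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300
@        IN NS  ns1
         IN MX  10 mail
ns1      IN A   192.0.2.1
www      IN A   192.0.2.10
WWW      IN AAAA 2001:db8::10
mail     IN A   192.0.2.25   ; constructed record
vpn.corp IN CNAME gw.example.net.
dev.example.com. 300 IN A 192.0.2.44
$ORIGIN lab.example.com.
build    IN A   192.0.2.60
EOF
}

sample_zone | list_zone_names example.com
```

Unlike the PTR sweep, this also covers names that share an IP address and names hosted outside the scanned /24.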