DNSwalk is a perl script that will double check the target NS against zone transfers I tried it on a few .edu's and they all refused.
Originally Posted by HACK-IT
Long story short, I'd use Men and Mice web app and then brute force it with a python script and go for range based on the info i get from men and mice.
dns = DNS(rd=1,qd=DNSQR(qname=host))
response = sr1(IP(dst='192.168.1.1')/UDP()/dns);
answer = response.getlayer(DNS).an