If a nameserver has not been secured to restrict zone transfers you can request one to see all the records in a particular domain zone by using Dig –
So to find a nameserver for a particular domain:
dig domain.com ns
Then to find if you can get all the records use the namesever of that particular domain to search the domain:
dig @nameserver.com domain.com axfr
So lets look at bbc.com
dig bbc.com ns
And you get 3 nameservers:
;; ANSWER SECTION: bbc.com. 900 IN NS ns1.tcams.bbc.co.uk. bbc.com. 900 IN NS ns1.thdow.bbc.co.uk. bbc.com. 900 IN NS ns1.rbsov.bbc.co.uk.
Then query one of the nameservers with the domain followed by axfr
dig @ns1.tcams.bbc.co.uk bbc.com axfr
You are either returned the full list of A records if the nameserver is unsecured or it will fail with the following:
; <<>> DiG 9.8.3-P1 <<>> @ns1.tcams.bbc.co.uk bbc.com axfr ; (1 server found) ;; global options: +cmd ; Transfer failed.