PLEASE DO NOT USE TOOLS LISTED HERE FOR ANY ILLEGAL OPERATION!
An option that DNSenum offers is the Google Scraping which it queries google search pages to discover various domain names of the target domain. This feature is very useful when zone transfer is disabled in target. What it does is trying to get results from google by using following command, where www is omitted:
allinurl: -www site:example.com
dnsenum -p 7 -s 9 example.com
p -> number of google search pages to process when scraping names
s -> maximum number of subdomains that will be scraped from Google
If below message is displayed as a result of dnsenum google scraping options, paste google dork mentioned above in google search page to receive results.
DNSenum without any option will get us host addresses, name servers and mail servers.
After getting above information dnsenum will attempt zone transfer as shown below, from the nameservers identified. It could yield additional information like sub-domains.
Attempting to connect manually on the sub-domains identified via zone transfer could yield more information about target domain.