Finding all domains registered in a nameserver

Solution 1:

There are two ways that a domain name => DNS server map can be constructed:

  1. Zone file access: some registries grant access to their zone files to their registrars and other entities. This makes it pretty easy to determine which domains in those zones are delegated to a given DNS server. This is how DomainTools.com provides their Name Server Spy product. This is the most reliable method, but is obviously limited to the zone files that they have access to.
  2. Passive DNS. This involves examining traffic through recursive DNS servers at ISPs and reconstructing zone data based on what's seen. This method lets you discover information from the entire DNS space, but is less reliable, as changes take longer to appear in your database, and it won't recover information about domains that get few or no queries.

Solution 2:

As far as I know they're just building a database of domain names and the associated authoritative name servers. You're just searching that database with their web interface and seeing a list of results that, through "normal" DNS channels, would be rather difficult to get (without generating a lot of queries). It's a little bit like a telephone "reverse directory": it's the same information that DNS gives out to normal SOA lookups, but given to you in a bit of a "backward" manner to facilitate types of searches that would normally be difficult.
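The "reverse directory" both answers describe is easy to build once you have a zone file (Solution 1, method 1): index every NS record at a zone cut by its nameserver instead of by its owner name. The following is an added example written for this page, not code from either answer or from any vendor. The zone excerpt is constructed in BIND zone-file syntax; `example.`, `hoster.net` and `other.org` are placeholder names, not real delegations. Numeric TTLs only, no `$INCLUDE` handling.

```python
"""Build a nameserver -> delegated-domains reverse index from a TLD zone file.

Added example for this page. SAMPLE_ZONE is a constructed excerpt, and
hoster.net / other.org are placeholder nameserver operators.
"""
from collections import defaultdict

# Constructed zone-file fragment. Real zone files contain $ORIGIN/$TTL
# directives, comments, owner-less continuation lines, mixed-case names and
# glue A/AAAA records, so the parser has to cope with all of those.
SAMPLE_ZONE = """\
$ORIGIN example.
$TTL 172800
; delegations: one NS record per nameserver at each zone cut
alpha                 IN NS ns1.hoster.net.
                      IN NS ns2.hoster.net.
beta                  IN NS ns1.hoster.net.
gamma.example.  86400 IN NS ns1.other.org.
delta       IN  NS  NS1.HOSTER.NET.     ; same server, different case
epsilon               IN NS ns.epsilon   ; in-bailiwick (relative) nameserver
ns.epsilon            IN A  192.0.2.53   ; glue, not a delegation
ns1.hoster.net.       IN A  192.0.2.10   ; glue for an out-of-zone server
"""


def _normalize(name, origin):
    """Lower-case, make relative owners absolute, drop the trailing dot."""
    name = name.lower()
    if name == "@":
        name = origin
    elif not name.endswith("."):
        name = f"{name}.{origin}"
    return name.rstrip(".")


def build_ns_index(zone_text, default_origin="."):
    """Return {nameserver: sorted list of domains delegated to it}."""
    index = defaultdict(set)
    origin = default_origin
    last_owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip trailing comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$"):                  # $TTL and other directives
            continue
        tokens = line.split()
        if raw[0] in " \t":                       # blank owner: reuse previous
            owner = last_owner
        else:
            owner = tokens.pop(0)
            last_owner = owner
        # Optional TTL and class may precede the record type.
        while tokens and (tokens[0].isdigit()
                          or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)
        # Only NS records are delegations; glue A/AAAA records are skipped.
        if owner is None or len(tokens) < 2 or tokens[0].upper() != "NS":
            continue
        nameserver = _normalize(tokens[1], origin)
        index[nameserver].add(_normalize(owner, origin))
    return {ns: sorted(domains) for ns, domains in index.items()}


def domains_delegated_to(index, nameserver):
    """Query the reverse index; tolerates any case and a trailing dot."""
    return index.get(nameserver.lower().rstrip("."), [])


INDEX = build_ns_index(SAMPLE_ZONE)

if __name__ == "__main__":
    for ns, domains in sorted(INDEX.items()):
        print(f"{ns}: {', '.join(domains)}")
```

The normalization step matters more than it looks: the same operator appears as `ns1.hoster.net.` and `NS1.HOSTER.NET.` in the sample, and without folding case and the trailing dot the index would list it twice and a search would miss half the delegations.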