For finding subdomains in "holes" in the wordlist, the NSEC extension to DNSSEC might be useful to look at. This can also be used to skip over words which should not be necessary to resolve, as they should be "cryptographically provably non-existent".
For finding subdomains in "holes" in the wordlist, the NSEC extension to DNSSEC might be useful to look at. This can also be used to skip over words which should not be necessary to resolve, as they should be "cryptographically provably non-existent".
See more information on Wikipedia, the nsec3 walker for alternate technologies, and of course other sources.