DNS recon tool should be able to do it. If you look around for DNS online tool couple dozens of Google subdmains will be revealed. With Certificate Transparency this kind of information is not as secret as it used to be. Last year there was a vulnerability I forgot which it was quite big has something to do with a legacy software and it led me to look at what domains are using my company's cert. Qualy's made a tool out of this.
