DNS is great. Who wants to remember numbers when you can remember something easier?
http://it.thelibrarie.com or http://208.113.245.198? Well, technically that’s a bad example, as this site is running as an Apache virtual host (the Host header in the HTTP request tells the server which site you’re actually looking for). But you get the idea.
So, how many sites are actually on this same IP address? As of this writing: 71. Now that includes www.*.tld and *.tld, so it’s slightly inflated.
How do we know? I use a tool called YouGetSignal (http://www.yougetsignal.com/tools/web-sites-on-web-server/) to look it up. Pretty nice interface.
How about if you just want to see the subdomains of a system? I found a decent way (although it doesn’t find all of them) to check:
Download DNSMap (http://code.google.com/p/dnsmap/downloads/list)
wget http://dnsmap.googlecode.com/files/dnsmap-0.30.tar.gz
tar zxvf dnsmap-0.30.tar.gz
cd dnsmap-0.30
make
cp ./dnsmap /usr/local/bin/dnsmap
dnsmap domain.tld -r /var/log/dnsmap_domain.tld_log.txt
localadmin@external:~/dnsmap-0.30$ dnsmap thelibrarie.com
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for thelibrarie.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests

ftp.thelibrarie.com
IP address #1: 208.113.246.229

it.thelibrarie.com
IP address #1: 208.113.245.198

kj.thelibrarie.com
IP address #1: 208.113.246.229

mail.thelibrarie.com
IP address #1: 208.97.132.24

media.thelibrarie.com
IP address #1: 208.113.228.62

news.thelibrarie.com
IP address #1: 208.113.232.193

webmail.thelibrarie.com
IP address #1: 208.97.187.139

www.thelibrarie.com
IP address #1: 208.113.246.229

[+] 11 (sub)domains and 11 IP address(es) found
[+] completion time: 164 second(s)
I cut out a couple even though you can easily see which ones. Just to make it slightly more difficult for bots…
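Added example (not from the original post or the dnsmap project): a small Python parser for dnsmap output in the layout shown above, which groups the discovered names by IP so you can see which subdomains of your own domain share a host. The function names and the sample text are constructed for illustration, and the "IPv6 address" line form is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the layout shown in the run above (three of its entries).
SAMPLE = """\
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for thelibrarie.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests

ftp.thelibrarie.com
IP address #1: 208.113.246.229

it.thelibrarie.com
IP address #1: 208.113.245.198

www.thelibrarie.com
IP address #1: 208.113.246.229

[+] 3 (sub)domains and 3 IP address(es) found
"""

HOST_LINE = re.compile(r"^[a-z0-9_-]+(\.[a-z0-9_-]+)+$", re.I)
# "IP address #N: x" is the form on the page; the IPv6 variant is an assumption.
IP_LINE = re.compile(r"^IP(?:v6)? address #\d+:\s*(\S+)$")

def parse_dnsmap(text):
    """Return {hostname: [ip, ...]} from dnsmap output (hypothetical helper)."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = IP_LINE.match(line)
        if m and current is not None:
            hosts[current].append(m.group(1))
        elif HOST_LINE.match(line):
            current = line.lower()
            hosts.setdefault(current, [])
        else:
            current = None  # banner, blank or [+] status line ends the record
    return hosts

def shared_ips(hosts):
    """Invert to {ip: sorted names}, keeping only IPs that serve several names."""
    by_ip = defaultdict(set)
    for name, ips in hosts.items():
        for ip in ips:
            by_ip[ip].add(name)
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) > 1}

if __name__ == "__main__":
    print(shared_ips(parse_dnsmap(SAMPLE)))
```

Names that land on the same address are the ones that depend on the web server's virtual-host configuration to be told apart, so they are worth reviewing together.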