I also love PTR record numeration using broadcast mDNS/Bonjour. Instead of relying on a central server, you send out the same sort of DNS query but as a broadcast packet:

    dig -x 192.168.1.1 @224.0.0.251 -p 5353

This gets you the .local address of a device. Of course, fewer things support mDNS. But it will often come up with interesting details. On Apple devices, you can also retrieve the model number via mDNS.