A penetration tester is performing passive reconnaissance on a target organization and wants to gather information about various subdomains without directly interacting with the organization's name server. Which of the following methods would be the BEST to accomplish this task?
Deploy an outdated version of a DNS analysis tool in hopes it may bypass notice
Perform speculative execution of domain names to reveal subdomains
Use a third-party service to obtain DNS records
Analyze web traffic between the organization and public web services to find DNS-related data