During a passive reconnaissance phase, you are tasked with identifying subdomains related to the target company's main domain to map out its external attack surface. Which method would most effectively yield a comprehensive list of subdomains without actively interacting with the target's systems?
Scan the target's IP address range for DNS services using a network scanner
Initiate a DNS zone transfer to get a list of all DNS records
Use advanced search operators on search engines to find indexed subdomains
Perform a whois lookup to directly reveal all associated subdomains