A penetration tester is performing reconnaissance to map a target's subdomains. Which of the following techniques relies on gathering information from publicly available, aggregated data sources without directly querying the target's name servers?
Sending a wildcard query to identify all possible subdomains
Performing a DNS brute-force attack using a common subdomain wordlist
Consulting a passive DNS aggregator that collects and stores historical DNS records
Attempting a zone transfer (AXFR) from the domain's authoritative name server
Consulting a passive DNS aggregator is the correct method because these tools collect and store historical DNS data from public sources, allowing subdomain discovery without direct interaction with the target. An AXFR zone transfer is an active attempt to get all DNS records directly from a name server and is often blocked. DNS brute-forcing is also an active technique that involves sending a large number of queries to the target's name servers. A wildcard query does not enumerate specific, known hosts; instead, any non-existent subdomain resolves to a default address, which can hinder enumeration.