A penetration tester is performing reconnaissance to map a target's subdomains. Which of the following techniques relies on gathering information from publicly available, aggregated data sources without directly querying the target's name servers?
Consulting a passive DNS aggregator that collects and stores historical DNS records
Sending a wildcard query to identify all possible subdomains
Performing a DNS brute-force attack using a common subdomain wordlist
Attempting a zone transfer (AXFR) from the domain's authoritative name server
Consulting a passive DNS aggregator is the correct method: these tools collect and store historical DNS data from public sources, allowing subdomain discovery without direct interaction with the target. An AXFR zone transfer is an active attempt to get all DNS records directly from a name server and is often blocked. DNS brute-forcing is also an active technique that involves sending a large number of queries to the target's name servers. A wildcard query does not enumerate specific, known hosts; where a wildcard record exists, any non-existent subdomain resolves to a default address, which can hinder enumeration.