During an external engagement, a penetration tester maps the client's public DNS information. Several hosts are found listening on TCP ports 25 and 587, but the tester still needs to learn which fully qualified domain name the organization advertises as its official inbound email gateway. Which DNS query will most reliably identify that host?
Request a full AXFR zone transfer from the authoritative server
Query the domain's MX record
Send ICMP echo requests to the entire /24 subnet
Perform a port scan to list hosts listening on SMTP ports
Querying the MX (mail-exchanger) record returns the hostname(s) a domain designates to accept inbound SMTP. A port scan may reveal systems running an SMTP service, but it does not confirm which one the organization intends to receive mail. ICMP sweeps only show which IPs respond, and attempting an AXFR zone transfer usually fails and, even if successful, still requires parsing many records to locate the mail handler.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What type of record specifies the inbound mail handler in DNS?
Open an interactive chat with Bash
How do you query DNS to find the MX record of a domain?
Open an interactive chat with Bash
Why is it important for a tester to identify the designated mail handler instead of scanning for email services?