MITRE ATT&CK Technique
Description
Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records) Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-10-02T15:47:10.102Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': "Adversaries may gather information about the victim's DNS "
'that can be used during targeting. DNS information may '
'include a variety of details, including registered name '
'servers as well as records that outline addressing for a '
'target’s subdomains, mail servers, and other hosts. DNS MX, '
'TXT, and SPF records may also reveal the use of third party '
'cloud and SaaS providers, such as Office 365, G Suite, '
'Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS '
'Records)\n'
'\n'
'Adversaries may gather this information in various ways, such '
'as querying or otherwise collecting details via [DNS/Passive '
'DNS](https://attack.mitre.org/techniques/T1596/001). DNS '
'information may also be exposed to adversaries via online or '
'other accessible data sets (ex: [Search Open Technical '
'Databases](https://attack.mitre.org/techniques/T1596)).(Citation: '
'DNS Dumpster)(Citation: Circl Passive DNS) Gathering this '
'information may reveal opportunities for other forms of '
'reconnaissance (ex: [Search Open Technical '
'Databases](https://attack.mitre.org/techniques/T1596), '
'[Search Open '
'Websites/Domains](https://attack.mitre.org/techniques/T1593), '
'or [Active '
'Scanning](https://attack.mitre.org/techniques/T1595)), '
'establishing operational resources (ex: [Acquire '
'Infrastructure](https://attack.mitre.org/techniques/T1583) or '
'[Compromise '
'Infrastructure](https://attack.mitre.org/techniques/T1584)), '
'and/or initial access (ex: [External Remote '
'Services](https://attack.mitre.org/techniques/T1133)).\n'
'\n'
'Adversaries may also use DNS zone transfer (DNS query type '
'AXFR) to collect all records from a misconfigured DNS '
'server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: '
'Alexa-dns)',
'external_references': [{'external_id': 'T1590.002',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1590/002'},
{'description': 'CIRCL Computer Incident Response '
'Center. (n.d.). Passive DNS. '
'Retrieved October 20, 2020.',
'source_name': 'Circl Passive DNS',
'url': 'https://www.circl.lu/services/passive-dns/'},
{'description': 'CISA. (2016, September 29). DNS Zone '
'Transfer AXFR Requests May Leak '
'Domain Information. Retrieved June '
'5, 2024.',
'source_name': 'DNS-CISA',
'url': 'https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information'},
{'description': 'Hacker Target. (n.d.). DNS Dumpster. '
'Retrieved October 20, 2020.',
'source_name': 'DNS Dumpster',
'url': 'https://dnsdumpster.com/'},
{'description': "Scanning Alexa's Top 1M for AXFR. "
'(2015, March 29). Retrieved June 5, '
'2024.',
'source_name': 'Alexa-dns',
'url': 'https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/'},
{'description': 'Sean Metcalf. (2019, May 9). Sean '
'Metcalf Twitter. Retrieved September '
'12, 2024.',
'source_name': 'Sean Metcalf Twitter DNS Records',
'url': 'https://x.com/PyroTek3/status/1126487227712921600'},
{'description': 'SecurityTrails. (2018, March 14). '
'Wrong Bind Configuration Exposes the '
"Complete List of Russian TLD's to "
'the Internet. Retrieved June 5, '
'2024.',
'source_name': 'Trails-DNS',
'url': 'https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds'}],
'id': 'attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'reconnaissance'}],
'modified': '2025-10-24T17:48:24.404Z',
'name': 'DNS',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Jannie Li, Microsoft Threat Intelligence\u202f'
'Center\u202f(MSTIC)'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.2'}