DNS reconnaissance and route mapping

Once a tester has identified targets that have an online presence and are of interest, the next step is to identify the IP addresses and routes to the target.

DNS reconnaissance involves identifying who owns a particular domain or series of IP addresses (whois-type information), the DNS information defining the actual domain names and IP addresses assigned to the target, and the route between the penetration tester, or the attacker, and the final target.

This information gathering is semi-active – some of the information is available from freely available open sources, while other information is available from third parties such as DNS registrars. Although the registrar may collect IP addresses and data concerning requests made by the attacker, it is rarely provided to the end target. Information that could be directly monitored by the target, such as DNS server logs, is almost never reviewed or retained.

Because the information needed can be queried using a defined, systematic, and methodical approach, its collection can be automated.

Note that DNS information may contain stale or incorrect entries. To minimize inaccurate information, query different source servers and use different tools to cross-validate results. Review results, and manually verify any suspect findings.

Use a script to automate the collection of this information. This script should create a folder for the penetration test, and then a series of folders for each application being run. After the script executes each command, redirect the results directly to the specific holding folder.
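The following script is an added example, not code from the book: it builds the per-test folder layout described above, saves each tool's output in its own folder, and compares the answers returned by several source servers so that disagreements are flagged for manual verification. The tool list, the folder names, the public resolver addresses and the function names are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: per-test folder layout plus cross-validation of DNS answers.
# Tool list, folder names and resolver addresses are assumptions.

TOOLS="whois dig traceroute"
RESOLVERS="1.1.1.1 8.8.8.8 9.9.9.9"   # different source servers to compare

# Create <root>/<test-name>/<tool>/ for every tool; print the test folder path.
make_layout() {
    local base="$1/$2" tool
    for tool in $TOOLS; do
        mkdir -p "$base/$tool" || return 1
    done
    printf '%s\n' "$base"
}

# Compare saved answer files (one per source server), ignoring record order.
# Prints "consistent" or "MISMATCH"; a mismatch (or an empty answer from one
# server) marks a possibly stale entry that needs manual verification.
cross_validate() {
    local ref="" seen=0 f cur
    for f in "$@"; do
        cur=$(sort -u "$f")
        if [ "$seen" -eq 0 ]; then ref="$cur"; seen=1
        elif [ "$cur" != "$ref" ]; then echo "MISMATCH"; return 1
        fi
    done
    echo "consistent"
}

# Run each tool for one in-scope domain and redirect its output to its folder.
collect() {
    local domain="$1" base r
    base=$(make_layout "${2:-.}" "$domain") || return 1
    whois "$domain" > "$base/whois/$domain.txt" 2>&1
    for r in $RESOLVERS; do
        dig +short A "$domain" "@$r" > "$base/dig/A_$r.txt" 2>/dev/null
    done
    traceroute "$domain" > "$base/traceroute/$domain.txt" 2>&1
    cross_validate "$base"/dig/A_*.txt > "$base/dig/A_summary.txt"
    cat "$base/dig/A_summary.txt"
}

# Usage: ./dns_collect.sh <domain> [root-folder]
if [ "$#" -ge 1 ]; then collect "$@"; fi
```

Differences between resolvers are not always errors: load-balanced or geographically distributed services legitimately return different A records, which is why a mismatch is a prompt for manual review rather than a finding.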