DNS is the most information-rich protocol on the internet for passive reconnaissance. Every DNS record is a piece of a puzzle: where the web servers are, who handles the email, what cloud providers are in use, which security measures are deployed, and how the entire infrastructure is connected. All of this information is publicly available by design -- DNS must be public to function.
For security professionals, DNS reconnaissance is the first phase of any investigation. For organizations, understanding what their DNS records reveal is essential to managing their exposure. The information is always there; the question is whether you or your adversary examines it first.
DNS Record Types and What They Reveal
| Record | Purpose | Reveals |
|---|---|---|
A | Maps domain to IPv4 address | Web server location, hosting provider, CDN use |
AAAA | Maps domain to IPv6 address | IPv6 adoption, dual-stack configuration |
MX | Mail exchange servers | Email provider (Google, Microsoft, Proton, self-hosted) |
TXT | Arbitrary text data | SPF, DKIM, DMARC, domain verification, site ownership |
NS | Authoritative name servers | DNS hosting provider, delegation structure |
SOA | Start of authority | Primary DNS server, admin email, zone serial number |
CNAME | Canonical name alias | Third-party services, CDNs, SaaS integrations |
SRV | Service location | Specific services (LDAP, SIP, XMPP), internal protocols |
A and AAAA Records
The A record is the most fundamental -- it maps a domain name to an IP address. From that IP address, you can determine the hosting provider (AWS, GCP, Azure, DigitalOcean, on-premises), the geographic location of the server, the autonomous system number (ASN), and what other domains share the same IP.
# Query A records
dig +short example.com A
93.184.216.34
# Reverse DNS lookup
dig -x 93.184.216.34 +short
server-93-184-216-34.provider.com.
# ASN lookup
whois -h whois.cymru.com " -v 93.184.216.34"Multiple A records indicate load balancing. A CNAME to a CDN provider (like example.com.cdn.cloudflare.net) reveals that the actual origin server is hidden behind a CDN -- which is both a security measure and a clue about architecture.
MX Records
MX records reveal the email infrastructure. The mail server names immediately identify the email provider:
aspmx.l.google.com-- Google Workspace*.mail.protection.outlook.com-- Microsoft 365*.pphosted.com-- Proofpoint email security gateway*.mimecast.com-- Mimecast email securitymail.example.com-- self-hosted email (potential target)
Self-hosted email servers are particularly interesting in reconnaissance because they are directly managed by the target organization and may be running outdated or misconfigured software. The MX priority values (10, 20, 30) reveal backup mail servers -- organizations often forget to secure their backup MX with the same rigor as the primary.
TXT Records
TXT records are the most information-dense DNS record type. Organizations store SPF policies, DKIM keys, DMARC policies, domain verification tokens for third-party services, and sometimes even internal notes in TXT records.
# Query all TXT records
dig +short example.com TXT
# Common findings:
"v=spf1 include:_spf.google.com ~all" # Uses Google for email
"google-site-verification=abc123..." # Verified with Google
"MS=ms12345678" # Verified with Microsoft
"atlassian-domain-verification=xyz..." # Uses Atlassian (Jira/Confluence)
"stripe-verification=..." # Uses Stripe for payments
"facebook-domain-verification=..." # Verified with MetaEach domain verification token tells you exactly which SaaS services the organization uses. This is valuable intelligence for social engineering, supply chain analysis, and understanding the technology landscape.
Email Authentication: SPF, DKIM, DMARC
SPF (Sender Policy Framework)
SPF (RFC 7208) is a TXT record that specifies which mail servers are authorized to send email on behalf of a domain. When SPF is missing or misconfigured, anyone can send email that appears to come from that domain -- perfect for phishing.
The SPF record also reveals all the services authorized to send email: marketing platforms (Mailchimp, SendGrid), CRM systems (Salesforce, HubSpot), ticketing systems (Zendesk, Freshdesk), and internal mail servers.
DKIM (DomainKeys Identified Mail)
DKIM (RFC 6376) adds a cryptographic signature to outgoing emails, allowing recipients to verify the message was not altered in transit. DKIM keys are stored as TXT records at selector._domainkey.example.com.
The selector names often reveal the email service: google._domainkey for Google Workspace, selector1._domainkey for Microsoft 365, and custom selectors for other providers. Missing DKIM means outgoing emails from the domain cannot be verified as authentic.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC (RFC 7489) ties SPF and DKIM together and tells receiving mail servers what to do when authentication fails: nothing (p=none), quarantine (p=quarantine), or reject (p=reject).
# Check DMARC policy
dig +short _dmarc.example.com TXT
# Best practice (reject unauthenticated email):
"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
# Weak policy (monitor only, no enforcement):
"v=DMARC1; p=none; rua=mailto:dmarc@example.com"
# Missing DMARC: domain is fully spoofableA domain with p=none or no DMARC record at all is telling the world: "anyone can impersonate us via email, and we will not notice." This is a critical finding in any domain intelligence assessment.
DNSSEC
DNSSEC (Domain Name System Security Extensions) adds cryptographic authentication to DNS responses, preventing DNS spoofing and cache poisoning attacks. When DNSSEC is enabled, DNS responses include digital signatures that clients can verify against the domain's public keys.
# Check DNSSEC status
dig +dnssec example.com A
# Look for RRSIG records in the response
# If present → DNSSEC is enabled
# If absent → DNS responses can be forgedMost domains do not implement DNSSEC. The adoption rate remains below 30% globally. While DNSSEC does not prevent passive DNS reconnaissance, its absence means the domain's DNS responses are not authenticated -- an attacker could potentially poison DNS caches to redirect traffic.
Real-World DNS Misconfigurations
DNS misconfiguration is one of the most common security gaps found during reconnaissance:
- Dangling CNAME records: A CNAME pointing to a decommissioned cloud service (e.g.,
app.example.com CNAME example.azurewebsites.netwhen the Azure app no longer exists) enables subdomain takeover. An attacker claims the Azure resource and now controls content served under the victim's domain. - Overly permissive SPF: An SPF record with
+allinstead of-allor~allauthorizes the entire internet to send email as the domain. - Missing DMARC with strict SPF: Even with perfect SPF, the lack of DMARC means mail servers are free to deliver spoofed email without consequence.
- Zone transfer enabled: Some DNS servers still allow zone transfers (AXFR) to any requester, dumping the entire DNS zone -- every record, every subdomain, every internal service -- in a single query.
- Internal hostnames in PTR records: Reverse DNS records sometimes contain internal naming conventions (
web-prod-01.internal.example.com) that reveal infrastructure details.
How Attackers Use DNS Reconnaissance
DNS reconnaissance is classified under MITRE ATT&CK T1596.001 -- Search Open Technical Databases: DNS/Passive DNS. It is a standard first step in targeted attacks because:
- It is completely passive. Standard DNS queries are indistinguishable from normal internet traffic. There are no logs to trigger alerts, no anomalous behavior to detect.
- It maps the entire infrastructure. From a single domain, DNS enumeration reveals web servers, mail servers, VPNs, APIs, development environments, and third-party integrations.
- It identifies weak points. Misconfigured email authentication, dangling CNAMEs, self-hosted services, and outdated DNS records all represent potential entry points.
- It enables targeted attacks. Knowing that the target uses Google Workspace, Salesforce, and a self-hosted Jenkins server allows an attacker to craft highly specific phishing emails and prioritize their efforts on the weakest link.
If you have not audited your DNS records recently, an attacker may know more about your infrastructure than you do. Regular DNS audits, combined with subdomain enumeration and security header checks, form the foundation of external attack surface visibility.
RFC 7208 -- Sender Policy Framework (SPF). RFC 6376 -- DomainKeys Identified Mail (DKIM). RFC 7489 -- DMARC. MITRE ATT&CK T1596.001 -- Search Open Technical Databases: DNS/Passive DNS.