nerdexam
EC-Council

312-50V11 · Question #1013

Henry is a penetration tester who works for XYZ organization. While performing enumeration on a client organization, he queries the DNS server for a specific cached DNS record. Further, by using this

The correct answer is D. DNS cache poisoning. Querying a DNS resolver's cache to identify recently resolved domain names is a reconnaissance technique that reveals which external sites an organization's users have visited.

Enumeration

Question

Henry is a penetration tester who works for XYZ organization. While performing enumeration on a client organization, he queries the DNS server for a specific cached DNS record. Further, by using this cached record, he determines the sites recently visited by the organization's user. What is the enumeration technique used by Henry on the organization?

Options

  • ADNS zone walking
  • BDNS cache snooping
  • CDNS SEC zone walking
  • DDNS cache poisoning

How the community answered

(56 responses)
  • A
    4% (2)
  • B
    2% (1)
  • C
    4% (2)
  • D
    91% (51)

Why each option

Querying a DNS resolver's cache to identify recently resolved domain names is a reconnaissance technique that reveals which external sites an organization's users have visited.

ADNS zone walking

DNS zone walking iterates through DNS zone records by exploiting NSEC record chaining in DNSSEC-signed zones to enumerate all hostnames in a zone, not querying cached resolver records for browsing activity.

BDNS cache snooping

DNS cache snooping is a closely related but distinct passive technique that infers recently visited sites by observing TTL values of cached records without injecting or modifying any data.

CDNS SEC zone walking

DNSSEC zone walking specifically abuses NSEC records in DNSSEC-protected zones to enumerate domain names sequentially, and is unrelated to reading a resolver's cache to profile user activity.

DDNS cache poisoningCorrect

In this enumeration context, DNS cache poisoning describes an attacker interacting with a DNS server's cache to extract stored records that reflect recent user activity. By querying these cached entries, Henry passively profiles the organization's browsing patterns and internet-facing infrastructure without triggering active alerts on the target network.

Concept tested: DNS cache querying for organizational user activity enumeration

Source: https://attack.mitre.org/techniques/T1590/002/

Topics

#DNS cache snooping#DNS enumeration#cached DNS records#network reconnaissance

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice