Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Reconnaissance
  4. >ATTACK-T1590.002
ATTACK-T1590.002Active

DNS

Statement

Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)

Adversaries may gather this information in various ways, such as querying or otherwise collecting details via DNS/Passive DNS. DNS information may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Technical Databases, Search Open Websites/Domains, or Active Scanning), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services).

Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns)

Location

Tactic
Reconnaissance

Technique Details

Identifier
ATTACK-T1590.002
Parent Technique
ATTACK-T1590
ATT&CK Page
View on MITRE

Tactics

Reconnaissance

Platforms

PRE

Detection

Detection of DNS

Mitigations

Software Configuration: Software configuration refers to making security-focused adjustments to the settings of applications, middleware, databases, or other software to mitigate potential threats. These changes help reduce the attack surface, enforce best practices, and protect sensitive data. This mitigation can be implemented through the following measures:

Conduct a Security Review of Application Settings:

  • Review the software documentation to identify recommended security configurations.
  • Compare default settings against organizational policies and compliance requirements.

Implement Access Controls and Permissions:

  • Restrict access to sensitive features or data within the software.
  • Enforce least privilege principles for all roles and accounts interacting with the software.

Enable Logging and Monitoring:

  • Configure detailed logging for key application events such as authentication failures, configuration changes, or unusual activity.
  • Integrate logs with a centralized monitoring solution, such as a SIEM.

Update and Patch Software Regularly:

  • Ensure the software is kept up-to-date with the latest security patches to address known vulnerabilities.
  • Use automated patch management tools to streamline the update process.

Disable Unnecessary Features or Services:

  • Turn off unused functionality or components that could introduce vulnerabilities, such as debugging interfaces or deprecated APIs.

Test Configuration Changes:

  • Perform configuration changes in a staging environment before applying them in production.
  • Conduct regular audits to ensure that settings remain aligned with security policies.

Tools for Implementation

Configuration Management Tools:

  • Ansible: Automates configuration changes across multiple applications and environments.
  • Chef: Ensures consistent application settings through code-based configuration management.
  • Puppet: Automates software configurations and audits changes for compliance.

Security Benchmarking Tools:

  • CIS-CAT: Provides benchmarks and audits for secure software configurations.
  • Aqua Security Trivy: Scans containerized applications for configuration issues.

Vulnerability Management Solutions:

  • Nessus: Identifies misconfigurations and suggests corrective actions.

Logging and Monitoring Tools:

  • Splunk: Aggregates and analyzes application logs to detect suspicious activity.

No cross-framework mappings available

← Back to Reconnaissance
Reconnaissance45 controls
ATTACK-T1589Gather Victim Identity InformationATTACK-T1589.001CredentialsATTACK-T1589.002Email AddressesATTACK-T1589.003Employee NamesATTACK-T1590Gather Victim Network InformationATTACK-T1590.001Domain PropertiesATTACK-T1590.002DNSATTACK-T1590.003Network Trust DependenciesATTACK-T1590.004Network TopologyATTACK-T1590.005IP AddressesATTACK-T1590.006Network Security AppliancesATTACK-T1591Gather Victim Org InformationATTACK-T1591.001Determine Physical LocationsATTACK-T1591.002Business RelationshipsATTACK-T1591.003Identify Business TempoATTACK-T1591.004Identify RolesATTACK-T1592Gather Victim Host InformationATTACK-T1592.001HardwareATTACK-T1592.002SoftwareATTACK-T1592.003FirmwareATTACK-T1592.004Client ConfigurationsATTACK-T1593Search Open Websites/DomainsATTACK-T1593.001Social MediaATTACK-T1593.002Search EnginesATTACK-T1593.003Code RepositoriesATTACK-T1594Search Victim-Owned WebsitesATTACK-T1595Active ScanningATTACK-T1595.001Scanning IP BlocksATTACK-T1595.002Vulnerability ScanningATTACK-T1595.003Wordlist ScanningATTACK-T1596Search Open Technical DatabasesATTACK-T1596.001DNS/Passive DNSATTACK-T1596.002WHOISATTACK-T1596.003Digital CertificatesATTACK-T1596.004CDNsATTACK-T1596.005Scan DatabasesATTACK-T1597Search Closed SourcesATTACK-T1597.001Threat Intel VendorsATTACK-T1597.002Purchase Technical DataATTACK-T1598Phishing for InformationATTACK-T1598.001Spearphishing ServiceATTACK-T1598.002Spearphishing AttachmentATTACK-T1598.003Spearphishing LinkATTACK-T1598.004Spearphishing VoiceATTACK-T1681Search Threat Vendor Data