Networking Fundamentals · beginner · ~12 min
Trace a DNS resolution and name the record types that matter in recon.
DNS resolves names to IPs via a hierarchy: root → TLD → authoritative, with caching by TTL. Key records: A/AAAA, CNAME, MX, NS, TXT, PTR.
Subdomain enumeration and DNS record gathering are core passive recon — they map a target's attack surface (mail, name servers, hosts, tech hints) often without touching the target directly. The record types tell you what services exist.
- Hierarchy: root → TLD → authoritative server.
- TTL: how long an answer may be cached.
- Record types: A/AAAA (address), CNAME (alias), MX (mail), NS (name servers), TXT (verification/SPF), PTR (reverse).
- Tools: dig, nslookup, host.
DNS (Domain Name System) translates names like example.com into IP addresses. It's a distributed, hierarchical database.
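1. The resolver asks a root server: "Who handles .com?"
2. The .com TLD server answers: "example.com's authoritative server."
3. The authoritative server returns the A record (the IP).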
Answers are cached along the way with a TTL.

| Type | Holds |
|---|---|
| A / AAAA | IPv4 / IPv6 address |
| CNAME | Alias to another name |
| MX | Mail server |
| NS | Authoritative name servers |
| TXT | Free text (SPF, domain verification) |
| PTR | Reverse: IP → name |
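
The resolution walk and TTL caching described above, as an added example that is not part of the original lesson: a toy iterative resolver over constructed data, where the server names (`root`, `tld-com`, `auth-example`), the records and the simulated clock are all assumptions. Unlike a real resolver, it caches answers only, not the NS delegations.

```python
# Constructed sample data. Each "server" holds delegations (zone -> next server)
# and records ((name, type) -> (ttl_seconds, value)). Names and IPs are illustrative.
SERVERS = {
    "root": {"delegations": {"com.": "tld-com"}, "records": {}},
    "tld-com": {"delegations": {"example.com.": "auth-example"}, "records": {}},
    "auth-example": {"delegations": {}, "records": {
        ("www.example.com.", "CNAME"): (300, "web.example.com."),
        ("web.example.com.", "A"): (60, "192.0.2.10"),
        ("example.com.", "MX"): (3600, "10 mail.example.com."),
    }},
}


class Resolver:
    """Toy iterative resolver: TTL cache for answers, simulated clock."""

    def __init__(self):
        self.cache = {}  # (name, type) -> (expires_at, value)
        self.now = 0     # simulated seconds; the caller advances it

    def _fetch(self, name, rtype):
        """Return (found_type, value, trace) from the cache or the hierarchy."""
        for t in (rtype, "CNAME"):
            hit = self.cache.get((name, t))
            if hit and hit[0] > self.now:  # still within its TTL
                return t, hit[1], ["cache"]
        server, trace = "root", []
        while True:
            trace.append(server)
            zone = SERVERS[server]
            for t in (rtype, "CNAME"):
                if (name, t) in zone["records"]:
                    ttl, value = zone["records"][(name, t)]
                    self.cache[(name, t)] = (self.now + ttl, value)
                    return t, value, trace
            # No answer here: follow the most specific delegation (label boundary).
            matches = [z for z in zone["delegations"]
                       if name == z or name.endswith("." + z)]
            if not matches:
                return None, None, trace  # no such name in this toy model
            server = zone["delegations"][max(matches, key=len)]

    def resolve(self, name, rtype):
        """Return (value, trace); trace lists each server or cache asked, in order."""
        found, value, trace = self._fetch(name, rtype)
        if found == "CNAME" and rtype != "CNAME":
            # Alias: resolve the canonical name, which has its own TTL.
            value, more = self.resolve(value, rtype)
            trace = trace + more
        return value, trace
```

Advancing `now` past 60 shows the alias still served from cache while the short-TTL A record is fetched again from the hierarchy.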
DNS is a goldmine for passive reconnaissance: enumerating subdomains, finding mail and name servers, reading TXT records for tech hints. Tools: dig, nslookup, host. Certificate Transparency logs and dig any reveal a target's attack surface — all without sending a single packet to the target's own servers.
DNS is the distributed name→IP database resolved through a root/TLD/authoritative chain. Its records expose a target's structure, making DNS one of the richest passive-recon sources.