MITRE ATT&CK® Detection Strategy

DET0843: Detection of DNS


Enterprise | DET0843 | Detection Strategy | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0843 is a detection strategy entry for DNS-related reconnaissance, tied to ATT&CK technique T1590.002. The business value is understanding whether the organization can see when its public DNS footprint is being investigated and whether exposed DNS records reveal sensitive operational dependencies such as subdomains, mail routing, name servers, and third-party cloud or SaaS providers.

Executive priority

Prioritize this as external attack-surface and readiness evidence rather than as a guaranteed alerting use case. Leaders should ask whether DNS records are intentionally exposed, reviewed for business necessity, and monitored where feasible. This supports cloud/SaaS risk management, incident scoping, audit evidence for external exposure governance, and pre-incident decisions about what information an adversary can gather before targeting the organization.

Technical view

The supplied ATT&CK object carries no official detection text, platforms, or tactics of its own; its only relationship is that it detects T1590.002 (DNS), a Reconnaissance sub-technique with platform PRE. SOC, threat intelligence, and attack-surface teams should validate visibility around public DNS records and DNS-provider activity, especially records that identify name servers, subdomains, mail services, TXT/SPF data, and third-party SaaS or cloud dependencies. Treat this as an external reconnaissance coverage question: what can be observed directly, what must be inferred from provider logs or passive DNS sources, and what is simply public information that cannot be prevented from being queried.

Likely telemetry

  • Authoritative DNS provider query or analytics logs, where available
  • DNS hosting and registrar change logs for zone, record, and name-server modifications
  • External attack-surface inventory of public DNS records including NS, MX, TXT, SPF, subdomain, and host records
  • Passive DNS or threat intelligence observations, if used by the organization
  • Cloud and SaaS dependency inventory derived from DNS records
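How the last two telemetry items can be produced from zone data, as an added Python example that is not part of the ATT&CK object or Glexia's page: it walks a constructed sample zone, follows MX exchanges, CNAME and NS targets, and SPF include: mechanisms to the third party they name, and flags hostnames whose labels hint at internal structure. The sample records, the suffix-to-provider table, and the sensitive-label list are assumptions to be replaced with the organization's own zone export and dependency data.

```python
"""Derive a third-party dependency inventory from public DNS records.

Added example. The zone below is constructed (not a real organization) and
the provider mapping is an illustrative suffix table, not an authoritative
source of truth.
"""
import re
from collections import defaultdict

# Constructed sample zone: (owner name, record type, rdata).
ZONE = [
    ("example.com.", "NS", "ns1.dnsprovider.example."),
    ("example.com.", "MX", "10 aspmx.l.google.com."),
    ("example.com.", "TXT", '"v=spf1 include:_spf.google.com include:sendgrid.net -all"'),
    ("www.example.com.", "CNAME", "d111111abcdef8.cloudfront.net."),
    ("docs.example.com.", "CNAME", "acme.github.io."),
    ("staging-vpn.example.com.", "A", "203.0.113.10"),
    ("jenkins.example.com.", "A", "203.0.113.11"),
]

# Illustrative suffix -> provider map (assumption; extend from CMDB / TI feeds).
PROVIDER_SUFFIXES = {
    "google.com": "Google Workspace",
    "outlook.com": "Microsoft 365",
    "sendgrid.net": "SendGrid",
    "cloudfront.net": "AWS CloudFront",
    "github.io": "GitHub Pages",
    "azurewebsites.net": "Azure App Service",
}

# Labels that tend to disclose internal structure; heuristic, tune locally.
SENSITIVE_LABELS = ("vpn", "staging", "dev", "internal", "jenkins", "gitlab", "test")


def normalize(host):
    """Lower-case a DNS name and drop the trailing root dot."""
    return host.lower().rstrip(".")


def provider_for(host):
    """Return the provider whose suffix matches host, or None if unclassified."""
    h = normalize(host)
    for suffix, name in PROVIDER_SUFFIXES.items():
        if h == suffix or h.endswith("." + suffix):
            return name
    return None


def spf_includes(txt):
    """Return include: targets from an SPF TXT record, or [] if not SPF."""
    body = txt.strip().strip('"')
    if not body.lower().startswith("v=spf1"):
        return []
    return [m.group(1) for m in re.finditer(r"include:([^\s]+)", body)]


def mx_target(value):
    """MX rdata is '<preference> <exchange>'; return the exchange host."""
    return value.split()[-1]


def build_inventory(zone):
    """Map each record to the third party it depends on, plus disclosure hints.

    Returns (dependencies, disclosures): dependencies is provider -> sorted
    owner names; disclosures lists owner names with sensitive-looking labels.
    """
    deps = defaultdict(set)
    disclosures = []
    for name, rtype, value in zone:
        targets = []
        if rtype == "MX":
            targets = [mx_target(value)]
        elif rtype in ("CNAME", "NS"):
            targets = [value]
        elif rtype == "TXT":
            targets = spf_includes(value)
        for t in targets:
            p = provider_for(t)
            deps[p or "unclassified:" + normalize(t)].add(normalize(name))
        first_label = normalize(name).split(".")[0]
        if any(tok in first_label for tok in SENSITIVE_LABELS):
            disclosures.append(normalize(name))
    return {k: sorted(v) for k, v in deps.items()}, disclosures


if __name__ == "__main__":
    inventory, hints = build_inventory(ZONE)
    for provider, owners in sorted(inventory.items()):
        print(f"{provider}: {', '.join(owners)}")
    print("structure-disclosing names:", ", ".join(hints))
```

Anything that lands under an "unclassified:" key is exactly the record a business owner should be asked about, because it names a dependency the organization has not yet accounted for; the disclosure list is a review prompt, not a finding, since a public "vpn" hostname may be entirely intentional.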

Detection direction

  • Validate whether DNS reconnaissance against organization-controlled domains can be observed at all; many lookups of public records may not be visible without authoritative DNS provider telemetry or external intelligence sources.
  • Tune for unusual patterns against authoritative DNS data when available, such as broad enumeration of subdomains or repeated querying of records that expose infrastructure and SaaS dependencies, while accounting for legitimate scanners, search engines, partners, and security testing.
  • Correlate DNS exposure findings with asset inventory and cloud/SaaS ownership so detections do not become unactionable noise.
  • Use the relationship to T1590.002 to frame alerts as reconnaissance context, not proof of compromise or active intrusion.
  • Document blind spots explicitly when DNS is hosted by third parties that do not provide sufficient query visibility.
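The two query patterns named in the second bullet, as an added Python example that is not from the ATT&CK object or Glexia's page, run over constructed authoritative-DNS query log lines: a per-source sliding window flags broad subdomain enumeration (many distinct names with a high NXDOMAIN share) and harvesting of infrastructure-revealing record types (NS, MX, TXT, SOA), while an allowlist drops a contracted scanner. The log format, IP addresses, thresholds, and allowlist are all assumptions; real provider logs will need their own parser and baselines.

```python
"""Flag DNS reconnaissance patterns in authoritative DNS query logs.

Added example. Log lines are constructed in a simplified
"<epoch> <client_ip> <qname> <qtype> <rcode>" format; thresholds and the
allowlist are assumptions to tune against real traffic.
"""
from collections import defaultdict

ZONE = "example.com"

# Constructed sample: one enumerator (198.51.100.7), one record harvester
# (203.0.113.9), an allowlisted scanner (192.0.2.50) and normal resolver traffic.
LOG_LINES = [
    "1700000000 198.51.100.7 www.example.com A NOERROR",
    "1700000001 198.51.100.7 mail.example.com A NOERROR",
    "1700000002 198.51.100.7 dev.example.com A NXDOMAIN",
    "1700000003 198.51.100.7 test.example.com A NXDOMAIN",
    "1700000004 198.51.100.7 vpn.example.com A NXDOMAIN",
    "1700000005 198.51.100.7 admin.example.com A NXDOMAIN",
    "1700000006 198.51.100.7 ftp.example.com A NXDOMAIN",
    "1700000007 198.51.100.7 staging.example.com A NXDOMAIN",
    "1700000010 203.0.113.9 example.com NS NOERROR",
    "1700000011 203.0.113.9 example.com MX NOERROR",
    "1700000012 203.0.113.9 example.com TXT NOERROR",
    "1700000013 203.0.113.9 example.com SOA NOERROR",
    "1700000014 203.0.113.9 _dmarc.example.com TXT NOERROR",
    "1700000020 192.0.2.50 example.com NS NOERROR",
    "1700000021 192.0.2.50 example.com MX NOERROR",
    "1700000022 192.0.2.50 example.com TXT NOERROR",
    "1700000030 8.8.8.8 www.example.com A NOERROR",
    "1700000031 8.8.8.8 www.example.com AAAA NOERROR",
]

ALLOWLIST = {"192.0.2.50"}          # assumption: contracted external scanner
INFRA_TYPES = {"NS", "MX", "TXT", "SOA"}


def parse_line(line):
    """Split one constructed log line into a normalized event dict."""
    ts, src, qname, qtype, rcode = line.split()
    return {"ts": int(ts), "src": src, "qname": qname.lower().rstrip("."),
            "qtype": qtype.upper(), "rcode": rcode.upper()}


def in_zone(qname):
    return qname == ZONE or qname.endswith("." + ZONE)


def detect(lines, window=60, enum_threshold=5, nx_ratio=0.5, infra_threshold=3):
    """Return one finding per (source, pattern) seen inside any sliding window.

    subdomain_enumeration: >= enum_threshold distinct names in the window with
    an NXDOMAIN share >= nx_ratio.
    infra_record_harvesting: >= infra_threshold distinct infrastructure record
    types (NS/MX/TXT/SOA) queried in the window.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev["src"] in ALLOWLIST or not in_zone(ev["qname"]):
            continue
        by_src[ev["src"]].append(ev)

    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        flagged = set()
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            names = {e["qname"] for e in win}
            nx = sum(1 for e in win if e["rcode"] == "NXDOMAIN")
            if (len(names) >= enum_threshold and nx / len(win) >= nx_ratio
                    and "subdomain_enumeration" not in flagged):
                flagged.add("subdomain_enumeration")
                findings.append({"src": src, "pattern": "subdomain_enumeration",
                                 "distinct_names": len(names), "nxdomain": nx})
            infra = {e["qtype"] for e in win if e["qtype"] in INFRA_TYPES}
            if len(infra) >= infra_threshold and "infra_record_harvesting" not in flagged:
                flagged.add("infra_record_harvesting")
                findings.append({"src": src, "pattern": "infra_record_harvesting",
                                 "qtypes": sorted(infra)})
    return findings


if __name__ == "__main__":
    for f in detect(LOG_LINES):
        print(f)
```

Both patterns only exist when the authoritative provider exports per-query logs; if the zone is hosted by a provider that offers only aggregate analytics, the first bullet applies and the gap should be recorded rather than papered over with a resolver-side rule that never sees external lookups.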

Mitigation priorities

  • Maintain an authoritative inventory of public DNS records and assign business owners for exposed domains, subdomains, mail records, and TXT/SPF entries.
  • Remove stale or unnecessary DNS records and review whether records disclose avoidable details about internal structure or third-party dependencies.
  • Ensure DNS hosting, registrar access, and change management are governed with strong administrative controls and auditable logging.
  • Where available, enable DNS-provider analytics or logging and integrate relevant evidence into SOC or threat-intelligence workflows.
  • Use periodic external exposure reviews as compliance and resilience evidence, especially where DNS records identify critical SaaS, cloud, or mail services.

Analyst notes and limits

This take is based on ATT&CK detection strategy DET0843 and its relationship to T1590.002 DNS. The underlying technique describes adversaries gathering victim DNS information such as name servers, subdomains, mail servers, other hosts, and MX/TXT/SPF records that may reveal cloud or SaaS providers. Because the detection strategy itself provides no official detection narrative, the recommendations are framed as validation and governance directions rather than prescribed analytics.

The supplied DET0843 object has no official description, detection text, platforms, or tactics. Any local detection feasibility depends on DNS hosting architecture, provider logging, passive DNS access, asset inventory quality, and the organization’s tolerance for alerting on public reconnaissance signals. This does not establish active exploitation, attribution, customer exposure, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Detection of DNS

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Type | Relationship / procedure
Enterprise | T1590.002 | DNS | Sub-technique | This object detects DNS.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty in mirrored snapshot)
Modified: (empty in mirrored snapshot)
Raw hash: 2521be79d7683881...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (empty) | 1.0 | (empty) | Current bundle | 2521be79d768…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0843

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.