T1590.002: DNS
Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.[1]
Adversaries may gather this information in various ways, such as querying or otherwise collecting details via DNS/Passive DNS. DNS information may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases).[2][3] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Technical Databases, Search Open Websites/Domains, or Active Scanning), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services).
Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.[4][5][6]
Analyst context for executives and security teams
DNS reconnaissance matters because an organization’s public DNS can reveal its external attack surface before any intrusion occurs. Name servers, subdomains, mail records, TXT/SPF records, and exposed zone data can help an adversary understand hosted services, cloud/SaaS dependencies, and potential paths to later reconnaissance or initial access.
Executive priority
Treat this as an exposure-management and resilience issue, not only a SOC alerting problem. Leaders should ask whether public DNS records match intended business exposure, whether DNS configuration is reviewed as part of change management, and whether evidence exists for audits showing zone-transfer restrictions and security-focused DNS configuration. The main business value is reducing unnecessary disclosure that can aid targeting of remote services, cloud services, and third-party platforms.
Technical view
This is a PRE-platform reconnaissance sub-technique under Gather Victim Network Information. ATT&CK does not provide official detection text, but the relationship to DET0843 indicates a detection strategy exists. SOC and IR teams should validate visibility into authoritative DNS activity where available, especially AXFR/zone-transfer attempts and DNS configuration changes. Detection should also include exposure review: what MX, TXT, SPF, name server, and subdomain records disclose, and whether those records align with approved architecture.
Likely telemetry
- Authoritative DNS server query logs, especially zone-transfer query types such as AXFR
- DNS server configuration and change-management records
- Managed DNS provider audit logs, if DNS is externally hosted
- Public DNS record inventories for NS, MX, TXT, SPF, subdomains, and host records
- External exposure assessment results using public DNS and passive DNS sources
Detection direction
- Use the DET0843 relationship as a prompt to validate a DNS reconnaissance detection strategy, but do not assume coverage because ATT&CK provides no official detection text here.
- Alert or review unexpected AXFR activity against authoritative DNS servers; tune for legitimate secondary DNS servers, managed DNS providers, administrators, and approved scanners.
- Compare public DNS records against the approved service inventory to identify unnecessary disclosure of cloud, SaaS, mail, or remote-service dependencies.
- Recognize the blind spot: adversaries can gather much of this information from passive DNS and open technical databases, which may not generate telemetry in the victim environment.
- Correlate DNS exposure findings with other reconnaissance and initial-access risk areas, including external remote services and publicly discoverable infrastructure.
Mitigation priorities
- Prioritize Software Configuration (M1054): review authoritative DNS and managed DNS settings against security-focused configuration guidance.
- Restrict DNS zone transfers to authorized secondary servers only and verify that unauthorized AXFR requests do not return full zone data.
- Review public DNS records for unnecessary details while preserving required business, mail, and SaaS functionality.
- Include DNS record changes in change control, periodic exposure reviews, and compliance evidence collection.
- Use DNS exposure findings to inform vulnerability management and external attack-surface prioritization.
Analyst notes and limits
The object is focused on reconnaissance and public information gathering. It links DNS collection to passive DNS, open technical databases, broader reconnaissance, operational resource setup, and possible initial-access planning. The most useful defender action is usually not a single alert, but disciplined DNS configuration review, public-record hygiene, and validation of whether authoritative DNS logs and provider audit trails are actually available.
ATT&CK provides no official detection guidance for this object, and much DNS reconnaissance may occur through third-party passive DNS or public datasets outside the defender’s telemetry. Local DNS architecture, hosting model, and business requirements are required to judge what exposure is acceptable.
DNS
Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.[1]
Adversaries may gather this information in various ways, such as querying or otherwise collecting details via DNS/Passive DNS. DNS information may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases).[2][3] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Technical Databases, Search Open Websites/Domains, or Active Scanning), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services).
Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.[4][5][6]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1590 | Gather Victim Network Information | This object subtechnique of Gather Victim Network Information. |
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.2 | Current bundle | 61ad1c75ace4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Sean Metcalf Twitter DNS Records
Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved September 12, 2024.
Open source URL -
[2]
DNS Dumpster
Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
Open source URL -
[3]
Circl Passive DNS
CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020.
Open source URL -
[4]
Trails-DNS
SecurityTrails. (2018, March 14). Wrong Bind Configuration Exposes the Complete List of Russian TLD's to the Internet. Retrieved June 5, 2024.
Open source URL -
[5]
DNS-CISA
CISA. (2016, September 29). DNS Zone Transfer AXFR Requests May Leak Domain Information. Retrieved June 5, 2024.
Open source URL -
[6]
Alexa-dns
Scanning Alexa's Top 1M for AXFR. (2015, March 29). Retrieved June 5, 2024.
Open source URL -
[7]
mitre-attack T1590.002Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.