T1596.001: DNS/Passive DNS
Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
Adversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS).[1][2] Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Search Victim-Owned Websites or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services or Trusted Relationship).
Analyst context for executives and security teams
DNS/Passive DNS matters because it shows what an adversary can learn before touching the environment. Public DNS records and passive DNS repositories can expose subdomains, mail servers, name servers, hostnames, addressing patterns, and possible misconfigurations that help targeting decisions.
Executive priority
Treat this as an attack-surface and resilience issue, not only a SOC alerting problem. Leaders should ask whether public DNS exposure is inventoried, owned, reviewed, and evidenced for audit or risk decisions. The business risk is that stale or overly revealing DNS data can guide follow-on reconnaissance, infrastructure preparation, or attempts against external remote services and trusted relationships.
Technical view
This is a PRE-platform reconnaissance sub-technique under Search Open Technical Databases. MITRE provides no official detection text, but a related detection strategy, DET0877, is linked. SOC, IR, and detection teams should validate what authoritative DNS data, passive DNS history, and external technical database findings reveal about the organization, then compare that exposure to approved asset inventories and known external services.
Likely telemetry
- Authoritative DNS records and configuration exports for organizational domains
- DNS provider logs, where available, for direct nameserver queries
- Passive DNS results from external repositories or commercial/open sources
- External attack-surface inventory showing subdomains, mail servers, name servers, and exposed hosts
- Records of DNS misconfigurations or leaks that reveal internal network information
Detection direction
- Do not assume strong alerting coverage: the official ATT&CK object has no detection text, and much of this activity occurs in public or third-party data sources.
- Use DET0877 as a prompt to validate a detection strategy, but require local evidence of what DNS telemetry and passive DNS sources are actually available.
- Compare public and passive DNS findings against approved asset inventory to identify unknown, stale, or overly revealing records.
- Treat direct nameserver query patterns as weak signals; legitimate scanners, researchers, and normal internet activity can create false positives.
- Correlate exposed DNS findings with related reconnaissance and access-risk areas named by ATT&CK, including victim-owned websites, open websites/domains, external remote services, and trusted relationships.
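The two signals a nameserver or DNS-provider log can actually surface for this sub-technique are zone-transfer attempts (a strong signal, since an AXFR/IXFR request from an unknown client is rarely legitimate) and a single client walking many distinct names under the organization's zone (a weak signal, since scanners and researchers do the same). The following is an added example, not part of the ATT&CK object or of this page's original content, that runs that logic over constructed sample lines in a simplified BIND-style query-log layout; the layout, the regex, the `example.com` zone and the threshold of 20 distinct names are all assumptions to adapt to a real export.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified BIND-style query-log layout.
# Real authoritative/provider logs differ in layout and field order; the
# regex below is the only thing that needs adapting to a real export.
BASE_LINES = [
    "20-Oct-2020 10:00:01 client 203.0.113.5#41234 (www.example.com): query: www.example.com IN A",
    "20-Oct-2020 10:00:02 client 203.0.113.5#41235 (mail.example.com): query: mail.example.com IN MX",
    "20-Oct-2020 10:00:03 client 198.51.100.9#53000 (example.com): query: example.com IN AXFR",
    "20-Oct-2020 10:00:04 client 203.0.113.77#50001 (example.org): query: example.org IN A",
]

# Constructed wordlist standing in for a subdomain brute-force run (assumption).
WORDLIST = [
    "admin", "dev", "staging", "vpn", "api", "test", "portal", "git", "ci", "jenkins",
    "intranet", "mail2", "ns3", "ftp", "sftp", "owa", "autodiscover", "remote", "sso",
    "vault", "backup", "db", "grafana", "kibana", "wiki",
]

# One client (203.0.113.77) walking the wordlist against the organization's zone.
BRUTE_LINES = [
    f"20-Oct-2020 10:01:{i:02d} client 203.0.113.77#5{i:04d} ({w}.example.com): query: {w}.example.com IN A"
    for i, w in enumerate(WORDLIST)
]
SAMPLE_LOG = BASE_LINES + BRUTE_LINES

LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>[A-Z]+)"
)


def parse(lines):
    """Yield (client_ip, qname, qtype) for lines the regex understands; skip the rest."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").lower().rstrip("."), m.group("qtype")


def in_zone(qname, zone):
    """True when qname is the zone apex or a name under it."""
    return qname == zone or qname.endswith("." + zone)


def analyze(lines, zone="example.com", enum_threshold=20):
    """Return zone-transfer attempts (strong signal) and clients that queried at
    least enum_threshold distinct names under zone (weak signal: tune per site)."""
    transfer_attempts = []
    names_by_client = defaultdict(set)
    for ip, qname, qtype in parse(lines):
        if qtype in ("AXFR", "IXFR"):
            transfer_attempts.append((ip, qname, qtype))
        if in_zone(qname, zone):
            names_by_client[ip].add(qname)
    enumeration_suspects = {
        ip: len(names) for ip, names in names_by_client.items() if len(names) >= enum_threshold
    }
    return {
        "zone_transfer_attempts": transfer_attempts,
        "enumeration_suspects": enumeration_suspects,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The enumeration count is deliberately reported as a number rather than an alert: a client that resolves a few dozen distinct names is a triage prompt, and the right threshold depends on how much legitimate scanning the zone already sees. Queries for names outside the zone (the `example.org` line) are ignored so that a recursive-resolver-style workload does not inflate the count.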
Mitigation priorities
- Apply the related M1056 Pre-compromise mitigation by reducing information exposure before adversaries use it for targeting.
- Maintain ownership and review processes for public DNS records, subdomains, name servers, mail records, and externally visible hosts.
- Remove stale or unnecessary DNS entries and investigate records that reveal internal network details.
- Use external exposure reviews to prioritize remediation of DNS findings that point to reachable services or sensitive business relationships.
- Preserve evidence of DNS review and remediation for compliance readiness and incident response context.
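The review described above comes down to three comparisons: authoritative records against the approved inventory, records whose address data points inside the network, and passive DNS history that still names hosts the organization no longer advertises. The following is an added example, not code from the ATT&CK object or from this page, that performs those comparisons over a constructed zone export, constructed passive DNS observations (shaped like a typical rrname/rrtype/rdata/time_last export, which is an assumption about the source's format) and a constructed inventory; the zone name, the review date and the 365-day staleness window are assumptions.

```python
import ipaddress
from datetime import date

ORG_ZONES = ("example.com",)  # assumption: the organization's own zones

# Explicit internal ranges (RFC 1918, loopback, link-local, IPv6 ULA/link-local).
# ipaddress.is_private is deliberately not used: it also matches documentation
# ranges such as 203.0.113.0/24, which this example uses as stand-in public IPs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed authoritative zone export as (name, type, rdata); not a real zone.
ZONE_EXPORT = [
    ("www.example.com", "A", "203.0.113.10"),
    ("mail.example.com", "A", "203.0.113.25"),
    ("example.com", "MX", "10 mail.example.com"),
    ("vpn.example.com", "A", "203.0.113.30"),
    ("intranet.example.com", "A", "10.20.30.40"),  # internal address published publicly
    ("old-portal.example.com", "CNAME", "old-portal.example.com.partner-hosting.test"),
    ("jenkins.example.com", "A", "203.0.113.44"),
]

# Constructed passive DNS observations; field names mimic a common export shape.
PASSIVE_DNS = [
    {"rrname": "www.example.com", "rrtype": "A", "rdata": "203.0.113.10", "time_last": "2020-10-19"},
    {"rrname": "staging.example.com", "rrtype": "A", "rdata": "203.0.113.51", "time_last": "2019-03-02"},
    {"rrname": "git.example.com", "rrtype": "A", "rdata": "192.168.5.5", "time_last": "2020-09-30"},
]

# Constructed approved external-asset inventory.
APPROVED_INVENTORY = {"example.com", "www.example.com", "mail.example.com", "vpn.example.com"}
REVIEW_DATE = date(2020, 10, 20)  # assumption: the date the review is run


def in_org(name):
    """True when name is one of the organization's zones or a name under one."""
    return any(name == z or name.endswith("." + z) for z in ORG_ZONES)


def is_internal_ip(rdata):
    """True when rdata parses as an address inside an explicitly internal range."""
    try:
        ip = ipaddress.ip_address(rdata)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def review(zone, pdns, inventory, today, stale_days=365):
    """Return (kind, name, detail) findings from authoritative and passive DNS data."""
    findings = []
    current_names = {name for name, _, _ in zone}
    for name, rtype, rdata in zone:
        if name not in inventory:
            findings.append(("unknown_record", name, f"{rtype} {rdata}"))
        if rtype in ("A", "AAAA") and is_internal_ip(rdata):
            findings.append(("internal_address_leak", name, rdata))
        if rtype == "CNAME" and not in_org(rdata):
            findings.append(("external_dependency", name, rdata))
    for obs in pdns:
        name = obs["rrname"]
        if name in current_names:
            continue  # already assessed from the authoritative export
        if name not in inventory:
            findings.append(("unknown_historical_name", name, obs["rdata"]))
        if (today - date.fromisoformat(obs["time_last"])).days > stale_days:
            findings.append(("stale_historical_name", name, obs["time_last"]))
        if obs["rrtype"] in ("A", "AAAA") and is_internal_ip(obs["rdata"]):
            findings.append(("internal_address_leak", name, obs["rdata"]))
    return findings


def run_review():
    return review(ZONE_EXPORT, PASSIVE_DNS, APPROVED_INVENTORY, REVIEW_DATE)


if __name__ == "__main__":
    for kind, name, detail in run_review():
        print(f"{kind:24} {name:28} {detail}")
```

Each finding kind maps to one of the mitigation priorities: `unknown_record` and `unknown_historical_name` are ownership gaps, `internal_address_leak` records need to be removed from public zones, `external_dependency` CNAMEs are the third-party relationships worth confirming, and `stale_historical_name` entries show what passive DNS still tells an adversary even after a record is gone. Keep the output as review evidence alongside the remediation ticket.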
Analyst notes and limits
The supplied ATT&CK object frames this as reconnaissance using DNS data and passive DNS repositories such as DNS Dumpster and CIRCL Passive DNS. The main defensive value is disciplined external exposure management and validation of whether public DNS data aligns with intended business services.
No official ATT&CK detection guidance is provided for this sub-technique. The relationship to DET0877 indicates a detection strategy exists, but no strategy details were supplied. Local DNS provider capabilities, passive DNS access, and asset inventory quality will determine practical coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1596 | Search Open Technical Databases | This object is a sub-technique of Search Open Technical Databases. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4d754999e2c4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
[2] CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020.
[3] MITRE ATT&CK. T1596.001: DNS/Passive DNS.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.