title: DNS (T1590.002)
id: df00tech-t1590-002
status: experimental
description: "Adversaries may gather information about the victim's DNS infrastructure to support targeting. DNS reconnaissance reveals registered name servers, subdomains, mail servers, and host addressing. DNS record types including MX, TXT, SPF, DMARC, and DKIM records expose third-party cloud and SaaS provider usage (Office 365, Google Workspace, Salesforce, Zendesk). Adversaries may perform full DNS zone transfers (AXFR queries) against misconfigured authoritative servers, query passive DNS databases (Circl, SecurityTrails, Shodan), or run OSINT tools such as dnsrecon, subfinder, amass, and fierce. The collected intelligence maps the organization's external attack surface and informs infrastructure acquisition, phishing infrastructure setup, and initial access planning."
references:
  - https://attack.mitre.org/techniques/T1590/002/
  - https://df00tech.com/detections/T1590.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1590.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Authorized DNS zone transfers between primary and secondary name servers: legitimate AXFR from secondary NS IP addresses configured for zone replication"
  - "Internal IT and security teams running DNS enumeration tools during authorized penetration tests, asset discovery, or DNS hygiene audits"
  - "Monitoring and asset management platforms (Qualys, Tenable, Rapid7) that perform DNS enumeration as part of scheduled scans against owned infrastructure"
  - "Developers and DevOps engineers using dig or nslookup with ANY/MX/TXT flags to troubleshoot mail delivery, SPF validation, or SSL certificate issues"
level: low
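Since the detection block above is only a placeholder, the following is an added example (not the df00tech KQL/SPL query, and not part of the rule) of process_creation matching for the tooling named in the description, with an allowlist for the scanner and pentest accounts listed under falsepositives. Field names (Computer, User, Image, CommandLine) follow the Sysmon process-creation schema; the sample events are constructed.

```python
# Added example: hypothetical process_creation matching for the DNS recon
# tooling named in this rule; it is not the df00tech KQL/SPL query.
from typing import Iterable, List, Optional, Tuple

# Tool names from the description; matched on the process image name.
RECON_IMAGES = {"dnsrecon", "subfinder", "amass", "fierce"}
# Resolver clients only count when asked for a zone transfer or ANY records;
# MX/TXT lookups are the troubleshooting traffic listed under falsepositives.
RESOLVER_CLIENTS = {"dig", "nslookup", "host"}

def _image_name(path: str) -> str:
    """Basename of an Image path without '.exe', e.g. 'C:\\Tools\\amass.exe' -> 'amass'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def _is_bulk_query(token: str) -> bool:
    """True for 'axfr'/'any' given bare (dig) or as -type=/-query=/-q= (nslookup)."""
    return token.rsplit("=", 1)[-1] in ("axfr", "any")

def classify(event: dict) -> Optional[str]:
    """Label a process_creation event as DNS recon, or None if it looks benign."""
    image = _image_name(event.get("Image", ""))
    if image in RECON_IMAGES:
        return f"dns_recon_tool:{image}"
    tokens = [t.strip("\"'").lower() for t in event.get("CommandLine", "").split()]
    if image in RESOLVER_CLIENTS and any(_is_bulk_query(t) for t in tokens):
        return f"zone_transfer_or_any:{image}"
    return None

def detect(events: Iterable[dict], allowed_users: Iterable[str] = ()) -> List[Tuple[str, str, str]]:
    """Return (Computer, User, label) for matches not covered by the scanner/pentest allowlist."""
    allowed = {u.lower() for u in allowed_users}
    return [(ev["Computer"], ev["User"], label) for ev in events
            if (label := classify(ev)) and ev.get("User", "").lower() not in allowed]

# Constructed sample events (Sysmon-style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Tools\\dnsrecon.exe",
     "CommandLine": "dnsrecon.exe -d example.com -t axfr"},
    {"Computer": "WS02", "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\nslookup.exe",
     "CommandLine": "nslookup -type=mx example.com"},  # mail troubleshooting: no alert
    {"Computer": "WS02", "User": "CORP\\bob", "Image": "C:\\Program Files\\ISC BIND 9\\bin\\dig.exe",
     "CommandLine": "dig @ns1.example.com example.com AXFR"},
    {"Computer": "SCAN01", "User": "CORP\\svc-tenable", "Image": "C:\\Tools\\amass.exe",
     "CommandLine": "amass enum -d example.com"},  # allowlisted scanner account
    {"Computer": "WS03", "User": "CORP\\carol", "Image": "C:\\Windows\\System32\\nslookup.exe",
     "CommandLine": "nslookup -type=any example.com"},
]
```

Calling detect(SAMPLE_EVENTS, allowed_users={"CORP\\svc-tenable"}) returns the three non-allowlisted matches; extend allowed_users with the scanner and pentest accounts from the falsepositives list for your environment.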
