A security analyst wants to discover all DNS records associated with a domain without triggering a full zone transfer. Which tool is BEST suited for this task?
dnsrecon is a powerful DNS enumeration script that can query multiple record types and perform subdomain brute-forcing.
Why this answer
D (dnsrecon) is correct because it is a dedicated DNS enumeration tool that queries multiple DNS record types (A, AAAA, CNAME, MX, NS, SOA, SRV, TXT, etc.) and uses techniques such as subdomain brute‑forcing and SRV record enumeration, all without attempting a full zone transfer (AXFR). It is specifically designed for reconnaissance and can discover hidden or non‑obvious DNS records efficiently.
Exam trap
EC-Council often tests the misconception that nslookup or dig are sufficient for comprehensive DNS discovery, but the question specifically asks for a tool that discovers *all* DNS records without a zone transfer, which requires automated enumeration beyond single‑query tools.
How to eliminate wrong answers
Option A (theHarvester) is wrong because it is primarily an email, subdomain, and open‑source intelligence (OSINT) gathering tool that uses search engines and public sources, not direct DNS queries for all record types.
Option B (dig) is wrong because while it can query individual DNS record types, it is a manual command‑line tool that requires separate queries for each record type and does not automate the discovery of all DNS records in a single pass.
Option C (nslookup) is wrong because it is an older, interactive DNS lookup utility that also requires manual, per‑record queries and lacks the automated enumeration features of dnsrecon.