Question 1
What is the primary goal of DNS enumeration during external reconnaissance?
To obtain source code from a web server
To discover DNS records and map domain/subdomain structure for attack surface analysis
To brute-force SSH credentials of hosts listed in DNS
Question 2
Which DNS record type is most useful for discovering mail servers used by a domain?
A
CNAME
TXT
MX
Question 3
During DNS enumeration, a tool attempts an AXFR for the target domain and receives a full zone transfer. What does this mean?
The domain uses DNSSEC and is secure
The authoritative server allowed a zone transfer and exposed the entire DNS zone (all records) — a critical information leak
The authoritative server returned only SOA and NS records (normal)
The server refused the transfer due to rate limiting
Question 4
Which technique is least likely to find hidden subdomains?
Brute-force a wordlist of probable subdomains (e.g., www, dev, api)
Query Certificate Transparency logs for issued certificates
Query historical DNS/archived DNS datasets (passive DNS)
Scanning only for open TCP port 22 on random IP addresses without referencing DNS records
Question 5
You run dig @ns1.example.com AXFR example.com and get a “transfer refused” response. Which explanation is most accurate?
The domain has no DNS records at all
The server is down and cannot serve the zone
Your DNS client doesn’t support AXFR
The authoritative server denies AXFR to your IP (expected secure configuration)
Question 6
In subdomain enumeration, what problem can a wildcard DNS record (e.g., *.example.com → 203.0.113.10) cause for tools like Dnssearch?
It speeds up finding real subdomains
It prevents any DNS queries from succeeding
It causes false positives because every queried name resolves to the wildcard IP, hiding which subdomains are real
It forces AXFR to succeed
Question 7
Which combination best represents passive DNS enumeration techniques (no direct queries to target authoritative servers)?
Certificate Transparency logs + public WHOIS + passive DNS databases
AXFR + zone transfer testing
TCP SYN scan + banner grabbing
Direct dig queries to authoritative NS records + brute-force subdomains
Question 8
What is a realistic defensive step to reduce DNS reconnaissance exposure?
Make all DNS records public (no change)
Move your authoritative nameservers to unregistered IPs
Disable DNSSEC and use plain UDP only
Restrict AXFR to authorized secondary hosts, minimize unnecessary subdomains, and avoid placing sensitive data in public DNS/TXT records
Question 9
While using Dnssearch, you notice many CNAME chains pointing to external CDN domains (e.g., app.example.com → something.cdn.net). How can this information be useful in an engagement?
It is only decorative and irrelevant.
It reveals third-party services, potential configuration dependencies, and paths for finding related assets or subdomains hosted on the CDN provider.
It always indicates vulnerability to SQL injection.
It proves the target uses insecure HTTP only.
Question 10
During an assessment, you want to enumerate subdomains without alerting target detection systems. Which approach balances thoroughness and stealth?
Use passive sources (CT logs, passive DNS), limited-rate queries to resolvers, and targeted brute-force only against likely names with randomized timing and the operator’s consent
Run a massive, multi-threaded brute-force against the authoritative server from many distributed IPs (no risk)
Use continuous AXFR attempts until it succeeds
Use DNS amplification queries to elicit responses faster
There are 10 questions to complete.