Question

A security consultant is performing a penetration test on and wants to discover the DNS administrator's email address to use in a later social engineering attack. The information listed with the DNS registrar is private.

Which of the following commands will also disclose the email address?

A. dig -h
B. whois -f
C. nslookup -type=SOA
D. dnsrecon -i -t hostmaster

Answer 1

To find the DNS administrator's email address, the nslookup -type=SOA command should be used, which queries the SOA record in the domain's DNS information. The correct option is C.

Step-by-step explanation:

The correct command to discover the DNS administrator's email address, given that the information listed with the DNS registrar is private, would be to use an SOA (Start of Authority) record lookup. An SOA record includes administrative information about a domain, including the email address of the domain administrator.

The command that would disclose the DNS administrator's email address through the SOA record is:

nslookup -type=SOA

This command queries the Domain Name System (DNS) to get the SOA record for the specified domain. The result will include the email address of the DNS administrator with the '.' replaced by an excluding the last '.' which signifies the root.