Querying DNS servers for name resolution information can enable you to view more about the structure of an organization's network. Standard queries will simply use DNS servers to identify the IP address behind a particular domain or resource name. This IP address might be useful as an entry point into the network, or possibly as a vector for performing more reconnaissance.

Advanced queries can retrieve more information than just an IP address. You can identify the individual DNS records for a particular domain, like MX records, NS records, TXT records, and more. These records can reveal additional targets that you may not have enumerated using other OSINT methods. For example, you may be able to identify that the organization is using specific services, like VoIP, by enumerating an SRV record.

There are several tools that can help you perform DNS querying, including several web apps. One common command-line tool is nslookup, which you can use to query a domain and specify the record types that you're looking for. The tool dig has similar functionality and is more widely used on Linux systems, and can perform reverse lookups to match an IP address to a domain name.

Aside from identifying DNS records, you may also be able to use DNS querying to initiate a zone transfer. In a properly configured environment, a DNS server's information will be transferred to other DNS servers in the same domain for backup purposes. However, improperly configured servers may leak this information to hosts outside the domain, including yours. This information can not just reveal DNS records, but it can also enumerate which hosts are directly accessible from the Internet.