DNS zone transfer

DNS is my favorite protocol because it's a treasure trove of information. If you can request a zone transfer, the tester can get all the DNS records for a particular zone. This will identify the hostname-to-IP-address relationship of all hosts in the network. If the attacker has any knowledge of the network scheme, this can be the fastest method to discover all hosts on a network. DNS can also give rise to services that are running on the network, such as mail servers.