Active Directory DNS is not just name resolution. AD-integrated DNS stores DNS records inside Active Directory, usually under DomainDnsZones and ForestDnsZones, and domain controllers answer those records for the domain. That makes DNS both an enumeration source and an attack surface.
We care about five practical paths: dumping internal records, abusing dynamic updates, writing ADIDNS records, creating names such as wpad, and abusing DnsAdmins privileges. A single DNS record can become relay infrastructure, credential capture infrastructure, lateral movement support, or persistence.
Tools used in this section include adidnsdump, krbrelayx, Responder, Inveigh, NetExec, Impacket, and PowerView.