# local\_zone\_enumeration

**Explanation**

The local\_zone\_enumeration NDM detects a pattern of DNS activity that is consistent with an attempt to enumerate valid hostnames within an internal domain. As part of their reconnaissance efforts, attackers may wish to enumerate all of the valid hostnames on internal domains in order to discover systems and services to target. If DNS zone transfers are prohibited, attackers may attempt to guess valid names by brute force, which would trigger this NDM.

**What to Look For**

Examine hosts that are the source of this activity for indicators of compromise.

**Related MITRE ATT\&CK Categories**

[Reconnaissance: Gather Victim Network Information, Technique T1590 - Enterprise](https://attack.mitre.org/techniques/T1590)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/local_zone_enumeration.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.