DNS interrogation is a core passive and semi-active reconnaissance technique described in CEH v13 Reconnaissance Techniques. It allows ethical hackers to gather publicly available information about a target's domain infrastructure.
Through DNS queries, testers can retrieve:
Subdomains (via zone transfers, brute force, or DNS records)
Mail server IP addresses (via MX records)
Server IP addresses, which can then be mapped to approximate geographic locations However, DNS does not store authentication credentials such as usernames and passwords. That information resides in authentication systems like Active Directory, LDAP, or application databases, not DNS.
Therefore, Option A is the only choice that cannot be obtained via DNS interrogation. CEH v13 clearly distinguishes between naming infrastructure data and credential-based information, reinforcing why DNS enumeration cannot reveal user credentials.
Thus, Option A is correct.

The best choice is Caido because the scenario describes a web-focused interception proxy workflow:
intercepting HTTP traffic, logging requests, and performing advanced searches to identify session tokens. In CEH-aligned web application testing methodology, session hijacking simulations commonly rely on an intercepting proxy to observe and manipulate application-layer requests and responses, extract session identifiers from cookies or headers, and demonstrate how weak session management can lead to account compromise. A lightweight security research proxy that captures traffic and supports fast filtering and searching across requests fits this exact need. Caido is designed as a modern web security toolkit centered around an interception proxy, allowing testers to capture browser-to-server traffic, inspect headers and cookies, and quickly search through recorded traffic for patterns such as session IDs, authentication cookies, bearer tokens, or predictable parameters.
The other tools are less aligned with the described requirements. Wireshark is a powerful packet analyzer, but it operates primarily at the packet level and is not optimized for web-app testing workflows such as organized request history, token-focused searching, and convenient HTTP manipulation. Bettercap is primarily a network MITM and exploitation framework; while it can intercept traffic, it is not the typical choice for controlled web proxy testing and detailed HTTP request analysis in the way described. Hetty is an HTTP toolkit, but the question's emphasis on a lightweight, security-research proxy with strong captured-data searching and request logging aligns more closely with Caido's purpose-built approach for web application assessments and session token discovery.
'

CEH guidance for web server hardening prioritizes controls that reduce exploitable conditions across the broadest set of threats. While obscuring paths (for example, unusual directory names like "certrcx" or storing content under "/admin/web") may slightly slow down casual discovery, CEH emphasizes that security through obscurity is not a reliable control. If an attacker can identify the server root, document root, and virtual directory structure (through misconfigurations, directory listing, error leakage, backup exposure, or known-path enumeration), then the real risk becomes unpatched vulnerabilities in the web server, modules, libraries, and underlying OS.
Regularly updating and patching the server software is the most direct, high-impact countermeasure because it closes known vulnerabilities attackers routinely exploit (RCE, privilege escalation, auth bypass, path traversal, request smuggling, etc.). CEH materials also stress that virtual hosting expands the attack surface (multiple sites, shared services, shared misconfigurations), making systematic patching and configuration management even more important.
Option A (moving the document root to a different disk) may help with organization and, in some cases, recovery planning, but it does not inherently reduce vulnerabilities. Option C (changing IPs) is not a security control; it may complicate blocking lists but doesn't fix the underlying weakness. Option D (using LAMP) is an architectural choice, not a security measure by itself-an open-source stack can still be insecure if misconfigured or unpatched.
Therefore, CEH-aligned best practice is regular patching and updates.

This scenario best illustrates impersonation, which is a core social engineering technique emphasized in CEH under pretexting and physical security testing. Impersonation occurs when an attacker assumes a believable identity, such as an IT technician, vendor, maintenance worker, or delivery person, to gain trust and bypass access controls. In the prompt, the red team member adopts a third-party IT technician role and is granted entry because the receptionist assumes the visit is legitimate and does not verify credentials. That is the defining moment of impersonation: exploiting human trust and procedural gaps to obtain unauthorized physical access.
While the attacker later observes open terminals, unattended printouts, and sticky notes, those observations are opportunistic data collection that becomes possible only after successful impersonation. Shoulder surfing is specifically observing a user entering credentials or viewing a screen while standing nearby, typically during active use. Eavesdropping focuses on capturing spoken or transmitted information, such as listening to conversations or intercepting communications. Dumpster diving involves retrieving sensitive information from trash or discarded materials in waste bins, not simply seeing sticky notes left on desks.
CEH guidance highlights that impersonation often succeeds when organizations lack visitor verification, badge enforcement, escort policies, and security awareness training. Controls include validating work orders, requiring government-issued ID, issuing visitor badges, escorting visitors, enforcing clean desk practices, locking workstations, and secure printing to prevent exposure of credentials and sensitive data.

The correct answer is MX. CEH reconnaissance material explains that MX, or Mail Exchange, records identify the mail servers responsible for receiving email for a domain. When a tester wants to understand how an organization handles incoming email traffic, MX records are the most relevant DNS data source because they reveal the designated mail infrastructure and often the priority order of mail servers. In this scenario, the objective is to gather passive intelligence about communication infrastructure without performing active network probing, so querying DNS records is appropriate. SOA records provide domain authority and zone administration information, TXT records often contain verification or policy-related text such as SPF details, and NS records identify authoritative name servers. While those can all contribute to broader reconnaissance, they do not directly answer which systems are responsible for receiving mail. CEH emphasizes that MX records are commonly used during footprinting to identify email infrastructure, support phishing simulations, analyze third-party mail providers, or map communication dependencies. Because the question explicitly asks for the DNS record type that reveals mail server configuration, MX is the correct choice.