According to the Certified Ethical Hacker (CEH) Reconnaissance and Footprinting module, DNS cache snooping is a passive information-gathering technique used to determine whether a specific DNS record exists in a server’s cache. Attackers commonly use the dig +norecurse option to prevent the DNS server from querying other DNS servers, thereby revealing only cached results.
When a DNS server responds with NOERROR but does not return an answer, it indicates that the domain name itself is valid, but the requested record is not present in the DNS cache. CEH documentation explains that this situation usually occurs when no internal client has recently queried that domain, so the DNS server has no cached entry for it.
Option A is incorrect because a cached record would return a valid answer section.
Option B is incorrect because NOERROR explicitly means the DNS query was processed successfully.
Option D is incorrect because an expired or non-existent domain would typically return NXDOMAIN, not NOERROR.
CEH materials highlight that attackers use DNS cache snooping to infer user behavior, internal browsing habits, and potential target systems within an organization—making option C the correct conclusion.
