Rob Dixon [ @304geek ] from AccuvantLABS published small but simple tool writen in bash called Scrape-DNS which can be used for quering cached DNS entries in search for malware and other "bad" sites. Short exerpt from 304geeks blog post:
"Back at my old job, we used cache snooping techniques (Scraping) to check for evidence of client systems that were attempting to resolve known malware sites.
We would use the list at Mayhemiclabs.com and compare it to our cached DNS entries.
So, why don't we do something badass like that, but to support the penetration test or red team mission?
Using standard cache snooping techniques you can determine what anti-virus vendors might be in use on a clients network.
HOW? Simple. By making non-recursive queries to the client's DNS servers for known AV update site domains.
Yes, it is that simple.