The correct answer is DNS interrogation. CEH reconnaissance guidance explains that active footprinting involves direct interaction with the target environment, which can generate logs or alerts. DNS interrogation is an active technique used to query name servers for information about domain structure, hostnames, mail servers, subdomains, and other records that reveal how public-facing systems are logically arranged. The question specifically says Justin is retrieving structural details about the organization’s public-facing systems and that his activity is logged by the target, which is consistent with active DNS queries. Network or port scanning is also active, but it focuses on discovering open ports and reachable services rather than the logical naming and organizational structure of public systems. Social engineering is human-focused, and user and service enumeration typically aims at accounts or system services rather than domain structure. CEH materials repeatedly emphasize DNS as a rich reconnaissance source because records such as A, MX, NS, TXT, and SOA can reveal infrastructure relationships and naming conventions. Since the goal is to understand how the organization’s internet-facing systems are organized and represented, DNS interrogation is the best fit.