It is an interesting and entirely legal exercise to enumerate the CIA and other organizations' networks from the Internet by querying public records. As a recap, here is a list of public Internet-based querying techniques and their application:
Using Google to perform searches against established domain names and target networks to identify personnel, hostnames, domain names, and useful data residing on publicly accessible web servers.
Querying NIC databases such as ARIN, APNIC, and RIPE to retrieve network block, routing, and contact details related to the target networks and domain names. NIC querying gives useful information relating to the sizes of reserved network blocks (useful later when performing intrusive network scanning).
Querying publicly accessible DNS servers to enumerate hostnames and subdomains. Misconfigured DNS servers can also be abused to download DNS zone files that categorically list subdomains, hostnames, and operating platforms of devices, and, in severe cases, internal network information.
Sending email to nonexistent accounts at target domains to map internal network space by analyzing the responses from the SMTP system.
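The zone-transfer exposure in the DNS item above is the one a defender can check from configuration alone. The following is an added example, not code from the original text: it parses a constructed BIND-style named.conf fragment and reports which zones any host could AXFR, taking into account the global `options` default and per-zone overrides (the assumed built-in default of "any" applies to older BIND releases).

```python
"""Audit a BIND-style named.conf fragment for zones that any host may AXFR.
Added example: the configuration below is constructed, not from a real server,
and the parser only handles the simple one-level block layout shown."""
import re
# Constructed sample: a permissive global default, one zone inheriting it,
# one restricted to a secondary plus TSIG key, and one explicitly open.
SAMPLE_NAMED_CONF = """options {
    directory "/var/named";
    allow-transfer { any; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
};
zone "corp.example" {
    type master;
    file "corp.example.zone";
    allow-transfer { 192.0.2.53; key tsig-secondary; };
};
zone "legacy.example" {
    type master;
    file "legacy.zone";
    allow-transfer { any; };
};
"""
# Same zones behind the corrected global setting: deny transfers by default.
HARDENED_NAMED_CONF = SAMPLE_NAMED_CONF.replace(
    "allow-transfer { any; };\n};\nzone", "allow-transfer { none; };\n};\nzone", 1)
BLOCK_RE = re.compile(r'(options|zone\s+"([^"]+)")\s*\{(.*?)\n\};', re.S)
TRANSFER_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}")

def _transfer_acl(body):
    """ACL entries of a block's allow-transfer clause, or None if it has none."""
    m = TRANSFER_RE.search(body)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def find_open_zones(conf, builtin_default=("any",)):
    """Return zone names whose effective allow-transfer ACL is 'any'.
    A zone without its own ACL inherits the options block; if that is unset
    too, builtin_default applies (assumed: older BIND releases allowed any host)."""
    global_acl, zones = list(builtin_default), {}
    for m in BLOCK_RE.finditer(conf):
        kind, name, acl = m.group(1), m.group(2), _transfer_acl(m.group(3))
        if kind == "options":
            global_acl = global_acl if acl is None else acl
        else:
            zones[name] = acl
    return sorted(n for n, acl in zones.items()
                  if (global_acl if acl is None else acl) == ["any"])
```

Note that the hardened variant still flags `legacy.example`: a per-zone `allow-transfer { any; }` overrides a restrictive global default, so each zone must be reviewed, not just the `options` block.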