How can regular domain users obtain DNS records without DNS admin privileges?
Regular domain users can obtain DNS records using two main approaches: first, by querying LDAP for computer names and then resolving their IP addresses via DNS queries (tools like SharpAdidnsdump and adidnsdump implement this); second, by directly extracting DNS records from LDAP and decoding the binary data (as done by dns-dump and PowerView). These methods are covered in detail in the article Domain Penetration - Obtaining DNS Records with Regular User Privileges.
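The second approach hinges on decoding the binary dnsRecord attribute that AD-integrated zones store on each DNS node object. The decoder below is an added example, not code from the article or from any of the tools it names; it follows the DNS_RPC_RECORD layout documented in MS-DNSP (24-byte header, then type-specific data, with TtlSeconds in network byte order) and runs only against blobs it constructs itself, so it is equally useful for an auditor checking what a non-admin reader of those objects would actually see.

```python
"""Decode the binary dnsRecord attribute of AD-integrated DNS node objects
(MS-DNSP DNS_RPC_RECORD layout). Sample blobs are constructed locally by
build_dns_record(); nothing here contacts a directory server."""
import ipaddress
import struct

HEADER = struct.Struct("<HHBBHL")  # DataLength, Type, Version, Rank, Flags, Serial
TTL = struct.Struct(">L")           # TtlSeconds is stored big-endian (network order)
TAIL = struct.Struct("<LL")         # Reserved, TimeStamp
HEADER_LEN = HEADER.size + TTL.size + TAIL.size  # 24 bytes precede the Data field

# Record type numbers follow RFC 1035 / MS-DNSP; type 0 marks a tombstoned node.
TYPE_NAMES = {0: "ZERO", 1: "A", 2: "NS", 5: "CNAME", 6: "SOA",
              12: "PTR", 28: "AAAA", 33: "SRV"}


def parse_dns_record(blob: bytes) -> dict:
    """Return the header fields of one dnsRecord value.
    A/AAAA data is decoded to an address; other types are left as hex."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dnsRecord shorter than its 24-byte header")
    data_len, rtype, _version, rank, _flags, serial = HEADER.unpack_from(blob, 0)
    (ttl,) = TTL.unpack_from(blob, HEADER.size)
    _reserved, timestamp = TAIL.unpack_from(blob, HEADER.size + TTL.size)
    data = blob[HEADER_LEN:HEADER_LEN + data_len]
    if len(data) != data_len:
        raise ValueError("DataLength runs past the end of the blob")
    rec = {"type": TYPE_NAMES.get(rtype, str(rtype)), "ttl": ttl, "serial": serial,
           "rank": rank, "timestamp": timestamp, "tombstoned": rtype == 0}
    if rtype == 1 and data_len == 4:
        rec["value"] = str(ipaddress.IPv4Address(data))
    elif rtype == 28 and data_len == 16:
        rec["value"] = str(ipaddress.IPv6Address(data))
    else:
        rec["value"] = data.hex()
    return rec


def build_dns_record(rtype: int, data: bytes, ttl: int = 3600, serial: int = 1) -> bytes:
    """Construct a dnsRecord blob (Version 5, Rank 0xF0 = zone-authoritative) for testing."""
    return HEADER.pack(len(data), rtype, 5, 0xF0, 0, serial) + TTL.pack(ttl) + TAIL.pack(0, 0) + data


if __name__ == "__main__":
    # Constructed sample: an A record for 10.0.0.5 with a 300-second TTL.
    sample = build_dns_record(1, ipaddress.IPv4Address("10.0.0.5").packed, ttl=300, serial=42)
    print(parse_dns_record(sample))
```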
Tags: domain penetration, DNS records, regular user privileges, LDAP query, DNS query, SharpAdidnsdump, adidnsdump, dns-dump, PowerView