
[BUG] nuclei DNS resolving issues

Open blockisec opened this issue 1 year ago • 11 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues.

Current Behavior

nuclei stopped working when scanning hostnames. DNS on the system works fine outside of nuclei.

Could not execute request for
[...SNIP...]
errKind=network-permanent-error no address found for host

Expected Behavior

resolve hosts correctly

Steps To Reproduce

  1. run nuclei with -debug flag to see error

Relevant log output

No response

Environment

- OS: Qubes-OS (Blackarch Template)
- Nuclei: v3.3.1
- Go: 1.23.0

Anything else?

It should be noted that adding the -system-resolvers flag works only sometimes, but not always. A workaround that has always worked so far is to proxy everything through Burp.

blockisec avatar Sep 11 '24 15:09 blockisec

I have the same problem: Wireshark shows Nuclei uses 1.0.0.1 as its default DNS and cannot resolve LAN names. Could we add an option to change this? Customize DNS settings

feisec avatar Sep 12 '24 04:09 feisec

Same issue here.... using the retries count can fix it

realgam3 avatar Sep 17 '24 10:09 realgam3

@blockisec are the DNS names defined in /etc/hosts? Otherwise, if they are defined in an internal DNS resolver, you might need to use system resolvers via the -sr flag:

-sr, -system-resolvers                use system DNS resolving as error fallback

Mzack9999 avatar Sep 20 '24 18:09 Mzack9999

No, they can be publicly resolved. As I already mentioned, the system-resolvers flag does not solve the problem. Setting Burp as a proxy, however, does work around the DNS issues for nuclei.

blockisec avatar Sep 20 '24 19:09 blockisec

@blockisec would it be possible to share one of the targets (feel free to join our Discord at and DM me at mzack9999) and more info about your network configuration (LAN? Wi-Fi? VPN?)? I'll try to reproduce the issue and work on a fix. Thanks!

Mzack9999 avatar Sep 20 '24 19:09 Mzack9999

> @blockisec would it be possible to share one of the targets (feel free to join our Discord at and DM me at mzack9999) and more info about your network configuration (LAN? Wi-Fi? VPN?)?
>
> I'll try to reproduce the issue and work on a fix. Thanks!

  • I can share an example in private, but it's not consistent... And it still fails from time to time with the system resolvers flag... The Discord link expired... can you share another link?

realgam3 avatar Sep 20 '24 20:09 realgam3

@Mzack9999 I am using a VPN, mostly WireGuard (in Qubes-OS, while the VPN is running in a separate VM). I already run curl in a loop while running a nuclei template against the target. curl worked, nuclei failed to resolve. As realgam3 mentioned, it is not consistent on my side either.

blockisec avatar Sep 21 '24 05:09 blockisec

On my side, I am trying to resolve an address inside a Kubernetes cluster in the format {service}.{namespace}.svc through a nuclei template.

Outside nuclei, curl is OK:

$ curl -I nginx.default.svc
HTTP/1.1 200 OK

Resolution running through nuclei is failing:

[WRN] [osint_leaked-credentials] Could not execute request for google.com: [:RUNTIME] got err while executing http://nginx.default.svc?google.com <- Get "http://nginx.default.svc?google.com": errKind=network-permanent-error no address found for host

It works for the FQDN of the cluster:

[DBG] [osint_leaked-credentials] Dumped HTTP response http://nginx.default.svc.7123e038.cluster.local?google.com

GODEBUG=netdns=cgo

Does nuclei resolve via /etc/resolv.conf?

fegger-ducksify avatar Sep 24 '24 19:09 fegger-ducksify

> On my side, I am trying to resolve an address inside a Kubernetes cluster in the format {service}.{namespace}.svc through a nuclei template.
>
> Outside nuclei, curl is OK:
>
> $ curl -I nginx.default.svc
> HTTP/1.1 200 OK
>
> Resolution running through nuclei is failing:
>
> [WRN] [osint_leaked-credentials] Could not execute request for google.com: [:RUNTIME] got err while executing http://nginx.default.svc?google.com <- Get "http://nginx.default.svc?google.com": errKind=network-permanent-error no address found for host
>
> It works for the FQDN of the cluster:
>
> [DBG] [osint_leaked-credentials] Dumped HTTP response http://nginx.default.svc.7123e038.cluster.local?google.com
>
> GODEBUG=netdns=cgo
>
> Does nuclei resolve via /etc/resolv.conf?

Your situation is easier: just add the flag -system-resolvers...

realgam3 avatar Sep 27 '24 09:09 realgam3

> Is there an existing issue for this?
>
>   • [x] I have searched the existing issues.
>
> Current Behavior
>
> nuclei stopped working when scanning hostnames. DNS on the system works fine outside of nuclei.
>
> Could not execute request for
> [...SNIP...]
> errKind=network-permanent-error no address found for host
>
> Expected Behavior
>
> resolve hosts correctly
>
> Steps To Reproduce
>
>   1. run nuclei with -debug flag to see error
>
> Relevant log output
>
> No response
>
> Environment
>
> - OS: Qubes-OS (Blackarch Template)
> - Nuclei: v3.3.1
> - Go: 1.23.0
>
> Anything else?
>
> It should be noted that adding the -system-resolvers flag works only sometimes, but not always. A workaround that has always worked so far is to proxy everything through Burp.

I have a workaround for you, but it's not pretty.... Add the flag -system-resolvers, then add the DNS record and IP you got from nslookup to /etc/hosts; it will solve the issue completely. That was the only way my pipeline didn't fail again... It seems that there is an issue where the DNS doesn't really care about cache and TTL: it's just asking every time for the record IP, and if it fails it just doesn't try again (the best way to make sure is to record the traffic with tcpdump, but with this workaround I didn't need it).

realgam3 avatar Sep 27 '24 09:09 realgam3

realgam3, I confirm that it works. But the IP to put in /etc/hosts is a ClusterIP, and it is supposed to change every time the pod is restarted.

The clue will perhaps be to run a nuclei pre-step that adds the record from nslookup out

fegger-ducksify avatar Sep 27 '24 09:09 fegger-ducksify
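
The pre-step suggested in the last two comments, sketched as an added example (not code from the thread or from the nuclei project): it re-resolves each target with nslookup before the scan and rewrites its /etc/hosts entry. The function names and the sample addresses are assumptions, and the parser assumes BIND-style nslookup output.

```shell
#!/bin/sh
# Added example: pre-step that pins scan targets into a hosts file.
# Assumes BIND-style nslookup output; function names are hypothetical.

# parse_nslookup: read nslookup output on stdin, print the first answer address.
# The "Address:" line under "Server:" is the resolver itself, so only
# addresses that follow a "Name:" line count.
parse_nslookup() {
    awk '/^Name:/ { seen = 1; next }
         seen && /^Address:/ { print $2; exit }'
}

# upsert_hosts_entry FILE IP NAME: drop any old mapping for NAME, add the new one.
upsert_hosts_entry() {
    file=$1 ip=$2 name=$3
    # Refuse anything that is not a plain hostname or address, so resolver
    # output can never inject extra lines or fields into the hosts file.
    case $name in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $ip in ''|*[!0-9A-Fa-f:.]*) return 1 ;; esac
    tmp=$(mktemp) || return 1
    awk -v n="$name" '
        /^[ \t]*#/ { print; next }
        { for (i = 2; i <= NF; i++) if ($i == n) next; print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\t%s\n' "$ip" "$name" >> "$tmp"
    # Write in place instead of renaming: /etc/hosts is often a bind mount
    # inside containers, where replacing the file fails.
    cat "$tmp" > "$file"; rc=$?
    rm -f "$tmp"
    return $rc
}

# pin_targets FILE NAME...: re-resolve every name on each run, so an address
# that changed since the last scan replaces the stale entry. Fails closed.
pin_targets() {
    hosts=$1; shift
    for target in "$@"; do
        addr=$(nslookup "$target" 2>/dev/null | parse_nslookup)
        upsert_hosts_entry "$hosts" "$addr" "$target" || {
            echo "pin_targets: cannot pin $target" >&2
            return 1
        }
    done
}

# Usage (as root, before the scan):
#   pin_targets /etc/hosts nginx.default.svc && nuclei -system-resolvers -u http://nginx.default.svc
```

nslookup is used here, as in the thread, because it queries DNS directly and is therefore not answered from the hosts file being rewritten.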