Nmap Development mailing list archives

DNS issue: wrong DNS-Server is used.


From: "newsgrep ." <newsgrep () hotmail com>
Date: Mon, 10 Dec 2018 20:49:38 +0000


My problem in short:
====================
There are some DNS-Servers configured on an inactive interface (208.67.220.220 and
208.67.220.222), which are then used by Nmap instead of the DNS-Server (192.168.2.1)
of the active interface (eth1) that is used for the scan. This leads to the problem that
the wrong DNS-Server is used and that local DNS-Names cannot be resolved.


My System:
==========
Windows 10.0.17134.165 64Bit
Nmap 7.70, Npcap version 0.99-r2, based on libpcap version 1.8.1
Running with administrative privileges.
IP of my GW and DNS: 192.168.2.1.
IP of a random Linux box on my network: 192.168.2.2
My only connected network interface (wifi / wlan) is:
eth1 (eth1)  192.168.2.42/24 ethernet up   1500 A0:88:69:AF:AB:DB
\Device\NPF_{478C34AB-F50A-4D08-8F96-E517DE69489F
with one DNS-Server configured 192.168.2.1.


Nmap output:
============
When I run "nmap 192.168.2.2 -sn -R -dd" I get this (line numbers added by me):

[... output 1]
     1 Completed ARP Ping Scan at 12:50, 2.34s elapsed (1 total hosts)
     2 Overall sending rates: 0.43 packets / s, 17.93 bytes / s.
     3 mass_rdns: Using DNS server 192.168.2.1
     4 Interface {0b60d9ac-1325-4ea0-87c6-0f1c18d8deeb} is not known; ignoring its nameservers.
     5 mass_rdns: Using DNS server 192.168.2.1
     6 Interface {4a8ac9ba-ee80-49d1-92d4-a53e0847e37f} is not known; ignoring its nameservers.
     7 Interface {52bef847-4ae9-4acf-b091-fd9324e14f89} is not known; ignoring its nameservers.
     8 Interface {5842239c-25bd-409d-9d82-0134c98c5d49} is not known; ignoring its nameservers.
     9 Interface {6aa17278-d045-4e64-93f6-e3d2b1f650d9} is not known; ignoring its nameservers.
    10 Interface {707c25fb-3586-4793-ba00-9400ccf2d0af} is not known; ignoring its nameservers.
    11 Interface {8718928d-cbeb-45ea-a621-800a9249001d} is not known; ignoring its nameservers.
    12 Interface {9787dd06-93e4-4ad0-a234-be6a9f028bdf} is not known; ignoring its nameservers.
    13 Interface {b3c56828-1c21-44bb-9e50-87b99b6afe15} is not known; ignoring its nameservers.
    14 Interface {b5989594-4306-4d77-8b75-7be6b3e3634c} is not known; ignoring its nameservers.
    15 Interface {C2B6F598-4948-4328-B889-68F3CD7D217F} is not known; ignoring its nameservers.
    16 mass_rdns: Using DNS server 192.168.2.1
    17 mass_rdns: Using DNS server 208.67.220.220
    18 mass_rdns: Using DNS server 208.67.220.222
    19 Interface {ed00082b-1ea3-4c13-a24a-ab42ccc70c1c} is not known; ignoring its nameservers.
    20 Interface {ee67dd7f-24fe-11e8-ba91-806e6f6e6963} is not known; ignoring its nameservers.
    21 Interface {fc8b2978-80c8-4de2-b411-da8f4552ba72} is not known; ignoring its nameservers.
    22 NSOCK INFO [7.8590s] nsock_iod_new2(): nsock_iod_new (IOD #1)
    23 NSOCK INFO [7.8750s] nsock_connect_udp(): UDP connection requested to 208.67.220.222:53 (IOD #1) EID 8
    24 NSOCK INFO [7.8750s] nsock_read(): Read request from IOD #1 [208.67.220.222:53] (timeout: -1ms) EID 18
    25 NSOCK INFO [7.8750s] nsock_iod_new2(): nsock_iod_new (IOD #2)
    26 NSOCK INFO [7.8750s] nsock_connect_udp(): UDP connection requested to 208.67.220.220:53 (IOD #2) EID 24
    27 NSOCK INFO [7.8750s] nsock_read(): Read request from IOD #2 [208.67.220.220:53] (timeout: -1ms) EID 34
    28 NSOCK INFO [7.8750s] nsock_iod_new2(): nsock_iod_new (IOD #3)
    29 NSOCK INFO [7.8750s] nsock_connect_udp(): UDP connection requested to 192.168.2.1:53 (IOD #3) EID 40
    30 NSOCK INFO [7.8900s] nsock_read(): Read request from IOD #3 [192.168.2.1:53] (timeout: -1ms) EID 50
    31 NSOCK INFO [7.8900s] nsock_iod_new2(): nsock_iod_new (IOD #4)
    32 NSOCK INFO [7.8900s] nsock_connect_udp(): UDP connection requested to 192.168.2.1:53 (IOD #4) EID 56
    33 NSOCK INFO [7.8900s] nsock_read(): Read request from IOD #4 [192.168.2.1:53] (timeout: -1ms) EID 66
    34 NSOCK INFO [7.8900s] nsock_iod_new2(): nsock_iod_new (IOD #5)
    35 NSOCK INFO [7.8900s] nsock_connect_udp(): UDP connection requested to 192.168.2.1:53 (IOD #5) EID 72
    36 NSOCK INFO [7.9060s] nsock_read(): Read request from IOD #5 [192.168.2.1:53] (timeout: -1ms) EID 82
    37 Initiating Parallel DNS resolution of 1 host. at 12:50
    38 NSOCK INFO [7.9060s] nsock_write(): Write request for 42 bytes to IOD #1 EID 91 [208.67.220.222:53]
    39 NSOCK INFO [7.9060s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [208.67.220.222:53]
    40 NSOCK INFO [7.9060s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 91 [208.67.220.222:53]
    41 NSOCK INFO [7.9060s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 24 [208.67.220.220:53]
    42 NSOCK INFO [7.9060s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 40 [192.168.2.1:53]
    43 NSOCK INFO [7.9060s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 56 [192.168.2.1:53]
    44 NSOCK INFO [7.9060s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 72 [192.168.2.1:53]
    45 NSOCK INFO [7.9370s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [208.67.220.222:53] (101 bytes)
    46 NSOCK INFO [7.9370s] nsock_read(): Read request from IOD #1 [208.67.220.222:53] (timeout: -1ms) EID 98
    47 NSOCK INFO [7.9370s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
    48 NSOCK INFO [7.9370s] nevent_delete(): nevent_delete on event #98 (type READ)
    49 NSOCK INFO [7.9370s] nsock_iod_delete(): nsock_iod_delete (IOD #2)
    50 NSOCK INFO [7.9370s] nevent_delete(): nevent_delete on event #34 (type READ)
    51 NSOCK INFO [7.9370s] nsock_iod_delete(): nsock_iod_delete (IOD #3)
    52 NSOCK INFO [7.9370s] nevent_delete(): nevent_delete on event #50 (type READ)
    53 NSOCK INFO [7.9370s] nsock_iod_delete(): nsock_iod_delete (IOD #4)
    54 NSOCK INFO [7.9370s] nevent_delete(): nevent_delete on event #66 (type READ)
    55 NSOCK INFO [7.9370s] nsock_iod_delete(): nsock_iod_delete (IOD #5)
    56 NSOCK INFO [7.9370s] nevent_delete(): nevent_delete on event #82 (type READ)
    57 mass_rdns: 4.91s 0/1 [#: 5, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
    58 Completed Parallel DNS resolution of 1 host. at 12:50, 0.06s elapsed
    59 DNS resolution of 1 IPs took 4.94s. Mode: Async [#: 5, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
    60 Nmap scan report for 192.168.2.2
[... end of output 1]


My problem in detail:
=====================
* "mass_rdns" finds the DNS-Server 192.168.2.1 three times, so "nsock_iod_new2(): nsock_iod_new" creates three "IOD #". (Line: 3, 5, 16)
* It is not printed in the debug output in which file or interface a DNS-Server was found.
* nsock_iod_new2(), nsock_connect_udp() and nsock_read() take place before "Initiating Parallel DNS resolution" (Line 37)
* During the Parallel DNS resolution the "nsock_write():" (Line 38) only takes place for IOD #1 (which is the most recently discovered DNS-Server 208.67.220.222, Line 18), which like IOD #2 (208.67.220.220, Line 17) belongs to an inactive interface.
This means that IOD #1 is the only "WRITE SUCCESS" (EID 91, Line 40) and "READ SUCCESS" (EID 18, Line 45) callback of "nsock_trace_handler_callback()".
* Also IOD #1 does a "nsock_read()" twice (EID 18, 98; Line 24, 46) but only the first nsock_read() receives a callback (Line 45); by this also the "nsock_iod_delete()" (Line 47) for IOD #1 gets associated with EID 98 (Line 48) and so "nevent_delete()" is never run for EID 18 (Line 24).


Further notes:
==============

When I run nmap 192.168.2.2 -sn -R -dd --system-dns,
the resolution over the local DNS (192.168.2.1) works fine but the used DNS-Server is never printed in the output. 
Actually it feels like there is a lot of debug output missing:

[... start of output 2]
     1 Completed ARP Ping Scan at 13:53, 2.14s elapsed (1 total hosts)
     2 Overall sending rates: 0.47 packets / s, 19.63 bytes / s.
     3 Initiating System DNS resolution of 1 host. at 13:53
     4 Completed System DNS resolution of 1 host. at 13:53, 0.02s elapsed
     5 DNS resolution of 1 IPs took 0.02s. Mode: System [OK: 1, ??: 0]

[... end of output 2]

This is odd, especially compared to the output of the also successful
nmap 192.168.2.2 -sn -R -dd --dns-servers 192.168.2.1:

[... start of output 3]
     1 Completed ARP Ping Scan at 13:57, 2.22s elapsed (1 total hosts)
     2 Overall sending rates: 0.45 packets / s, 18.93 bytes / s.
     3 mass_rdns: Using DNS server 192.168.2.1
     4 NSOCK INFO [2.9690s] nsock_iod_new2(): nsock_iod_new (IOD #1)
     5 NSOCK INFO [2.9690s] nsock_connect_udp(): UDP connection requested to 192.168.2.1:53 (IOD #1) EID 8
     6 NSOCK INFO [2.9840s] nsock_read(): Read request from IOD #1 [192.168.2.1:53] (timeout: -1ms) EID 18
     7 Initiating Parallel DNS resolution of 1 host. at 13:57
     8 NSOCK INFO [2.9840s] nsock_write(): Write request for 42 bytes to IOD #1 EID 27 [192.168.2.1:53]
     9 NSOCK INFO [2.9840s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.2.1:53]
    10 NSOCK INFO [2.9840s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.2.1:53]
    11 NSOCK INFO [2.9840s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [192.168.2.1:53] (118 bytes)
    12 NSOCK INFO [3.0000s] nsock_read(): Read request from IOD #1 [192.168.2.1:53] (timeout: -1ms) EID 34
    13 NSOCK INFO [3.0000s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
    14 NSOCK INFO [3.0000s] nevent_delete(): nevent_delete on event #34 (type READ)
    15 mass_rdns: 0.03s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
    16 Completed Parallel DNS resolution of 1 host. at 13:57, 0.02s elapsed
    17 DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
[... end of output 3]

Also, is there a way to get more verbose debug output? -v3, -v4, -d3, -d4, -d5, or -d6, as used here
https://nmap.org/book/nping-man-output-options.html, seem to make no difference at all.
Also I think that line numbers would be great for the debug output.

kind regards,

Paul
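
An added example, not part of the original post and not Nmap code: a small Python check for `-dd` traces like output 1. It reports which resolvers mass_rdns discovered, which ones a query was actually written to, and whether any of those fall outside the resolvers expected for the scan. The function name `audit_dns_trace` and its `expected` parameter are assumptions; the sample lines are copied from output 1 with the added line numbers dropped.

```python
import re
from collections import Counter

# Lines copied from "output 1" in the post (the poster's added line numbers dropped).
SAMPLE = """\
mass_rdns: Using DNS server 192.168.2.1
mass_rdns: Using DNS server 192.168.2.1
mass_rdns: Using DNS server 192.168.2.1
mass_rdns: Using DNS server 208.67.220.220
mass_rdns: Using DNS server 208.67.220.222
NSOCK INFO [7.8750s] nsock_connect_udp(): UDP connection requested to 208.67.220.222:53 (IOD #1) EID 8
NSOCK INFO [7.8750s] nsock_connect_udp(): UDP connection requested to 208.67.220.220:53 (IOD #2) EID 24
NSOCK INFO [7.8900s] nsock_connect_udp(): UDP connection requested to 192.168.2.1:53 (IOD #3) EID 40
NSOCK INFO [7.8900s] nsock_connect_udp(): UDP connection requested to 192.168.2.1:53 (IOD #4) EID 56
NSOCK INFO [7.8900s] nsock_connect_udp(): UDP connection requested to 192.168.2.1:53 (IOD #5) EID 72
NSOCK INFO [7.9060s] nsock_write(): Write request for 42 bytes to IOD #1 EID 91 [208.67.220.222:53]
NSOCK INFO [7.9370s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [208.67.220.222:53] (101 bytes)
"""

# Patterns match the IPv4 line formats shown in the post; other formats are not covered.
USING = re.compile(r"mass_rdns: Using DNS server (\S+)")
CONNECT = re.compile(r"nsock_connect_udp\(\): UDP connection requested to ([\d.]+):53 \(IOD #(\d+)\)")
WRITE = re.compile(r"nsock_write\(\): Write request for \d+ bytes to IOD #(\d+)")
READ_OK = re.compile(r"Callback: READ SUCCESS for EID \d+ \[([\d.]+):53\]")


def audit_dns_trace(text, expected):
    """Summarise which resolvers a `nmap -dd` trace discovered and actually queried."""
    discovered = Counter(USING.findall(text))
    iod_to_server = {iod: ip for ip, iod in CONNECT.findall(text)}
    queried = {iod_to_server.get(iod, "unknown") for iod in WRITE.findall(text)}
    answered = set(READ_OK.findall(text))
    return {
        "duplicates": {ip: n for ip, n in discovered.items() if n > 1},
        "unexpected": sorted(set(discovered) - set(expected)),
        "queried": sorted(queried),
        "answered": sorted(answered),
        # Reverse lookups that left for a resolver outside the expected set.
        "leaked_to": sorted(queried - set(expected)),
        "expected_never_queried": sorted(set(expected) - queried),
    }


if __name__ == "__main__":
    for key, value in audit_dns_trace(SAMPLE, expected={"192.168.2.1"}).items():
        print(f"{key}: {value}")
```

A non-empty `leaked_to` means reverse lookups for scanned addresses were sent to a resolver other than the intended one; the post shows `--dns-servers 192.168.2.1` avoiding this.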