macOS/Linux - DNS Failing when connected to a VPN

[aomdev1]

Hi,

I've been struggling with this for a while and was wondering if anyone here had already solved this issue before. When I connect to my VPN (I am using ExpressVPN specifically) and try to run Amass with active enumeration, I get back the 'No DNS resolvers passed the sanity check' error. At first I thought this was an issue with my system/DNS configuration and not Amass itself - but I noticed that DNS lookups via the command line, in browsers, all worked fine, and I also wrote a quick script with dnspython and confirmed that that all seems to be working too - so now I'm wondering if this is an issue with Amass, or perhaps something to do with golang in general?

I also tried the same thing on Linux - same VPN and all, and I get back the same error. On Linux I've tried adding Google's NS to the etc/resolv.conf file, and still no luck - similarly in Mac I added 8.8.8.8 to my DNS servers in System Preferences with no luck. I'm going to try installing by building from source and see if that changes anything, but I'm not hopeful.

The reason I'd really like to get this working is that I seem to get rate limited by either the DNS servers or my ISP pretty quickly whenever I try to use brute force mode, even when I lower the max concurrent DNS queries setting. Has anyone seen this before, or have any insight into why this might be happening?

Thanks in advance!

[syedumerqadri]

Same with me...

[caffix]

This indicates that the default resolvers are not reachable and you should set resolvers that can be used within your environment.

This can be achieved using the ‘-r’ and/or ‘-rf’ flags

[aomdev1]

This indicates that the default resolvers are not reachable and you should set resolvers that can be used within your environment.

This can be achieved using the ‘-r’ and/or ‘-rf’ flags

Hi @caffix, thanks for the response!

I should have mentioned that I did try passing in resolvers and still somehow got the same error. I took the resolvers directly from the etc/resolv.conf file (including the ones that my VPN automatically adds when it connects), and tried a bunch of different ones with the same results. So, that is pretty odd and led me to come across this:

https://docwhat.org/macos-dns-and-go?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+docwhat+%28The+Doctor+What%29

Apparently there have been issues reported with Golang DNS resolution behind VPNs on Mac before - the procedure in that article didn't work for me, but I did some more research and found this older issue:

https://github.com/hashicorp/terraform/issues/3536

Specifically this response:

@jtopjian Here is what we found... The issue is that Mac OS X native net dns resolver goes directly to resolv.conf and our vpn client does not update the resolv.conf since it split tunnels the queries based on dns suffix. We fixed the issue by having it build using this command:

export CGO_ENABLED=1; XC_OS="darwin" XC_ARCH="amd64" make bin

A packet capture confirmed that it was traversing the vpn rather then going directly to the servers in resolv.conf.

This issue is from 2015, so I'm not sure if this could still be related - it also only mentioned macOS, while I'm having the issue on Ubuntu as well (and I can see that my VPN is updating the resolv.conf file on Ubuntu). I had originally downloaded Amass directly in the binary form, so I did try to compile Amass myself with the CGO_ENABLED flag with no luck, though I will admit I've never coded with Go myself so I may have been doing something wrong (I'm going to play around with it this week and see if I have any luck).

Anyway, I'm still not sure if this issue is actually an issue with Amass itself, so I'm not expecting you guys to have a solution - if it does turn out to be a problem with Golang and the OS DNS settings itself, that would make sense to me since dig, nslookup, dnspython, etc are still working. If I do end up figuring this out, I will let you guys know!

Also, @syedumercg - are you also using ExpressVPN specifically? I did turn off their setting 'Only use ExpressVPN DNS servers while connected", but I guess it could be possible that there is some problem with the VPN itself (although that wouldn't explain why dnspython and other command line lookups still work).

Thanks!

Update: Adding some screenshots of what's going on using Ubuntu (10.21.0.1 is one of ExpressVPN's DNS servers - when I connect to the VPN it automatically updates the resolvers.conf file)

[allyomalley]

Hi!

Not sure if anyone is still looking at this, but I had been having the same problem on a Mac with the 'No DNS Resolvers passed the sanity check' message. However, I just updated to Amass 3.1.9 and am now getting an interesting error:

panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
github.com/OWASP/Amass/resolvers.(*ResolverPool).performElection(0xc000352a20, 0x0, 0x0, 0x0, 0x1c4a1c7, 0xe, 0x1c3c278, 0x1, 0x0, 0x1, ...)
    /Users/caffix/go/src/github.com/OWASP/Amass/resolvers/pool.go:301 +0xa5d
github.com/OWASP/Amass/resolvers.(*ResolverPool).Resolve(0xc000352a20, 0x1c4a1c7, 0xe, 0x1c3c278, 0x1, 0x1, 0x1058830, 0xc00645b438, 0xc00645b440, 0x8, ...)
    /Users/caffix/go/src/github.com/OWASP/Amass/resolvers/pool.go:253 +0x313
github.com/OWASP/Amass/services/sources.(*RADb).OnStart(0xc001160d20, 0x20de238, 0xc001160d20)
    /Users/caffix/go/src/github.com/OWASP/Amass/services/sources/radb.go:60 +0x69
github.com/OWASP/Amass/services.(*BaseService).Start(0xc001160d20, 0x0, 0x0)
    /Users/caffix/go/src/github.com/OWASP/Amass/services/service.go:173 +0x17e
github.com/OWASP/Amass/enum.(*Enumeration).Start(0xc000ba0000, 0x0, 0x0)
    /Users/caffix/go/src/github.com/OWASP/Amass/enum/enum.go:118 +0x2f4
main.processEnumOutput(0xc000ba0000, 0xc0009c0000, 0xc0000c4030)
    /Users/caffix/go/src/github.com/OWASP/Amass/cmd/amass/enum.go:376 +0x5ba
main.runEnumCommand(0xc0000300c0, 0x8, 0x8)
    /Users/caffix/go/src/github.com/OWASP/Amass/cmd/amass/enum.go:248 +0xc00
main.main()
    /Users/caffix/go/src/github.com/OWASP/Amass/cmd/amass/main.go:92 +0x4c9
ip-10-0-0-167:amass_updated allysonomalley$ ./amass enum -include-unresolvable -d awsapps.com -o awsappspass.txt -log log_awsapps_pass.txt
panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
github.com/OWASP/Amass/resolvers.(*ResolverPool).performElection(0xc000132900, 0x0, 0x0, 0x0, 0x1c4a1c7, 0xe, 0x1c3c278, 0x1, 0x0, 0x1, ...)
    /Users/caffix/go/src/github.com/OWASP/Amass/resolvers/pool.go:301 +0xa5d
github.com/OWASP/Amass/resolvers.(*ResolverPool).Resolve(0xc000132900, 0x1c4a1c7, 0xe, 0x1c3c278, 0x1, 0x1, 0x1058830, 0xc0009c7438, 0xc0009c7440, 0x8, ...)
    /Users/caffix/go/src/github.com/OWASP/Amass/resolvers/pool.go:253 +0x313
github.com/OWASP/Amass/services/sources.(*RADb).OnStart(0xc001112d20, 0x20de238, 0xc001112d20)
    /Users/caffix/go/src/github.com/OWASP/Amass/services/sources/radb.go:60 +0x69
github.com/OWASP/Amass/services.(*BaseService).Start(0xc001112d20, 0x0, 0x0)
    /Users/caffix/go/src/github.com/OWASP/Amass/services/service.go:173 +0x17e
github.com/OWASP/Amass/enum.(*Enumeration).Start(0xc000ba4000, 0x0, 0x0)
    /Users/caffix/go/src/github.com/OWASP/Amass/enum/enum.go:118 +0x2f4
main.processEnumOutput(0xc000ba4000, 0xc0001be000, 0xc000ba8000)
    /Users/caffix/go/src/github.com/OWASP/Amass/cmd/amass/enum.go:376 +0x5ba
main.runEnumCommand(0xc0000d4020, 0x7, 0x7)
    /Users/caffix/go/src/github.com/OWASP/Amass/cmd/amass/enum.go:248 +0xc00
main.main()
    /Users/caffix/go/src/github.com/OWASP/Amass/cmd/amass/main.go:92 +0x4c9

I've honestly never used golang before, but I'm going to try and look into what's going wrong - it seems like it is an issue with Amass not being able to locate any valid DNS servers. I'll post an update if I find anything!

[caffix]

@allyomalley Thank you very much for your help! I have a small fix coming in v3.1.10

[infosec-martin]

Hi, I'm using amass v3.1.10 on macos and have a similar issue when connected to a VPN (tested with Private Internet Access). I get the error "The enumeration was unable to build the pool of resolvers" even when explicitly specifying PIA's DNS resolvers using the -r flag.

[ghost]

having the same issue here i have looked for anyway around this but with -r is just does not return anything and with -rf it gives me Failed to parse the esolver file: Error opening the file 10.161.0.1: open 10.161.0.1: no such file or directory @caffix is there anyway around this issue?would love to know thank you in advance.

[spazbg]

Same problem with Mullvad DNS

[caffix]

@spazbg You experienced a problem when using a VPN? Or, are you referring to something else? Also, what version of Amass are you using?

[spazbg]

I have Mullard installed on my Windows 10 host, and I have Kali Linux on a Virtual box, I have the latest version of amass, and when I run it on my Kali machine a got no results. If I stopped my VPN on my windows 10, Amass is working perfectly on my Kali machine.

[caffix]

This issue has likely been addressed while resolving #444

[nicksahler]

I still get this issue with Mullvad on MacOS 😢

[omniaprobate]

I started seeing the "The system was unable to build the pool of resolvers" error for the first time in the last couple weeks. I'm running Kali 2020.4 update 1 on VirtualBox, Amass now updated to v3.11.2, and I'm using Private Internet Access VPN.

While connected to the PIA VPN and running amass enum -d example.com, it'd return the error, and the log file would just say "Failed to establish a UDP connection to :53 : dial udp :53: connect: network is unreachable" over and over. As soon as I disconnected from the VPN enum would run as expected and return results.

I reconnected to PIA VPN, ran cat /etc/resolv.conf, and grabbed the nameserver value returned. Now if I run amass enum -r <nameserver value> -d example.com, I no longer see the error and enum returns results.