Nmap scans broken for clients using DNS Encryption

[anti4r]

I use Stubby the DNS stub resolver to encrypt my DNS requests. When performing an NMAP scan of any kind, the scan fails with NSOCK ERROR [0.0570s] nsock_make_socket(): Socket trouble: Address family not supported by protocol nmap: nsock_core.c:1258: nsock_pool_add_event: Assertion nse->iod->sd >= 0' failed. [1] 870 abort (core dumped) nmap 127.0.0.1 for all targets and all versions of Nmap.

Problem confirmed by disabling stubby resolver and using default DNS servers.

[dmiller-nmap]

Thanks for the bug report! I'll look into this, but for now you can use either of these workarounds:

1. Use the --dns-servers option to specify standard DNS servers to use with Nmap's parallel resolver. Ordinary UDP DNS queries will be sent to these servers, which is the fastest option for large numbers of targets.
2. Use the --system-dns option to resolve addresses one at a time using gethostbyname, which should work fine with Stubby. Your queries ought to be sent via DNS-over-TLS.