First time nuclei user - docker, version checks, and template downloads

[hkelley]

I'm trying to get nuclei running under docker and hitting some roadblocks with the nuclei version checking and template downloads.

I don't think this is a connectivity or proxy issue with docker because I can run a basic scan like this and get data:

docker run --rm -v /mnt/c/temp/nuclei:/nuclei projectdiscovery/nuclei:latest -t /nuclei/templates/anything.yaml -u https://icanhazip.com -duc  -jsonl

But when I try to run anything without -duc , e.g.

docker run --rm projectdiscovery/nuclei:latest -u https://icanhazip.com --debug

I get these errors:

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.5.1

                projectdiscovery.io

[ERR] nuclei version check failed got: GET https://api.pdtm.sh/api/v1/tools/nuclei?arch=amd64&go_version=go1.24.4&machine_id=8954cea57a035afaf8495e3c17a8f5b41e0918baf0ab3c933231e48ae611f0a5&os=alpine&utm_source=docker&v=v3.5.1 giving up after 3 attempts: Get "https://api.pdtm.sh/api/v1/tools/nuclei?arch=amd64&go_version=go1.24.4&machine_id=8954cea57a035afaf8495e3c17a8f5b41e0918baf0ab3c933231e48ae611f0a5&os=alpine&utm_source=docker&v=v3.5.1": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[INF] nuclei-templates are not installed, installing...
[WRN] failed to install nuclei templates: cause="lookup api.github.com on 172.17.144.1:53: read udp 172.17.0.2:59859->172.17.144.1:53: i/o timeout" chain="failed to install templates at /root/nuclei-templates"
[WRN] failed to update nuclei templates: cause="lookup api.github.com on 172.17.144.1:53: read udp 172.17.0.2:44259->172.17.144.1:53: i/o timeout" chain="failed to install templates at /root/nuclei-templates"
[WRN] failed to update nuclei ignore file: GET https://api.pdtm.sh/api/v1/tools/nuclei/ignore?arch=amd64&go_version=go1.24.4&machine_id=8954cea57a035afaf8495e3c17a8f5b41e0918baf0ab3c933231e48ae611f0a5&os=alpine&utm_source=docker&v=v3.5.1 giving up after 3 attempts: Get "https://api.pdtm.sh/api/v1/tools/nuclei/ignore?arch=amd64&go_version=go1.24.4&machine_id=8954cea57a035afaf8495e3c17a8f5b41e0918baf0ab3c933231e48ae611f0a5&os=alpine&utm_source=docker&v=v3.5.1": dial tcp: lookup api.pdtm.sh on 172.17.144.1:53: read udp 172.17.0.2:36785->172.17.144.1:53: i/o timeout
[ERR] Could not read nuclei-ignore file: open /root/.config/nuclei/.nuclei-ignore: no such file or directory
[ERR] Could not find template '/root/nuclei-templates': no templates found in path "/root/nuclei-templates"
[INF] Current nuclei version: v3.5.1 (outdated)
[INF] Current nuclei-templates version:  (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] Targets loaded for current scan: 1
[INF] Scan completed in 105.423µs. No results found.
[FTL] Could not run nuclei: no templates provided for scan

A health check indicates similar name-resolution issues:

docker run --rm projectdiscovery/nuclei:latest -hc

These i/o timeouts are a common theme.

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.5.1

                projectdiscovery.io

Version: v3.5.1
Operating System: linux
Architecture: amd64
Go Version: go1.24.4
Compiler: gc
File "/root/.config/nuclei/config.yaml" Read => Ok
File "/root/.config/nuclei/config.yaml" Write => Ok
File "/root/.config/nuclei/.nuclei-ignore" Read => Ko (open /root/.config/nuclei/.nuclei-ignore: no such file or directory)
File "/root/.config/nuclei/.nuclei-ignore" Write => Ko (open /root/.config/nuclei/.nuclei-ignore: no such file or directory)
File "/root/nuclei-templates/.checksum" Read => Ko (open /root/nuclei-templates/.checksum: no such file or directory)
File "/root/nuclei-templates/.checksum" Write => Ko (open /root/nuclei-templates/.checksum: no such file or directory)
IPv4 connectivity to scanme.sh:80 => Ko (dial tcp4: lookup scanme.sh on 172.17.144.1:53: read udp 172.17.0.2:57060->172.17.144.1:53: i/o timeout)
IPv6 connectivity to scanme.sh:80 => Ko (dial tcp6: lookup scanme.sh on 172.17.144.1:53: read udp 172.17.0.2:36579->172.17.144.1:53: i/o timeout)
IPv4 UDP connectivity to scanme.sh:53 => Ko (dial udp4: lookup scanme.sh on 172.17.144.1:53: read udp 172.17.0.2:35643->172.17.144.1:53: i/o timeout)

curl (outside docker) to that same URL returns data:

curl https://api.pdtm.sh/api/v1/tools/nuclei?arch=amd64&go_version=go1.24.4&machine_id=8954cea57a035afaf8495e3c17a8f5b41e0918baf0ab3c933231e48ae611f0a5&os=alpine&utm_source=docker&v=v3.5.1
[1] 6035
[2] 6036
[3] 6037
[4] 6038
[5] 6039
[2]   Done                    go_version=go1.24.4
[3]   Done                    machine_id=8954cea57a035afaf8495e3c17a8f5b41e0918baf0ab3c933231e48ae611f0a5
[4]-  Done                    os=alpine

{"ignore-hash":"54fa34605b18f2f8f8c4ca885f6dc529","tools":[{"name":"nuclei","repo":"nuclei","requirements":null,"version":"3.5.1","go_install_path":"v3/cmd/nuclei@latest","assets":{"nuclei_3.5.1_linux_amd64.zip":"316493771","nuclei_3.5.1_macOS_amd64.zip":"316493768","nuclei_3.5.1_windows_amd64.zip":"316493765"},"install_type":"binary"},{"name":"nuclei-templates","repo":"nuclei-templates","requirements":null,"version":"10.3.1","go_install_path":"","assets":{},"install_type":""}]}

[hkelley]

I'm still not clear why the scan can use DNS but the system update components cannot, but this --dns flag seems to smooth things over.
Additionally, I had to map /etc/ssl/certs into the container to make the update components trust my corporate proxy.

docker run  --dns 8.8.8.8 -v /usr/local/share/ca-certificates:/etc/ssl/certs:ro -v /mnt/c/temp/nuclei:/nuclei projectdiscovery/nuclei:latest -t /nuclei/templates/ -u google.com --debug -je /nuclei/output/x.json

I assume the scanner is somehow using different DNS and CA trust settings from the updater/version checker.

[adysec]

Problem

Nuclei scans work with -duc because templates are local. Without -duc, version check and template download fail due to DNS/timeouts inside the Docker container. Host DNS works fine, but Docker uses its internal DNS (e.g., 172.17.x.x) which often times out.

Solution:

Use a reliable DNS and optionally mount system CA certs:

docker run --rm \
  --dns 8.8.8.8 \
  -v /etc/ssl/certs:/etc/ssl/certs:ro \
  -v /path/to/templates:/nuclei \
  projectdiscovery/nuclei:latest \
  -t /nuclei/templates/ -u https://icanhazip.com --debug

• --dns 8.8.8.8 fixes container DNS resolution.
• Mounting CA certs helps with corporate HTTPS proxies.
• Pre-download templates (-duc) avoids network issues entirely.

[hkelley]

Do the version check and template download functions of nuclei use a separate DNS and CA mechanism from the scan engine?

[adysec]

Yes, your observation is correct.
Nuclei’s update/version-check routines rely on the system DNS resolver + CA trust store inside the container, while the scan engine can work even if those components differ or fail.

Inside Docker, the updater is hitting network resolution & certificate validation issues because it’s using Docker’s internal DNS + default CA bundle, while your scan can still succeed thanks to direct outbound requests.

Adding --dns and mounting CA certs forces the updater to use a working resolver & trust chain, which is why it fixed your problem.

So yes — the update/version-check subsystem effectively uses a separate DNS/CA path from the actual scan engine.