Some poisoning IP can not use fallback DNS #95

Open
comzyh opened this issue Jan 15, 2019 · 8 comments

@comzyh

commented Jan 15, 2019

For example, the following IPs are poisoning IPs, but their country code in GeoIP is empty, so clash will not use fallback DNS for them.

243.185.187.39
249.129.46.48
253.157.14.165

clash/dns/client.go

Lines 134 to 141 in 49635ea

```go
ips, err := r.msgToIP(res.Msg)
if err == nil {
	if record, _ := mmdb.Country(ips[0]); record.Country.IsoCode == "CN" || record.Country.IsoCode == "" {
		// release channel
		go func() { <-fallbackMsg }()
		msg = res.Msg
		return msg, err
	}
```

Why does clash use fallback when `record.Country.IsoCode == ""`?

@comzyh changed the title from "Some poisoning IP can not use DNS fallback" to "Some poisoning IP can not use fallback DNS" on Jan 15, 2019

@comzyh

Author

commented Jan 19, 2019

Though the enhanced mode can deal with most DNS cache poisoning cases, there are more problems.

  1. when clash is restarted, the internal DNS cache of clash will disappear
  2. clash DNS server doesn't apply DNS TTL countdown, so there is a chance that a downstream DNS cache holds the DNS record, but clash has expired this record in its internal DNS cache
  3. multiple different domains may have the same “poisoned” IP, so only one of the domains can establish a correct connection.

I encountered the third case above recently. In very rare cases, I visit GitHub in my browser and Chrome tells me that the SSL certificate of the server has an incorrect Common Name (google.com). I believe it's the case that gist.github.com and google.com are poisoned to the same IP.

@Dreamacro

Owner

commented Jan 19, 2019

> 1. when clash is restarted, the internal DNS cache of clash will disappear

Is that a problem?

> 2. clash DNS server doesn't apply DNS TTL countdown, so there is a chance that a downstream DNS

It will be fixed later.

> 3. multiple different domains may have the same “poisoned” IP, so only one of the domains can establish a correct connection.

I don't understand what it means.

@comzyh

Author

commented Jan 19, 2019

@BirkhoffLee


commented Jan 21, 2019

I am having the exact same issue, that Clash is getting poisoned IP addresses. This makes the redir and DNS features literally unusable. It happens on many domains including google.com, duckduckgo.com, etc.

@comzyh

Author

commented Jan 29, 2019

> 1. when clash is restarted, the internal DNS cache of clash will disappear
>
> Is that a problem?

I think No. 1 is a problem; for Android devices, shutting down and restarting is not a rare case.

@comzyh

Author

commented Feb 25, 2019

Update: I found that some DNS poisoning is using 0.0.0.0 now, and multiple IPs direct to the same 0.0.0.0, and #105 works well for me now.

```
dig www.google.com @10.10.0.21
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 60429
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 4; ADDITIONAL: 4

;; QUESTION SECTION:
;; www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 13331 IN A 0.0.0.0

;; AUTHORITY SECTION:
google.com. 1548 IN NS ns3.google.com.
google.com. 1548 IN NS ns4.google.com.
google.com. 1548 IN NS ns1.google.com.
google.com. 1548 IN NS ns2.google.com.

;; ADDITIONAL SECTION:
ns1.google.com. 69955 IN A 216.239.32.10
ns4.google.com. 192082 IN A 216.239.38.10
ns1.google.com. 203873 IN AAAA 2001:4860:4802:32::a
ns2.google.com. 75511 IN AAAA 2001:4860:4802:34::a
```

@SukkaW


commented Feb 28, 2019


I have the exact same poisoning at youtube.com (apex domain). This happened when I was using the clash redir feature (on KoolClash).

@comzyh

This comment has been minimized.

Copy link
Author

commented Mar 8, 2019

Here is the Wikipedia link for the polluted IP addresses.
As you know, most of them are overseas IP addresses. I don't know of other features yet.
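
One way to keep the addresses reported in this thread from being accepted as the primary resolver's answer, written as an added example (it is not clash's code and not the change in #105). `isBogon` and `acceptPrimary` are hypothetical helpers, the prefix list is constructed for this example, and keeping an empty country code acceptable for other addresses is an assumption made so that LAN answers still resolve.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Constructed for this example: ranges no public server answers from.
// 240.0.0.0/4 (reserved) holds the three addresses from the first post;
// 0.0.0.0/8 holds the 0.0.0.0 answer in the dig output.
var bogons = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"),
	netip.MustParsePrefix("240.0.0.0/4"),
}

// isBogon reports whether s is unparsable or an address that cannot be a
// real public endpoint (hypothetical helper, not a clash function).
func isBogon(s string) bool {
	ip, err := netip.ParseAddr(s)
	if err != nil {
		return true
	}
	ip = ip.Unmap() // treat ::ffff:a.b.c.d as plain IPv4
	if ip.IsUnspecified() {
		return true // 0.0.0.0 or ::
	}
	for _, p := range bogons {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// acceptPrimary mirrors the condition quoted from dns/client.go, with the
// bogon check first. country is the GeoIP ISO code, "" when there is none.
// Assumption: "" stays accepted so LAN answers (no GeoIP country) still work.
func acceptPrimary(ip, country string) bool {
	if isBogon(ip) {
		return false // wait for the fallback resolver instead
	}
	return country == "CN" || country == ""
}

func main() {
	for _, ip := range []string{"243.185.187.39", "0.0.0.0", "192.168.1.10"} {
		fmt.Printf("%-15s country=%q accept=%v\n", ip, "", acceptPrimary(ip, ""))
	}
}
```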
