
After enabling FakeIP, the log shows an IP, but dig/nslookup return no result; the browser also reports the IP cannot be found and the corresponding site will not open #475

Closed
3 of 4 tasks
70599 opened this issue Mar 25, 2023 · 14 comments

Comments

@70599

70599 commented Mar 25, 2023

Welcome

  • Yes, I'm using the latest major release. Only such installations are supported.
  • Yes, I'm using the latest Golang release. Only such installations are supported.
  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've included all information below (version, FULL config, FULL log, etc).

Description of the problem

After enabling FakeIP, the log shows an IP.
But dig/nslookup return no result; the browser also reports that the IP cannot be found, and the corresponding site does not open.

Version of sing-box

sing-box version 1.2.0-cc34b6f

Environment: go1.20.2 linux/arm64
Tags: with_low_memory,with_quic,with_utls,with_ech,with_clash_api
Revision: cc34b6fa99dddad583ffba59f9c823e7f5a97684
CGO: disabled

Server and client configuration file

All DNS servers other than fakeip work normally.

"dns": {
  "servers": [
    {
      "tag": "_dns_ali",
      "address": "tls://223.5.5.5",
      "detour": "direct"
    },
    {
      "tag": "_dns_cf",
      "address": "tls://1.1.1.1",
      "detour": "selector"
    },
    {
      "tag": "_dns_fake",
      "address": "fakeip"
    },
    {
      "tag": "_dns_block",
      "address": "rcode://success"
    }
  ],
  "rules": [
    {
      "geosite": [
        "category-ads-all"
      ],
      "server": "_dns_block",
      "disable_cache": true
    },
    {
      "domain": [
        "www.google.com"
      ],
      "server": "_dns_fake"
    },
    {
      "geosite": [
        "apple",
        "google",
        "jsdelivr"
      ],
      "server": "_dns_cf"
    },
    {
      "geosite": [
        "cn"
      ],
      "server": "_dns_ali"
    }
  ],
  "final": "_dns_cf",
  "reverse_mapping": true,
  "fakeip": {
    "enabled": true,
    "inet4_range": "172.20.0.1/24"
  }
},
"inbounds": [
  {
    "tag": "_dns_in",
    "type": "direct",
    "listen": "::1",
    "listen_port": 53,
    "network": "udp"
  },
  {
    "tag": "_tun_in",
    "type": "tun",
    "inet4_address": "172.20.0.1/16",
    "auto_route": true,
    "strict_route": true,
    "sniff": true,
    "exclude_uid": [
      411,
      5567
    ]
  }
],

Server and client log file

dig returns no answer

# dig www.google.com

; <<>> DiG 9.18.11 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 752
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.			IN	A

;; Query time: 7 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sat Mar 25 22:26:26 CST 2023
;; MSG SIZE  rcvd: 32

nslookup returns no answer

# nslookup www.google.com

Server:		127.0.0.1
Address:	127.0.0.1:53

Non-authoritative answer:

*** Can't find www.google.com: No answer

Corresponding log
(Shouldn't dig or nslookup resolve to the fakeip 172.20.0.5?)

INFO [4071313942] dns: cached www.google.com A www.google.com. 590 IN A 172.20.0.5
INFO [4071313942] dns: exchanged www.google.com. A www.google.com. 590 IN A 172.20.0.5
INFO [2415690928] dns: cached www.google.com A www.google.com. 577 IN A 172.20.0.5
INFO [2415690928] dns: exchanged www.google.com. A www.google.com. 577 IN A 172.20.0.5
@bjxdqs

bjxdqs commented Mar 25, 2023

dns-hijack?

@70599
Author

70599 commented Mar 25, 2023

dns-hijack?

Hijacking has already succeeded: when dig is run directly, sing-box's log reacts, so the request has already entered sing-box.
In the configuration I gave, only www.google.com goes through fakeip; everything else uses the Ali or CF DoT servers, and all of those requests work as expected.

Or does fakeip have a special hijacking mechanism?

@bjxdqs

bjxdqs commented Mar 25, 2023

try dig @172.20.0.2 www.google.com ?

@70599
Author

70599 commented Mar 25, 2023

try dig @172.20.0.2 www.google.com ?

# dig www.google.com @172.20.0.2
;; communications error to 172.20.0.2#53: timed out
;; communications error to 172.20.0.2#53: timed out
;; communications error to 172.20.0.2#53: timed out

; <<>> DiG 9.18.11 <<>> www.google.com @172.20.0.2
;; global options: +cmd
;; no servers could be reached

@nekohasekai
Member

Cannot reproduce; please provide the full configuration.

@70599
Author

70599 commented Mar 26, 2023

Cannot reproduce; please provide the full configuration.

{
  "log": {
    "disabled": false,
    "level": "info",
    "timestamp": false
  },
  "dns": {
    "servers": [
      {
        "tag": "_dns_ali",
        "address": "tls://223.5.5.5",
        "detour": "_direct"
      },
      {
        "tag": "_dns_cf",
        "address": "tls://1.1.1.1",
        "detour": "_selector"
      },
      {
        "tag": "_dns_fake",
        "address": "fakeip"
      },
      {
        "tag": "_dns_block",
        "address": "rcode://success"
      }
    ],
    "rules": [
      {
        "geosite": [
          "category-ads-all"
        ],
        "server": "_dns_block",
        "disable_cache": true
      },
      {
        "domain": [
          "www.google.com"
        ],
        "server": "_dns_fake"
      },
      {
        "geosite": [
          "apple",
          "google",
          "jsdelivr"
        ],
        "server": "_dns_cf"
      },
      {
        "geosite": [
          "cn"
        ],
        "server": "_dns_ali"
      }
    ],
    "final": "_dns_cf",
    "reverse_mapping": true,
    "fakeip": {
      "enabled": true,
      "inet4_range": "172.20.0.1/24",
      "inet6_range": "fdfe:dcba:9876::1/18"
    }
  },
  "inbounds": [
    {
      "tag": "_dns_in",
      "type": "direct",
      "listen": "::1",
      "listen_port": 15353,
      "network": "udp"
    },
    {
      "tag": "_tun_in",
      "type": "tun",
      "inet4_address": "172.20.0.1/16",
      "auto_route": true,
      "strict_route": true,
      "sniff": true,
      "exclude_uid": [
        411,
        5567
      ]
    }
  ],
  "outbounds": [
    {
      "tag": "_direct",
      "type": "direct"
    },
    {
      "tag": "_block",
      "type": "block"
    },
    {
      "tag": "_dns_out",
      "type": "dns"
    },
    {
      "tag": "JP",
      "type": "urltest",
      "outbounds": [
        "JP 1",
        "JP 2"
      ],
      "url": "http://cp.cloudflare.com/generate_204",
      "interval": "10s",
      "tolerance": 1500
    },
    {
      "tag": "_proxy",
      "type": "urltest",
      "outbounds": [
        "JP",
        "US"
      ],
      "url": "http://cp.cloudflare.com/generate_204",
      "interval": "10s",
      "tolerance": 1500
    },
    {
      "tag": "_selector",
      "type": "selector",
      "outbounds": [
        "_proxy",
        "JP",
        "_direct",
        "JP 1",
        "JP 2",
        "US"
      ]
    },
    {
      "tag": "Apple",
      "type": "selector",
      "outbounds": [
        "_selector",
        "_proxy",
        "JP",
        "_direct",
        "JP 1",
        "JP 2",
        "US"
      ]
    },
    {
      "tag": "PayPal",
      "type": "selector",
      "outbounds": [
        "_direct",
        "_selector",
        "_proxy",
        "JP",
        "JP 1",
        "JP 2",
        "US"
      ]
    },
    {
      "tag": "Telegram",
      "type": "selector",
      "outbounds": [
        "_selector",
        "_proxy",
        "JP",
        "_direct",
        "JP 1",
        "JP 2",
        "US"
      ]
    },
    {
      "tag": "YouTube",
      "type": "selector",
      "outbounds": [
        "_selector",
        "_proxy",
        "JP",
        "_direct",
        "JP 1",
        "JP 2",
        "US"
      ]
    },
    {
      "tag": "JP 1",
      "type": "vless",
      "server": "JP 1 IP",
      "server_port": 443,
      "uuid": "JP 1 UUID",
      "flow": "xtls-rprx-vision",
      "tls": {
        "enabled": true,
        "server_name": "dl.acm.org",
        "ech": {
          "enabled": false
        },
        "utls": {
          "enabled": true,
          "fingerprint": "ios"
        },
        "reality": {
          "enabled": true,
          "public_key": "JP 1 PUB_KEY",
          "short_id": "JP 1 SHORT_ID"
        }
      },
      "packet_encoding": "xudp"
    },
    {
      "tag": "JP 2",
      "type": "vless",
      "server": "JP 2 IP",
      "server_port": 443,
      "uuid": "JP 2 UUID",
      "flow": "xtls-rprx-vision",
      "tls": {
        "enabled": true,
        "server_name": "dl.acm.org",
        "ech": {
          "enabled": false
        },
        "utls": {
          "enabled": true,
          "fingerprint": "ios"
        },
        "reality": {
          "enabled": true,
          "public_key": "JP 2 PUB_KEY",
          "short_id": "JP 2 SHORT_ID"
        }
      },
      "packet_encoding": "xudp"
    },
    {
      "tag": "US",
      "type": "vless",
      "server": "US",
      "server_port": 443,
      "uuid": "US UUID",
      "flow": "xtls-rprx-vision",
      "tls": {
        "enabled": true,
        "server_name": "captive.apple.com",
        "ech": {
          "enabled": false
        },
        "utls": {
          "enabled": true,
          "fingerprint": "ios"
        },
        "reality": {
          "enabled": true,
          "public_key": "US PUB_KEY",
          "short_id": "US SHORT_ID"
        }
      },
      "packet_encoding": "xudp"
    }
  ],
  "route": {
    "geoip": {
      "path": "/var/etc/geoip.db",
      "download_url": "https://github.com/soffchen/sing-geoip/releases/latest/download/geoip.db",
      "download_detour": "_proxy"
    },
    "geosite": {
      "path": "/var/etc/geosite.db",
      "download_url": "https://github.com/soffchen/sing-geosite/releases/latest/download/geosite.db",
      "download_detour": "_proxy"
    },
    "rules": [
      {
        "protocol": "dns",
        "outbound": "_dns_out"
      },
      {
        "inbound": [
          "_dns_in"
        ],
        "outbound": "_dns_out"
      },
      {
        "geoip": [
          "private"
        ],
        "geosite": [
          "private"
        ],
        "outbound": "_direct"
      },
      {
        "process_name": [
          "/usr/sbin/tcping"
        ],
        "outbound": "_direct"
      },
      {
        "source_ip_cidr": [
          "10.10.0.4",
          "10.10.5.0/24"
        ],
        "outbound": "_direct"
      },
      {
        "protocol": [
          "quic"
        ],
        "outbound": "_block"
      },
      {
        "domain_suffix": [
          "cloudflareinsights.com",
          "homebizprosite.info",
          "googletagmanager.com",
          "api.segment.io"
        ],
        "domain": [
          "clientstream.launchdarkly.com"
        ],
        "geosite": [
          "category-ads-all"
        ],
        "outbound": "_block"
      },
      {
        "geosite": [
          "apple"
        ],
        "outbound": "Apple"
      },
      {
        "geosite": [
          "paypal"
        ],
        "outbound": "PayPal"
      },
      {
        "geosite": [
          "telegram"
        ],
        "geoip": [
          "telegram"
        ],
        "outbound": "Telegram"
      },
      {
        "geosite": [
          "youtube"
        ],
        "outbound": "YouTube"
      },
      {
        "geosite": [
          "google",
          "jsdelivr"
        ],
        "ip_cidr": [
          "8.8.4.4",
          "8.8.8.8",
          "208.67.222.222",
          "208.67.220.220",
          "1.1.1.1",
          "1.1.1.2",
          "1.0.0.1",
          "9.9.9.9",
          "149.112.112.112"
        ],
        "outbound": "_proxy"
      },
      {
        "geosite": [
          "tld-cn",
          "category-games@cn"
        ],
        "outbound": "_direct"
      },
      {
        "domain_suffix": [
          "lg.extravm.com",
          "gubo.org",
          "lg.v.ps",
          "speedtest.v.ps"
        ],
        "domain_keyword": [
          "lg.virmach",
          "ping.vultr"
        ],
        "outbound": "_direct"
      },
      {
        "domain_suffix": [
          "argotunnel.com",
          "cftunnel.com"
        ],
        "ip_cidr": [
          "198.41.128.0/17",
          "198.41.192.0/21",
          "198.41.200.0/21"
        ],
        "outbound": "_direct"
      },
      {
        "geosite": [
          "javdb"
        ],
        "domain_suffix": [
          "acg18.moe",
          "hanime1.me",
          "hxcy.moe",
          "iwara.tv",
          "missav.com",
          "nhentai.net"
        ],
        "outbound": "US"
      },
      {
        "domain_suffix": [
          "kenfiles.com",
          "kfs.space",
          "fs20917.kfs.space"
        ],
        "outbound": "US"
      },
      {
        "geosite": [
          "geolocation-!cn"
        ],
        "outbound": "_selector"
      },
      {
        "geosite": [
          "cn"
        ],
        "geoip": [
          "cn"
        ],
        "outbound": "_direct"
      }
    ],
    "final": "_selector",
    "auto_detect_interface": true
  },
  "experimental": {
    "clash_api": {
      "external_controller": "0.0.0.0:9090",
      "external_ui": "/opt/sing-box/clash",
      "secret": "password",
      "store_selected": true,
      "store_fakeip": true,
      "cache_file": "/opt/sing-box/clash/cache.db"
    }
  }
}

This configuration is used on OpenWrt: sing-box listens on local port 15353 and is set as dnsmasq's upstream to perform DNS resolution.

# uci show dhcp | grep 15353
dhcp.@dnsmasq[0].server='127.0.0.1#15353' '::1#15353'

Everything other than fakeip splits DNS as expected and gets correct results; only fakeip, as described above, returns nothing.


I just tested again, this time specifying the resolver port, and got a result.
(Not sure why there are several connection refused errors, though.)

# dig www.google.com -p 15353
;; communications error to 127.0.0.1#15353: connection refused
;; communications error to 127.0.0.1#15353: connection refused
;; communications error to 127.0.0.1#15353: connection refused

; <<>> DiG 9.18.11 <<>> www.google.com -p 15353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11775
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.			IN	A

;; ANSWER SECTION:
www.google.com.		259	IN	A	172.20.0.6

;; Query time: 15 msec
;; SERVER: ::1#15353(::1) (UDP)
;; WHEN: Sun Mar 26 12:06:10 CST 2023
;; MSG SIZE  rcvd: 62

It looks like this way of setting dnsmasq's upstream may only misbehave for fakeip.
If nobody else has a similar setup for reference, I'll close this issue.

@nekohasekai
Member

Do you have the logs dnsmasq produced when the error occurred?

@70599
Author

70599 commented Mar 26, 2023

Tested again with dnsmasq's default port changed to something other than 53 and sing-box listening directly on [::]:53.
Now dig gets the fakeip directly.

# dig www.google.com

; <<>> DiG 9.18.11 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26505
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.			IN	A

;; ANSWER SECTION:
www.google.com.		600	IN	A	172.20.0.7

;; Query time: 47 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Mar 26 12:18:12 CST 2023
;; MSG SIZE  rcvd: 62

But www.google.com still does not open properly in the browser.

[screenshot]

@70599
Author

70599 commented Mar 26, 2023

Do you have the logs dnsmasq produced when the error occurred?

I just rechecked the dnsmasq settings and found that "DNSSEC check unsigned" was enabled.
After disabling it, I restored dnsmasq to its default port 53, with sing-box listening on 15353 and set as dnsmasq's upstream.

Now dig gets the fakeip normally:

# dig www.google.com

; <<>> DiG 9.18.11 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65433
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.			IN	A

;; ANSWER SECTION:
www.google.com.		487	IN	A	172.20.0.10

;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Mar 26 13:05:35 CST 2023
;; MSG SIZE  rcvd: 62

But www.google.com still does not open properly in the browser.
[screenshot]

@70599
Author

70599 commented Mar 26, 2023

After copying dns.fakeip.inet4_range and inbounds[1].inet4_address exactly from the documentation (other settings untouched), the site now opens normally.

I probably misunderstood the following statement in the documentation.

If using tun, make sure FakeIP ranges is included in the tun's routes.

I assumed dns.fakeip.inet4_range had to be a subset of inbounds[1].inet4_address.

@70599 70599 closed this as completed Mar 26, 2023
@nekohasekai
Member

You can try adding a DNS rule to block the DNSSEC check. Specifically, add a rule with query_type DNSKEY that routes to the server of type rcode://success.

@nekohasekai nekohasekai reopened this Mar 26, 2023
@70599
Author

70599 commented Mar 26, 2023

You can try adding a DNS rule to block the DNSSEC check. Specifically, add a rule with query_type DNSKEY that routes to the server of type rcode://success.

Thanks for the reply.
After repeated debugging I found it is unrelated to DNSSEC.

  1. Restored the state at the time the issue was filed.
    dns.fakeip.inet4_range and inbounds[1].inet4_address copied exactly from the documentation
  2. Enabled dnsmasq logging
    # vim /etc/dnsmasq.conf
    
    ...add the following settings
    log-dhcp
    log-queries
    log-facility=/tmp/log/dnsmasq.log
  3. Found that when querying a domain whose upstream is fakeip, "possible DNS-rebind attack detected" appears in the dnsmasq log
    Mar 26 15:36:56 dnsmasq[5752]: query[A] www.google.com from 10.10.2.2
    Mar 26 15:36:56 dnsmasq[5752]: forwarded www.google.com to 127.0.0.1#15353
    Mar 26 15:36:56 dnsmasq[5752]: possible DNS-rebind attack detected: www.google.com
  4. Disabled rebind protection on OpenWrt and restarted dnsmasq
    # uci set dhcp.@dnsmasq[0].rebind_protection='0'
    # uci commit
    # service dnsmasq restart

After that, dig and browser access both work normally.
(You had pointed to the dnsmasq logs early on; I didn't debug as suggested right away, sorry for wasting your time.)

I used *ray-family fakedns before and it apparently never triggered OpenWrt's rebind protection.
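The dnsmasq lines in step 3 are worth correlating automatically when a resolver chain misbehaves: dnsmasq logs which upstream a name was forwarded to and, on a separate line, that the answer was dropped as a possible rebind. The Python script below is an added example, not part of this issue or of sing-box; it attributes each rejected answer to the upstream that produced it and summarises per upstream how many forwards ended in a rejection. The log it runs on is constructed in dnsmasq's log-queries format from the lines shown above, with a second name added that gets a public answer through.

```python
"""Attribute dnsmasq 'possible DNS-rebind attack detected' events to the
upstream that answered them (added example; the log below is constructed)."""
import re

# Constructed sample in dnsmasq log-queries format, modelled on the issue's
# lines. www.google.com is forwarded to the sing-box upstream and rejected;
# www.apple.com uses the same upstream and its (TEST-NET-3) answer passes.
SAMPLE_LOG = """\
Mar 26 15:36:56 dnsmasq[5752]: query[A] www.google.com from 10.10.2.2
Mar 26 15:36:56 dnsmasq[5752]: forwarded www.google.com to 127.0.0.1#15353
Mar 26 15:36:56 dnsmasq[5752]: possible DNS-rebind attack detected: www.google.com
Mar 26 15:37:01 dnsmasq[5752]: query[A] www.apple.com from 10.10.2.2
Mar 26 15:37:01 dnsmasq[5752]: forwarded www.apple.com to 127.0.0.1#15353
Mar 26 15:37:01 dnsmasq[5752]: reply www.apple.com is 203.0.113.10
"""

# Syslog-style prefix dnsmasq writes with log-facility; the day may be padded.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) dnsmasq\[\d+\]: (?P<msg>.*)$")
FORWARD_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<upstream>\S+)$")
REBIND_RE = re.compile(r"^possible DNS-rebind attack detected: (?P<name>\S+)$")
REPLY_RE = re.compile(r"^reply (?P<name>\S+) is (?P<addr>\S+)$")


def parse_events(log_text):
    """Yield (timestamp, kind, name, upstream) with kind in
    {'forwarded', 'rebind', 'reply'}. A rebind or reply is attributed to the
    most recent upstream the same name was forwarded to ('unknown' if none)."""
    last_upstream = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        if f := FORWARD_RE.match(msg):
            last_upstream[f["name"]] = f["upstream"]
            yield ts, "forwarded", f["name"], f["upstream"]
        elif r := REBIND_RE.match(msg):
            yield ts, "rebind", r["name"], last_upstream.get(r["name"], "unknown")
        elif a := REPLY_RE.match(msg):
            yield ts, "reply", a["name"], last_upstream.get(a["name"], "unknown")


def rebind_events(log_text):
    """List of (timestamp, name, upstream) for every answer dnsmasq rejected."""
    return [(ts, name, up) for ts, kind, name, up in parse_events(log_text)
            if kind == "rebind"]


def upstream_summary(log_text):
    """Per upstream: forwards sent and answers rejected as a possible rebind.
    An upstream whose answers are rejected whenever it hands out private
    space (a FakeIP pool inside RFC 1918, as in this issue) stands out here."""
    summary = {}
    for _, kind, _, up in parse_events(log_text):
        entry = summary.setdefault(up, {"forwarded": 0, "rebind_rejected": 0})
        if kind == "forwarded":
            entry["forwarded"] += 1
        elif kind == "rebind":
            entry["rebind_rejected"] += 1
    return summary


if __name__ == "__main__":
    for ts, name, up in rebind_events(SAMPLE_LOG):
        print(f"{ts} {name}: answer from {up} rejected as possible rebind")
    print(upstream_summary(SAMPLE_LOG))
```

Run against a real `/tmp/log/dnsmasq.log`, pass the file contents to `upstream_summary`; the attribution assumes dnsmasq logs the forward before the rejection for the same name, which is the order shown in the issue.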

@nekohasekai
Member

Please try changing inet4_range to a value that does not overlap tun.inet4_address.

FakeIP ranges is included in the tun's routes.

This does not mean the tun address must contain it; when auto_route is enabled, all addresses are routed by default (unless they conflict with another interface).

@70599
Author

70599 commented Mar 26, 2023

Please try changing inet4_range to a value that does not overlap tun.inet4_address.

Thanks for the suggestion; I've reconfigured and there are no problems now.
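Both root causes in this thread can be read off the configuration alone: the FakeIP pool 172.20.0.1/24 sits inside the tun address 172.20.0.1/16, and the pool is RFC 1918 space, which is exactly what dnsmasq's rebind protection (`stop-dns-rebind`, OpenWrt's `rebind_protection`) refuses when it appears in an upstream answer. The Python check below is an added example, not sing-box's own code. It loads a trimmed copy of the issue's config and a corrected variant whose values the example author chose (they are not from the issue), and reports both conditions. The list of private IPv4 ranges is the example author's reading of dnsmasq's behaviour; IPv6 is not modelled.

```python
"""Check a sing-box config for the two FakeIP pitfalls seen in this issue:
the pool overlapping the tun address, and the pool lying in private space
that a dnsmasq with rebind protection in front of sing-box will drop.
Added example code; both configs below are constructed."""
import ipaddress
import json

# Trimmed copy of the configuration posted in the issue (constructed here).
ISSUE_CONFIG = json.loads("""
{
  "dns": {"fakeip": {"enabled": true,
                     "inet4_range": "172.20.0.1/24",
                     "inet6_range": "fdfe:dcba:9876::1/18"}},
  "inbounds": [
    {"tag": "_dns_in", "type": "direct", "listen": "::1", "listen_port": 15353},
    {"tag": "_tun_in", "type": "tun", "inet4_address": "172.20.0.1/16", "auto_route": true}
  ]
}
""")

# Corrected variant chosen by the example author, not taken from the issue:
# 198.18.0.0/15 is the RFC 2544 benchmarking block, neither RFC 1918 nor
# routed on the Internet, and the tun address is disjoint from the pool.
FIXED_CONFIG = json.loads("""
{
  "dns": {"fakeip": {"enabled": true, "inet4_range": "198.18.0.0/15", "inet6_range": "fc00::/18"}},
  "inbounds": [
    {"tag": "_tun_in", "type": "tun", "inet4_address": "172.19.0.1/30", "auto_route": true}
  ]
}
""")

# IPv4 ranges dnsmasq's rebind protection refuses in upstream answers, per the
# example author's reading of dnsmasq's private-address check: RFC 1918,
# loopback, link-local and the 0.0.0.0/8 "this network" block.
DNSMASQ_PRIVATE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def fakeip_ranges(config):
    """FakeIP pools as networks (172.20.0.1/24 is normalised to 172.20.0.0/24)."""
    fake = config.get("dns", {}).get("fakeip", {})
    if not fake.get("enabled"):
        return []
    return [ipaddress.ip_network(fake[key], strict=False)
            for key in ("inet4_range", "inet6_range") if key in fake]


def tun_addresses(config):
    """Addresses of every tun inbound; accepts a string or a list of strings."""
    found = []
    for inbound in config.get("inbounds", []):
        if inbound.get("type") != "tun":
            continue
        for key in ("inet4_address", "inet6_address"):
            values = inbound.get(key, [])
            if isinstance(values, str):
                values = [values]
            found.extend(ipaddress.ip_interface(v) for v in values)
    return found


def check_config(config):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    tuns = tun_addresses(config)
    for pool in fakeip_ranges(config):
        for addr in tuns:
            if pool.version == addr.version and pool.overlaps(addr.network):
                findings.append(
                    f"fakeip range {pool} overlaps tun address {addr}; "
                    f"auto_route routes the pool anyway, so pick a disjoint range")
        if pool.version == 4:
            for private in DNSMASQ_PRIVATE_V4:
                if pool.overlaps(private):
                    findings.append(
                        f"fakeip range {pool} lies in {private}; a dnsmasq with "
                        f"rebind protection in front of sing-box drops these answers")
    return findings


if __name__ == "__main__":
    for label, cfg in (("issue", ISSUE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_config(cfg) or ["ok"])
```

When FakeIP is limited to a handful of domains, as in this configuration, OpenWrt's `rebind_domain` list (dnsmasq's `rebind-domain-ok`) lets those names' answers through while rebind protection stays on for everything else; moving the pool out of RFC 1918 space, as the corrected variant does, avoids the conflict altogether.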
