Add routeOnly sniffing option #1271
Codecov Report
@@ Coverage Diff @@
## master #1271 +/- ##
==========================================
- Coverage 44.72% 44.72% -0.01%
==========================================
Files 485 485
Lines 29465 29482 +17
==========================================
+ Hits 13179 13186 +7
- Misses 14884 14896 +12
+ Partials 1402 1400 -2
Continue to review full report at Codecov.
This option can be useful if you want to make sure the target the server is going to dial is the target your client resolver resolved. But please note that it does not provide any "privacy protection", as the server operator can still easily sniff out the SNI or intercept DNS traffic if you're using plain unencrypted DNS. It also does not provide "the expected connection behavior of the client", because you essentially prevented server-side happy eyeballs from happening, and it's impossible to properly implement happy eyeballs from the client side of a proxy.

When the routing strategy is IPIfNonMatch and IP matching is attempted after domain matching fails, is the IP resolved from the sniffed domain used here, or the original target IP of the connection?
What about always setting RouteTarget no matter whether RouteOnly is true or false? Then Router would only have to look at RouteTarget when picking a route. This makes the router code cleaner and less likely to break in the future. And it's no longer necessary to modify GetTargetIPs().

Instead of adding a new field and option, why not just add the fakedns result to the attribute of the connection? We will need to support things like routing by process name in the future, so we can make a minor infrastructure change here to make it easier to add more routing attributes later.
@@ -241,7 +245,11 @@ func (d *DefaultDispatcher) Dispatch(ctx context.Context, destination net.Destin | |||
domain := result.Domain() | |||
newError("sniffed domain: ", domain).WriteToLog(session.ExportIDToError(ctx)) | |||
destination.Address = net.ParseAddress(domain) | |||
ob.Target = destination | |||
if sniffingRequest.RouteOnly && result.Protocol() != "fakedns" { |
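Review bot: the RouteOnly check on the last line of this hunk keys only on result.Protocol() != "fakedns", so a composite sniff result (meta and content sniffing both succeeding) whose outer protocol is not "fakedns" takes the route-only path and leaves the fake IP as the dial target; derive the protocol from the domain result (e.g. ProtocolForDomainResult on SnifferResultComposite) before comparing. Also, destination.Address and ob.Target have already been rewritten to the sniffed domain two lines earlier, so the body of this branch has to restore the original address rather than merely skip the override; a comment stating that ordering would make the intent clear to future readers.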
Traffic will be dispatched to fake IPs if fakeDNS is enabled, RouteOnly is enabled, and both meta and content sniffing succeed.
if sniffingRequest.RouteOnly && result.Protocol() != "fakedns" { | |
protocol := result.Protocol() | |
if resultComposite, ok := result.(SnifferResultComposite); ok { | |
protocol = resultComposite.ProtocolForDomainResult() | |
} | |
if sniffingRequest.RouteOnly && protocol != "fakedns" { |
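Review bot: the suggestion covers the composite case, but nothing in the PR exercises the combination it targets (fakeDNS enabled, RouteOnly enabled, meta and content sniffing both succeeding); add a dispatcher test asserting that the dial target is the mapped domain rather than the fake IP in that case, and a second asserting that a plain tls/http result with RouteOnly keeps the client-resolved IP.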
This option can be useful if a client uses HTTPS Alt-Svc, which leads to a wrong IP if destOverride is enabled.
Allows the sniffed domain to be used for routing only, without overriding the destination address. This improves the routing accuracy of AsIs, and provides the expected connection behavior of the client (not resolving the domain name again on the server side), which adds a degree of privacy protection when connecting to uncontrolled servers.
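To make the semantics discussed in this thread concrete, here is an added Go sketch of the "always set RouteTarget" design; it is not v2ray's code, and Destination, SniffResult, Outbound and applySniff are hypothetical stand-ins for the real dispatcher types. The sniffed domain always feeds the router, and replaces the dial target only when RouteOnly is off or the result came from fakedns (a fake IP is not dialable and must be mapped back to its domain).

```go
package main

import "fmt"

// Destination is a simplified stand-in for the dispatcher's destination (hypothetical).
type Destination struct {
	Host string // IP literal or domain name
	Port int
}

// SniffResult carries the two fields the dispatcher reads from a sniffer.
type SniffResult struct {
	Protocol string // e.g. "http", "tls", "fakedns"
	Domain   string
}

// Outbound holds the address to dial and the address the router matches on.
type Outbound struct {
	Target      Destination
	RouteTarget Destination
}

// applySniff implements the RouteOnly decision: RouteTarget always gets the
// sniffed domain; Target is only overridden when RouteOnly is off or the
// result is a fakedns mapping, which must be undone to reach the real host.
func applySniff(dest Destination, res *SniffResult, routeOnly bool) Outbound {
	ob := Outbound{Target: dest, RouteTarget: dest}
	if res == nil || res.Domain == "" {
		return ob // nothing sniffed: route and dial on the original address
	}
	domainDest := Destination{Host: res.Domain, Port: dest.Port}
	ob.RouteTarget = domainDest
	if !routeOnly || res.Protocol == "fakedns" {
		ob.Target = domainDest
	}
	return ob
}

func main() {
	// Constructed example: client already resolved example.com to 203.0.113.10.
	dest := Destination{Host: "203.0.113.10", Port: 443}
	res := &SniffResult{Protocol: "tls", Domain: "example.com"}
	for _, ro := range []bool{false, true} {
		ob := applySniff(dest, res, ro)
		fmt.Printf("routeOnly=%v dial=%s route=%s\n", ro, ob.Target.Host, ob.RouteTarget.Host)
	}
}
```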