AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home/overview.html
GNU General Public License v3.0

When using encrypted DNS as the upstream server, Windows 10 is not able to ping IPv6-only domains #7375

Open ckx000 opened 4 weeks ago

ckx000 commented 4 weeks ago

Prerequisites

The problem

(screenshot) After enabling an encrypted upstream, ADGH returns an SOA record in response to A queries for IPv6-only domains. (It seems like it may be trying to direct devices to query via this SOA record?)

The packet capture looks like this: (screenshot)

Every time such an SOA record is returned, Windows caches it. On Windows 10 the ping command then fails and hangs; only ping -6 can ping the IPv6 address normally. nslookup is not affected. According to what I found, ping and nslookup on Windows 10 use two completely different DNS query implementations. After clearing the DNS cache with ipconfig /flushdns, the first ping works normally (see the blue box in the screenshot), but subsequent attempts report that the host cannot be found.

Checking the cache list at the same time: (screenshot) After a few seconds the A record disappears: (screenshot)

At this point Windows keeps reporting that the host cannot be found. If you ping again, Windows sends an A query to ADGH, which keeps returning the SOA record, so Windows keeps failing until the next ipconfig /flushdns. After clearing the cache, only the first lookup of an IPv6-only domain works; the problem reappears on the second attempt, even when querying a different IPv6-only domain.

This behavior occurs on both Windows 10 Pro 22H2 (19045.5011) and Windows 10 Enterprise 1803 (17134.1). The problem caused by the SOA record returned for the A query does not occur on Linux.

When ADGH is not using an encrypted upstream: (screenshot)

The returned A record is simply empty, and everything works fine on Windows. (When querying without an encrypted upstream and checking the DNS cache with ipconfig /displaydns, the result looks the same as in the two screenshots above.)

Proposed solution

I would like to request a switch in ADGH so that, when using an encrypted upstream, the A responses returned for these IPv6-only domains do not include the SOA record.

Alternatives considered and additional information

My personal guess is that ping first checks the DNS cache; if there is no cached entry, it sends both A and AAAA queries to ADGH. ADGH returns the SOA record for the A query and an address for the AAAA query, and ping reaches the host over IPv6. When the system starts the next ping, it finds the SOA data for the A record in the DNS cache and, for some reason, sends another A query to ADGH (but no AAAA query). The result is again only the SOA record for the A query. Windows then considers that the response contains no address data and gets stuck there, without trying the IPv6 address that is still in the DNS cache.
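The two captures described in this report differ in a way that is visible on the wire: an A response with an SOA record in the authority section is the RFC 2308 "NODATA" form, which tells the client that the name exists but has no record of that type and how long it may cache that fact (min of the SOA TTL and the SOA MINIMUM field), whereas a NOERROR response with an empty answer and no SOA carries no negative-caching information at all. The following Python is an added illustration, not code from the issue or from AdGuard Home; it constructs both response shapes for a made-up name (`v6only.example.`, with made-up SOA values) and parses them to show which one a client is entitled to cache negatively. It also accepts compressed names, so it can be pointed at a real response body captured from a resolver.

```python
"""Distinguish the two "no A record" answer shapes seen in this issue.

Added example, not code from the issue or from AdGuard Home. Names, TTLs
and the SOA field values below are constructed for illustration only.
"""
import struct

TYPE_A, TYPE_SOA, TYPE_AAAA = 1, 6, 28


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off], following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the stream)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # two-byte pointer into the message
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_response(qname, qtype, answers=(), soa=None, rcode=0):
    """Build a response. `answers` is a list of (type, rdata) placed in the
    answer section; `soa` is (zone, mname, rname, serial, refresh, retry,
    expire, minimum, ttl) and, when given, goes in the authority section
    exactly as an RFC 2308 negative answer does."""
    flags = 0x8180 | rcode                   # QR, RD, RA set; rcode in the low 4 bits
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 1 if soa else 0, 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in answers:
        body += encode_name(qname) + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    if soa:
        zone, mname, rname, serial, refresh, retry, expire, minimum, ttl = soa
        rdata = (encode_name(mname) + encode_name(rname)
                 + struct.pack("!IIIII", serial, refresh, retry, expire, minimum))
        body += encode_name(zone) + struct.pack("!HHIH", TYPE_SOA, 1, ttl, len(rdata)) + rdata
    return hdr + body


def classify(msg):
    """Walk every section and report what kind of answer this is and, for a
    negative answer, how long RFC 2308 lets a resolver cache it."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off = flags & 0xF, 12
    for _ in range(qd):                      # skip the question section
        _, off = decode_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    answer_types, soa = [], None
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata_start, off = off, off + rdlen
            if section == "answer":
                answer_types.append(rtype)
            elif section == "authority" and rtype == TYPE_SOA:
                _, p = decode_name(msg, rdata_start)   # MNAME
                _, p = decode_name(msg, p)             # RNAME
                minimum = struct.unpack("!I", msg[p + 16:p + 20])[0]  # fifth 32-bit field
                soa = (owner, ttl, minimum)
    if rcode == 3:
        kind = "NXDOMAIN"
    elif answer_types:
        kind = "answer"
    elif soa:
        kind = "NODATA"                      # RFC 2308 negative answer: cacheable
    else:
        kind = "empty"                       # no SOA: nothing tells the client how long to cache
    negative_ttl = min(soa[1], soa[2]) if soa and kind in ("NXDOMAIN", "NODATA") else None
    return {"kind": kind, "answer_types": answer_types,
            "zone": soa[0] if soa else None, "negative_ttl": negative_ttl}


if __name__ == "__main__":
    # Constructed SOA for a hypothetical zone; MINIMUM (300) is lower than the RR TTL (3600)
    SOA = ("example.", "ns1.example.", "hostmaster.example.", 2024010101, 7200, 3600, 1209600, 300, 3600)
    v6 = bytes.fromhex("20010db8" + "00" * 12)          # constructed AAAA address
    print(classify(build_response("v6only.example.", TYPE_A, soa=SOA)))    # NODATA, negative_ttl 300
    print(classify(build_response("v6only.example.", TYPE_A)))             # empty, negative_ttl None
    print(classify(build_response("v6only.example.", TYPE_AAAA, answers=[(TYPE_AAAA, v6)])))  # answer
```

The first shape is what an upstream that follows RFC 2308 (and a resolver that forwards its authority section) produces for an A query on an AAAA-only name; the second is the bare empty response the report shows without an encrypted upstream. Both mean "no A record", but only the first tells the client it may remember that for `negative_ttl` seconds, which is the property the report's observations about the Windows cache turn on.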

ckx000 commented 4 weeks ago

(screenshot) On Linux, without an encrypted upstream

(screenshot) Using an encrypted upstream