DNSCrypt / dnscrypt-proxy

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
https://dnscrypt.info
ISC License

SOCKS Proxy Not Working with Forwarding Rules #2441

Open kkkgo opened 1 year ago

kkkgo commented 1 year ago

THE TRACKER IS DEDICATED TO KEEPING TRACK OF BUGS, preferably after they have been already discussed and confirmed to be reproducible.

FOR ASSISTANCE, PLEASE CLOSE THIS FORM AND USE THE DISCUSSIONS SECTION INSTEAD: https://github.com/DNSCrypt/dnscrypt-proxy/discussions/categories/q-a



Reported bugs must be reproducible in the context described in the "Context" section.

Installation and configuration issues are not bugs, but individual assistance requests.

Context: the LATEST version of `dnscrypt-proxy` (precompiled binaries downloaded from this repository) is correctly installed and configured on your system, but something doesn't seem to produce the expected result.

If the bug is not trivial to reproduce on any platform, please include ALL the steps required to reliably duplicate it, on a vanilla, generic install of macOS, Windows, OpenBSD or Ubuntu Linux system, in their most current version.

If you don't have any clear understanding of the issue or can't enumerate the steps to reproduce it, open a discussion instead:
https://github.com/DNSCrypt/dnscrypt-proxy/discussions

## Output of the following commands:

./dnscrypt-proxy -version

./dnscrypt-proxy -check

./dnscrypt-proxy -resolve example.com

- [ ] Initially raised as discussion #...

## *What* is affected by this bug?

SOCKS Proxy Not Working with Forwarding Rules

## *When* does this occur?
I have configured dnscrypt-proxy with a SOCKS5 proxy and forwarding rules using the following settings:

```
proxy = 'socks5://10.0.0.3:1080'
force_tcp = true
forwarding_rules = 'forwarding-rules.txt'
```

## *Where* does it happen?
forwarding_rules 

## *How* do we replicate the issue?
<!-- Please list all the steps required to reliably replicate it, starting from a newly installed operating system -->

## Expected behavior (i.e. solution)

Regular DNS queries are correctly routed through the SOCKS5 proxy as expected. However, when using the forwarding_rules file to specify domain names and rules, the forwarded queries to the server do not go through the SOCKS5 proxy. Since the forwarded server can only be accessed through the SOCKS proxy, this prevents the results from being returned.

## Other Comments

kkkgo commented 1 year ago

https://github.com/DNSCrypt/dnscrypt-proxy/discussions/2440

jedisct1 commented 1 year ago

The DNS library supports dialers, so it should be compatible with SOCKS proxies.

What would be a sane syntax in the forward configuration file to mention what zones should be routed through the proxy?

kkkgo commented 1 year ago

Thank you for your enthusiastic response!

Initially, I thought the proxy should be a global option that applies to all outgoing connections. However, I later discovered that it doesn't support UDP. So, I set force_tcp = true. However, I noticed that the forwarding_rules didn't use the configured SOCKS proxy as expected. According to your reply, this is the default behavior. Unfortunately, my network environment doesn't allow direct connections to the target DNS servers for forwarding, so I require a SOCKS proxy. As you mentioned in the discussions, it's possible to forward certain regions through SOCKS, but this needs to be separate from the global proxy configuration.

I believe a configuration file that is easy to understand and less prone to confusion could look like this:

```
example.com     8.8.8.8:53@socks5://10.0.0.3:1080
example.com     8.8.8.8@,9.9.9.9
```

Here, the proxy server is concatenated with the forwarded domain server using the @ symbol, indicating that the connection should be forwarded via SOCKS5. When the content after @ is empty, it would use the value of the global proxy. It would be ideal if the proxy supports both UDP and TCP protocols.

The above is my understanding and suggestion for the configuration file. If there's anything else I can assist you with, please let me know.

kkkgo commented 1 year ago

In some cases, the user's SOCKS5 proxy may not support proxying UDP. However, DNS servers usually support TCP queries. Therefore, it might be more convenient to explicitly specify the forwarding server's protocol. For example:

```
example.com     tcp://8.8.8.8:53@socks5://10.0.0.3:1080
```

jedisct1 commented 1 year ago

Maybe a simpler and more flexible approach would be a syntax such as:

```
example.com proxy:8.8.8.8,9.9.9.9
```

And then some global configuration settings to define how exactly forwarded queries are proxied (could be SOCKS, with or without UDP, Tor, or eventually later, something else).

kkkgo commented 1 year ago

The syntax appears to be well-structured, but there could indeed be ambiguity when it comes to the term "proxy."

For instance, if we consider "proxy" as a domain name (e.g., an internal hostname in Docker), and the name "proxy" resolves to the docker IP address, the current representation might be confusing:

```
example.com proxy:5353
```

Of course, this is just my assumption. Perhaps, after undergoing a rigorous code inspection and format check, it should work perfectly fine without any issues.

kkkgo commented 1 year ago

As discussed earlier, I have drafted a possible format for the configuration file that could be beneficial for your development needs. This format allows users to define additional settings within the global configuration. The key additions are the forwarding_rules_conn and forwarding_rules_proxy options, which allow users to specify how to connect to forwarding DNS servers and set up DNS proxies, respectively.

New Settings in Global Configuration:

  1. forwarding_rules_conn: This setting is used to determine the connection method for forwarding DNS servers. Users can choose from the following options: both, tcp, and udp. The default value is udp. If tcp or udp is specified, the respective connection method will be used. When set to "both," both TCP and UDP requests will be sent concurrently, and the response from the fastest request will be used as the result.

    forwarding_rules_conn=both
    forwarding_rules_conn=tcp
    forwarding_rules_conn=udp

  2. forwarding_rules_proxy: This setting is used to define the proxy for forwarding DNS. Users should specify the proxy address and port in the format: "protocol://proxy_address:proxy_port". For example:

    forwarding_rules_proxy="socks5://10.0.0.3:1080"

Configuration File Format:

The configuration file, named forwarding_rules.txt, will adhere to the following format:

  1. Regular Forwarding Rules:

    example.com  8.8.8.8:53,9.9.9.9:53

  2. Forwarding Rules with Proxies: To specify DNS servers using a proxy, add @proxy after the server's address and port.

    example.com  8.8.8.8:53@proxy,9.9.9.9:53@proxy

  3. Simplified Proxy Declaration: Alternatively, use the '@' symbol before the domain name to indicate that the DNS server for that domain should be forwarded through a proxy.

    @example.com 8.8.8.8:53,9.9.9.9:53
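
The rule format drafted in the comment above (plain rules, an `@proxy` suffix per server, an `@` prefix on the domain) can be parsed as in this added Go example; it is not dnscrypt-proxy code, and the syntax is only a proposal from this thread. `ParseRule`, `Upstream`, the default port 53 and the choice to reject a proxied rule when no `forwarding_rules_proxy` value is set (instead of dialing the server directly) are assumptions of the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Upstream is one forwarding target; ViaProxy means it must never be dialed directly.
type Upstream struct {
	Addr     string
	ViaProxy bool
}

// ParseRule parses one proposed rule line; proxyURL is forwarding_rules_proxy ("" if unset).
func ParseRule(line, proxyURL string) (string, []Upstream, error) {
	fields := strings.Fields(line)
	if len(fields) != 2 {
		return "", nil, fmt.Errorf("expected: <domain> <server>[,<server>...]")
	}
	domain, all := strings.CutPrefix(fields[0], "@") // "@example.com": every server via proxy
	var ups []Upstream
	for _, s := range strings.Split(fields[1], ",") {
		addr, suffix, marked := strings.Cut(s, "@")
		if marked && suffix != "proxy" || addr == "" {
			return "", nil, fmt.Errorf("bad server entry %q", s)
		}
		if _, _, err := net.SplitHostPort(addr); err != nil {
			addr = net.JoinHostPort(addr, "53") // bare address: assume the DNS port
		}
		up := Upstream{Addr: addr, ViaProxy: all || marked}
		if up.ViaProxy && proxyURL == "" {
			// Fail closed: never fall back to a direct connection for a proxied rule.
			return "", nil, fmt.Errorf("%s: %s needs a proxy but none is configured", domain, addr)
		}
		ups = append(ups, up)
	}
	return domain, ups, nil
}

func main() {
	for _, l := range []string{ // constructed sample rules
		"example.com  8.8.8.8:53@proxy,9.9.9.9:53",
		"@example.com 8.8.8.8:53,9.9.9.9:53",
		"example.com  proxy:5353",
	} {
		d, ups, err := ParseRule(l, "socks5://10.0.0.3:1080")
		fmt.Println(d, ups, err)
	}
}
```

With the `@proxy` suffix form, `proxy:5353` stays an ordinary server named `proxy` on port 5353, so the hostname ambiguity raised earlier in the thread does not arise.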