MatsuriDayo / nekoray

Qt based cross-platform GUI proxy configuration manager (backend: sing-box)
https://matsuridayo.github.io/
GNU General Public License v3.0

Question about the direct-connection logic in the DNS split-routing rules #682

Closed Mustang0394 closed 2 months ago

Mustang0394 commented 1 year ago

Describe the problem

So I would like to ask:

  1. How can the block rules in the routing rules take priority over direct connection?
  2. How can the program use the system's DNS requests for direct DNS, so that the system hosts file takes effect?

Thanks

Expected behavior:

Actual behavior:

How to reproduce

Provide helpful screenshots, recordings, written descriptions, subscription links, etc.

Logs

If there are logs, please upload them. See the documentation for the detailed steps on exporting logs.

arm64v8a commented 1 year ago

How can the block rules in the routing rules take priority over direct connection?

By default, block already has higher priority than direct. If in doubt, you can export the config and analyze it.

How can the program use the system's DNS requests for direct DNS, so that the system hosts file takes effect?

The core does not seem to support this; it depends on whether your application reads hosts itself.

Mustang0394 commented 1 year ago

@arm64v8a

This is my config, with the server details removed:

{
  "dns": {
    "independent_cache": true,
    "rules": [
      {
        "domain": [],
        "domain_keyword": [],
        "domain_regex": [],
        "domain_suffix": [],
        "geosite": ["cn"],
        "server": "dns-direct"
      }
    ],
    "servers": [
      {
        "address": "https://1.0.0.1/dns-query",
        "address_resolver": "dns-local",
        "detour": "proxy",
        "strategy": "prefer_ipv4",
        "tag": "dns-remote"
      },
      {
        "address": "underlying://0.0.0.0",
        "address_resolver": "dns-local",
        "detour": "direct",
        "strategy": "prefer_ipv4",
        "tag": "dns-direct"
      },
      {
        "address": "underlying://0.0.0.0",
        "detour": "direct",
        "tag": "dns-local"
      }
    ]
  },
  "inbounds": [
    {
      "domain_strategy": "prefer_ipv4",
      "listen": "0.0.0.0",
      "listen_port": 8080,
      "sniff": true,
      "sniff_override_destination": true,
      "tag": "mixed-in",
      "type": "mixed"
    }
  ],
  "log": { "level": "info" },
  "outbounds": [
    {
      "domain_strategy": "prefer_ipv4",
      "flow": "xtls-rprx-vision",
      "packet_encoding": "xudp",
      "server": "1.1.1.1",
      "server_port": 443,
      "tag": "proxy",
      "tls": {
        "enabled": true,
        "reality": {
          "enabled": true,
          "public_key": "",
          "short_id": ""
        },
        "server_name": "",
        "utls": { "enabled": true, "fingerprint": "chrome" }
      },
      "type": "vless",
      "uuid": ""
    },
    { "tag": "direct", "type": "direct" },
    { "tag": "bypass", "type": "direct" },
    { "tag": "block", "type": "block" },
    { "tag": "dns-out", "type": "dns" }
  ],
  "route": {
    "auto_detect_interface": false,
    "final": "proxy",
    "geoip": { "path": "C:/nekoray/current/geoip.db" },
    "geosite": { "path": "C:/nekoray/current/geosite.db" },
    "rules": [
      { "outbound": "dns-out", "protocol": "dns" },
      { "geoip": ["cn", "private"], "ip_cidr": [], "outbound": "bypass" },
      {
        "domain": [],
        "domain_keyword": [],
        "domain_regex": [],
        "domain_suffix": [
          "appcenter.ms",
          "app-measurement.com",
          "firebase.io",
          "crashlytics.com",
          "google-analytics.com",
          "baidu.com"
        ],
        "geosite": ["category-ads-all"],
        "outbound": "block"
      },
      {
        "domain": [],
        "domain_keyword": [],
        "domain_regex": [],
        "domain_suffix": [],
        "geosite": ["cn"],
        "outbound": "bypass"
      },
      {
        "network": "udp",
        "outbound": "block",
        "port": [135, 137, 138, 139, 5353]
      },
      { "ip_cidr": ["224.0.0.0/3", "ff00::/8"], "outbound": "block" },
      { "outbound": "block", "source_ip_cidr": ["224.0.0.0/3", "ff00::/8"] }
    ]
  }
}

I tested with a browser. After adding a block for baidu.com, the browser can still access baidu.com normally. The nekoray log shows the following:

INFO[0210] [3400323124 0ms] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:57918
INFO[0210] [3400323124 0ms] inbound/mixed[mixed-in]: inbound connection to baidu.com:443
INFO[0210] dns: exchanged baidu.com A baidu.com. 265 IN A 110.xx.xx.xx
INFO[0210] dns: exchanged baidu.com A baidu.com. 265 IN A 39.xx.xx.xx
INFO[0210] [3400323124 16ms] dns: lookup succeed for baidu.com: 110.xx.xx.xx 39.xx.xx.xx
INFO[0210] [3400323124 16ms] outbound/direct[bypass]: outbound connection to baidu.com:443
ERROR[0211] [1891941574 2m4s] inbound/mixed[mixed-in]: process connection from 127.0.0.1:57147: download: write tcp4 127.0.0.1:18080->127.0.0.1:57147: wsasend: An established connection was aborted by the software in your host machine.
ERROR[0211] [2913265583 2m2s] inbound/mixed[mixed-in]: process connection from 127.0.0.1:57752: download: write tcp4 127.0.0.1:18080->127.0.0.1:57752: wsasend: An established connection was aborted by the software in your host machine.
INFO[0211] [1648053959 0ms] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:57920
INFO[0211] [1648053959 0ms] inbound/mixed[mixed-in]: inbound connection to www.baidu.com:443
INFO[0211] dns: exchanged www.baidu.com CNAME www.baidu.com. 28 IN CNAME www.a.shifen.com.
INFO[0211] dns: exchanged www.baidu.com A www.a.shifen.com. 28 IN A 182.xx.xx.xx
INFO[0211] dns: exchanged www.baidu.com A www.a.shifen.com. 28 IN A 182.xx.xx.xx
INFO[0211] [1648053959 16ms] dns: lookup succeed for www.baidu.com: 182.xx.xx.xx 182.xx.xx.xx
INFO[0211] [1648053959 16ms] outbound/direct[bypass]: outbound connection to www.baidu.com:443

Mustang0394 commented 1 year ago

After a few more tries I found the problem. When Preferences - Routing Settings - General - Domain Strategy is set to prefer_ipv4, direct takes priority over block. If this option is left at its default (empty), block takes priority over direct.

But I still don't quite understand why the domain strategy here affects routing priority.

fzs209 commented 10 months ago

After a few more tries I found the problem. When Preferences - Routing Settings - General - Domain Strategy is set to prefer_ipv4, direct takes priority over block. If this option is left at its default (empty), block takes priority over direct.

But I still don't quite understand why the domain strategy here affects routing priority.

My understanding is that once the domain strategy is set to prefer_ipv4, baidu.com is resolved to an IP address at the inbound, and then matches geoip:cn in the routing rules and goes direct. (screenshot) With the system proxy, once the domain strategy is left blank, no DNS request is made at all, regardless of how the routing rules are written.
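The behaviour described in this thread, as an added example that is not nekoray or sing-box code: a small model of sing-box's in-order route-rule matching over the three rules from the posted config, showing that an inbound domain_strategy resolves the domain before routing so the earlier geoip:cn rule wins, while with the strategy left empty the geoip rule cannot match and the domain_suffix block rule wins. The geoip/geosite entries and the DNS answer are constructed stand-ins, not the real databases.

```python
import ipaddress

# Constructed stand-ins for geoip.db / geosite.db and for a DNS answer; the real
# data comes from the databases and DNS servers in the posted config.
GEOIP = {"cn": ["110.0.0.0/8", "39.0.0.0/8"], "private": ["10.0.0.0/8", "192.168.0.0/16"]}
GEOSITE = {"cn": ["baidu.com"], "category-ads-all": ["google-analytics.com"]}
DNS = {"baidu.com": "110.0.0.1"}  # placeholder address, not a real record

# The three relevant rules, in the order they appear in the posted config.
RULES = [
    {"geoip": ["cn", "private"], "outbound": "bypass"},
    {"domain_suffix": ["baidu.com"], "geosite": ["category-ads-all"], "outbound": "block"},
    {"geosite": ["cn"], "outbound": "bypass"},
]


def in_geoip(ip, codes):
    # An IP rule can only match when the router already has an address.
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for code in codes for c in GEOIP.get(code, []))


def domain_hits(domain, suffixes):
    return domain is not None and any(domain == s or domain.endswith("." + s) for s in suffixes)


def rule_matches(rule, domain, ip):
    # sing-box ORs the destination fields inside one rule (domain_suffix || geosite || geoip).
    checks = []
    if "domain_suffix" in rule:
        checks.append(domain_hits(domain, rule["domain_suffix"]))
    if "geosite" in rule:
        checks.append(any(domain_hits(domain, GEOSITE.get(g, [])) for g in rule["geosite"]))
    if "geoip" in rule:
        checks.append(in_geoip(ip, rule["geoip"]))
    return any(checks)


def route(domain, domain_strategy=None, final="proxy"):
    """Return the outbound chosen for a sniffed destination domain."""
    # With a domain_strategy on the inbound, the domain is resolved before routing,
    # so IP-based rules can match; left empty, the router sees only the domain.
    ip = DNS.get(domain) if domain_strategy else None
    for rule in RULES:
        if rule_matches(rule, domain, ip):
            return rule["outbound"]
    return final
```

Run `route("baidu.com", "prefer_ipv4")` and `route("baidu.com")` to see the same destination go to bypass in the first case and block in the second.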