search

MetaCubeX / mihomo

A simple Python Pydantic model for Honkai: Star Rail parsed data from the Mihomo API.
https://wiki.metacubex.one
MIT License
16.62k stars 2.66k forks source link

[Bug] mihomo returns poisoned DNS from a proxy instead of configured nameserver #1025

Open lux5am opened 9 months ago

lux5am commented 9 months ago

Verify steps

Mihomo version

Mihomo Meta alpha-20658f6 android arm64 with go1.21.6 Mon Feb 5 14:41:30 UTC 2024 Use tags: with_gvisor

What OS are you seeing the problem on?

Linux

Mihomo config

allow-lan: true
bind-address: "*"
mode: rule
log-level: info
find-process-mode: always
unified-delay: true
keep-alive-interval: 1800

external-controller: 0.0.0.0:9090
external-ui: ./ui

dns:
  enable: true
  listen: 127.0.0.1:1053
  enhanced-mode: redir-host
  fake-ip-range: 198.18.0.1/16
  nameserver:
    - https://94.140.14.14/dns-query#🔼Dns

proxies: []

proxy-groups:
  - name: 🌝Proxy
    type: select
    use:
      - myproxies
  - name: 🔼Dns
    type: select
    use:
      - myproxies

proxy-providers:
  myproxies:
    type: file
    path: ./proxy_provider/myproxies.yaml
    health-check:
      enable: true
      url: http://www.gstatic.com/generate_204
      interval: 1800

rules:
  - IP-CIDR,94.140.14.14/32,🔼Dns
  - MATCH,🌝Proxy

tun:
  enable: true
  mtu: 9000
  device: utun
  stack: system # gvisor / system / mixed
  dns-hijack:
    - 0.0.0.0:53
  auto-route: true
  strict-route: false
  auto-detect-interface: true
  include-android-user: [0, 10]
  exclude-package: [] # blacklist
  include-package: [] # whitelist

tproxy-port: 0
redir-port: 9797

Mihomo log

No response

Description

It seems mihomo randomly returns a DNS response from a selected proxy instead of configured nameserver. Or what people say DNS leak.

This causing unexpected behaviour like forced safe search on google, youtube, bing, yandex etc. And require login to see public accounts on Facebook and Instagram.

This behaviour also make blocking ads via DNS like Adguard or nextdns isn't effective.

p.s I'm using a magisk module to run mihomo named Box for Root.

Picrel: Here I set DNS to UK, and proxy to Japan Screenshot_20240206-111617_Kiwi Browser Screenshot_20240206-111736_Kiwi Browser

Then change the proxy only to Poland Screenshot_20240206-111655_Kiwi Browser Screenshot_20240206-111731_Kiwi Browser

And if I use nextdns in nameserver. In nextdns dashboard markup_1000009789 (1)

markup_1000009373

Skyxim commented 9 months ago

This is logical, the DNS query goes through the UK, then the network traffic reaches a proxy server in Japan, the proxy server re-resolves the domain name and initiates the request to the actual target, so there are two zones for DNS.

DNS in proxy software is used for the resolution required by IP rules and the domain name that needs to be connected. It is different from the working principle of VPN. For the so-called DNS leak, you need to run it in global mode to achieve similar effects. There is no guarantee in rule mode.

lux5am commented 9 months ago

This is logical, the DNS query goes through the UK, then the network traffic reaches a proxy server in Japan, the proxy server re-resolves the domain name and initiates the request to the actual target, so there are two zones for DNS.

DNS in proxy software is used for the resolution required by IP rules and the domain name that needs to be connected. It is different from the working principle of VPN. For the so-called DNS leak, you need to run it in global mode to achieve similar effects. There is no guarantee in rule mode.

So mihomo send the domain name to the proxy server to re-resolve? Is there any particular reason why so? Why don't just connect with the ip returned from the configured nameserver? Such behaviour is different with xray and sing-box's DNS resolver where they don't ask the proxy server to re-resolve the domain. So there's no proxy server's DNS detected.

I notice while opening public Facebook account it's directly asking for login. And if I use a proxy server with strict gov requirement such as Indonesia, it block many website and redirect it to gov blocking page. Some website like reddit, gambling, adult etc where blocked. And of course all search engine including youtube enabled safe search and couldn't be toggled off.

Currently I use adguardhome with nextdns to resolve the DNS. In android I use global private/secure DNS but such option isn't available on older android version. While it's also rerouted to a particular proxy server in mihomo with rules. And there's no such problem as above. But it would be nice if I don't need intermediate DNS proxy just to resolve the domain name since mihomo has its own DNS resolver. It becomes my concern since I also use mihomo with openclash on openwrt router. With limited ram I can't really use many program.

Skyxim commented 9 months ago

So mihomo send the domain name to the proxy server to re-resolve

This is something designed by the proxy. Re-resolving DNS may be a bit misunderstood. It should be said that the traffic metadata will be sent to the server. The server uses the metadata to initiate a link to the real server. If the metadata contains the domain name, it will naturally be re-resolved.

lux5am commented 9 months ago

So mihomo send the domain name to the proxy server to re-resolve

This is something designed by the proxy. Re-resolving DNS may be a bit misunderstood. It should be said that the traffic metadata will be sent to the server. The server uses the metadata to initiate a link to the real server. If the metadata contains the domain name, it will naturally be re-resolved.

Can it be turned off tho? I mean to not send the metadata containing the domain name to the proxy server? I don't think there would be any problem since I can use mihomo without mihomo's DNS resolver. I don't really want to use other project since they don't have proxy providers and proxy group with fallback, loud balancing. I already comfortable with clash/mihomo.

lux5am commented 9 months ago

@Skyxim can you please kindly pointing out to me where such mechanism can be turned off in the source code? Maybe I can use my own customization build if my request isn't aligned with the project's goal. But it would be nice if mihomo can accommodate it. Maybe add a global option to turn of sending metadata to proxy server.

Skyxim commented 9 months ago

like this https://github.com/MetaCubeX/mihomo/blob/20658f6eac2b9fb876b377547ee0190eb2e57b05/tunnel/tunnel.go#L386

metadata.Pure()

add here https://github.com/MetaCubeX/mihomo/blob/20658f6eac2b9fb876b377547ee0190eb2e57b05/tunnel/tunnel.go#L511

lux5am commented 9 months ago

Thank you. I will try.