SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

When sing-box's DNS setting points at another local DNS service, DNS resolution results are not returned #1428

Closed jklolixxs closed 9 months ago

jklolixxs commented 9 months ago

Operating system

Linux

System version

Debian GNU/Linux 12 (bookworm)

Installation type

Other

If you use a graphical client program, please provide its version.

ghcr.io/sagernet/sing-box

Version

root@server:~# docker compose exec -it sing-box sing-box version
sing-box version unknown

Environment: go1.21.6 linux/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api
Revision: c8318058bb4a15e9d6751a71e78bdd3b68c57b32
CGO: disabled

The official Docker image, latest tag, was used.

Description

I set up an AdGuardHome server locally with Docker, listening on port 5335, and it returns DNS results correctly

root@server:~# dig @127.0.0.1 -p 5335 raw.githubusercontent.com
; <<>> DiG 9.18.12-1-Debian <<>> @127.0.0.1 -p 5335 raw.githubusercontent.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53269
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;raw.githubusercontent.com.     IN      A

;; ANSWER SECTION:
raw.githubusercontent.com. 1636 IN      A       185.199.108.133
raw.githubusercontent.com. 1636 IN      A       185.199.109.133
raw.githubusercontent.com. 1636 IN      A       185.199.110.133
raw.githubusercontent.com. 1636 IN      A       185.199.111.133

;; Query time: 120 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Wed Jan 31 22:59:04 EST 2024
;; MSG SIZE  rcvd: 118

But if sing-box is set to use 127.0.0.1:5335, no domain can be resolved, so the rule_set never finishes downloading and startup hangs. If sing-box's DNS is set to 8.8.8.8 or any DNS on a non-private IP, resolution works immediately.

Steps to reproduce

sing-box configuration file used:

{
  "log": {
    "level": "debug",
    "timestamp": false
  },
  "experimental": {
    "cache_file": {
      "enabled": true,
      "path": "/etc/sing-box/.cache"
    }
  },
  "dns": {
    "servers": [
      {
        "tag": "adguardhome",
        "address": "udp://127.0.0.1:5335"
      }
    ],
    "rules": [],
    "final": "adguardhome",
    "disable_cache": false
  },
  "inbounds": [
    {
      "type": "shadowsocks",
      "tag": "shadowsocks",
      "listen": "::",
      "listen_port": xxxx,
      "sniff": true,
      "method": "2022-blake3-aes-128-gcm",
      "password": "xxxxx",
      "multiplex": {
        "enabled": true,
        "padding": true,
        "brutal": {
          "enabled": true,
          "up_mbps": 500,
          "down_mbps": 100
        }
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "wireguard",
      "tag": "warp-free",
      "local_address": [
        "172.16.0.2/32",
        "2606:4700:110:8faa:5c53:83a:bb8f:e896/128"
      ],
      "private_key": "sJEwDIni4gto4k4MnlrmC+T+1DNz6gXQzM622BvNaWA=",
      "server": "162.159.192.1",
      "server_port": 2408,
      "peer_public_key": "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=",
      "reserved": [
        87,
        48,
        236
      ]
    },
    {
      "type": "dns",
      "tag": "dns"
    },
    {
      "type": "block",
      "tag": "block"
    }
  ],
  "route": {
    "rule_set": [
      {
        "tag": "geosite-openai",
        "type": "remote",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-openai.srs",
        "download_detour": "direct",
        "update_interval": "1d"
      }
    ],
    "rules": [
      {
        "protocol": "dns",
        "outbound": "dns"
      },
      {
        "rule_set": "geosite-openai",
        "outbound": "warp-free"
      }
    ],
    "final": "direct",
    "auto_detect_interface": true
  }
}

AdGuardHome configuration file used:

http:
  pprof:
    port: 6060
    enabled: false
  address: 0.0.0.0:65335
  session_ttl: 720h
users:
  - name: admin
    password: $2a$10$8jDEJT7oZ2YneenVQyr2P.JYvfMGDNTcQ4y9r2sPhHgkD.EUSQcxK # password admin
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
  bind_hosts:
    - 0.0.0.0
  port: 5335
  anonymize_client_ip: false
  ratelimit: 0
  ratelimit_subnet_len_ipv4: 24
  ratelimit_subnet_len_ipv6: 56
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - tls://dns.google
    - tls://one.one.one.one
  upstream_dns_file: ""
  bootstrap_dns:
    - 8.8.8.8
    - 1.1.1.1
  fallback_dns:
    - 8.8.8.8
    - 1.1.1.1
  all_servers: true
  fastest_addr: false
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 104857600
  cache_ttl_min: 300
  cache_ttl_max: 3600
  cache_optimistic: true
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: true
  edns_client_subnet:
    custom_ip: ""
    enabled: true
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: false
  local_ptr_upstreams: []
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
  serve_plain_dns: true
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
querylog:
  ignored: []
  interval: 168h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  ignored: []
  interval: 168h
  enabled: true
filters:
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
    name: AdAway Default Blocklist
    id: 2
whitelist_filters: []
user_rules: []
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
filtering:
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_services:
    schedule:
      time_zone: UTC
    ids: []
  protection_disabled_until: null
  safe_search:
    enabled: false
    bing: true
    duckduckgo: true
    google: true
    pixabay: true
    yandex: true
    youtube: true
  blocking_mode: default
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  rewrites: []
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  filters_update_interval: 1
  blocked_response_ttl: 10
  filtering_enabled: true
  parental_enabled: false
  safebrowsing_enabled: false
  protection_enabled: true
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: false
    dhcp: true
    hosts: true
  persistent: []
log:
  file: ""
  max_backups: 0
  max_size: 100
  max_age: 3
  compress: false
  local_time: false
  verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 27

Docker Compose file used:

version: "3"

services:
  sing-box:
    image: ghcr.io/sagernet/sing-box
    container_name: sing-box
    restart: unless-stopped
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_BIND_SERVICE
    devices:
      - /dev/net/tun
    volumes:
      - ./sing-box/:/etc/sing-box/
    command: -D /etc/sing-box/ -C /etc/sing-box/ run

  adguardhome:
    image: adguard/adguardhome:latest
    container_name: adguardhome
    restart: unless-stopped
    # network_mode: host
    volumes:
      - ./adguardhome/work:/opt/adguardhome/work
      - ./adguardhome/conf:/opt/adguardhome/conf
    ports:
      - 5335:5335/udp # DNS listen port
      - 65335:65335/tcp # web UI port
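The adguardhome service runs on Docker's bridge network (`network_mode: host` is commented out), so host-side reachability of the resolver is decided by the `ports:` mappings, not by AdGuardHome's own `bind_hosts`. Docker's short port syntax publishes on every host interface unless a host IP is given, so `5335:5335/udp` makes the resolver answer on the VPS's public address as well as on loopback. The following check is an added example, not code from the issue or from either project: it parses compose short-syntax port entries and reports which ones are bound to all interfaces, using the two entries above (comments included) and a loopback-only variant for comparison.

```python
"""Report which host-published ports in a docker compose file listen on every host interface."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the two `ports:` entries of the adguardhome service in the
# issue's compose file, comments included, plus a loopback-bound form for comparison.
PORTS_FROM_ISSUE = [
    "5335:5335/udp # DNS listen port",
    "65335:65335/tcp # web UI port",
]
PORTS_LOOPBACK_ONLY = [
    "127.0.0.1:5335:5335/udp",
    "127.0.0.1:65335:65335/tcp",
]


@dataclass
class PublishedPort:
    host_ip: Optional[str]  # None: no host IP given, Docker binds all interfaces
    host_port: str
    container_port: str
    proto: str

    @property
    def on_all_interfaces(self) -> bool:
        # Docker's short syntax publishes on 0.0.0.0 unless a host IP is given;
        # an explicit 0.0.0.0 or :: means the same thing.
        if self.host_ip is None:
            return True
        return ipaddress.ip_address(self.host_ip).is_unspecified


def parse_port_mapping(entry: str) -> PublishedPort:
    """Parse compose short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]."""
    spec = entry.split("#", 1)[0].strip()  # drop a trailing YAML comment
    spec, _, proto = spec.partition("/")
    proto = proto or "tcp"
    host_ip: Optional[str] = None
    if spec.startswith("["):  # bracketed IPv6 host address, e.g. [::1]:5335:5335
        end = spec.index("]")
        host_ip, spec = spec[1:end], spec[end + 2:]
        parts = spec.split(":")
    else:
        parts = spec.split(":")
        if len(parts) == 3:
            host_ip, parts = parts[0], parts[1:]
    if len(parts) == 1:
        host_port = container_port = parts[0]
    elif len(parts) == 2:
        host_port, container_port = parts
    else:
        raise ValueError(f"unrecognised port mapping: {entry!r}")
    return PublishedPort(host_ip, host_port, container_port, proto)


def all_interface_ports(entries: List[str]) -> List[PublishedPort]:
    """Return the mappings reachable on every host interface, public ones included."""
    return [m for m in map(parse_port_mapping, entries) if m.on_all_interfaces]


if __name__ == "__main__":
    for label, entries in (("issue", PORTS_FROM_ISSUE), ("loopback-only", PORTS_LOOPBACK_ONLY)):
        exposed = all_interface_ports(entries)
        print(f"{label}: {len(exposed)} port(s) published on all interfaces")
        for m in exposed:
            print(f"  {m.host_port}/{m.proto} -> container {m.container_port}")
```

With the loopback-only form, `dig @127.0.0.1 -p 5335` from the host still works exactly as shown in the report, while the same query from another machine against the VPS address no longer reaches AdGuardHome, which is the usual expectation for a resolver that only sing-box on the same host is meant to use.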

Start docker compose and view the sing-box log; you will see

root@server:~# docker compose logs -f sing-box
sing-box  | INFO[0000] router: updated default interface eth0, index 2
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: uapi: updating private key
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - uapi: created
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - uapi: updating endpoint
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - uapi: adding allowedip
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - uapi: adding allowedip
sing-box  | DEBUG[0000] router: updating rule-set geosite-openai from URL: https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-openai.srs
sing-box  | INFO[0000] outbound/direct[direct]: outbound connection to raw.githubusercontent.com:443
sing-box  | DEBUG[0000] dns: lookup domain raw.githubusercontent.com
sing-box  | INFO[0000] outbound/direct[direct]: outbound packet connection to 107.175.254.219:5335
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: routine: encryption worker 1 - started
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: routine: decryption worker 1 - started
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: routine: handshake worker 1 - started
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: routine: tun reader - started
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: routine: event worker - started
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: interface up requested
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: udp bind has been updated
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - starting
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: interface state was Down, requested Up, now Up
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - routine: sequential receiver - started
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: routine: receive incoming receive - started
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - routine: sequential sender - started
sing-box  | WARN[0010] router: initialize rule-set take too much time to finish!
sing-box  | DEBUG[0010] dns: lookup failed for raw.githubusercontent.com: exchange6: context canceled | exchange4: context canceled | upstream: context deadline exceeded
sing-box  | DEBUG[0010] outbound/wireguard[warp-free]: device closing
sing-box  | DEBUG[0010] outbound/wireguard[warp-free]: routine: receive incoming receive - stopped
sing-box  | DEBUG[0010] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - stopping
sing-box  | DEBUG[0010] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - routine: sequential sender - stopped
sing-box  | DEBUG[0010] outbound/wireguard[warp-free]: routine: tun reader - stopped
sing-box  | DEBUG[0010] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - routine: sequential receiver - stopped
sing-box  | DEBUG[0010] outbound/wireguard[warp-free]: device closed
sing-box  | FATAL[0010] start service: initialize rule-set[0]: initial rule-set: geosite-openai: Get "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-openai.srs": exchange6: context canceled | exchange4: context canceled | upstream: context deadline exceeded
sing-box exited with code 1

Yet at that moment port 5335 is listening normally and returns correct DNS results

root@server:~# dig @127.0.0.1 -p 5335 raw.githubusercontent.com
; <<>> DiG 9.18.12-1-Debian <<>> @127.0.0.1 -p 5335 raw.githubusercontent.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53269
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;raw.githubusercontent.com.     IN      A

;; ANSWER SECTION:
raw.githubusercontent.com. 1636 IN      A       185.199.108.133
raw.githubusercontent.com. 1636 IN      A       185.199.109.133
raw.githubusercontent.com. 1636 IN      A       185.199.110.133
raw.githubusercontent.com. 1636 IN      A       185.199.111.133

;; Query time: 120 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Wed Jan 31 22:59:04 EST 2024
;; MSG SIZE  rcvd: 118
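The detail worth pulling out of the debug log above is the destination of the DNS query: the config names `udp://127.0.0.1:5335`, yet the `direct` outbound logs `outbound packet connection to 107.175.254.219:5335`, a non-loopback address, and the lookup then times out while `dig @127.0.0.1 -p 5335` on the host succeeds. The script below is an added diagnostic, not code from the issue or from sing-box: it reads the debug lines, pairs each `dns: lookup domain` with the `outbound packet connection` that follows it and with any `lookup failed` line, and compares the dialed endpoint with the configured server address. Pairing by recency is an assumption of the script; the sample lines are copied from the log in this issue with the container prefix removed, and the "healthy" sample is constructed to match the reporter's statement that a public resolver works.

```python
"""Pair sing-box DNS lookups with the upstream endpoint they were actually sent to."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Sample lines copied from the debug log in this issue (container prefix removed).
SAMPLE_LOG = """\
INFO[0000] router: updated default interface eth0, index 2
INFO[0000] outbound/direct[direct]: outbound connection to raw.githubusercontent.com:443
DEBUG[0000] dns: lookup domain raw.githubusercontent.com
INFO[0000] outbound/direct[direct]: outbound packet connection to 107.175.254.219:5335
WARN[0010] router: initialize rule-set take too much time to finish!
DEBUG[0010] dns: lookup failed for raw.githubusercontent.com: exchange6: context canceled | exchange4: context canceled | upstream: context deadline exceeded
"""
# DNS server address from the sing-box config in this issue.
CONFIGURED_DNS = "udp://127.0.0.1:5335"

# Constructed (not from the issue): the same two lines as they would read with a
# public resolver configured, the case the reporter says works.
HEALTHY_LOG = """\
DEBUG[0000] dns: lookup domain raw.githubusercontent.com
INFO[0000] outbound/direct[direct]: outbound packet connection to 8.8.8.8:53
"""

LINE_RE = re.compile(r"^(?P<level>[A-Z]+)\[(?P<t>\d+)\]\s+(?P<msg>.*)$")
LOOKUP_RE = re.compile(r"^dns: lookup domain (?P<domain>\S+)$")
PACKET_RE = re.compile(r"^outbound/(?P<outbound>\S+): outbound packet connection to (?P<host>.+):(?P<port>\d+)$")
FAILED_RE = re.compile(r"^dns: lookup failed for (?P<domain>\S+): (?P<reason>.*)$")

Endpoint = Tuple[str, int]


@dataclass
class DnsLookup:
    domain: str
    dialed: Optional[Endpoint] = None  # where the query packet actually went
    outbound: Optional[str] = None
    failure: Optional[str] = None


def parse_log(text: str) -> List[DnsLookup]:
    lookups: List[DnsLookup] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if lk := LOOKUP_RE.match(msg):
            lookups.append(DnsLookup(lk.group("domain")))
        elif pk := PACKET_RE.match(msg):
            # Assumption: a packet connection opened right after a lookup belongs to
            # the most recent lookup that has no destination recorded yet.
            for lookup in reversed(lookups):
                if lookup.dialed is None:
                    lookup.dialed = (pk.group("host"), int(pk.group("port")))
                    lookup.outbound = pk.group("outbound")
                    break
        elif fl := FAILED_RE.match(msg):
            for lookup in reversed(lookups):
                if lookup.domain == fl.group("domain") and lookup.failure is None:
                    lookup.failure = fl.group("reason")
                    break
    return lookups


def configured_endpoint(address: str) -> Endpoint:
    """Host and port of a sing-box DNS server address such as udp://127.0.0.1:5335."""
    url = urlsplit(address)
    if url.hostname is None or url.port is None:
        raise ValueError(f"need scheme://host:port, got {address!r}")
    return (url.hostname, url.port)


def diagnose(lookups: List[DnsLookup], configured: str) -> List[Tuple[str, Endpoint, Endpoint]]:
    """(domain, configured, dialed) for every lookup sent somewhere other than the configured server."""
    expected = configured_endpoint(configured)
    return [(lk.domain, expected, lk.dialed) for lk in lookups
            if lk.dialed is not None and lk.dialed != expected]


def loopback_bypassed(expected: Endpoint, dialed: Endpoint) -> bool:
    """True when the config names a loopback resolver but the query packet left the host."""
    try:
        return (ipaddress.ip_address(expected[0]).is_loopback
                and not ipaddress.ip_address(dialed[0]).is_loopback)
    except ValueError:  # hostnames rather than IP literals
        return False


if __name__ == "__main__":
    lookups = parse_log(SAMPLE_LOG)
    for domain, expected, dialed in diagnose(lookups, CONFIGURED_DNS):
        note = " (loopback resolver bypassed)" if loopback_bypassed(expected, dialed) else ""
        print(f"{domain}: configured {expected[0]}:{expected[1]}, sent to {dialed[0]}:{dialed[1]}{note}")
    for lk in lookups:
        if lk.failure:
            print(f"{lk.domain}: failed: {lk.failure}")
```

Run against the issue's log it reports one lookup whose packet went to 107.175.254.219:5335 instead of the configured 127.0.0.1:5335 and then failed with `context deadline exceeded`; run against the constructed public-resolver lines it reports nothing. That is the comparison to make when deciding whether a DNS failure like this one is the resolver's fault (the `dig` output says it is not) or a question of where the proxy's outbound actually sends the query.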

Log

root@server:~# docker compose logs -f sing-box
sing-box  | INFO[0000] router: updated default interface eth0, index 2
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: uapi: updating private key
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - uapi: created
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - uapi: updating endpoint
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - uapi: adding allowedip
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - uapi: adding allowedip
sing-box  | DEBUG[0000] router: updating rule-set geosite-openai from URL: https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-openai.srs
sing-box  | INFO[0000] outbound/direct[direct]: outbound connection to raw.githubusercontent.com:443
sing-box  | DEBUG[0000] dns: lookup domain raw.githubusercontent.com
sing-box  | INFO[0000] outbound/direct[direct]: outbound packet connection to 107.175.254.219:5335
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: routine: encryption worker 1 - started
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: routine: decryption worker 1 - started
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: routine: handshake worker 1 - started
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: routine: tun reader - started
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: routine: event worker - started
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: interface up requested
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: udp bind has been updated
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - starting
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: interface state was Down, requested Up, now Up
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - routine: sequential receiver - started
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: routine: receive incoming receive - started
sing-box  | DEBUG[0000] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - routine: sequential sender - started
sing-box  | WARN[0010] router: initialize rule-set take too much time to finish!
sing-box  | DEBUG[0010] dns: lookup failed for raw.githubusercontent.com: exchange6: context canceled | exchange4: context canceled | upstream: context deadline exceeded
sing-box  | DEBUG[0010] outbound/wireguard[warp-free]: device closing
sing-box  | DEBUG[0010] outbound/wireguard[warp-free]: routine: receive incoming receive - stopped
sing-box  | DEBUG[0010] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - stopping
sing-box  | DEBUG[0010] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - routine: sequential sender - stopped
sing-box  | DEBUG[0010] outbound/wireguard[warp-free]: routine: tun reader - stopped
sing-box  | DEBUG[0010] outbound/wireguard[warp-free]: peer(bmXO…fgyo) - routine: sequential receiver - stopped
sing-box  | DEBUG[0010] outbound/wireguard[warp-free]: device closed
sing-box  | FATAL[0010] start service: initialize rule-set[0]: initial rule-set: geosite-openai: Get "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-openai.srs": exchange6: context canceled | exchange4: context canceled | upstream: context deadline exceeded
sing-box exited with code 1

Completeness requirements

jklolixxs commented 9 months ago
sing-box version 1.8.4-17aebc5

Environment: go1.21.6 linux/amd64
Tags: with_quic,with_grpc,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api,with_v2ray_api,with_gvisor
Revision: 17aebc56c1b72696aa379a4806a6b73eb4fa3f85
CGO: disabled

I saw that new commits were pushed, built a version myself and ran a test; the problem was not resolved. I also saw the issue was labelled "no locally reproducible process provided", so I am uploading all of my files

https://github.com/jklolixxs/test

On Debian 12, download and run to reproduce. I reproduced it successfully on Debian 12 systems from 5 VPS providers, including provider-supplied Debian 12 and Debian 12 I installed myself via DD.

@nekohasekai