SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

Without outbound any, the ip address of the node proxy server cannot be resolved in tun mode #1625

Closed Flashcard8009 closed 8 months ago

Flashcard8009 commented 8 months ago

Operating system

Windows

System version

Version 23H2 (OS Build 22631.3296)

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

sing-box version 1.8.10

Environment: go1.22.1 windows/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api
Revision: ed2f8b96376616d12cb65da2e5ae60a0bdb9269e
CGO: disabled

Description

Without outbound any, the IP address of the node proxy server cannot be resolved.

yaml:

```diff log: level: info timestamp: true dns: final: dns_proxy independent_cache: true strategy: prefer_ipv4 servers: - { tag: dns_proxy, address: 8.8.8.8, detour: 默认 } - { tag: dns_resolver, address: 223.5.5.5, detour: 国内 } rules: - { rule_set: [ MainlandNetwork ], server: dns_resolver } - { rule_set: [ AboardNetwork, GeoSite@category-anticensorship, GeoSite@tld-!cn, GeoSite@gfw, GeoSite@geolocation-!cn ], server: dns_proxy } - { rule_set: [ GeoSite@cn, GeoSite@tld-cn ], server: dns_resolver } + - { outbound: [ any ], server: dns_resolver } inbounds: - type: mixed tag: mixed-in listen: 0.0.0.0 listen_port: 2080 sniff: true sniff_override_destination: true domain_strategy: prefer_ipv4 route: final: 默认 auto_detect_interface: true rule_set: ... rules: ... outbounds: - { tag: 默认, type: selector, outbounds: [ ss, DIRECT ], interrupt_exist_connections: true } - { tag: 国内, outbounds: [ DIRECT, 默认 ], type: selector, interrupt_exist_connections: true } - { tag: DIRECT, type: direct } - { tag: dns-out, type: dns } - tag: ss type: shadowsocks method: chacha20-ietf-poly1305 multiplex: { enabled: true } ```
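Review bot: the added rule `- { outbound: [ any ], server: dns_resolver }` sits after the three `rule_set` rules, and DNS rules are matched in order, so a proxy server domain that also falls in one of those rule sets (for example `GeoSite@geolocation-!cn`) is sent to `dns_proxy`, whose `detour` is `默认`, before this rule is ever reached. Consider moving the `outbound: [ any ]` rule to the top of `dns.rules` so that lookups of outbound server addresses are decided first.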

json:

```diff [ { "log": { "level": "info", "timestamp": true }, "dns": { "final": "dns_proxy", "independent_cache": true, "strategy": "prefer_ipv4", "servers": [ { "tag": "dns_proxy", "address": "8.8.8.8", "detour": "默认" }, { "tag": "dns_resolver", "address": "223.5.5.5", "detour": "国内" } ], "rules": [ { "rule_set": [ "MainlandNetwork" ], "server": "dns_resolver" }, { "rule_set": [ "AboardNetwork", "GeoSite@category-anticensorship", "GeoSite@tld-!cn", "GeoSite@gfw", "GeoSite@geolocation-!cn" ], "server": "dns_proxy" }, { "rule_set": [ "GeoSite@cn", "GeoSite@tld-cn" ], "server": "dns_resolver" }, + { + "outbound": [ + "any" + ], + "server": "dns_resolver" + } ] }, "inbounds": [ { "type": "mixed", "tag": "mixed-in", "listen": "0.0.0.0", "listen_port": 2080, "sniff": true, "sniff_override_destination": true, "domain_strategy": "prefer_ipv4" } ], "route": { "final": "默认", "auto_detect_interface": true, "rule_set": "...", "rules": "..." }, "outbounds": [ { "tag": "默认", "type": "selector", "outbounds": [ "ss", "DIRECT" ], "interrupt_exist_connections": true }, { "tag": "国内", "outbounds": [ "DIRECT", "默认" ], "type": "selector", "interrupt_exist_connections": true }, { "tag": "DIRECT", "type": "direct" }, { "tag": "dns-out", "type": "dns" }, { "tag": "ss", "type": "shadowsocks", "method": "chacha20-ietf-poly1305", "multiplex": { "enabled": true } } ] } ] ```
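Review bot: `dns_resolver`, the server the added `"outbound": [ "any" ]` rule points at, has `"detour": "国内"`, and `国内` is a selector over `DIRECT` and `默认`, with `默认` in turn selecting `ss`. Whenever `国内` is switched to `默认`, the lookup of the proxy server address travels through the proxy it is trying to reach. Point the resolver used by this rule at a fixed direct outbound, e.g. `"detour": "DIRECT"`, or add a dedicated server entry for outbound address resolution.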

Reproduction

  1. Run the client:

    (base) PS C:\Program Files (x86)\v2rayN-With-Core\bin\sing_box> .\sing-box.exe run -D. -c ./tun.yml
  2. Observe the yacd panel. It can be seen that all the connections are IP addresses, including in the log printed by the console, and the domain name is not resolved.

Expected

It should be possible to implement an effect similar to proxy_nameserver in clash meta, so that the proxy server domain name is resolved by a separate DNS.

Logs

No response

dyhkwong commented 8 months ago

If the outbound server address is resolved by the outbound itself (as your default DNS goes through the outbound), it will cause a bootstrap dilemma. You should fix your own config, and what else are you expecting?

Flashcard8009 commented 8 months ago

> If the outbound server address is resolved by the outbound itself (as your default DNS goes through the outbound), it will cause a bootstrap dilemma. You should fix your own config, and what else are you expecting?

Thank you very much for your reply. Is it possible to use IP DNS only to resolve the domain name of the outbound proxy server, with the DNS resolution packet for the domain name of the proxy server directed to the local network card outbound?

Flashcard8009 commented 8 months ago

And I seem to find that if a domain name is not in dns.rules.rule_set, the DNS request is routed to outbound:any and sent to dns_resolver, resulting in DNS leakage.
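
A small linter for the bootstrap dilemma discussed in this thread, added here as an example and not taken from the issue or from sing-box: it reports which DNS server would resolve an outbound's own server address and whether that server's detour can end up on a proxy outbound. The matching semantics stated in the comments, the names `bootstrap_check` and `reachable_proxies`, the reduced `SAMPLE` config and the placeholder domain `proxy.example.net` are assumptions or constructed for illustration.

```python
# Added example, not sing-box code. Assumed semantics: DNS rules are first-match,
# and an `outbound` condition only matches lookups of an outbound's own server address.
PROXY_TYPES = {"shadowsocks", "vmess", "vless", "trojan"}  # illustrative subset

def reachable_proxies(tag, outbounds, seen=None):
    """Proxy outbounds a detour tag can land on, following selectors."""
    seen = set() if seen is None else seen
    if tag in seen:
        return set()
    seen.add(tag)
    ob = outbounds[tag]
    if ob["type"] == "selector":
        return set().union(*(reachable_proxies(t, outbounds, seen) for t in ob["outbounds"]))
    return {tag} if ob["type"] in PROXY_TYPES else set()

def rule_matches(rule, outbound_tag, domain, domain_sets):
    """All conditions present in a rule must hold (assumed AND semantics)."""
    ok = True
    if "outbound" in rule:
        ok = "any" in rule["outbound"] or outbound_tag in rule["outbound"]
    if ok and "rule_set" in rule:
        ok = any(domain in domain_sets.get(rs, ()) for rs in rule["rule_set"])
    return ok

def bootstrap_check(cfg, outbound_tag, server_domain, domain_sets):
    """Return (DNS server resolving the outbound's address, proxies its detour can reach)."""
    dns = cfg["dns"]
    tag = next((r["server"] for r in dns["rules"]
                if rule_matches(r, outbound_tag, server_domain, domain_sets)), dns["final"])
    server = next(s for s in dns["servers"] if s["tag"] == tag)
    # Assumed: a server without `detour` uses the default outbound (route.final).
    detour = server.get("detour") or cfg["route"]["final"]
    outbounds = {o["tag"]: o for o in cfg["outbounds"]}
    return tag, sorted(reachable_proxies(detour, outbounds))

SAMPLE = {  # constructed, reduced from the config in the issue
    "dns": {"final": "dns_proxy",
            "servers": [{"tag": "dns_proxy", "address": "8.8.8.8", "detour": "默认"},
                        {"tag": "dns_resolver", "address": "223.5.5.5", "detour": "国内"}],
            "rules": [{"rule_set": ["GeoSite@geolocation-!cn"], "server": "dns_proxy"},
                      {"outbound": ["any"], "server": "dns_resolver"}]},
    "route": {"final": "默认"},
    "outbounds": [{"tag": "默认", "type": "selector", "outbounds": ["ss", "DIRECT"]},
                  {"tag": "国内", "type": "selector", "outbounds": ["DIRECT", "默认"]},
                  {"tag": "DIRECT", "type": "direct"},
                  {"tag": "ss", "type": "shadowsocks"}]}

if __name__ == "__main__":
    print(bootstrap_check(SAMPLE, "ss", "proxy.example.net", {}))
```

A non-empty second element means the resolver for the proxy's own address can be routed through a proxy; the `domain_sets` argument stands in for rule-set contents, which the issue elides.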