SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

macOS: with sing-box in TUN mode, domains whose DNS is poisoned to 0.0.0.0 cannot be accessed #1791

Closed scplay closed 4 months ago

scplay commented 4 months ago

Operating system

macOS

System version

13.6.6 (22G630), M2 chip

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

1.8.14

Version

sing-box version 1.8.14

Environment: go1.22.3 darwin/arm64
Tags: with_gvisor,with_quic,with_wireguard,with_utls,with_reality_server,with_clash_api
CGO: enabled

Description

On macOS, when a site's DNS is poisoned by the system resolver to 0.0.0.0 (for example the domain raw.githubusercontent.com), a TUN inbound cannot correctly hijack the DNS request, and the site with the poisoned domain cannot be reached through the outbound.

The DNS server that China Unicom pushes directly to the router returns the following address for the query

nslookup raw.githubusercontent.com 192.168.1.1
Server:     192.168.1.1
Address:    192.168.1.1#53

Name:   raw.githubusercontent.com
Address: 0.0.0.0
  1. On the same system, using a mixed inbound as the port proxy works normally; in TUN mode the site cannot be accessed
  2. With the Windows/iOS sing-box clients on the same network, with the same config.json, the site whose DNS is poisoned to 0.0.0.0 can be reached through the proxy
  3. Strangely, when the rule-sets in the config file are downloaded via raw.githubusercontent.com they download fine, yet the browser or curl cannot open that URL

Manually switching macOS to another public DNS (e.g. 114 / Ali) fixes the problem, and enabling DoH in the browser also works around it, but the whole point of TUN mode is a system-level proxy; when DoH/DoT cannot be set, this problem is very troublesome

Reproduction

The configuration file is as follows

{
  "log": {
    "timestamp": true
  },
  "dns": {
    "disable_cache": true,
    "independent_cache": true,
    "final": "google",
    "fakeip": {
      "enabled": true,
      "inet4_range": "198.18.0.0/15"
    },
    "servers": [
      {
        "tag": "google",
        "address": "udp://8.8.4.4",
        "detour": "proxy"
      },
      {
        "tag": "local",
        "address": "223.5.5.5",
        "detour": "direct"
      },
      {
        "tag": "dns_alidns",
        "address": "h3://223.5.5.5/dns-query",
        "detour": "direct"
      },
      {
        "tag": "dns_dnspod",
        "address": "https://1.12.12.12/dns-query",
        "detour": "direct"
      },
      {
        "tag": "fakeip",
        "address": "fakeip",
        "detour": "proxy"
      },
      { "tag": "block", "address": "rcode://refused" }
    ],
    "rules": [
      {
        "outbound": "any",
        "rewrite_ttl": 1,
        "server": "fakeip"
      },
      {
        "domain_suffix": ["githubusercontent.com"],
        "server": "fakeip"
      },
      { "rule_set": ["AdGuardSDNSFilter"], "server": "block" },
      {
        "type": "logical",
        "mode": "or",
        "rules": [
          {
            "rule_set": ["geoip-cn", "geosite-cn"]
          },
          {
            "domain_suffix": [".cn"]
          }
        ],
        "server": "google"
      }
    ],
    "strategy": "ipv4_only"
  },
  "inbounds": [
    {
      "type": "tun",
      "inet4_address": "172.19.0.1/30",
      "sniff": true,
      "auto_route": true,
      "strict_route": false,
      "sniff_override_destination": true
    },
    {
      "listen": "0.0.0.0",
      "listen_port": 1082,
      "sniff": true,
      "tag": "mixed-in",
      "type": "mixed"
    }
  ],
  "outbounds": [
    {
      "server": "<secret>",
      "server_port": 5353,

      "type": "hysteria2",
      "tag": "hy2-gia",

      "up_mbps": 100,
      "down_mbps": 100,
      "password": "<secret>",
      "tls": {
        "enabled": true,
        "server_name": "<secret>"
      }
    },
    {
      "server": "<secret>",
      "server_port": 443,

      "type": "hysteria2",
      "tag": "hy2-dc9",

      "up_mbps": 100,
      "down_mbps": 100,
      "password": "<secret>",
      "tls": {
        "enabled": true,
        "server_name": "<secret>"
      }
    },
    {
      "server": "<secret>",
      "server_port": 443,

      "type": "hysteria2",
      "tag": "hy2-cn2",

      "up_mbps": 100,
      "down_mbps": 100,
      "password": "<secret>",
      "tls": {
        "enabled": true,
        "server_name": "<secret>"
      }
    },
    {
      "server": "<secret>",
      "server_port": 5355,
      "type": "vless",
      "tls": {},
      "uuid": "<secret>",
      "tag": "vls-gia"
    },
    {
      "tag": "proxy",
      "type": "selector",
      "default": "hy2-gia",
      "outbounds": [
        "auto",
        "hy2-gia",
        "hy2-dc9",
        "hy2-cn2",
        "vls-gia",
        "direct",
        "block"
      ]
    },
    {
      "tag": "auto",
      "type": "urltest",
      "url": "https://www.gstatic.com/generate_204",
      "interval": "5m",
      "tolerance": 50,
      "interrupt_exist_connections": false,
      "outbounds": ["hy2-gia", "hy2-dc9", "hy2-cn2", "vls-gia"]
    },
    {
      "tag": "GLOBAL",
      "type": "selector",
      "default": "hy2-gia",
      "outbounds": [
        "hy2-gia",
        "hy2-dc9",
        "hy2-cn2",
        "vls-gia",
        "direct",
        "block"
      ]
    },
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "block",
      "tag": "block"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    }
  ],
  "route": {
    "rules": [
      {
        "protocol": "dns",
        "outbound": "dns-out"
      },
      {
        "type": "logical",
        "mode": "or",
        "rules": [
          {
            "rule_set": ["geoip-cn", "geosite-cn"]
          },
          {
            "ip_is_private": true
          },
          {
            "domain_suffix": [".cn"]
          }
        ],
        "outbound": "direct"
      },
      {
        "domain_keyword": ["git"],
        "outbound": "proxy"
      },
      {
        "type": "logical",
        "mode": "or",
        "rules": [
          {
            "port": 853,
            "network": "tcp"
          },
          {
            "port": [443, 853],
            "network": "udp"
          },
          {
            "rule_set": ["AdGuardSDNSFilter"]
          }
        ],
        "outbound": "block"
      },
      {
        "clash_mode": "rule",
        "outbound": "proxy"
      },
      {
        "clash_mode": "GLOBAL",
        "outbound": "GLOBAL"
      },
      {
        "clash_mode": "direct",
        "outbound": "direct"
      }
    ],
    "rule_set": [
      {
        "format": "binary",
        "tag": "geoip-cn",
        "type": "remote",
        "download_detour": "proxy",
        "url": "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs"
      },
      {
        "format": "binary",
        "tag": "geosite-cn",
        "type": "remote",
        "download_detour": "proxy",
        "url": "https://raw.githubusercontent.com/xmdhs/sing-geosite/rule-set-Loyalsoldier/geosite-geolocation-cn.srs"
      },
      {
        "format": "binary",
        "tag": "AdGuardSDNSFilter",
        "type": "remote",
        "download_detour": "proxy",
        "url": "https://raw.githubusercontent.com/xmdhs/sing-box-ruleset/rule-set/AdGuardSDNSFilter.srs"
      },
      {
        "format": "source",
        "tag": "chrome-doh",
        "type": "remote",
        "download_detour": "proxy",
        "url": "https://gist.githubusercontent.com/xmdhs/71fc5ff6ef29f5ecaf2c52b8de5c3172/raw/chrome-doh.json"
      }
    ],
    "final": "vls-gia",
    "auto_detect_interface": true
  },
  "experimental": {
    "clash_api": {
      "external_controller": "0.0.0.0:9090",
      "external_ui": "",
      "secret": "",
      "external_ui_download_url": "https://mirror.ghproxy.com/https://github.com/MetaCubeX/Yacd-meta/archive/gh-pages.zip",
      "external_ui_download_detour": "direct",
      "default_mode": "rule"
    }
  }
}

Logs

On macOS, when a site's DNS is poisoned to 0.0.0.0, opening the poisoned site in TUN mode produces no log output at all, yet the rule-sets download normally

sudo sing-box run -c config.mac.fakeip.clash_ui.json
+0800 2024-05-26 11:57:43 INFO router: updated default interface en9, index 7
+0800 2024-05-26 11:57:43 DEBUG router: updating rule-set chrome-doh from URL: https://gist.githubusercontent.com/xmdhs/71fc5ff6ef29f5ecaf2c52b8de5c3172/raw/chrome-doh.json
+0800 2024-05-26 11:57:43 DEBUG router: updating rule-set geoip-cn from URL: https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs
+0800 2024-05-26 11:57:43 INFO outbound/hysteria2[hy2-gia]: outbound connection to gist.githubusercontent.com:443
+0800 2024-05-26 11:57:43 DEBUG router: updating rule-set AdGuardSDNSFilter from URL: https://raw.githubusercontent.com/xmdhs/sing-box-ruleset/rule-set/AdGuardSDNSFilter.srs
+0800 2024-05-26 11:57:43 INFO outbound/hysteria2[hy2-gia]: outbound connection to raw.githubusercontent.com:443
+0800 2024-05-26 11:57:43 INFO outbound/hysteria2[hy2-gia]: outbound connection to raw.githubusercontent.com:443
+0800 2024-05-26 11:57:43 DEBUG router: updating rule-set geosite-cn from URL: https://raw.githubusercontent.com/xmdhs/sing-geosite/rule-set-Loyalsoldier/geosite-geolocation-cn.srs
+0800 2024-05-26 11:57:43 INFO outbound/hysteria2[hy2-gia]: outbound connection to raw.githubusercontent.com:443
+0800 2024-05-26 11:57:44 INFO router: updated rule-set chrome-doh
+0800 2024-05-26 11:57:44 INFO router: updated rule-set geosite-cn
+0800 2024-05-26 11:57:44 INFO router: updated rule-set geoip-cn
+0800 2024-05-26 11:57:44 INFO router: updated rule-set AdGuardSDNSFilter
+0800 2024-05-26 11:57:44 INFO clash-api: restful api listening at [::]:9090

With the mixed port proxy, access works normally; the log is as follows

+0800 2024-05-26 12:06:17 INFO [2842266992 0ms] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:54362
+0800 2024-05-26 12:06:17 INFO [2842266992 1ms] inbound/mixed[mixed-in]: inbound connection to raw.githubusercontent.com:80
+0800 2024-05-26 12:06:17 DEBUG [2842266992 1ms] router: sniffed protocol: http, domain: raw.githubusercontent.com
+0800 2024-05-26 12:06:17 DEBUG [2842266992 1ms] router: match[2] domain_keyword=git => proxy
+0800 2024-05-26 12:06:17 INFO [2842266992 2ms] outbound/hysteria2[hy2-gia]: outbound connection to raw.githubusercontent.com:80
+0800 2024-05-26 12:06:17 INFO [79787410 0ms] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:54364
+0800 2024-05-26 12:06:17 INFO [79787410 0ms] inbound/mixed[mixed-in]: inbound connection to raw.githubusercontent.com:443
+0800 2024-05-26 12:06:17 DEBUG [79787410 1ms] router: sniffed protocol: tls, domain: raw.githubusercontent.com
+0800 2024-05-26 12:06:17 DEBUG [79787410 1ms] router: match[2] domain_keyword=git => proxy
+0800 2024-05-26 12:06:17 INFO [79787410 1ms] outbound/hysteria2[hy2-gia]: outbound connection to raw.githubusercontent.com:443
+0800 2024-05-26 12:06:17 INFO [1339437910 0ms] inbound/tun[0]: inbound connection from 172.19.0.1:54365
+0800 2024-05-26 12:06:17 INFO [1339437910 0ms] inbound/tun[0]: inbound connection to 223.5.5.5:853
+0800 2024-05-26 12:06:17 DEBUG [1339437910 1ms] router: sniffed protocol: tls, domain: dns.alidns.com
+0800 2024-05-26 12:06:17 DEBUG [1339437910 1ms] router: match[1] rule_set=[geoip-cn geosite-cn] || ip_is_private=true || domain_suffix=.cn => direct
+0800 2024-05-26 12:06:17 INFO [1339437910 1ms] outbound/direct[direct]: outbound connection to dns.alidns.com:853
+0800 2024-05-26 12:06:17 DEBUG [1339437910 1ms] dns: lookup domain dns.alidns.com
+0800 2024-05-26 12:06:17 DEBUG [1339437910 1ms] dns: match[3] rule_set=[geoip-cn geosite-cn] || domain_suffix=.cn => google
+0800 2024-05-26 12:06:18 INFO [3838349070 0ms] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:54367
+0800 2024-05-26 12:06:18 INFO [3838349070 0ms] inbound/mixed[mixed-in]: inbound connection to github.com:443
+0800 2024-05-26 12:06:18 DEBUG [3838349070 1ms] router: sniffed protocol: tls, domain: github.com
+0800 2024-05-26 12:06:18 DEBUG [3838349070 1ms] router: match[2] domain_keyword=git => proxy
+0800 2024-05-26 12:06:18 INFO [3838349070 1ms] outbound/hysteria2[hy2-gia]: outbound connection to github.com:443
+0800 2024-05-26 12:06:18 DEBUG [1339437910 162ms] dns: exchanged dns.alidns.com NOERROR 3556
+0800 2024-05-26 12:06:18 DEBUG [1339437910 162ms] dns: exchanged dns.alidns.com A dns.alidns.com. 3556 IN A 223.5.5.5
+0800 2024-05-26 12:06:18 DEBUG [1339437910 162ms] dns: exchanged dns.alidns.com A dns.alidns.com. 3556 IN A 223.6.6.6
+0800 2024-05-26 12:06:18 DEBUG [1339437910 162ms] dns: lookup succeed for dns.alidns.com: 223.5.5.5 223.6.6.6
+0800 2024-05-26 12:06:18 INFO [7743462 0ms] inbound/tun[0]: inbound connection from 172.19.0.1:54369
+0800 2024-05-26 12:06:18 INFO [7743462 0ms] inbound/tun[0]: inbound connection to 13.107.246.73:443


### Supporter

- [ ] I am a [sponsor](https://github.com/sponsors/nekohasekai/)

### Integrity requirements

- [X] I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
- [X] I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
- [X] I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
- [X] I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.
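The nslookup output in the report (0.0.0.0 for raw.githubusercontent.com) is the kind of sinkhole answer a client can recognise before it ever tries to connect, and the fake-ip answers a proxy hands out are a second class of address that only makes sense while the proxy is in the path. The following is an added example in Go (the language sing-box is written in), not code from the sing-box project or from the issue author: a minimal DNS response parser that classifies each A record as a sinkhole answer (0.0.0.0, loopback, link-local, multicast), a fake-ip placeholder, or a normal address. It assumes the fake-ip range is the 198.18.0.0/15 from the config above, and the sample response is constructed inline to mirror the nslookup output; nothing is captured from the network.

```go
package main

import (
	"encoding/binary"
	"io"
	"net/netip"
	"strings"
)

// Verdict classifies an A-record answer; higher values are worse.
type Verdict int

const (
	VerdictNormal   Verdict = iota // routable unicast address
	VerdictFakeIP                  // inside the proxy's fake-ip range, not a real host
	VerdictPoisoned                // 0.0.0.0, loopback, link-local, multicast: a sinkhole answer
)

func (v Verdict) String() string { return [...]string{"normal", "fakeip", "poisoned"}[v] }

// fakeIPRange is assumed to equal the "inet4_range" in the issue's config.
var fakeIPRange = netip.MustParsePrefix("198.18.0.0/15")

// Classify flags addresses that can never carry traffic (the ISP's 0.0.0.0) and fake-ip placeholders.
func Classify(addr netip.Addr) Verdict {
	switch addr = addr.Unmap(); {
	case addr.IsUnspecified(), addr.IsLoopback(), addr.IsLinkLocalUnicast(), addr.IsMulticast():
		return VerdictPoisoned
	case fakeIPRange.Contains(addr):
		return VerdictFakeIP
	}
	return VerdictNormal
}

// readName decodes a possibly compressed name at off and returns the offset just
// past it in the original stream (following a pointer does not advance that offset).
func readName(msg []byte, off int) (string, int, error) {
	var b strings.Builder
	next := -1
	mark := func(n int) { // remember the stream position only the first time
		if next < 0 {
			next = n
		}
	}
	for hops := 0; hops < 128 && off < len(msg); hops++ { // hop cap defeats pointer loops
		l := int(msg[off])
		switch {
		case l == 0:
			mark(off + 1)
			return b.String(), next, nil
		case l&0xC0 == 0xC0 && off+1 < len(msg): // compression pointer
			mark(off + 2)
			off = int(binary.BigEndian.Uint16(msg[off:]) & 0x3FFF)
		case off+1+l <= len(msg): // plain label
			b.Write(msg[off+1 : off+1+l])
			b.WriteByte('.')
			off += 1 + l
		default:
			return "", 0, io.ErrUnexpectedEOF
		}
	}
	return "", 0, io.ErrUnexpectedEOF
}

// Audit walks a DNS response and returns the worst verdict per answered name; non-A records are skipped.
func Audit(msg []byte) (map[string]Verdict, error) {
	if len(msg) < 12 {
		return nil, io.ErrUnexpectedEOF
	}
	qd, an, off := int(binary.BigEndian.Uint16(msg[4:])), int(binary.BigEndian.Uint16(msg[6:])), 12
	for i := 0; i < qd; i++ { // skip question section: name, QTYPE, QCLASS
		_, n, err := readName(msg, off)
		if err != nil {
			return nil, err
		}
		off = n + 4
	}
	verdicts := make(map[string]Verdict)
	for i := 0; i < an; i++ {
		name, n, err := readName(msg, off)
		if err != nil || n+10 > len(msg) { // TYPE, CLASS, TTL, RDLENGTH must follow the name
			return nil, io.ErrUnexpectedEOF
		}
		typ, rdlen := binary.BigEndian.Uint16(msg[n:]), int(binary.BigEndian.Uint16(msg[n+8:]))
		if off = n + 10 + rdlen; off > len(msg) {
			return nil, io.ErrUnexpectedEOF
		}
		if typ == 1 && rdlen == 4 { // judge A records only
			a, _ := netip.AddrFromSlice(msg[n+10 : off])
			if v, prev := Classify(a), verdicts[name]; v > prev || prev == VerdictNormal {
				verdicts[name] = v
			}
		}
	}
	return verdicts, nil
}

// sampleISPResponse is a constructed reply to "raw.githubusercontent.com A?" carrying the 0.0.0.0 from the nslookup above (not a captured packet).
var sampleISPResponse = []byte{
	0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0, // header: id, flags QR|RD|RA, qdcount=1, ancount=1
	3, 'r', 'a', 'w', 17, 'g', 'i', 't', 'h', 'u', 'b', 'u', 's', 'e', 'r', 'c', 'o', 'n', 't', 'e', 'n', 't',
	3, 'c', 'o', 'm', 0, 0, 1, 0, 1, // rest of question name, QTYPE A, QCLASS IN
	0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0, 60, 0, 4, 0, 0, 0, 0, // answer: pointer to name, A, IN, TTL 60, RDLENGTH 4, 0.0.0.0
}
```

Audit(sampleISPResponse) reports raw.githubusercontent.com. as poisoned. In a real check the bytes would come straight from the UDP socket the stub resolver replied on; the parser follows name compression pointers with a hop cap, so a looping or truncated reply is rejected rather than looping or panicking. Keeping fake-ip answers as a separate verdict matters because such an address is only reachable while the proxy is in the path: if it leaks into a direct connection it fails just as surely as 0.0.0.0 does.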