服务器入站设置了 "domain_strategy" 后，路由匹配异常

[b11p]

Operating system

Linux

System version

6.8.10-200.fc39.x86_64

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

sing-box version 1.9.3

Environment: go1.22.4 linux/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api
Revision: 085f60337799afc906069b540a38368968c123e4
CGO: disabled

Description

两个bug：

1. 路由规则匹配完，连接端口莫名其妙变成 53
2. 0.0.0.0/0 匹配到 ipv6 地址

Reproduction

使用以下配置，然后访问对应域名即可复现。 测试地址: https://v4.ip.zxinc.org/info.php?type=json https://v6.ip.zxinc.org/info.php?type=json

若删去入站的 "domain_strategy": "prefer_ipv6",，则不会触发 bug，但无法按照目标地址进行路由匹配。

完整配置

入站shadowsocks和出站wireguard密码已删去。

{
    "dns": {
        "independent_cache": true,
        "rules": [
            {
                "server": "dns-local",
                "domain": "engage.cloudflareclient.com"
            },
            {
                "invert": true,
                "server": "dns-local",
                "rule_set": [
                    "geosite-cn",
                    "geoip-cn"
                ]
            },
            {
                "server": "dns-local",
                "ip_cidr": [
                    "0.0.0.0/0"
                ]
            },
            {
                "server": "dns-cf",
                "ip_cidr": [
                    "::/0"
                ]
            }
        ],
        "servers": [
            {
                "address": "local",
                "detour": "direct",
                "tag": "dns-direct",
                "strategy": "prefer_ipv4"
            },
            {
                "address": "local",
                "detour": "direct",
                "tag": "dns-local",
                "strategy": "prefer_ipv4"
            },
            {
                "address": "1.1.1.1",
                "detour": "wireguard-out",
                "tag": "dns-cf",
                "strategy": "prefer_ipv6"
            }
        ]
    },
    "inbounds": [
        {
            "listen": "::",
            "listen_port": 1,
            "udp_timeout": "5m",
            "domain_strategy": "prefer_ipv6",
            "type": "shadowsocks",
            "tag": "ss-in",
            "method": "2022-blake3-aes-256-gcm",
            "password": "",
            "multiplex": {
                "enabled": true,
                "padding": false
            }
        }
    ],
    "log": {
        "level": "debug"
    },
    "outbounds": [
        {
            "tag": "direct",
            "type": "direct"
        },
        {
            "tag": "block",
            "type": "block"
        },
        {
            "type": "wireguard",
            "tag": "wireguard-out",
            "server": "",
            "server_port": 2408,
            "local_address": [
                ".2/32",
                ":ca5/128"
            ],
            "private_key": "",
            "peer_public_key": "",
            "reserved": "",
            "mtu": 1280
        }
    ],
    "route": {
        "auto_detect_interface": true,
        "rule_set": [
            {
                "format": "binary",
                "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-cn.srs",
                "download_detour": "direct",
                "tag": "geosite-cn",
                "type": "remote"
            },
            {
                "format": "binary",
                "url": "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs",
                "download_detour": "direct",
                "tag": "geoip-cn",
                "type": "remote"
            }
        ],
        "rules": [
            {
                "domain_suffix": [
                    "googleapis.cn"
                ],
                "outbound": "direct"
            },
            {
                "outbound": "wireguard-out",
                "rule_set": [
                    "geosite-cn"
                ]
            },
            {
                "outbound": "wireguard-out",
                "rule_set": [
                    "geoip-cn"
                ]
            },
            {
                "outbound": "block",
                "ip_is_private": true
            },
            {
                "outbound": "direct",
                "ip_cidr": [
                    "0.0.0.0/0"
                ]
            },
            {
                "outbound": "wireguard-out",
                "ip_cidr": [
                    "::/0"
                ]
            }
        ]
    }
}

我测试出来的较小的可以复现的配置

{
    "dns": {
        "independent_cache": true,
        "servers": [
            {
                "address": "local",
                "strategy": "prefer_ipv4"
            }
        ]
    },
    "inbounds": [
        {
            "listen": "::",
            "listen_port": -------------,
            "udp_timeout": "5m",
            "domain_strategy": "prefer_ipv4",
            "type": "shadowsocks",
            "tag": "ss-in",
            "method": "2022-blake3-aes-256-gcm",
            "password": "xxxxxxxxxxxxxxxxx",
            "multiplex": {
                "enabled": true,
                "padding": false
            }
        }
    ],
    "log": {
        "level": "debug"
    },
    "outbounds": [
        {
            "tag": "direct",
            "type": "direct"
        },
        {
            "tag": "block",
            "type": "block"
        }
    ],
    "route": {
        "auto_detect_interface": true,
        "rules": [
            {
                "domain_suffix": [
                    "googleapis.cn"
                ],
                "outbound": "direct"
            },
            {
                "outbound": "block",
                "ip_is_private": true
            },
            {
                "outbound": "direct",
                "ip_cidr": [
                    "0.0.0.0/0"
                ]
            },
            {
                "outbound": "block",
                "ip_cidr": [
                    "::/0"
                ]
            }
        ]
    }
}

Logs

INFO[0000] sing-box started (0.122s)
INFO[0246] [2273405480 0ms] inbound/shadowsocks[ss-in]: inbound connection from x.x.x.x:15321
INFO[0246] [2154410382 2ms] inbound/shadowsocks[ss-in]: inbound connection to v4.ip.zxinc.org:443
DEBUG[0246] [2154410382 2ms] dns: lookup domain v4.ip.zxinc.org
DEBUG[0246] [2154410382 3ms] dns: match[2] ip_cidr=0.0.0.0/0 => dns-local
INFO[0246] [2154410382 4ms] outbound/direct[direct]: outbound packet connection to 1.1.1.1:53
INFO[0246] [2154410382 4ms] outbound/direct[direct]: outbound packet connection to 1.1.1.1:53
INFO[0246] [2154410382 608ms] dns: lookup succeed for v4.ip.zxinc.org: 45.32.25.90
DEBUG[0246] [2154410382 608ms] dns: resolved [45.32.25.90]
DEBUG[0246] [2154410382 609ms] router: match[4] ip_cidr=0.0.0.0/0 => direct
INFO[0246] [2154410382 609ms] outbound/direct[direct]: outbound connection to 1.1.1.1:53
ERROR[0247] [2273405480 790ms] inbound/shadowsocks[ss-in]: process connection from x.x.x.x:15321: shadowsocks: serve TCP from x.x.x.x:15321: dial tcp 45.32.25.90:53: connect: connection refused
INFO[0655] [851769475 0ms] inbound/shadowsocks[ss-in]: inbound connection from x.x.x.x:15077
INFO[0655] [3058879823 1ms] inbound/shadowsocks[ss-in]: inbound connection to v6.ip.zxinc.org:443
DEBUG[0655] [3058879823 1ms] dns: lookup domain v6.ip.zxinc.org
DEBUG[0655] [3058879823 2ms] dns: match[2] ip_cidr=0.0.0.0/0 => dns-local
INFO[0655] [3058879823 3ms] outbound/direct[direct]: outbound packet connection to 1.1.1.1:53
INFO[0655] [3058879823 3ms] outbound/direct[direct]: outbound packet connection to 1.1.1.1:53
INFO[0656] [3058879823 441ms] dns: lookup succeed for v6.ip.zxinc.org: 2001:19f0:7002:121:5400:4ff:feb5:29ec
DEBUG[0656] [3058879823 442ms] dns: resolved [2001:19f0:7002:121:5400:4ff:feb5:29ec]
DEBUG[0656] [3058879823 442ms] router: match[4] ip_cidr=0.0.0.0/0 => direct
INFO[0656] [3058879823 442ms] outbound/direct[direct]: outbound connection to 1.1.1.1:53
ERROR[0656] [851769475 443ms] inbound/shadowsocks[ss-in]: process connection from x.x.x.x:15077: shadowsocks: serve TCP from x.x.x.x:15077: dial tcp [2001:19f0:7002:121:5400:4ff:feb5:29ec]:53: connect: network is unreachable

Supporter

• [ ] I am a sponsor

Integrity requirements

• [X] I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
• [X] I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
• [X] I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
• [X] I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.