SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

DNS cannot get through vless xtls-rprx-vision #397

Closed zakuwaki closed 1 year ago

zakuwaki commented 1 year ago

Welcome

Description of the problem

DNS cannot get through reality. udp:// and tcp:// both failed.

Version of sing-box

```console
$ sing-box version
# Paste output here
sing-box version 1.2-beta5
Environment: go1.19.6 linux/amd64
Tags: with_utls,with_reality_server,with_gvisor,with_wireguard,with_clash_api
Revision: 27aba99e6c6c1d03dff3912bd5345cddeeaae26b
CGO: disabled
```

Server and client configuration file

server

```json
{
    "inbounds": [
        {
            "type": "vless",
            "listen": "0.0.0.0",
            "listen_port": 443,
            "users": [
                {
                    "uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
                    "flow": "xtls-rprx-vision"
                }
            ],
            "tls": {
                "enabled": true,
                "server_name": "goproxy.cn",
                "reality": {
                    "enabled": true,
                    "handshake": {
                        "server": "goproxy.cn",
                        "server_port": 443
                    },
                    "private_key": "obei5cUocO4a1QcrzqLKge2AJjC2MSBXifclGi99uoQ",
                    "short_id": [
                        "141294801e782f67"
                    ],
                    "max_time_difference": "1m"
                }
            }
        }
    ]
}
```

client

```json
{
    "dns": {
        "servers": [
            {
                "address": "119.29.29.29"
            }
        ]
    },
    "inbounds": [
        {
            "type": "socks",
            "listen": "0.0.0.0",
            "listen_port": 11080,
            "sniff": true,
            "sniff_override_destination": true,
            "domain_strategy": "ipv4_only"
        }
    ],
    "outbounds": [
        {
            "type": "vless",
            "server": "127.0.0.1",
            "server_port": 443,
            "uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
            "flow": "xtls-rprx-vision",
            "packet_encoding": "xudp",
            "tls": {
                "enabled": true,
                "server_name": "goproxy.cn",
                "utls": {
                    "enabled": true,
                    "fingerprint": "chrome"
                },
                "reality": {
                    "enabled": true,
                    "public_key": "D4sZ_w2mzS2ITDoDYT5vDYjH2CUpJXgV0qYyBTSJrmI",
                    "short_id": "141294801e782f67"
                }
            }
        }
    ]
}
```

Server and client log file

server

```console
INFO[0000] inbound/vless[0]: tcp server started at 0.0.0.0:443
INFO[0000] sing-box started (0.00s)
INFO[0029] [3503580230] inbound/vless[0]: inbound connection from 127.0.0.1:55202
DEBUG[0029] [3503580230] dns: lookup domain goproxy.cn
DEBUG[0029] [3503580230] dns: lookup succeed for goproxy.cn: 122.205.109.41
ERROR[0029] [3503580230] inbound/vless[0]: process connection from 127.0.0.1:55202: flow mismatch: expected xtls-rprx-vision, but got none
INFO[0040] [1767817249] inbound/vless[0]: inbound connection from 127.0.0.1:59588
DEBUG[0040] [1767817249] dns: lookup domain goproxy.cn
DEBUG[0040] [1767817249] dns: lookup succeed for goproxy.cn: 122.205.109.41
ERROR[0040] [1767817249] inbound/vless[0]: process connection from 127.0.0.1:59588: flow mismatch: expected xtls-rprx-vision, but got none
INFO[0084] [3617776529] inbound/vless[0]: inbound connection from 127.0.0.1:41340
DEBUG[0084] [3617776529] dns: lookup domain goproxy.cn
DEBUG[0084] [3617776529] dns: lookup succeed for goproxy.cn: 122.205.109.41
ERROR[0084] [3617776529] inbound/vless[0]: process connection from 127.0.0.1:41340: flow mismatch: expected xtls-rprx-vision, but got none
```

client

```console
INFO[0000] inbound/socks[0]: tcp server started at 0.0.0.0:11080
INFO[0000] sing-box started (0.00s)
INFO[0004] [3398694606] inbound/socks[0]: inbound connection from 127.0.0.1:44954
DEBUG[0019] [3398694606] inbound/socks[0]: connection closed: process connection from 127.0.0.1:44954: EOF
INFO[0027] [1952911964] inbound/socks[0]: inbound connection from 127.0.0.1:52614
INFO[0027] [1952911964] inbound/socks[0]: inbound connection to 110.242.68.66:80
DEBUG[0027] [1952911964] router: sniffed protocol: http, domain: baidu.com
DEBUG[0027] [1952911964] dns: lookup domain baidu.com
INFO[0027] outbound/vless[0]: outbound packet connection to 119.29.29.29:53
ERROR[0037] [1952911964] dns: lookup failed for baidu.com: context deadline exceeded
DEBUG[0037] [1952911964] inbound/socks[0]: connection closed: process connection from 127.0.0.1:52614: context deadline exceeded
INFO[0039] [715043861] inbound/socks[0]: inbound connection from 127.0.0.1:59552
INFO[0039] [715043861] inbound/socks[0]: inbound connection to 110.242.68.66:80
DEBUG[0039] [715043861] router: sniffed protocol: http, domain: baidu.com
DEBUG[0039] [715043861] dns: lookup domain baidu.com
INFO[0039] outbound/vless[0]: outbound packet connection to 119.29.29.29:53
ERROR[0049] [715043861] dns: lookup failed for baidu.com: context deadline exceeded
DEBUG[0049] [715043861] inbound/socks[0]: connection closed: process connection from 127.0.0.1:59552: context deadline exceeded
INFO[0078] [393897727] inbound/socks[0]: inbound connection from 127.0.0.1:60328
INFO[0083] [393897727] inbound/socks[0]: inbound connection to 39.156.66.10:80
DEBUG[0083] [393897727] router: sniffed protocol: http, domain: baidu.com
DEBUG[0083] [393897727] dns: lookup domain baidu.com
INFO[0083] outbound/vless[0]: outbound packet connection to 119.29.29.29:53
ERROR[0093] [393897727] dns: lookup failed for baidu.com: context deadline exceeded
DEBUG[0093] [393897727] inbound/socks[0]: connection closed: process connection from 127.0.0.1:60328: context deadline exceeded
```
zakuwaki commented 1 year ago

When changing the client DNS config to

```json
"dns": {
    "servers": [
        {
            "address": "tcp://119.29.29.29"
        }
    ]
}
```

server and client log:

```console
INFO[0000] inbound/vless[0]: tcp server started at 0.0.0.0:443
INFO[0000] sing-box started (0.00s)
INFO[0003] [1799437816] inbound/vless[0]: inbound connection from 127.0.0.1:59598
DEBUG[0003] [1799437816] dns: lookup domain goproxy.cn
DEBUG[0003] [1799437816] dns: lookup succeed for goproxy.cn: 122.205.109.41
INFO[0003] [1658123783] inbound/vless[0]: [0] inbound connection to 119.29.29.29:53
INFO[0003] [1658123783] outbound/direct: outbound connection to 119.29.29.29:53
TRACE[0003] inbound/vless[0]: Xtls Unpadding new block 21 29 padding 175 0
TRACE[0004] inbound/vless[0]: XtlsPadding 29 13 0
DEBUG[0013] [1799437816] inbound/vless[0]: connection closed: process connection from 127.0.0.1:59598: upload: EOF | download: EOF
INFO[0022] [957554543] inbound/vless[0]: inbound connection from 127.0.0.1:57988
DEBUG[0022] [957554543] dns: lookup domain goproxy.cn
DEBUG[0022] [957554543] dns: lookup succeed for goproxy.cn: 122.205.109.41
INFO[0022] [1761398890] inbound/vless[0]: [0] inbound connection to 119.29.29.29:53
INFO[0022] [1761398890] outbound/direct: outbound connection to 119.29.29.29:53
TRACE[0022] inbound/vless[0]: Xtls Unpadding new block 21 29 padding 139 0
DEBUG[0022] [957554543] inbound/vless[0]: connection closed: process connection from 127.0.0.1:57988: download: EOF | upload: readfrom tcp 192.168.1.2:41134->119.29.29.29:53: read tcp4 127.0.0.1:443->127.0.0.1:57988: use of closed network connection
```

```console
INFO[0000] inbound/socks[0]: tcp server started at 0.0.0.0:11080
INFO[0000] sing-box started (0.00s)
INFO[0002] [2965646922] inbound/socks[0]: inbound connection from 127.0.0.1:52496
INFO[0002] [2965646922] inbound/socks[0]: inbound connection to 110.242.68.66:80
DEBUG[0002] [2965646922] router: sniffed protocol: http, domain: baidu.com
DEBUG[0002] [2965646922] dns: lookup domain baidu.com
INFO[0002] outbound/vless[0]: outbound connection to 119.29.29.29:53
TRACE[0002] outbound/vless[0]: XtlsPadding 29 175 0
ERROR[0012] [2965646922] dns: lookup failed for baidu.com: context deadline exceeded
DEBUG[0012] [2965646922] inbound/socks[0]: connection closed: process connection from 127.0.0.1:52496: context deadline exceeded
INFO[0021] [1918039982] inbound/socks[0]: inbound connection from 127.0.0.1:50222
INFO[0021] [1918039982] inbound/socks[0]: inbound connection to 39.156.66.10:80
DEBUG[0021] [1918039982] router: sniffed protocol: http, domain: baidu.com
DEBUG[0021] [1918039982] dns: lookup domain baidu.com
INFO[0021] outbound/vless[0]: outbound connection to 119.29.29.29:53
TRACE[0021] outbound/vless[0]: XtlsPadding 29 139 0
ERROR[0031] [1918039982] dns: lookup failed for baidu.com: context deadline exceeded
DEBUG[0031] [1918039982] inbound/socks[0]: connection closed: process connection from 127.0.0.1:50222: context deadline exceeded
```
chika0801 commented 1 year ago

In the server config,

add to the inbound:

```json
            "sniff": true,
            "sniff_override_destination": true,
            "domain_strategy": "ipv4_only",
```

or

add to the outbound: https://github.com/chika0801/sing-box-install/blob/68a32fee4cea8e67fb781dc974db443d0cd7dbf5/examples/netflix_unlock_select_IPv6.json#L16

Only then will the DNS you configured actually be used.

zakuwaki commented 1 year ago

@chika0801 Thank you. This is actually a simple demo, an abstraction of the real use case, to make it easier for the author to troubleshoot. The real use case is passing a remote DNS server through the tunnel to the local side.

5ce3ddee9be640c309a23341951434861dc4c2e0 With this config scenario, DNS data can be transmitted over reality.

nekohasekai commented 1 year ago

Please look at the server log portion of your issue.

zakuwaki commented 1 year ago

Logs using version cd5c2a7999b157e3ca25b35a958a050efee9456c; note that the flow field under the server's users was removed. It works normally and DNS information can be queried.

```json
"users": [
    {
        "uuid": "bf000d23-0752-40b4-affe-68f7707a9661"
    }
]
```

server

```console
INFO[0000] inbound/vless[0]: tcp server started at 0.0.0.0:443
INFO[0000] sing-box started (0.00s)
INFO[0016] [1271286602] inbound/vless[0]: inbound connection from 127.0.0.1:44378
DEBUG[0016] [1271286602] dns: lookup domain goproxy.cn
DEBUG[0017] [1271286602] dns: lookup succeed for goproxy.cn: 122.205.109.41
INFO[0017] [3341901535] inbound/vless[0]: [0] inbound packet connection to 119.29.29.29:53
INFO[0017] [3341901535] outbound/direct: outbound packet connection
INFO[0017] [1541165731] inbound/vless[0]: inbound connection from 127.0.0.1:44390
DEBUG[0017] [1541165731] dns: lookup domain goproxy.cn
DEBUG[0017] [1541165731] dns: lookup succeed for goproxy.cn: 122.205.109.41
INFO[0017] [2273166869] inbound/vless[0]: [0] inbound connection to 110.242.68.66:80
INFO[0017] [2273166869] outbound/direct: outbound connection to 110.242.68.66:80
DEBUG[0017] [1541165731] inbound/vless[0]: connection closed: process connection from 127.0.0.1:44390: upload: EOF | download: EOF
```

client

```console
INFO[0000] inbound/socks[0]: tcp server started at 0.0.0.0:11080
INFO[0000] sing-box started (0.00s)
INFO[0005] [551062345] inbound/socks[0]: inbound connection from 127.0.0.1:51676
INFO[0005] [551062345] inbound/socks[0]: inbound connection to 110.242.68.66:80
DEBUG[0005] [551062345] router: sniffed protocol: http, domain: baidu.com
DEBUG[0005] [551062345] dns: lookup domain baidu.com
INFO[0005] outbound/vless[0]: outbound packet connection to 119.29.29.29:53
DEBUG[0005] [551062345] dns: exchanged baidu.com NOERROR 600
INFO[0005] [551062345] dns: exchanged baidu.com A baidu.com. 186 IN A 110.242.68.66
INFO[0005] [551062345] dns: exchanged baidu.com A baidu.com. 186 IN A 39.156.66.10
INFO[0005] [551062345] dns: lookup succeed for baidu.com: 110.242.68.66 39.156.66.10
DEBUG[0005] [551062345] dns: resolved [110.242.68.66 39.156.66.10]
INFO[0005] [551062345] outbound/vless[0]: outbound connection to 110.242.68.66:80
DEBUG[0005] [551062345] inbound/socks[0]: connection closed: process connection from 127.0.0.1:51676: upload: EOF | download: EOF
```

The client actually had xtls-rprx-vision enabled in both cases.

When the client is on 27aba99e6c6c1d03dff3912bd5345cddeeaae26b and the dns module config is removed, everything works normally and the "flow mismatch: expected xtls-rprx-vision, but got none" problem no longer appears. So the highlight here is a DNS transport problem.

```json
{
    "inbounds": [
        {
            "type": "socks",
            "listen": "0.0.0.0",
            "listen_port": 11080,
            "sniff": true,
            "sniff_override_destination": true,
            "domain_strategy": "ipv4_only"
        }
    ],
    "outbounds": [
        {
            "type": "vless",
            "server": "127.0.0.1",
            "server_port": 443,
            "uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
            "flow": "xtls-rprx-vision",
            "packet_encoding": "xudp",
            "tls": {
                "enabled": true,
                "server_name": "goproxy.cn",
                "utls": {
                    "enabled": true,
                    "fingerprint": "chrome"
                },
                "reality": {
                    "enabled": true,
                    "public_key": "D4sZ_w2mzS2ITDoDYT5vDYjH2CUpJXgV0qYyBTSJrmI",
                    "short_id": "141294801e782f67"
                }
            }
        }
    ]
}
```
nekohasekai commented 1 year ago

The description is unclear; please check reality and vision separately.

zakuwaki commented 1 year ago

Confirmed, it is an xtls-rprx-vision problem.

  1. reality enabled, xtls-rprx-vision disabled: connects normally
  2. reality enabled, xtls-rprx-vision enabled: cannot connect
  3. reality disabled, xtls-rprx-vision enabled: cannot connect

minimal config

server

```json
{
    "inbounds": [
        {
            "type": "vless",
            "listen": "0.0.0.0",
            "listen_port": 443,
            "users": [
                {
                    "uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
                    "flow": "xtls-rprx-vision"
                }
            ]
        }
    ]
}
```

client

```json
{
    "dns": {
        "servers": [
            {
                "address": "119.29.29.29"
            }
        ]
    },
    "inbounds": [
        {
            "type": "socks",
            "listen": "0.0.0.0",
            "listen_port": 11080,
            "sniff": true,
            "sniff_override_destination": true,
            "domain_strategy": "ipv4_only"
        }
    ],
    "outbounds": [
        {
            "type": "vless",
            "server": "127.0.0.1",
            "server_port": 443,
            "uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
            "flow": "xtls-rprx-vision",
            "packet_encoding": "xudp"
        }
    ]
}
```
nekohasekai commented 1 year ago

Tried it; there seems to be a problem in the protocol implementation of either sing-box or vision. Don't use it for now.

RPRX commented 1 year ago

Maybe the server checked flow? The client's UDP and MUX commands should not carry flow, and the server should not check it either (because flow has no effect there, though it may be defined in the future).

nekohasekai commented 1 year ago

7ecb9fc738be799d66bb18d2b18267b3460d4f7e

nekohasekai commented 1 year ago

It looks like plain TLS proxying was supported at the same time; according to feedback, it causes Vision's port to be blocked along with it.

By this logic mux should also enable vision.

RPRX commented 1 year ago

(the line below)

Server-side Vision must also block non-XUDP MUX.

RPRX commented 1 year ago

The client always sends XUDP glued right after the VLESS header. MUX IDs are 1+, while the XUDP ID is 0, so the server only needs a simple check: https://github.com/XTLS/Xray-core/blob/a4790133d23547f219628f445f576171b3921ab6/proxy/vless/inbound/inbound.go#L158

Logic: reject MUX by default, unless it can be confirmed that the first packet contains XUDP.
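As an added illustration of the two server-side rules described in the comments above (example code, not sing-box's or Xray's own): skip the flow check for UDP and Mux commands, and reject Mux unless the first mux frame after the VLESS header carries the XUDP session ID 0. The command byte values and the 2-byte-length / 2-byte-session-ID frame layout are assumed from the VLESS and mux.cool formats, and the sample frames are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// VLESS request command bytes (assumed from the VLESS header format).
const CmdTCP, CmdUDP, CmdMux byte = 1, 2, 3

var (
	ErrFlowMismatch = errors.New("flow mismatch")
	ErrMuxRejected  = errors.New("mux rejected: first frame is not XUDP")
	ErrShortFrame   = errors.New("mux frame too short")
	// Constructed sample frames: [2-byte metadata length][2-byte session ID][status][option].
	SampleXUDPFrame = []byte{0x00, 0x04, 0x00, 0x00, 0x01, 0x00} // session 0 = XUDP
	SampleMuxFrame  = []byte{0x00, 0x04, 0x00, 0x01, 0x01, 0x00} // session 1 = plain Mux
)

// CheckFlow compares the client's flow with the user's configured flow only for
// TCP requests; UDP and Mux requests carry no flow and are never checked.
func CheckFlow(cmd byte, userFlow, clientFlow string) error {
	if cmd != CmdTCP || userFlow == clientFlow {
		return nil
	}
	return ErrFlowMismatch
}

// MuxSessionID reads the session ID of the first mux.cool frame that the client
// sends right after the VLESS header, rejecting truncated input.
func MuxSessionID(payload []byte) (uint16, error) {
	if len(payload) < 4 || len(payload) < 2+int(binary.BigEndian.Uint16(payload[:2])) {
		return 0, ErrShortFrame
	}
	return binary.BigEndian.Uint16(payload[2:4]), nil
}

// AllowMux applies "reject Mux by default unless the first packet is XUDP"
// (session ID 0) for users whose flow is xtls-rprx-vision.
func AllowMux(userFlow string, payload []byte) error {
	if userFlow != "xtls-rprx-vision" {
		return nil // plain Mux stays allowed for users without Vision
	}
	id, err := MuxSessionID(payload)
	if err == nil && id != 0 {
		err = ErrMuxRejected
	}
	return err
}
```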

zakuwaki commented 1 year ago

7ecb9fc

With "flow": "xtls-rprx-vision" enabled, confirmed fixed for udp. After switching to a DNS server that supports tcp, the problem still exists (works normally after disabling it).

server

```console
INFO[0000] inbound/vless[0]: tcp server started at 0.0.0.0:443
INFO[0000] sing-box started (0.00s)
INFO[0028] [1120430546] inbound/vless[0]: inbound connection from 127.0.0.1:46930
DEBUG[0028] [1120430546] dns: lookup domain goproxy.cn
DEBUG[0028] [1120430546] dns: lookup succeed for goproxy.cn: 122.205.109.41
INFO[0028] [1646825650] inbound/vless[0]: [0] inbound connection to 127.0.0.1:53
INFO[0028] [1646825650] outbound/direct: outbound connection to 127.0.0.1:53
TRACE[0028] inbound/vless[0]: Xtls Unpadding new block 21 26 padding 32 0
TRACE[0028] inbound/vless[0]: XtlsPadding 42 21 0
DEBUG[0038] [1120430546] inbound/vless[0]: connection closed: process connection from 127.0.0.1:46930: upload: EOF | download: EOF
```

client

```console
INFO[0000] inbound/socks[0]: tcp server started at 0.0.0.0:11080
INFO[0000] sing-box started (0.00s)
INFO[0015] [2323261235] inbound/socks[0]: inbound connection from 127.0.0.1:41592
INFO[0015] [2323261235] inbound/socks[0]: inbound connection to 183.3.226.35:80
DEBUG[0015] [2323261235] router: sniffed protocol: http, domain: qq.com
DEBUG[0015] [2323261235] dns: lookup domain qq.com
INFO[0015] outbound/vless[0]: outbound connection to 127.0.0.1:53
TRACE[0015] outbound/vless[0]: XtlsPadding 26 32 0
ERROR[0025] [2323261235] dns: lookup failed for qq.com: context deadline exceeded
DEBUG[0025] [2323261235] inbound/socks[0]: connection closed: process connection from 127.0.0.1:41592: context deadline exceeded
```
nekohasekai commented 1 year ago

It's probably my vision implementation that has the problem. I've been in very poor health these days, so I'll put it off for now.

nekohasekai commented 1 year ago

https://github.com/SagerNet/sing-box/commit/5b3b74bd0f66d20ca6288077307e2a96476431d5

zakuwaki commented 1 year ago

Thank the world! The problem has been fixed 🎉🎉🎉