SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

After enabling FakeIP, the log shows an IP, but `dig` or `nslookup` return no result, and the browser also reports that it cannot find the IP, so the corresponding site cannot be opened #475

Closed 70599 closed 1 year ago

70599 commented 1 year ago


Description of the problem

After enabling FakeIP, the log shows an IP. But `dig` and `nslookup` return no result, and the browser also reports that the IP cannot be found, so the corresponding site cannot be opened.

Version of sing-box

```console
sing-box version 1.2.0-cc34b6f

Environment: go1.20.2 linux/arm64
Tags: with_low_memory,with_quic,with_utls,with_ech,with_clash_api
Revision: cc34b6fa99dddad583ffba59f9c823e7f5a97684
CGO: disabled
```

Server and client configuration file

All DNS servers other than fakeip work normally.

```json
"dns": {
  "servers": [
    { "tag": "_dns_ali", "address": "tls://223.5.5.5", "detour": "direct" },
    { "tag": "_dns_cf", "address": "tls://1.1.1.1", "detour": "selector" },
    { "tag": "_dns_fake", "address": "fakeip" },
    { "tag": "_dns_block", "address": "rcode://success" }
  ],
  "rules": [
    { "geosite": ["category-ads-all"], "server": "_dns_block", "disable_cache": true },
    { "domain": ["www.google.com"], "server": "_dns_fake" },
    { "geosite": ["apple", "google", "jsdelivr"], "server": "_dns_cf" },
    { "geosite": ["cn"], "server": "_dns_ali" }
  ],
  "final": "_dns_cf",
  "reverse_mapping": true,
  "fakeip": {
    "enabled": true,
    "inet4_range": "172.20.0.1/24"
  }
},
"inbounds": [
  { "tag": "_dns_in", "type": "direct", "listen": "::1", "listen_port": 53, "network": "udp" },
  {
    "tag": "_tun_in",
    "type": "tun",
    "inet4_address": "172.20.0.1/16",
    "auto_route": true,
    "strict_route": true,
    "sniff": true,
    "exclude_uid": [411, 5567]
  }
],
```

Server and client log file

`dig` returns no result:

```shell
# dig www.google.com

; <<>> DiG 9.18.11 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 752
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.            IN  A

;; Query time: 7 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sat Mar 25 22:26:26 CST 2023
;; MSG SIZE  rcvd: 32
```

----

`nslookup` returns no result:

```shell
# nslookup www.google.com
Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
*** Can't find www.google.com: No answer
```

----

Corresponding log (shouldn't `dig` or `nslookup` resolve to the fakeip `172.20.0.5`?):

```console
INFO [4071313942] dns: cached www.google.com A www.google.com. 590 IN A 172.20.0.5
INFO [4071313942] dns: exchanged www.google.com. A www.google.com. 590 IN A 172.20.0.5
INFO [2415690928] dns: cached www.google.com A www.google.com. 577 IN A 172.20.0.5
INFO [2415690928] dns: exchanged www.google.com. A www.google.com. 577 IN A 172.20.0.5
```
bjxdqs commented 1 year ago

dns-hijack?

70599 commented 1 year ago

> dns-hijack?

The hijack already works: when I run dig directly, sing-box's log reacts, so the request has already reached sing-box. In the configuration I posted, only www.google.com goes through fakeip; the rest use the Ali or Cloudflare DoT servers, and all of those requests work as expected.

Or does fakeip need some special hijacking method?

bjxdqs commented 1 year ago

try dig @172.20.0.2 www.google.com ?

70599 commented 1 year ago

> try dig @172.20.0.2 www.google.com ?

```shell
# dig www.google.com @172.20.0.2
;; communications error to 172.20.0.2#53: timed out
;; communications error to 172.20.0.2#53: timed out
;; communications error to 172.20.0.2#53: timed out

; <<>> DiG 9.18.11 <<>> www.google.com @172.20.0.2
;; global options: +cmd
;; no servers could be reached
```
nekohasekai commented 1 year ago

Cannot reproduce; please provide the full configuration.

70599 commented 1 year ago

> Cannot reproduce; please provide the full configuration.

```json
{
  "log": { "disabled": false, "level": "info", "timestamp": false },
  "dns": {
    "servers": [
      { "tag": "_dns_ali", "address": "tls://223.5.5.5", "detour": "_direct" },
      { "tag": "_dns_cf", "address": "tls://1.1.1.1", "detour": "_selector" },
      { "tag": "_dns_fake", "address": "fakeip" },
      { "tag": "_dns_block", "address": "rcode://success" }
    ],
    "rules": [
      { "geosite": ["category-ads-all"], "server": "_dns_block", "disable_cache": true },
      { "domain": ["www.google.com"], "server": "_dns_fake" },
      { "geosite": ["apple", "google", "jsdelivr"], "server": "_dns_cf" },
      { "geosite": ["cn"], "server": "_dns_ali" }
    ],
    "final": "_dns_cf",
    "reverse_mapping": true,
    "fakeip": {
      "enabled": true,
      "inet4_range": "172.20.0.1/24",
      "inet6_range": "fdfe:dcba:9876::1/18"
    }
  },
  "inbounds": [
    { "tag": "_dns_in", "type": "direct", "listen": "::1", "listen_port": 15353, "network": "udp" },
    {
      "tag": "_tun_in",
      "type": "tun",
      "inet4_address": "172.20.0.1/16",
      "auto_route": true,
      "strict_route": true,
      "sniff": true,
      "exclude_uid": [411, 5567]
    }
  ],
  "outbounds": [
    { "tag": "_direct", "type": "direct" },
    { "tag": "_block", "type": "block" },
    { "tag": "_dns_out", "type": "dns" },
    {
      "tag": "JP", "type": "urltest", "outbounds": ["JP 1", "JP 2"],
      "url": "http://cp.cloudflare.com/generate_204", "interval": "10s", "tolerance": 1500
    },
    {
      "tag": "_proxy", "type": "urltest", "outbounds": ["JP", "US"],
      "url": "http://cp.cloudflare.com/generate_204", "interval": "10s", "tolerance": 1500
    },
    { "tag": "_selector", "type": "selector", "outbounds": ["_proxy", "JP", "_direct", "JP 1", "JP 2", "US"] },
    { "tag": "Apple", "type": "selector", "outbounds": ["_selector", "_proxy", "JP", "_direct", "JP 1", "JP 2", "US"] },
    { "tag": "PayPal", "type": "selector", "outbounds": ["_direct", "_selector", "_proxy", "JP", "JP 1", "JP 2", "US"] },
    { "tag": "Telegram", "type": "selector", "outbounds": ["_selector", "_proxy", "JP", "_direct", "JP 1", "JP 2", "US"] },
    { "tag": "YouTube", "type": "selector", "outbounds": ["_selector", "_proxy", "JP", "_direct", "JP 1", "JP 2", "US"] },
    {
      "tag": "JP 1", "type": "vless", "server": "JP 1 IP", "server_port": 443,
      "uuid": "JP 1 UUID", "flow": "xtls-rprx-vision",
      "tls": {
        "enabled": true, "server_name": "dl.acm.org",
        "ech": { "enabled": false },
        "utls": { "enabled": true, "fingerprint": "ios" },
        "reality": { "enabled": true, "public_key": "JP 1 PUB_KEY", "short_id": "JP 1 SHORT_ID" }
      },
      "packet_encoding": "xudp"
    },
    {
      "tag": "JP 2", "type": "vless", "server": "JP 2 IP", "server_port": 443,
      "uuid": "JP 2 UUID", "flow": "xtls-rprx-vision",
      "tls": {
        "enabled": true, "server_name": "dl.acm.org",
        "ech": { "enabled": false },
        "utls": { "enabled": true, "fingerprint": "ios" },
        "reality": { "enabled": true, "public_key": "JP 2 PUB_KEY", "short_id": "JP 2 SHORT_ID" }
      },
      "packet_encoding": "xudp"
    },
    {
      "tag": "US", "type": "vless", "server": "US", "server_port": 443,
      "uuid": "US UUID", "flow": "xtls-rprx-vision",
      "tls": {
        "enabled": true, "server_name": "captive.apple.com",
        "ech": { "enabled": false },
        "utls": { "enabled": true, "fingerprint": "ios" },
        "reality": { "enabled": true, "public_key": "US PUB_KEY", "short_id": "US SHORT_ID" }
      },
      "packet_encoding": "xudp"
    }
  ],
  "route": {
    "geoip": {
      "path": "/var/etc/geoip.db",
      "download_url": "https://github.com/soffchen/sing-geoip/releases/latest/download/geoip.db",
      "download_detour": "_proxy"
    },
    "geosite": {
      "path": "/var/etc/geosite.db",
      "download_url": "https://github.com/soffchen/sing-geosite/releases/latest/download/geosite.db",
      "download_detour": "_proxy"
    },
    "rules": [
      { "protocol": "dns", "outbound": "_dns_out" },
      { "inbound": ["_dns_in"], "outbound": "_dns_out" },
      { "geoip": ["private"], "geosite": ["private"], "outbound": "_direct" },
      { "process_name": ["/usr/sbin/tcping"], "outbound": "_direct" },
      { "source_ip_cidr": ["10.10.0.4", "10.10.5.0/24"], "outbound": "_direct" },
      { "protocol": ["quic"], "outbound": "_block" },
      {
        "domain_suffix": ["cloudflareinsights.com", "homebizprosite.info", "googletagmanager.com", "api.segment.io"],
        "domain": ["clientstream.launchdarkly.com"],
        "geosite": ["category-ads-all"],
        "outbound": "_block"
      },
      { "geosite": ["apple"], "outbound": "Apple" },
      { "geosite": ["paypal"], "outbound": "PayPal" },
      { "geosite": ["telegram"], "geoip": ["telegram"], "outbound": "Telegram" },
      { "geosite": ["youtube"], "outbound": "YouTube" },
      {
        "geosite": ["google", "jsdelivr"],
        "ip_cidr": ["8.8.4.4", "8.8.8.8", "208.67.222.222", "208.67.220.220", "1.1.1.1", "1.1.1.2", "1.0.0.1", "9.9.9.9", "149.112.112.112"],
        "outbound": "_proxy"
      },
      { "geosite": ["tld-cn", "category-games@cn"], "outbound": "_direct" },
      {
        "domain_suffix": ["lg.extravm.com", "gubo.org", "lg.v.ps", "speedtest.v.ps"],
        "domain_keyword": ["lg.virmach", "ping.vultr"],
        "outbound": "_direct"
      },
      {
        "domain_suffix": ["argotunnel.com", "cftunnel.com"],
        "ip_cidr": ["198.41.128.0/17", "198.41.192.0/21", "198.41.200.0/21"],
        "outbound": "_direct"
      },
      {
        "geosite": ["javdb"],
        "domain_suffix": ["acg18.moe", "hanime1.me", "hxcy.moe", "iwara.tv", "missav.com", "nhentai.net"],
        "outbound": "US"
      },
      { "domain_suffix": ["kenfiles.com", "kfs.space", "fs20917.kfs.space"], "outbound": "US" },
      { "geosite": ["geolocation-!cn"], "outbound": "_selector" },
      { "geosite": ["cn"], "geoip": ["cn"], "outbound": "_direct" }
    ],
    "final": "_selector",
    "auto_detect_interface": true
  },
  "experimental": {
    "clash_api": {
      "external_controller": "0.0.0.0:9090",
      "external_ui": "/opt/sing-box/clash",
      "secret": "password",
      "store_selected": true,
      "store_fakeip": true,
      "cache_file": "/opt/sing-box/clash/cache.db"
    }
  }
}
```

This configuration is used on OpenWrt: sing-box listens on local port 15353 and is set as dnsmasq's upstream to perform DNS resolution.

```shell
# uci show dhcp | grep 15353
dhcp.@dnsmasq[0].server='127.0.0.1#15353' '::1#15353'
```

Everything other than fakeip is split as expected and resolves correctly; only fakeip, as described above, returns no result.


I just tried again with the resolver port specified explicitly and got a result. (But I don't know why there are a few "connection refused" errors.)

```shell
# dig www.google.com -p 15353
;; communications error to 127.0.0.1#15353: connection refused
;; communications error to 127.0.0.1#15353: connection refused
;; communications error to 127.0.0.1#15353: connection refused

; <<>> DiG 9.18.11 <<>> www.google.com -p 15353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11775
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.            IN  A

;; ANSWER SECTION:
www.google.com.     259 IN  A   172.20.0.6

;; Query time: 15 msec
;; SERVER: ::1#15353(::1) (UDP)
;; WHEN: Sun Mar 26 12:06:10 CST 2023
;; MSG SIZE  rcvd: 62
```

It looks like this way of configuring dnsmasq's upstream misbehaves only for fakeip. If nobody else has a similar setup to compare against, I'll close this issue.

nekohasekai commented 1 year ago

Is there any log output from dnsmasq at the time the error occurs?

70599 commented 1 year ago

Tested again: I changed dnsmasq's default port to something other than 53 and had sing-box listen directly on [::]:53. Now dig gets the fakeip directly.

```shell
# dig www.google.com

; <<>> DiG 9.18.11 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26505
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.            IN  A

;; ANSWER SECTION:
www.google.com.     600 IN  A   172.20.0.7

;; Query time: 47 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Mar 26 12:18:12 CST 2023
;; MSG SIZE  rcvd: 62
```

But www.google.com still cannot be opened in the browser.


70599 commented 1 year ago

> Is there any log output from dnsmasq at the time the error occurs?

I re-checked dnsmasq's settings just now and found that "DNSSEC check unsigned" was enabled. After disabling it, I restored the original setup: dnsmasq listening on the default port 53, sing-box listening on 15353 and set as dnsmasq's upstream.

Now dig gets the fakeip normally:

```shell
# dig www.google.com

; <<>> DiG 9.18.11 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65433
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.            IN  A

;; ANSWER SECTION:
www.google.com.     487 IN  A   172.20.0.10

;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Mar 26 13:05:35 CST 2023
;; MSG SIZE  rcvd: 62
```

But the browser still cannot open www.google.com.

70599 commented 1 year ago

After copying `dns.fakeip.inet4_range` and `inbounds[1].inet4_address` exactly from the documentation (leaving the rest of the configuration untouched), the site now opens normally as well.

I probably misunderstood the following sentence in the documentation:

> If using tun, make sure FakeIP ranges is included in the tun's routes.

I had assumed `dns.fakeip.inet4_range` should be a subset of `inbounds[1].inet4_address`.

nekohasekai commented 1 year ago

You can try adding a DNS rule to block the DNSSEC check. Specifically, add a rule with `query_type` DNSKEY that points to the server of type `rcode://success`.

70599 commented 1 year ago

> You can try adding a DNS rule to block the DNSSEC check. Specifically, add a rule with `query_type` DNSKEY that points to the server of type `rcode://success`.

Thanks for the reply. After repeated debugging I found that it has nothing to do with DNSSEC.

1. Restored the state from when I filed the issue, with `dns.fakeip.inet4_range` and `inbounds[1].inet4_address` copied exactly from the documentation.
2. Enabled dnsmasq logging:

   ```shell
   # vim /etc/dnsmasq.conf

   ...add the following settings
   log-dhcp
   log-queries
   log-facility=/tmp/log/dnsmasq.log
   ```

3. Found that when a domain whose upstream is fakeip is queried, the dnsmasq log shows "possible DNS-rebind attack detected":

   ```
   Mar 26 15:36:56 dnsmasq[5752]: query[A] www.google.com from 10.10.2.2
   Mar 26 15:36:56 dnsmasq[5752]: forwarded www.google.com to 127.0.0.1#15353
   Mar 26 15:36:56 dnsmasq[5752]: possible DNS-rebind attack detected: www.google.com
   ```

4. Disabled rebind protection on OpenWrt and restarted dnsmasq:

   ```shell
   # uci set dhcp.@dnsmasq[0].rebind_protection='0'
   # uci commit
   # service dnsmasq restart
   ```

After that, both dig and browser access work normally. (You had already pointed me at the dnsmasq log earlier; I didn't follow that suggestion right away, sorry for wasting your time.)

I used the *ray family's fakedns before, and it apparently never triggered OpenWrt's rebind protection.

nekohasekai commented 1 year ago

Please try changing `inet4_range` to a value that does not overlap with `tun.inet4_address`.

> FakeIP ranges is included in the tun's routes.

This does not mean the tun address must contain the range; when `auto_route` is enabled, all addresses are routed by default (unless they conflict with another interface).
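The two findings in this thread, dnsmasq's rebind protection rejecting the FakeIP answer (previous comment) and the overlap between `inet4_range` and `tun.inet4_address` (this comment), can both be caught before deployment. The script below is an added example, not code from sing-box or from anyone in this thread. It emulates dnsmasq's private-range test as I read its `--stop-dns-rebind` documentation and `private_net()` source (treat the exact address list as an assumption about your dnsmasq version), reads the FakeIP and tun fields the way the posted configuration lays them out, and scans the dnsmasq log lines posted above, which are copied here as constructed sample input. The `lint_fakeip` and `rebind_suspect` names and the `198.18.0.0/15` comparison range are my own choices.

```python
import ipaddress
import re

# Ranges dnsmasq's --stop-dns-rebind treats as private. IPv4 entries follow
# dnsmasq's private_net() (loopback, 0.0.0.0/8, RFC 1918, link-local); the IPv6
# entries (loopback, link-local, ULA) follow the man page wording. Assumption:
# this matches the dnsmasq version on the router being checked.
DNSMASQ_PRIVATE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]

# The relevant fields of the configuration posted in this issue (constructed
# excerpt: only the keys the checks below need).
ISSUE_CONFIG = {
    "dns": {"fakeip": {"enabled": True, "inet4_range": "172.20.0.1/24"}},
    "inbounds": [
        {"tag": "_dns_in", "type": "direct"},
        {"tag": "_tun_in", "type": "tun", "inet4_address": "172.20.0.1/16"},
    ],
}

# dnsmasq log excerpt copied from the comment above (sample input).
SAMPLE_LOG = """\
Mar 26 15:36:56 dnsmasq[5752]: query[A] www.google.com from 10.10.2.2
Mar 26 15:36:56 dnsmasq[5752]: forwarded www.google.com to 127.0.0.1#15353
Mar 26 15:36:56 dnsmasq[5752]: possible DNS-rebind attack detected: www.google.com
"""

REBIND_RE = re.compile(r"dnsmasq\[\d+\]: possible DNS-rebind attack detected: (\S+)")


def ranges_overlap(fakeip_range: str, tun_address: str) -> bool:
    """True if the FakeIP pool and the tun interface prefix share any address.
    strict=False accepts host-style notation such as 172.20.0.1/24."""
    a = ipaddress.ip_network(fakeip_range, strict=False)
    b = ipaddress.ip_network(tun_address, strict=False)
    return a.version == b.version and a.overlaps(b)


def rebind_suspect(name: str, answer_ip: str, rebind_domain_ok=()) -> bool:
    """Emulate dnsmasq's rebind check: an answer inside a private range is
    rejected unless the queried name falls under a --rebind-domain-ok domain."""
    ip = ipaddress.ip_address(answer_ip)
    if not any(ip in net for net in DNSMASQ_PRIVATE):
        return False
    name = name.rstrip(".").lower()
    for dom in rebind_domain_ok:
        dom = dom.strip("/").rstrip(".").lower()
        if name == dom or name.endswith("." + dom):
            return False
    return True


def rebind_hits(log_text: str) -> list:
    """Names dnsmasq refused in a log excerpt (needs log-queries enabled)."""
    return REBIND_RE.findall(log_text)


def lint_fakeip(config: dict) -> list:
    """Findings about the FakeIP pool: overlap with a tun prefix, and whether
    the pool sits inside a range dnsmasq's rebind protection would reject."""
    findings = []
    fake = config.get("dns", {}).get("fakeip", {})
    if not fake.get("enabled"):
        return findings
    tuns = [i for i in config.get("inbounds", []) if i.get("type") == "tun"]
    for key in ("inet4_range", "inet6_range"):
        rng = fake.get(key)
        if not rng:
            continue
        for tun in tuns:
            addr = tun.get(key.replace("range", "address"))
            if addr and ranges_overlap(rng, addr):
                findings.append(f"fakeip.{key} {rng} overlaps {tun.get('tag')} {addr}")
        # Probe the first usable address of the pool against the private list.
        net = ipaddress.ip_network(rng, strict=False)
        probe = str(net[1] if net.num_addresses > 1 else net[0])
        if rebind_suspect("example.invalid", probe):
            findings.append(f"fakeip.{key} {rng} lies in a range dnsmasq rebind protection rejects")
    return findings


if __name__ == "__main__":
    for line in lint_fakeip(ISSUE_CONFIG):
        print("finding:", line)
    print("rebind-refused names in log:", rebind_hits(SAMPLE_LOG))
    print("198.18.0.5 flagged by dnsmasq?", rebind_suspect("www.google.com", "198.18.0.5"))
```

On the posted configuration this reports both the overlap and the private-range placement, and the log scan returns `www.google.com`. The second finding points to the narrower fix: a pool outside dnsmasq's private list is passed through with rebind protection still on, and where a private-range pool must stay, listing only the affected domains in OpenWrt's `rebind_domain` (dnsmasq's `--rebind-domain-ok`) keeps the protection for every other answer instead of setting `rebind_protection='0'` globally.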

70599 commented 1 year ago

> Please try changing `inet4_range` to a value that does not overlap with `tun.inet4_address`.

Thanks for the suggestion. I've reconfigured it and there is no problem now.