XTLS / Xray-core

Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.
https://t.me/projectXray
Mozilla Public License 2.0

DNS leak after failing to obtain an IPv6 address #3392

Closed jiuqianyuan closed 3 months ago

jiuqianyuan commented 3 months ago

Integrity requirements

Version

v1.8.13

Description

I found that when xray is used as a relay server and issues DNS queries, if the domain returns no IPv6 address, DNS falls back to querying the default domestic (China) DNS, causing a DNS leak. See the log and config.json file below.

Reproduction steps

Use the following configuration as a relay server.

Client config

```json
{
  "log": {
    "access": "./access.log",
    "error": "./error.log",
    "loglevel": "info"
  },
  "dns": {
    "hosts": {
      "dns.google": "8.8.8.8",
      "dns.pub": "119.29.29.29",
      "dns.alidns.com": "223.5.5.5",
      "geosite:category-ads-all": "127.0.0.1",
      "proxy.example.com": "127.0.0.1"
    },
    "servers": [
      "114.114.114.114",
      {
        "address": "https://dns.google/dns-query",
        "domains": [
          "geosite:tiktok",
          "geosite:geolocation-!cn",
          "geosite:greatfire",
          "geosite:gfw",
          "domain:zoom.us"
        ]
      },
      "8.8.8.8",
      {
        "address": "localhost",
        "skipFallback": true
      }
    ]
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "domainMatcher": "mph",
    "rules": [
      {
        "type": "field",
        "inboundTag": [
          "sdas444",
          "socks"
        ],
        "port": 53,
        "outboundTag": "dns-out"
      },
      {
        "type": "field",
        "inboundTag": [
          "api"
        ],
        "outboundTag": "api"
      },
      {
        "type": "field",
        "outboundTag": "direct",
        "protocol": [
          "bittorrent"
        ]
      },
      {
        "type": "field",
        "outboundTag": "block",
        "domain": [
          "geosite:category-ads-all"
        ]
      },
      {
        "type": "field",
        "outboundTag": "direct",
        "ip": [
          "223.5.5.5/32",
          "119.29.29.29/32",
          "180.76.76.76/32",
          "114.114.114.114/32",
          "geoip:cn",
          "geoip:private"
        ]
      },
      {
        "type": "field",
        "outboundTag": "proxy",
        "domain": [
          "geosite:tiktok",
          "geosite:geolocation-!cn",
          "geosite:greatfire",
          "geosite:gfw",
          "domain:zoom.us"
        ]
      },
      {
        "type": "field",
        "outboundTag": "proxy",
        "ip": [
          "1.1.1.1/32",
          "1.0.0.1/32",
          "8.8.8.8/32",
          "8.8.4.4/32",
          "geoip:!cn",
          "geoip:us",
          "geoip:ca",
          "geoip:telegram",
          "geoip:cloudflare",
          "geoip:cloudfront",
          "geoip:facebook",
          "geoip:fastly",
          "geoip:google",
          "geoip:netflix",
          "geoip:twitter"
        ]
      },
      {
        "type": "field",
        "port": "0-65535",
        "outboundTag": "direct"
      }
    ]
  },
  "stats": {},
  "outbounds": [
    {
      "tag": "proxy",
      "protocol": "socks",
      "settings": {
        "servers": [
          {
            "address": "127.0.0.1",
            "ota": false,
            "port": 7890
          }
        ]
      },
      "streamSettings": {
        "network": "tcp"
      }
    },
    {
      "settings": {},
      "protocol": "freedom",
      "tag": "direct"
    },
    {
      "tag": "dns-out",
      "protocol": "dns",
      "streamSettings": {
        "sockopt": {
          "mark": 255
        }
      }
    },
    {
      "settings": {},
      "protocol": "blackhole",
      "tag": "block"
    }
  ],
  "api": {
    "tag": "api",
    "services": [
      "StatsService"
    ]
  },
  "transport": {},
  "reverse": {},
  "inbounds": [
    {
      "settings": {
        "disableInsecureEncryption": true,
        "network": "tcp,udp",
        "followRedirect": true,
        "default": {
          "security": "auto",
          "level": 0
        },
        "clients": [
          {
            "id": "64ba0d63-013e-4de3-bbfe-0fcc4d6de611",
            "alterId": 0,
            "email": "sdf444@gmail.com"
          }
        ]
      },
      "protocol": "vmess",
      "port": 11305,
      "streamSettings": {
        "security": "none",
        "network": "tcp"
      },
      "tag": "sdas444",
      "listen": "0.0.0.0"
    },
    {
      "tag": "socks",
      "port": 10808,
      "listen": "127.0.0.1",
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true,
        "allowTransparent": false
      }
    },
    {
      "settings": {
        "address": "127.0.0.1"
      },
      "protocol": "dokodemo-door",
      "port": 10085,
      "tag": "api",
      "listen": "127.0.0.1"
    }
  ],
  "policy": {
    "system": {
      "statsInboundUplink": true,
      "statsInboundDownlink": true
    },
    "levels": {
      "0": {
        "statsUserDownlink": true,
        "handshake": 4,
        "statsUserUplink": true,
        "connIdle": 300,
        "uplinkOnly": 2,
        "downlinkOnly": 5,
        "bufferSize": 10240
      }
    }
  }
}
```

Server config

N/A

Client log

```text
2024/05/27 10:20:37 [Info] app/dns: DOH//dns.google querying: pornhub.com.
2024/05/27 10:20:37 [Info] app/dns: DOH//dns.google querying: pornhub.com.
2024/05/27 10:20:37 [Info] app/dispatcher: taking detour [proxy] for [tcp:dns.google:443]
2024/05/27 10:20:37 [Info] transport/internet/tcp: dialing TCP to tcp:127.0.0.1:7890
2024/05/27 10:20:37 [Info] app/dispatcher: taking detour [proxy] for [tcp:dns.google:443]
2024/05/27 10:20:37 [Info] transport/internet/tcp: dialing TCP to tcp:127.0.0.1:7890
2024/05/27 10:20:37 [Info] app/dns: DOH//dns.google got answer: pornhub.com. TypeA -> [66.254.114.41] 475.1111ms
2024/05/27 10:20:37 [Info] app/dns: DOH//dns.google got answer: pornhub.com. TypeAAAA -> [] 476.5043ms
2024/05/27 10:20:37 [Info] app/dns: failed to lookup ip for domain pornhub.com at server DOH//dns.google > empty response
2024/05/27 10:20:37 [Info] transport/internet/udp: establishing new connection for udp:114.114.114.114:53
2024/05/27 10:20:37 [Info] app/dispatcher: taking detour [direct] for [udp:114.114.114.114:53]
2024/05/27 10:20:37 [Info] proxy/freedom: connection opened to udp:114.114.114.114:53, local endpoint [::]:62328, remote endpoint 114.114.114.114:53
2024/05/27 10:20:37 [Info] app/dns: UDP:114.114.114.114:53 got answer: pornhub.com. TypeAAAA -> [[2a03:2880:f127:83:face:b00c:0:25de]] 12.6481ms
2024/05/27 10:20:37 [Info] [1683205298] proxy/vmess/inbound: received request for tcp:pornhub.com:443
2024/05/27 10:20:37 [Info] [1683205298] app/dispatcher: taking detour [proxy] for [tcp:pornhub.com:443]
2024/05/27 10:20:37 [Info] [1683205298] transport/internet/tcp: dialing TCP to tcp:127.0.0.1:7890
2024/05/27 10:20:38 [Info] app/dns: DOH//dns.google querying: www.pornhub.com.
2024/05/27 10:20:38 [Info] app/dns: DOH//dns.google querying: www.pornhub.com.
2024/05/27 10:20:38 [Info] app/dns: DOH//dns.google got answer: www.pornhub.com. TypeAAAA -> [] 70.9233ms
2024/05/27 10:20:38 [Info] app/dns: failed to lookup ip for domain www.pornhub.com at server DOH//dns.google > empty response
2024/05/27 10:20:38 [Info] app/dns: DOH//dns.google got answer: www.pornhub.com. TypeA -> [66.254.114.41] 72.2311ms
2024/05/27 10:20:38 [Info] app/dns: UDP:114.114.114.114:53 got answer: www.pornhub.com. TypeAAAA -> [[2a03:2880:f126:83:face:b00c:0:25de]] 27.8965ms
2024/05/27 10:20:38 [Info] [2097258233] proxy/vmess/inbound: received request for tcp:www.pornhub.com:443
2024/05/27 10:20:38 [Info] [2097258233] app/dispatcher: taking detour [proxy] for [tcp:www.pornhub.com:443]
```

Server log

N/A

Fangliding commented 3 months ago

Expected behaviour. The first round of queries uses the server whose configured domains match; if that query fails, the other servers are used. 114.114.114.114 is configured here, so naturally it gets used.

jiuqianyuan commented 3 months ago

> Expected behaviour. The first round of queries uses the server whose configured domains match; if that query fails, the other servers are used. 114.114.114.114 is configured here, so naturally it gets used.

Here pornhub.com has already matched; it's just that the query result contains only an IPv4 address and no IPv6 address, and because the IPv6 answer came back empty, the fallback query to 114.114.114.114 was triggered. If this counts as normal behaviour, then how should the configuration be changed to avoid it?

SatenRuiko-Lv0 commented 2 months ago

Try using ipv4 directly instead of useip?

jiuqianyuan commented 2 months ago

> Try using ipv4 directly instead of useip?

queryStrategy: "IPV4" mode seems to be fine; the problem only occurs under queryStrategy: "UseIP" when the IPv6 address comes back empty.

jiuqianyuan commented 2 months ago

> Expected behaviour. The first round of queries uses the server whose configured domains match; if that query fails, the other servers are used. 114.114.114.114 is configured here, so naturally it gets used.

Could you consider handling this? In my testing, v2ray does not show the leak behaviour.

Fangliding commented 2 months ago

Just write it in the complex config form and turn on disableFallback. The DNS part won't be changed over some "DNS leak" unless its behaviour clearly contradicts the documentation.
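
The fix described above, as an added example that is not from the issue or the Xray project: the `dns` section of the client config, trimmed to the keys involved, with `disableFallback` turned on so that a domain matching the DoH server's `domains` list is answered only by that server, and an empty AAAA answer no longer triggers a fallback query to 114.114.114.114. `queryStrategy: "UseIP"` is set explicitly because that is the mode in which the leak was observed; Xray's DNS config reference also documents the narrower `disableFallbackIfMatch`, which the thread does not mention.

```json
{
  "dns": {
    "queryStrategy": "UseIP",
    "disableFallback": true,
    "hosts": {
      "dns.google": "8.8.8.8"
    },
    "servers": [
      "114.114.114.114",
      {
        "address": "https://dns.google/dns-query",
        "domains": [
          "geosite:tiktok",
          "geosite:geolocation-!cn",
          "geosite:greatfire",
          "geosite:gfw",
          "domain:zoom.us"
        ]
      },
      "8.8.8.8",
      {
        "address": "localhost",
        "skipFallback": true
      }
    ]
  }
}
```

Domains that match no `domains` list are still resolved by the remaining servers, so verify the change by checking the client log for `UDP:114.114.114.114:53 got answer` lines against domains that should have gone through DoH.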

jiuqianyuan commented 2 months ago

> Just write it in the complex config form and turn on disableFallback. The DNS part won't be changed over some "DNS leak" unless its behaviour clearly contradicts the documentation.

Thanks, that more or less solves it. But with a configuration identical to v2ray-core and the same documentation description, the result is different, which can easily be misleading.

mclovin-2k commented 2 months ago

The domain pornhub.com will certainly match the "geosite:geolocation-!cn" rule and go through Proxy; with IPIfNonMatch configured there shouldn't be any DNS query at all. Where does your DNS query come from?

jiuqianyuan commented 2 months ago

> The domain pornhub.com will certainly match the "geosite:geolocation-!cn" rule and go through Proxy; with IPIfNonMatch configured there shouldn't be any DNS query at all. Where does your DNS query come from?

Only fakedns skips the DNS query, I think.