chika0801 / sing-box-examples

sing-box 配置示例
https://github.com/SagerNet/sing-box

Tun/config_client_android_local_dns_with_fakeip.json配置存在DNS泄露,猜测为DNS ruleset规则导致的 #88

Closed fs8vsx59h closed 9 months ago

fs8vsx59h commented 9 months ago

原配置(注意:第二条 dns rule 里 "rule_set" 这个键写了两次——"BlockHttpDNS" 和 "geosite-category-ads-all"。JSON 不允许同一对象内出现重复键,绝大多数解析器在不报错的情况下只保留最后一个值,所以 BlockHttpDNS 这个规则集很可能被静默丢弃,对应域名不会返回 rcode success,而是落到后面的规则或 final。要同时匹配两个规则集应写成数组:"rule_set": ["BlockHttpDNS", "geosite-category-ads-all"]。)

    "dns": {
        "servers": [
            {
                "tag": "dns_proxy",
                "address": "https://1.1.1.1/dns-query",
                "address_resolver": "dns_resolver",
                "strategy": "ipv4_only",
                "detour": "proxy"
            },
            {
                "tag": "dns_direct",
                "address": "https://dns.alidns.com/dns-query",
                "address_resolver": "dns_resolver",
                "strategy": "prefer_ipv6",
                "detour": "direct"
            },
            {
                "tag": "dns_success",
                "address": "rcode://success"
            },
            {
                "tag": "dns_refused",
                "address": "rcode://refused"
            },
            {
                "tag": "dns_resolver",
                "address": "223.5.5.5",
                "strategy": "ipv4_only",
                "detour": "direct"
            },
            {
                "tag": "dns_fakeip",
                "address": "fakeip",
                "strategy": "ipv4_only"
            }
        ],
        "rules": [
            {
                "outbound": "any",
                "server": "dns_resolver"
            },
            {
                "rule_set": "BlockHttpDNS",
                "rule_set": "geosite-category-ads-all",
                "domain_suffix": [
                    "mcdn.bilivideo.cn",
                    "szbdyd.com"
                ],
                "domain_regex": [
                    "cn-[a-zA-Z0-9-]+\\.bilivideo\\.com",
                    "[a-zA-Z0-9-]+-pcdn-[a-zA-Z0-9-]+\\.biliapi\\.net"
                ],
                "server": "dns_success",
                "disable_cache": true
            },
            {
                "rule_set": "geosite-geolocation-!cn",
                "query_type": [
                    "A",
                    "AAAA"
                ],
                "server": "dns_fakeip"
            },
            {
                "rule_set": "geosite-geolocation-!cn",
                "query_type": [
                    "CNAME"
                ],
                "server": "dns_proxy"
            },
            {
                "query_type": [
                    "A",
                    "AAAA",
                    "CNAME"
                ],
                "invert": true,
                "server": "dns_refused",
                "disable_cache": true
            }
        ],
        "final": "dns_direct",
        "independent_cache": true,
        "fakeip": {
            "enabled": true,
            "inet4_range": "198.18.0.0/15",
            "inet6_range": "fc00::/18"
        }
    }

ipleak.net测试结果

74a93efc-ccd3-4b53-9a5b-8443017ac504

删除国内外分流部分dns rule:

  "dns": {
    "servers": [
      {
        "tag": "dns_proxy",
        "address": "https://1.1.1.1/dns-query",
        "address_resolver": "dns_resolver",
        "strategy": "ipv4_only",
        "detour": "proxy"
      },
      {
        "tag": "dns_direct",
        "address": "https://dns.alidns.com/dns-query",
        "address_resolver": "dns_resolver",
        "strategy": "prefer_ipv6",
        "detour": "direct"
      },
      {
        "tag": "dns_success",
        "address": "rcode://success"
      },
      {
        "tag": "dns_refused",
        "address": "rcode://refused"
      },
      {
        "tag": "dns_resolver",
        "address": "223.5.5.5",
        "strategy": "ipv4_only",
        "detour": "direct"
      },
      {
        "tag": "dns_fakeip",
        "address": "fakeip",
        "strategy": "ipv4_only"
      }
    ],
    "rules": [
      {
        "outbound": "any",
        "server": "dns_resolver"
      },
      {
        "domain_suffix": [
          "mcdn.bilivideo.cn",
          "szbdyd.com"
        ],
        "domain_regex": [
          "cn-[a-zA-Z0-9-]+\\.bilivideo\\.com",
          "[a-zA-Z0-9-]+-pcdn-[a-zA-Z0-9-]+\\.biliapi\\.net"
        ],
        "rule_set": "geosite-category-ads-all",
        "server": "dns_success",
        "disable_cache": true
      },
      {
        "query_type": [
          "A",
          "AAAA"
        ],
        "server": "dns_fakeip"
      },
      {
        "query_type": "CNAME",
        "server": "dns_proxy"
      },
      {
        "query_type": [
          "A",
          "AAAA",
          "CNAME"
        ],
        "invert": true,
        "server": "dns_refused",
        "disable_cache": true
      }
    ],
    "final": "dns_direct",
    "fakeip": {
      "enabled": true,
      "inet4_range": "198.18.0.0/15",
      "inet6_range": "fc00::/18"
    },
    "independent_cache": true
  }

ipleak.net测试结果: 7c373fc3-67ac-4853-947a-f3ac146341e7

chika0801 commented 9 months ago

原配置中本来就是用的 "final": "dns_direct",凡是没有命中 geosite-geolocation-!cn 的域名都会由国内 DNS(dns_direct)解析,所以去这些网站检测会显示"泄露",这是我预期的结果。

你修改后的配置我看了,变成了

      {
        "query_type": [
          "A",
          "AAAA"
        ],
        "server": "dns_fakeip"
      },
      {
        "query_type": "CNAME",
        "server": "dns_proxy"
      },
      {
        "query_type": [
          "A",
          "AAAA",
          "CNAME"
        ],
        "invert": true,
        "server": "dns_refused",
        "disable_cache": true
      }
    ],
    "final": "dns_direct",

你读下逻辑,DNS查询请求不会最后落到 "final": "dns_direct",

前面的意思是:A、AAAA 全用 fakeip,CNAME 全走 PROXY 查,剩下的类型全部 BLOCK,没有任何查询会到达 final。你去检测网站当然看不到国内 DNS——但代价是国内域名的 A/AAAA 查询也只会返回 fake IP,不再经 dns_direct 解析。

chika0801 commented 9 months ago

local_dns.json

remote_dns.json

其实配置文件名就指出了 DNS 到底由谁来查:local_dns 是本地 DNS 查,remote_dns 是走代理远程查。至于懂不懂远程查和本地查的区别、在不在意 DNS 泄露,喜欢看 XXX 视频的人肯定喜欢 local 这种方式,这是故意这样设计的。

with_fakeip 是自用版本的配置。