[BUG] doh 下 proxy 不工作

[rampageX]

Describe the bug 发生了什么 国内现在基本屏蔽了热门的几个境外 DoH 服务器，所以尝试使用代理.

To Reproduce 如何重现 doh 部分配置如下：

      sni: false
      uri: https://dns.cloudflare.com/dns-query
      addr: 1.0.0.1
      proxy: socks5://@127.0.0.1:7575

Debug 调试信息

Dig 查询返回空值，dcompass 调试信息：

2021-08-04 02:51:03,413 INFO [droute::router::table::rule::matchers::geoip] The IP `199.96.62.17` has ISO country code `US`
2021-08-04 02:51:03,413 INFO [droute::router::table::rule] Domain "t66y.com" doesn't match at rule `check_secure`
2021-08-04 02:51:03,413 INFO [droute::router::upstreams::upstream] querying with upstream: cisco
2021-08-04 02:51:03,413 DEBUG [reqwest::connect] starting new connection: https://dns.cloudflare.com/
2021-08-04 02:51:03,414 DEBUG [reqwest::connect] proxy(socks5://127.0.0.1:7575) intercepts 'https://dns.cloudflare.com/'
2021-08-04 02:51:03,443 DEBUG [rustls::client::hs] No cached session for DNSNameRef("dns.cloudflare.com")
2021-08-04 02:51:03,444 DEBUG [rustls::client::hs] Not resuming any session
2021-08-04 02:51:06,415 WARN [droute::router] Upstream encountered error: error sending request for url (https://dns.cloudflare.com/dns-query): error trying to connect: operation timed out, returning SERVFAIL
2021-08-04 02:51:06,415 INFO [dcompass::worker] Response completed. Sent back to 192.168.2.1:60091 successfully.
2021-08-04 02:52:33,360 DEBUG [rustls::session] Sending warning alert CloseNotify

确认 socks5 代理肯定是工作正常的，也更换过 google, cisco 等 DoH 服务器都一样。

[LEXUGE]

有代理日志吗？ 首先应该是 cloudflare-dns.com 吧，不过这个不重要？ 看了日志只是单纯的timeout了，代理也正常被intercept了。 你可以尝试用 curl 手动发送请求来确认代理是正确的 https://developers.cloudflare.com/1.1.1.1/dns-over-https/wireformat

此外，代理本身有使用域名吗？如果使用了域名且 dcompass 本身为 DNS，那就套娃了

[LEXUGE]

如果单纯只是解决屏蔽的话，可以尝试使用一些别的非常规 IP, 比如 cloudflare-dns.com 的 104.16.249.249 和 dns.quad9.net 的 149.112.112.112 在带有 SNI 的情况下，任何的 Cloudflare CDN 的 IP 都可以被拿来连接

[rampageX]

@LEXUGE （代理 A 192.168.2.20 为与 dcompass 同在 N1 盒子上的 ss 代理，代理 B 192.168.2.8 为局域网一台 PC 上的 ss 代理），均可以通过过 curl 的测试：

echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 -d | curl -qs -x socks5://192.168.2.20:7575 -H 'content-type: application/dns-message' --data-binary @- https://cloudflare-dns.com/dns-query -o - |
hexdump
0000000 cdab 8081 0100 0100 0000 0000 7703 7777
0000010 6507 6178 706d 656c 6303 6d6f 0000 0001
0000020 c001 000c 0001 0001 2c01 0032 5d04 d8b8
0000030 0022
0000031

curl -qs -x socks5://192.168.2.20:7575 -H 'accept: application/dns-message' -v 'https://cloudflare-dns.com/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | hexdump
*   Trying 192.168.2.20:7575...
* SOCKS5 connect to IPv4 104.16.249.249:443 (locally resolved)
* SOCKS5 request granted.
* Connected to 192.168.2.20 (192.168.2.20) port 7575 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* ALPN, offering h2
* ALPN, offering http/1.1
* ALPN, server accepted to use h2
* SSL connection using TLSv1.3 / TLS13-AES128-GCM-SHA256
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xa1940)
> GET /dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/2
> Host: cloudflare-dns.com
> user-agent: curl/7.70.0
> accept: application/dns-message
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Wed, 04 Aug 2021 04:42:57 GMT
< content-type: application/dns-message
< content-length: 49
< access-control-allow-origin: *
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 67951f3e68c621be-HKG
<
{ [49 bytes data]
* Connection #0 to host 192.168.2.20 left intact
0000000 cdab 8081 0100 0100 0000 0000 7703 7777
0000010 6507 6178 706d 656c 6303 6d6f 0000 0001
0000020 c001 000c 0001 0001 2901 0094 5d04 d8b8
0000030 0022
0000031

echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 -d | curl -qs -x socks5://192.168.2.8:7171 -H 'content-type: application/dns-message' --data-binary @- https://cloudflare-dns.com/dns-query -o - | h
exdump
0000000 cdab 8081 0100 0100 0000 0000 7703 7777
0000010 6507 6178 706d 656c 6303 6d6f 0000 0001
0000020 c001 000c 0001 0001 4d01 008b 5d04 d8b8
0000030 0022
0000031

目前测试结果：

1. 开启 SNI sni: true, 使用你给的 IP 104.16.249.249, 不使用代理，可以解析；
2. 关闭 SNI，IP 用 1.0.0.1，使用代理 A, 解析失败，使用代理 B，解析成功。

套娃现象应该不存在，因为是在测试 dcompass，主 DNS 为 dnsmasq 并发向多个上游查询。

[LEXUGE]

如果是这样我更倾向于代理环境的问题 你能尝试在有代理的电脑上使用dcompass 测试吗？排除路由器可能的一些iptables rule的影响（虽然应该没影响）

[rampageX]

在 PC 上运行 dcompass 测试，则 A, B 代理都可以。。。

2021-08-04 14:56:14,742 DEBUG [reqwest::connect] starting new connection: https://cloudflare-dns.com/
2021-08-04 14:56:14,743 DEBUG [reqwest::connect] proxy(socks5://192.168.2.20:7575) intercepts 'https://cloudflare-dns.com/'
2021-08-04 14:56:14,758 DEBUG [rustls::client::hs] No cached session for DNSNameRef("cloudflare-dns.com")
2021-08-04 14:56:14,759 DEBUG [rustls::client::hs] Not resuming any session
2021-08-04 14:56:14,836 DEBUG [rustls::client::hs] Using ciphersuite TLS13_CHACHA20_POLY1305_SHA256
2021-08-04 14:56:14,837 DEBUG [rustls::client::tls13] Not resuming
2021-08-04 14:56:14,839 DEBUG [rustls::client::tls13] TLS1.3 encrypted extensions: []
2021-08-04 14:56:14,841 DEBUG [rustls::client::hs] ALPN protocol is None
2021-08-04 14:56:14,872 DEBUG [rustls::client::tls13] Ticket saved
2021-08-04 14:56:14,872 DEBUG [rustls::client::tls13] Ticket saved
2021-08-04 14:56:14,873 DEBUG [reqwest::async_impl::client] response '200 OK' for https://cloudflare-dns.com/dns-query
2021-08-04 14:56:14,874 INFO [droute::router::upstreams::upstream] query successfully completed.
2021-08-04 14:56:14,875 INFO [droute::router::table] Domain "wsj.com" has finished routing
2021-08-04 14:56:14,875 INFO [dcompass::worker] Response completed. Sent back to 127.0.0.1:51025 successfully.