daeuniverse / dae

eBPF-based Linux high-performance transparent proxy solution.
GNU Affero General Public License v3.0

[Bug Report] In DNS response matching, IPv4 addresses appear to hit IPv6 rules #332

Closed EkkoG closed 1 year ago

EkkoG commented 1 year ago

Current Behavior

    response {
        # Trusted upstream. Always accept its result.
        upstream(googledns) -> accept
        # Possibly polluted, re-lookup using googledns.
        ip("::/128","::1/128","::ffff:0:0/96","::ffff:0:0:0/96","64:ff9b::/96","64:ff9b:1::/48","100::/64","2001:0000::/32","2001:20::/28","2001:db8::/32","2002::/16","fc00::/7","ff00::/8") -> googledns

        ip(geoip:private) -> googledns
        # fallback is also called default.
        fallback: accept
    }

When using the rules above, many domestic domains hit that IP rule and end up going to Google DNS, for example:

    time="Sep 14 13:21:12" level=trace msg="Request to DNS upstream" question=[{data.bilibili.com. 1 1}] upstream="udp://116.116.116.116:53"
    time="Sep 14 13:21:12" level=trace msg="Change DNS upstream and resend" last_upstream="udp://116.116.116.116:53" next_upstream="tcp+udp://8.8.8.8:53" question=[{data.bilibili.com. 1 1}]
    time="Sep 14 13:21:12" level=info msg="192.168.33.223:60757 <-> 8.8.8.8:53" _qname=data.bilibili.com. dialer="1.🇭🇰 HKG 05" dscp=0 mac="2a:50:2b:4a:e8:b2" network="udp4(DNS)" outbound=proxy pid=0 pname= policy=min_moving_avg qtype=A
    time="Sep 14 13:21:12" level=trace msg="Update

After adding a condition that restricts the rule to AAAA records, everything works normally: the case where a query matches the IP rule and goes to Google DNS no longer occurs.

    response {
        # Trusted upstream. Always accept its result.
        upstream(googledns) -> accept
        # Possibly polluted, re-lookup using googledns.
        qtype(AAAA) && ip("::/128","::1/128","::ffff:0:0/96","::ffff:0:0:0/96","64:ff9b::/96","64:ff9b:1::/48","100::/64","2001:0000::/32","2001:20::/28","2001:db8::/32","2002::/16","fc00::/7","ff00::/8") -> googledns

        ip(geoip:private) -> googledns
        # fallback is also called default.
        fallback: accept
    }

So I suspect that an IPv4 address is matching the IP rule above.

Expected Behavior

IPv4 addresses do not match IPv6 addresses.

Steps to Reproduce

Use the configuration above.

Anything else?

No response
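The report suspects an IPv4 answer matching an IPv6 CIDR rule, and the rule list contains the IPv4-mapped prefix `::ffff:0:0/96`, which is exactly where a family-blind prefix matcher goes wrong. This added example is mine, not dae's code, and the thread does not establish how dae's own matcher behaves; it shows in Go (dae's implementation language) that the standard library's `net.IPNet.Contains` makes that prefix match every IPv4 address, while a family-aware check built on `net/netip` does not.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
)

// Prefixes copied from the ip(...) rule in the issue report.
var rulePrefixes = []string{
	"::/128", "::1/128", "::ffff:0:0/96", "::ffff:0:0:0/96", "64:ff9b::/96",
	"64:ff9b:1::/48", "100::/64", "2001:0000::/32", "2001:20::/28",
	"2001:db8::/32", "2002::/16", "fc00::/7", "ff00::/8",
}

// matchNetIPNet is a family-blind matcher built on net.IPNet.Contains, which
// normalises ::ffff:0:0/96 to 0.0.0.0/0: every IPv4 answer hits that IPv6 rule.
func matchNetIPNet(addr string) string {
	ip := net.ParseIP(addr)
	for _, p := range rulePrefixes {
		_, n, err := net.ParseCIDR(p)
		if err != nil {
			panic(err)
		}
		if n.Contains(ip) {
			return p // first matching rule, or "" below
		}
	}
	return ""
}

// matchFamilyAware checks the address family before the prefix test, so an
// A answer can only hit IPv4 rules (netip.Prefix.Contains enforces this too).
func matchFamilyAware(addr string) string {
	ip := netip.MustParseAddr(addr)
	for _, p := range rulePrefixes {
		pfx := netip.MustParsePrefix(p)
		if pfx.Addr().Is4() == ip.Is4() && pfx.Contains(ip) {
			return p
		}
	}
	return ""
}

func main() {
	// Constructed sample answers: one A record and two AAAA records.
	for _, a := range []string{"47.102.1.1", "2001:db8::1", "fd00::1"} {
		fmt.Printf("%-12s net.IPNet=%-15q netip=%q\n", a, matchNetIPNet(a), matchFamilyAware(a))
	}
}
```

The same pitfall applies to any matcher that widens IPv4 answers to 16-byte keys before a longest-prefix lookup, so the `qtype(AAAA) &&` guard in the report is a reasonable workaround regardless of where the widening happens.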

dae-prow[bot] commented 1 year ago

Thanks for opening this issue!

piyoki commented 1 year ago

Has it been resolved yet?

leslieqwq commented 1 year ago

Where should this be added to fix it?

EkkoG commented 1 year ago

Has it been resolved yet?

@yqlbu Since I didn't record the full configuration at the time, I can only roughly recall it. I re-tested now with this configuration and did not observe the problem, but the IPv6 configuration back then was different from the current one, and an IPv6 DNS server was being handed out at the time; I don't know whether that is related. Closing for now, and I'll keep an eye on it.

    upstream {
        # Value can be scheme://host:port, where the scheme can be tcp/udp/tcp+udp.
        # If host is a domain and has both IPv4 and IPv6 record, dae will automatically choose
        # IPv4 or IPv6 to use according to group policy (such as min latency policy).
        # Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing.
        # If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended.

        alidns: 'udp://dns.alidns.com:53'
        tencent: 'udp://119.29.29.29:53'
        googledns: 'tcp+udp://8.8.8.8:53'
        ispdns: 'udp://116.116.116.116'
    }
    routing {
        # According to the request of dns query, decide to use which DNS upstream.
        # Match rules from top to bottom.
        request {
            # fallback is also called default.
            fallback: ispdns
        }
        # According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
        # Match rules from top to bottom.
        response {
            # Trusted upstream. Always accept its result.
            upstream(googledns) -> accept
            # Possibly polluted, re-lookup using googledns.
            ip("::/128","::1/128","::ffff:0:0/96","::ffff:0:0:0/96","64:ff9b::/96","64:ff9b:1::/48","100::/64","2001:0000::/32","2001:20::/28","2001:db8::/32","2002::/16","fc00::/7","ff00::/8") -> googledns

            ip(geoip:private) -> googledns
            # fallback is also called default.
            fallback: accept
        }
    }
wmjlxl commented 4 months ago

While I'm here, I'd like to ask: in dae's settings, how can I customise the IP of a domain? For example, if I want to set the IP of apple.com to 2.2.2.2?