daeuniverse / dae

eBPF-based Linux high-performance transparent proxy solution.
GNU Affero General Public License v3.0
2.62k stars 165 forks

[Feature Request] Connect to company network #565

Closed marsjane closed 22 hours ago

marsjane commented 4 days ago

Feature Request

Hi, thanks for this great work. I've been going through most of the documentation and plan to migrate to dae. However, I have several questions:

1) I didn't find a clear explanation of the config location for dae in the docs. For Arch, the config location seems to be /etc/dae? Is it possible to put it somewhere else, like ~/.config/dae?

2) If it can only be under /etc/dae, which permissions should it have? I want to add several new files to use the separated configuration as shown in https://github.com/daeuniverse/dae/discussions/81#discussioncomment-7974496. Is it necessary to do sudo chmod -R 0640 /etc/dae? I just wonder whether there is any config file permission requirement for dae to run. Can you help clarify these?

Use Cases

Other locations for config files; separated configuration.

Potential Benefits

Clear understanding of config location and permission requirements.

dae-prow[bot] commented 4 days ago

Thanks for opening this issue!

mzz2017 commented 4 days ago
  1. Anywhere is OK once you specify it in the run arguments. dae requires root to run, so ~/.config/dae (a user config dir) does not seem like a good choice.
  2. 0600 is recommended for security reasons, the same reason as for .ssh/id_rsa.
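
The permission recommendation above can be checked mechanically. The script below is an added example, not part of dae: it reports every *.dae file under a directory that is not mode 0600 or not owned by the expected user, and can tighten the files in place. It assumes Linux with GNU coreutils `stat`; /etc/dae is just the default discussed above, since dae takes the config path as an argument.

```shell
#!/bin/sh
# Added example, not part of dae: check that every dae config file is owned by
# the expected user and is mode 0600, as recommended above (config files hold
# proxy credentials and subscription URLs, much like ~/.ssh/id_rsa holds a key).
# Assumes Linux with GNU coreutils `stat`.

# check_dae_config_perms [dir] [owner]
# Prints one line per offending *.dae file; returns 0 only when all are fine.
check_dae_config_perms() {
  dir="${1:-/etc/dae}"
  want_owner="${2:-root}"
  status=0
  for f in "$dir"/*.dae; do
    [ -f "$f" ] || continue          # no files at all: nothing to check
    mode=$(stat -c '%a' "$f")        # e.g. 600, 644, 4755
    owner=$(stat -c '%U' "$f")
    case "$mode" in
      600|0600) ;;
      *) echo "BAD MODE  $f: $mode (want 0600)"; status=1 ;;
    esac
    if [ "$owner" != "$want_owner" ]; then
      echo "BAD OWNER $f: $owner (want $want_owner)"; status=1
    fi
  done
  return "$status"
}

# fix_dae_config_perms [dir]
# Tighten every *.dae file in the directory to 0600 (files only; the directory
# itself is left alone). Run as root for /etc/dae.
fix_dae_config_perms() {
  dir="${1:-/etc/dae}"
  chmod 0600 "$dir"/*.dae
}

# Typical use (as root), before starting dae with `dae run -c /etc/dae/config.dae`:
#   check_dae_config_perms /etc/dae || fix_dae_config_perms /etc/dae
```

The check covers all *.dae files in the directory, so the extra files of a split configuration (the `include:` style from the linked discussion) get the same treatment as config.dae.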
marsjane commented 4 days ago

Got it, thanks! BTW, some routing rules are not taking effect; can you help check? Here is the log:

[Jun 25 15:30:15] TRACE Received UDP(DNS) 192.168.50.237:36385 <-> 192.168.50.1:53: kkkkk.abcde. A
[Jun 25 15:30:15] TRACE Request to DNS upstream question=[{Name:kkkkk.abcde. Qtype:1 Qclass:1}] upstream=udp://dns.alidns.com:53
[Jun 25 15:30:15] TRACE Choose DNS path choose=udp+4 ipversions=[4 6] l4protos=[udp] upstream=udp://dns.alidns.com:53 use=223.5.5.5:53
[Jun 25 15:30:15] TRACE Accept question=[{Name:kkkkk.abcde. Qtype:1 Qclass:1}] upstream=udp://dns.alidns.com:53
[Jun 25 15:30:15]  INFO 192.168.50.237:36385 <-> 223.5.5.5:53 _qname=kkkkk.abcde. dialer=direct dscp=0 mac=48:21:0b:32:5f:4a network=udp4(DNS) outbound=direct pid=711 pname=tailscaled policy=fixed qtype=A
[Jun 25 15:30:15] TRACE Received UDP(DNS) 192.168.50.237:46950 <-> 192.168.50.1:53: kkkkk.abcde. AAAA
[Jun 25 15:30:15] TRACE Request to DNS upstream question=[{Name:kkkkk.abcde. Qtype:28 Qclass:1}] upstream=udp://dns.alidns.com:53
[Jun 25 15:30:15] TRACE Choose DNS path choose=udp+4 ipversions=[4 6] l4protos=[udp] upstream=udp://dns.alidns.com:53 use=223.5.5.5:53
[Jun 25 15:30:15] TRACE Accept question=[{Name:kkkkk.abcde. Qtype:28 Qclass:1}] upstream=udp://dns.alidns.com:53
[Jun 25 15:30:15]  INFO 192.168.50.237:46950 <-> 223.5.5.5:53 _qname=kkkkk.abcde. dialer=direct dscp=0 mac=48:21:0b:32:5f:4a network=udp4(DNS) outbound=direct pid=711 pname=tailscaled policy=fixed qtype=AAAA

I already added a rule like:

domain(keyword:kkkkk) -> new_group

but it seems not to be working; from the log it still seems to go direct. I tried replacing kkkkk with github, and it does go to new_group when opening github, so the rule seems not to work because of the special website kkkkk.abcde? Can you see the reason from the log?

marsjane commented 4 days ago

I even tried putting this rule on the top line of routing; still the same. For the global settings I use the same as the example, so it's really confusing...

mzz2017 commented 4 days ago

@marsjane This is dns; its target is 223.5.5.5. Write a rule in dns routing instead.

marsjane commented 4 days ago

Emm, it is a website... I did some more tests; can you help check the results? What I did was add the rule domain(keyword:gitlab) -> MYPROXY; the MYPROXY group has only one node, MYPROXY_http. Then I tested opening http://gitlab.company and https://gitlab.com. Basically I think the rule should send both of them to the MYPROXY_http node. However, when I test this, https://gitlab.com does work as expected, with the log:

[Jun 25 17:12:30] TRACE Accept question=[{Name:gitlab.com. Qtype:28 Qclass:1}] upstream=tcp+udp://dns.google.com:53
[Jun 25 17:12:30]  INFO 192.168.50.237:42194 <-> 8.8.8.8:53 _qname=gitlab.com. dialer=香港标准 IEPL 中继 1 dscp=0 mac=48:21:0b:32:5f:4a network=tcp4(DNS) outbound=HK pid=711 pname=tailscaled policy=min_moving_avg qtype=AAAA
[Jun 25 17:12:30] TRACE Update DNS record cache _qname=gitlab.com. ans=gitlab.com.(AAAA): 2606:4700:90:0:f22e:fbec:5bed:a9b9 rcode=0
[Jun 25 17:12:30] DEBUG UDP(DNS) 192.168.50.237:60518 <-> Cache: gitlab.com. AAAA
[Jun 25 17:12:30] DEBUG Rewrite dial target to domain from=172.65.251.78:443 to=gitlab.com:443
[Jun 25 17:12:30]  INFO 192.168.50.237:42566 <-> gitlab.com:443 dialer=MYPROXY_http dscp=0 ip=172.65.251.78:443 mac=48:21:0b:32:5f:4a network=tcp4 outbound=MYPROXY pid=0 pname=vivaldi-bin policy=fixed sniffed=gitlab.com
[Jun 25 17:12:30] TRACE Received UDP(DNS) 192.168.50.237:36159 <-> 192.168.50.1:53: gitlab.com. A
[Jun 25 17:12:30] DEBUG UDP(DNS) 192.168.50.237:36159 <-> Cache: gitlab.com. A
[Jun 25 17:12:30] TRACE Received UDP(DNS) 192.168.50.237:44712 <-> 192.168.50.1:53: gitlab.com. AAAA
[Jun 25 17:12:30] DEBUG UDP(DNS) 192.168.50.237:44712 <-> Cache: gitlab.com. AAAA
[Jun 25 17:12:30] DEBUG Rewrite dial target to domain from=172.65.251.78:443 to=gitlab.com:443
[Jun 25 17:12:30]  INFO 192.168.50.237:42568 <-> gitlab.com:443 dialer=MYPROXY_http dscp=0 ip=172.65.251.78:443 mac=48:21:0b:32:5f:4a network=tcp4 outbound=MYPROXY pid=0 pname=vivaldi-bin policy=fixed sniffed=gitlab.com
[Jun 25 17:12:30] DEBUG Rewrite dial target to domain from=172.65.251.78:443 to=gitlab.com:443
[Jun 25 17:12:30]  INFO 192.168.50.237:42582 <-> gitlab.com:443 dialer=MYPROXY_http dscp=0 ip=172.65.251.78:443 mac=48:21:0b:32:5f:4a network=tcp4 outbound=MYPROXY pid=0 pname=vivaldi-bin policy=fixed sniffed=gitlab.com

but for http://gitlab.company, which is my company intranet, it seems to just ignore this rule. The log is as follows:

[Jun 25 17:11:00] TRACE Accept question=[{Name:gitlab.company. Qtype:1 Qclass:1}] upstream=tcp+udp://dns.google.com:53
[Jun 25 17:11:00]  INFO 192.168.50.237:44861 <-> 8.8.8.8:53 _qname=gitlab.company. dialer=香港标准 IEPL 中继 1 dscp=0 mac=48:21:0b:32:5f:4a network=tcp4(DNS) outbound=HK pid=711 pname=tailscaled policy=min_moving_avg qtype=A
[Jun 25 17:11:00] TRACE Received UDP(DNS) 192.168.50.237:48329 <-> 192.168.50.1:53: gitlab.company. AAAA
[Jun 25 17:11:00] TRACE Request to DNS upstream question=[{Name:gitlab.company. Qtype:28 Qclass:1}] upstream=tcp+udp://dns.google.com:53
[Jun 25 17:11:00] TRACE Choose DNS path choose=tcp+4 ipversions=[4 6] l4protos=[udp tcp] upstream=tcp+udp://dns.google.com:53 use=8.8.8.8:53
[Jun 25 17:11:00] TRACE Received UDP(DNS) 192.168.50.237:43972 <-> 192.168.50.1:53: gzdata1.fc-smartserver.xyz. AAAA
[Jun 25 17:11:00] TRACE Received UDP(DNS) 192.168.50.237:42102 <-> 192.168.50.1:53: gzdata1.fc-smartserver.xyz. A
[Jun 25 17:11:00] DEBUG UDP(DNS) 192.168.50.237:43972 <-> Cache: gzdata1.fc-smartserver.xyz. AAAA
[Jun 25 17:11:00] DEBUG UDP(DNS) 192.168.50.237:42102 <-> Cache: gzdata1.fc-smartserver.xyz. A
[Jun 25 17:11:00] TRACE Accept question=[{Name:gitlab.company. Qtype:28 Qclass:1}] upstream=tcp+udp://dns.google.com:53
[Jun 25 17:11:00]  INFO 192.168.50.237:48329 <-> 8.8.8.8:53 _qname=gitlab.company. dialer=香港标准 IEPL 中继 1 dscp=0 mac=48:21:0b:32:5f:4a network=tcp4(DNS) outbound=HK pid=711 pname=tailscaled policy=min_moving_avg qtype=AAAA
[Jun 25 17:11:00] DEBUG 192.168.50.237:39502 <-> 104.194.8.134:9993 dialer=香港标准 IEPL 中继 1 dscp=0 ip=104.194.8.134:9993 mac=48:21:0b:32:5f:4a network=udp4 outbound=HK pid=871 pname=zerotier-one policy=min_moving_avg sniffed=

It ignores the rule and goes to the fallback group, which is my HK proxy.

Could you help check which part is wrong here? Thanks!

mzz2017 commented 3 days ago

This seems to be a known problem fixed in #542. Try 0.7.0rc1 or main.

marsjane commented 3 days ago

Thanks, but I just checked and my version is 0.7.0rc1. I also tried the git version: dae version unstable-0.7.0rc1.r3.g3fd2826 go runtime go1.22.4 linux/amd64. It's still the same error. I've put my config here; can you kindly help check:

global {
    tproxy_port: 7888
    tproxy_port_protect: true
    pprof_port: 0
    so_mark_from_dae: 0
    log_level: debug
    disable_waiting_network: false
    enable_local_tcp_fast_redirect: false
    wan_interface: auto
    auto_config_kernel_parameter: true
    tcp_check_url: 'http://cp.cloudflare.com,1.1.1.1,2606:4700:4700::1111'
    tcp_check_http_method: HEAD
    udp_check_dns: 'dns.google.com:53,8.8.8.8,2001:4860:4860::8888'
    check_interval: 600s
    check_tolerance: 50ms
    dial_mode: domain
    allow_insecure: false
    sniffing_timeout: 100ms
    tls_implementation: tls
    utls_imitate: chrome_auto
}
subscription {
    tk: ''
}

node {
    CM_http: 'http://localhost:8843'
}

dns {
    upstream {
        alidns: 'udp://dns.alidns.com:53'
        googledns: 'tcp+udp://dns.google.com:53'
    }
    routing {
        request {
            qname(geosite:cn) -> alidns
            fallback: googledns
        }
    }
}

group {
    HK {
        filter: name(keyword:'香港标准')
        policy: min_moving_avg
    }
    CM {
       filter: name(CM_http)
       policy: fixed(0)
    }
}

routing {
    domain(keyword:gitlab) -> CM
    pname(NetworkManager) -> direct

    dip(224.0.0.0/3, 'ff00::/8') -> direct

    dip(geoip:private) -> direct

    domain(keyword:company) -> CM

    l4proto(udp) && dport(443) -> block
    dip(geoip:cn) -> direct
    domain(geosite:cn) -> direct
    domain(geosite:category-ads) -> block
    fallback: HK
}

So the key question is why domain(keyword:company) -> CM is not working. FYI, these intranet sites are something like http://*.company

mzz2017 commented 3 days ago

I'll look into it.

marsjane commented 3 days ago

Thanks, because it seems domain(keyword:gitlab) -> CM is also not working if it is http://gitlab.company

KuGouGo commented 2 days ago

Thanks, because it seems domain(keyword:gitlab) -> CM is also not working if it is http://gitlab.company

Try adding a space: domain(keyword: company) -> CM

mzz2017 commented 2 days ago

It looks like sniffed is empty, so routing didn't take effect.

marsjane commented 2 days ago

I just tried adding the space:

routing {
    ### Preset rules.

    # Network managers in localhost should be direct to avoid false negative network connectivity check when binding to
    # WAN.
    domain(keyword: company) -> CM
    domain(keyword: gitlab) -> CM
......

But it still seems not to work. I tested with curl -I, which gives a cleaner log, and found some differences. Here is the full comparison of the relevant logs:

# for gitlab.com
[Jun 26 19:32:00] TRACE Received UDP(DNS) 192.168.50.237:60363 <-> 192.168.50.1:53: gitlab.com. A
[Jun 26 19:32:00] TRACE Request to DNS upstream question=[{Name:gitlab.com. Qtype:1 Qclass:1}] upstream=tcp+udp://dns.google.com:53
[Jun 26 19:32:00] TRACE Choose DNS path choose=tcp+4 ipversions=[4 6] l4protos=[udp tcp] upstream=tcp+udp://dns.google.com:53 use=8.8.8.8:53
[Jun 26 19:32:00] TRACE Received UDP(DNS) 192.168.50.237:43772 <-> 192.168.50.1:53: gzdata1.fc-smartserver.xyz. AAAA
[Jun 26 19:32:00] TRACE Received UDP(DNS) 192.168.50.237:55744 <-> 192.168.50.1:53: gzdata1.fc-smartserver.xyz. A
[Jun 26 19:32:00] DEBUG UDP(DNS) 192.168.50.237:43772 <-> Cache: gzdata1.fc-smartserver.xyz. AAAA
[Jun 26 19:32:00] DEBUG UDP(DNS) 192.168.50.237:55744 <-> Cache: gzdata1.fc-smartserver.xyz. A
[Jun 26 19:32:00] TRACE Accept question=[{Name:gitlab.com. Qtype:1 Qclass:1}] upstream=tcp+udp://dns.google.com:53
[Jun 26 19:32:00]  INFO 192.168.50.237:60363 <-> 8.8.8.8:53 _qname=gitlab.com. dialer=香港标准 IEPL 中继 5 dscp=0 mac=48:21:0b:32:5f:4a network=tcp4(DNS) outbound=HK pid=711 pname=tailscaled policy=min_moving_avg qtype=A

[Jun 26 19:32:00] TRACE Update DNS record cache _qname=gitlab.com. ans=gitlab.com.(A): 172.65.251.78 rcode=0
[Jun 26 19:32:00] TRACE Received UDP(DNS) 192.168.50.237:60777 <-> 192.168.50.1:53: gitlab.com. AAAA
[Jun 26 19:32:00] TRACE Request to DNS upstream question=[{Name:gitlab.com. Qtype:28 Qclass:1}] upstream=tcp+udp://dns.google.com:53
[Jun 26 19:32:00] TRACE Choose DNS path choose=tcp+4 ipversions=[4 6] l4protos=[udp tcp] upstream=tcp+udp://dns.google.com:53 use=8.8.8.8:53
[Jun 26 19:32:00] TRACE Received UDP(DNS) 192.168.50.237:34868 <-> 192.168.50.1:53: gzdata1.fc-smartserver.xyz. AAAA
[Jun 26 19:32:00] TRACE Received UDP(DNS) 192.168.50.237:34452 <-> 192.168.50.1:53: gzdata1.fc-smartserver.xyz. A
[Jun 26 19:32:00] DEBUG UDP(DNS) 192.168.50.237:34868 <-> Cache: gzdata1.fc-smartserver.xyz. AAAA
[Jun 26 19:32:00] DEBUG UDP(DNS) 192.168.50.237:34452 <-> Cache: gzdata1.fc-smartserver.xyz. A
[Jun 26 19:32:00] TRACE Accept question=[{Name:gitlab.com. Qtype:1 Qclass:1}] upstream=tcp+udp://dns.google.com:53
[Jun 26 19:32:00]  INFO 192.168.50.237:60363 <-> 8.8.8.8:53 _qname=gitlab.com. dialer=香港标准 IEPL 中继 5 dscp=0 mac=48:21:0b:32:5f:4a network=tcp4(DNS) outbound=HK pid=711 pname=tailscaled policy=min_moving_avg qtype=A
[Jun 26 19:32:00] TRACE Update DNS record cache _qname=gitlab.com. ans=gitlab.com.(A): 172.65.251.78 rcode=0
[Jun 26 19:32:00] TRACE Received UDP(DNS) 192.168.50.237:60777 <-> 192.168.50.1:53: gitlab.com. AAAA
[Jun 26 19:32:00] TRACE Request to DNS upstream question=[{Name:gitlab.com. Qtype:28 Qclass:1}] upstream=tcp+udp://dns.google.com:53
[Jun 26 19:32:00] TRACE Choose DNS path choose=tcp+4 ipversions=[4 6] l4protos=[udp tcp] upstream=tcp+udp://dns.google.com:53 use=8.8.8.8:53
[Jun 26 19:32:00] TRACE Received UDP(DNS) 192.168.50.237:34868 <-> 192.168.50.1:53: gzdata1.fc-smartserver.xyz. AAAA
[Jun 26 19:32:00] TRACE Received UDP(DNS) 192.168.50.237:34452 <-> 192.168.50.1:53: gzdata1.fc-smartserver.xyz. A
[Jun 26 19:32:00] DEBUG UDP(DNS) 192.168.50.237:34868 <-> Cache: gzdata1.fc-smartserver.xyz. AAAA
[Jun 26 19:32:00] DEBUG UDP(DNS) 192.168.50.237:34452 <-> Cache: gzdata1.fc-smartserver.xyz. A
[Jun 26 19:32:00] TRACE Accept question=[{Name:gitlab.com. Qtype:28 Qclass:1}] upstream=tcp+udp://dns.google.com:53
[Jun 26 19:32:00]  INFO 192.168.50.237:60777 <-> 8.8.8.8:53 _qname=gitlab.com. dialer=香港标准 IEPL 中继 5 dscp=0 mac=48:21:0b:32:5f:4a network=tcp4(DNS) outbound=HK pid=711 pname=tailscaled policy=min_moving_avg qtype=AAAA
[Jun 26 19:32:00] TRACE Update DNS record cache _qname=gitlab.com. ans=gitlab.com.(AAAA): 2606:4700:90:0:f22e:fbec:5bed:a9b9 rcode=0
[Jun 26 19:32:00] DEBUG Rewrite dial target to domain from=172.65.251.78:80 to=gitlab.com:80
[Jun 26 19:32:00]  INFO 192.168.50.237:42338 <-> gitlab.com:80 dialer=CM_http dscp=0 ip=172.65.251.78:80 mac=48:21:0b:32:5f:4a network=tcp4 outbound=CM pid=0 pname=curl policy=fixed sniffed=gitlab.com

# for gitlab.company
[Jun 26 19:33:08] TRACE Received UDP(DNS) 192.168.50.237:45882 <-> 192.168.50.1:53: gitlab.company. A
[Jun 26 19:33:08] TRACE Request to DNS upstream question=[{Name:gitlab.company. Qtype:1 Qclass:1}] upstream=tcp+udp://dns.google.com:53
[Jun 26 19:33:08] TRACE Choose DNS path choose=tcp+4 ipversions=[4 6] l4protos=[udp tcp] upstream=tcp+udp://dns.google.com:53 use=8.8.8.8:53
[Jun 26 19:33:08] TRACE Received UDP(DNS) 192.168.50.237:60972 <-> 192.168.50.1:53: gzdata1.fc-smartserver.xyz. A
[Jun 26 19:33:08] TRACE Received UDP(DNS) 192.168.50.237:57314 <-> 192.168.50.1:53: gzdata1.fc-smartserver.xyz. AAAA
[Jun 26 19:33:08] DEBUG UDP(DNS) 192.168.50.237:60972 <-> Cache: gzdata1.fc-smartserver.xyz. A
[Jun 26 19:33:08] DEBUG UDP(DNS) 192.168.50.237:57314 <-> Cache: gzdata1.fc-smartserver.xyz. AAAA
[Jun 26 19:33:08] TRACE Accept question=[{Name:gitlab.company. Qtype:1 Qclass:1}] upstream=tcp+udp://dns.google.com:53
[Jun 26 19:33:08]  INFO 192.168.50.237:45882 <-> 8.8.8.8:53 _qname=gitlab.company. dialer=香港标准 IEPL 中继 5 dscp=0 mac=48:21:0b:32:5f:4a network=tcp4(DNS) outbound=HK pid=711 pname=tailscaled policy=min_moving_avg qtype=A

[Jun 26 19:33:08] TRACE Received UDP(DNS) 192.168.50.237:52284 <-> 192.168.50.1:53: gitlab.company. AAAA
[Jun 26 19:33:08] TRACE Request to DNS upstream question=[{Name:gitlab.company. Qtype:28 Qclass:1}] upstream=tcp+udp://dns.google.com:53
[Jun 26 19:33:08] TRACE Choose DNS path choose=tcp+4 ipversions=[4 6] l4protos=[udp tcp] upstream=tcp+udp://dns.google.com:53 use=8.8.8.8:53
[Jun 26 19:33:08] TRACE Received UDP(DNS) 192.168.50.237:55406 <-> 192.168.50.1:53: gzdata1.fc-smartserver.xyz. AAAA
[Jun 26 19:33:08] TRACE Received UDP(DNS) 192.168.50.237:54051 <-> 192.168.50.1:53: gzdata1.fc-smartserver.xyz. A
[Jun 26 19:33:08] DEBUG UDP(DNS) 192.168.50.237:55406 <-> Cache: gzdata1.fc-smartserver.xyz. AAAA
[Jun 26 19:33:08] DEBUG UDP(DNS) 192.168.50.237:54051 <-> Cache: gzdata1.fc-smartserver.xyz. A
[Jun 26 19:33:08] TRACE Accept question=[{Name:gitlab.company. Qtype:28 Qclass:1}] upstream=tcp+udp://dns.google.com:53
[Jun 26 19:33:08]  INFO 192.168.50.237:52284 <-> 8.8.8.8:53 _qname=gitlab.company. dialer=香港标准 IEPL 中继 5 dscp=0 mac=48:21:0b:32:5f:4a network=tcp4(DNS) outbound=HK pid=711 pname=tailscaled policy=min_moving_avg qtype=AAAA

For gitlab.com, three lines are quite different:

[Jun 26 19:32:00] TRACE Update DNS record cache _qname=gitlab.com. ans=gitlab.com.(A): 172.65.251.78 rcode=0
[Jun 26 19:32:00] TRACE Update DNS record cache _qname=gitlab.com. ans=gitlab.com.(A): 172.65.251.78 rcode=0
[Jun 26 19:32:00] TRACE Update DNS record cache _qname=gitlab.com. ans=gitlab.com.(AAAA): 2606:4700:90:0:f22e:fbec:5bed:a9b9 rcode=0
[Jun 26 19:32:00] DEBUG Rewrite dial target to domain from=172.65.251.78:80 to=gitlab.com:80

After that, it is successfully applied to CM:

[Jun 26 19:32:00]  INFO 192.168.50.237:42338 <-> gitlab.com:80 dialer=CM_http dscp=0 ip=172.65.251.78:80 mac=48:21:0b:32:5f:4a network=tcp4 outbound=CM pid=0 pname=curl policy=fixed sniffed=gitlab.com

But for gitlab.company there is no "TRACE Update" related log. Can you see what the problem is?

marsjane commented 2 days ago

It looks like sniffed is empty, so routing didn't take effect.

Oh, so how should I handle this?

mzz2017 commented 2 days ago

It looks like there is no "Update DNS record cache _qname=gitlab.company" entry at all. My guess is that this domain has to be handed to an intranet DNS to get a result. You can add a DNS upstream that can resolve this domain and forward queries for this domain to that DNS.
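
Two points made in this thread can be checked mechanically from a dae trace log: the earlier reply that a line with network=udp4(DNS) is a DNS query governed by dns.routing rather than routing, and the diagnosis just above that a domain() routing rule can only match once dae has cached an answer for the name ("Update DNS record cache ... ans=<records>") and rewritten the dial target to it. The script below is an added example, not part of dae; it assumes only the log line formats visible in this issue, and the sample log in the test is trimmed from the lines posted above.

```shell
#!/bin/sh
# Added example, not part of dae: triage a dae debug/trace log for one domain.
# A domain() rule in `routing` can only fire for a connection whose destination
# dae already knows by name, from its DNS answer cache ("Update DNS record cache
# ... ans=<non-empty>") or from sniffing. With no cache entry, or an empty one
# (NODATA), the dial is never rewritten to the domain and the connection falls
# through to later rules or `fallback`. Assumes the log formats seen above.

# dae_dns_triage <logfile> <qname-without-trailing-dot>
# Prints exactly one of:
#   NO_QUERY_LOGGED        no DNS query for the name passed through dae
#   NO_ANSWER_LOGGED       queries were sent, but no cache update was logged
#   EMPTY_ANSWER           cache updated with "ans=" and no records (NODATA)
#   RESOLVED_NOT_REWRITTEN records cached, but no dial was rewritten to the name
#   RESOLVED_AND_REWRITTEN records cached and a dial target was rewritten
dae_dns_triage() {
  log="$1"; q="$2"
  qe=$(printf '%s' "$q" | sed 's/\./\\./g')   # escape dots for grep
  # DNS query lines carry "_qname=<name>. " and network=...(DNS): dns.routing territory.
  if ! grep -q "_qname=${qe}\. " "$log"; then
    echo NO_QUERY_LOGGED; return 0
  fi
  upd=$(grep "Update DNS record cache _qname=${qe}\. " "$log" || true)
  if [ -z "$upd" ]; then
    echo NO_ANSWER_LOGGED; return 0
  fi
  # A real answer looks like "ans=<name>.(A): 1.2.3.4"; NODATA is "ans= rcode=0".
  if ! printf '%s\n' "$upd" | grep -q "ans=${qe}\.("; then
    echo EMPTY_ANSWER; return 0
  fi
  # Only now can `domain(...)` rules in `routing` see this name.
  if grep -q "Rewrite dial target to domain .* to=${qe}:" "$log"; then
    echo RESOLVED_AND_REWRITTEN
  else
    echo RESOLVED_NOT_REWRITTEN
  fi
}

# dae_dns_upstreams <logfile> <qname>
# Which DNS upstream(s) served the name, from the "Accept question=... upstream="
# trace lines; this is what the dns.routing rules decided.
dae_dns_upstreams() {
  log="$1"; q="$2"
  qe=$(printf '%s' "$q" | sed 's/\./\\./g')
  grep "Accept question=\[{Name:${qe}\. " "$log" \
    | sed -n 's/.*upstream=\([^ ]*\).*/\1/p' | sort -u
}

# Usage against a live log (log_level: trace):
#   journalctl -u dae --no-pager > /tmp/dae.log
#   dae_dns_triage /tmp/dae.log gitlab.company
#   dae_dns_upstreams /tmp/dae.log gitlab.company
```

Reading the states against the thread: gitlab.com ends in RESOLVED_AND_REWRITTEN and the connection line shows sniffed=gitlab.com and outbound=CM; gitlab.company ends in NO_ANSWER_LOGGED (public upstream) or EMPTY_ANSWER (the asis attempt), so no domain() rule can match it, whatever its position in routing.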

marsjane commented 2 days ago

That feels right! Previously, in another tool, this worked without problems:

  default-nameserver:
    - 223.5.5.5
  nameserver:
    - tls://8.8.4.4
    - tls://1.1.1.1
  nameserver-policy:
    "geosite:cn,private":
      - https://doh.pub/dns-query
      - https://dns.alidns.com/dns-query

I don't know how to convert this over. It seems tls and https are not supported yet? I tried tcp+udp://223.5.5.5:53 and added a rule; it did go through this DNS, but it still seems not to resolve:

[Jun 26 22:26:45]  INFO 192.168.50.237:42647 <-> 223.5.5.5:53 _qname=gitlab.company. dialer=direct dscp=0 mac=48:21:0b:32:5f:4a network=udp4(DNS) outbound=direct pid=711 pname=tailscaled policy=fixed qtype=A
[Jun 26 22:26:45] TRACE Received UDP(DNS) 192.168.50.237:42466 <-> 192.168.50.1:53: gitlab.company. AAAA
[Jun 26 22:26:45] TRACE Request to DNS upstream question=[{Name:gitlab.company. Qtype:28 Qclass:1}] upstream=tcp+udp://223.5.5.5:53
[Jun 26 22:26:45] TRACE Choose DNS path choose=udp+4 ipversions=[4] l4protos=[udp tcp] upstream=tcp+udp://223.5.5.5:53 use=223.5.5.5:53
[Jun 26 22:26:45] TRACE Accept question=[{Name:gitlab.company. Qtype:28 Qclass:1}] upstream=tcp+udp://223.5.5.5:53
[Jun 26 22:26:45]  INFO 192.168.50.237:42466 <-> 223.5.5.5:53 _qname=gitlab.company. dialer=direct dscp=0 mac=48:21:0b:32:5f:4a network=udp4(DNS) outbound=direct pid=711 pname=tailscaled policy=fixed qtype=AAAA
TRAC[0042] sniffUdp                                      error="sniffing error: not applicable" from="192.168.50.237:39502" to="50.7.252.138:9993"

I really don't understand this area. Is there any recommended DNS upstream?

mzz2017 commented 2 days ago

@marsjane In dns routing, use qname(suffix:gitlab.company)->asis

marsjane commented 2 days ago

Does asis need to be defined? What I currently added is ali: 'tcp+udp://223.5.5.5:53' and qname(keyword:company) -> ali

mzz2017 commented 2 days ago

@marsjane No need to define it. asis means "use whatever the request used"; in the log above that is 192.168.50.1:53. You can verify with dig gitlab.company @192.168.50.1 and see whether there is a result.

mzz2017 commented 2 days ago

@marsjane Run the dig test with dae stopped.

marsjane commented 2 days ago

The dig indeed works fine. I tried what you said, and it indeed goes through 192.168.50.1:53, but there still seems to be no result ==

[Jun 26 22:47:19] TRACE Received UDP(DNS) 192.168.50.237:33241 <-> 192.168.50.1:53: gitlab.company.
[Jun 26 22:47:19] TRACE Request to DNS upstream question=[{Name:gitlab.company. Qtype:1 Qclass:1}] upstream=asis
[Jun 26 22:47:19] TRACE Choose DNS path choose=udp+4 ipversions=[4] l4protos=[udp] upstream=udp://192.168.50.1:53 use=192.168.50.1:53
[Jun 26 22:47:19] TRACE Accept question=[{Name:gitlab.company. Qtype:1 Qclass:1}] upstream=asis
[Jun 26 22:47:19]  INFO 192.168.50.237:33241 <-> 192.168.50.1:53 _qname=gitlab.company. dialer=direct dscp=0 mac=48:21:0b:32:5f:4a network=udp4(DNS) outbound=direct pid=711 pname=tailscaled policy=fixed qtype=A
[Jun 26 22:47:19] TRACE Received UDP(DNS) 192.168.50.237:52313 <-> 192.168.50.1:53: gitlab.company. AAAA
[Jun 26 22:47:19] TRACE Request to DNS upstream question=[{Name:gitlab.company. Qtype:28 Qclass:1}] upstream=asis
[Jun 26 22:47:19] TRACE Choose DNS path choose=udp+4 ipversions=[4] l4protos=[udp] upstream=udp://192.168.50.1:53 use=192.168.50.1:53
[Jun 26 22:47:19] TRACE Accept question=[{Name:gitlab.company. Qtype:28 Qclass:1}] upstream=asis
[Jun 26 22:47:19]  INFO 192.168.50.237:52313 <-> 192.168.50.1:53 _qname=gitlab.company. dialer=direct dscp=0 mac=48:21:0b:32:5f:4a network=udp4(DNS) outbound=direct pid=711 pname=tailscaled policy=fixed qtype=AAAA
[Jun 26 22:47:19] TRACE Update DNS record cache _qname=gitlab.company. ans= rcode=0

Why does dig work but this doesn't?

marsjane commented 2 days ago

It seems there is now an Update DNS record cache entry, but still no Rewrite dial target to domain. In any case, my curl -I command shows curl: (6) Could not resolve host: gitlab.company

linglilongyi commented 2 days ago

This Update DNS record cache entry has no answer, so the problem should be on 192.168.50.1?

marsjane commented 2 days ago

This Update DNS record cache entry has no answer, so the problem should be on 192.168.50.1?

Then is there any way not to use 192.168.50.1? Why did the settings of the other software I mentioned above work? I don't know which DNS that one used.

linglilongyi commented 2 days ago

My understanding is that whether or not you use 192.168.50.1, you need a DNS service (server) that can resolve your company's intranet domains. But you said the dig test with dae stopped worked, which should mean 192.168.50.1 can resolve .company domains.

Also, I noticed the pname is tailscaled / zerotier-one. Does the DNS query depend on something like ZeroNS? If DNS has to depend on another process, you may need to keep dae from hijacking it, perhaps with pname(ZeroNSD) -> must_direct in dae's routing (not sure of the exact pname). You may need to ask the relevant software's community for help.

Hope this helps.

mzz2017 commented 2 days ago

I received your email. It looks like a manual dig also returns no A/AAAA records. The HTTP proxy can work because it sends the domain name directly to the remote end. Under fakeip this problem may be avoided, which is probably why your clash works. The first thing to solve now is that you can't resolve the domain, most likely because your domain lives on an intranet DNS server. You can do the following:

  1. On the company node machine, look up the company DNS IP and set it as one of dae's upstreams.
  2. qname(keyword: company) -> that upstream
  3. dip(that DNS IP) -> the company node
  4. domain(keyword: company) -> the company node
marsjane commented 2 days ago

OK, thanks both, I'll try it! By the way, how do I find the company DNS IP? I checked /etc/resolv.conf on an internal machine, and it has nameserver 127.0.0.53

linglilongyi commented 2 days ago

OK, thanks both, I'll try it! By the way, how do I find the company DNS IP? I checked /etc/resolv.conf on an internal machine, and it has nameserver 127.0.0.53

On the internal machine, run nslookup on a .company domain.

marsjane commented 2 days ago
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
gitlab.company      canonical name = xxxxx.company.
Name:  xxxxxxx
Address: 10.202.***.***

Then I used cm: 'tcp+udp://10.202.***.***:53', but judging from the log it can't be written this way?

[Jun 27 14:30:09] TRACE Choose DNS path choose=udp+4 ipversions=[4] l4protos=[udp tcp] upstream=tcp+udp://10.202.***.***:53 use=10.202.***.***:53
[Jun 27 14:30:09]  WARN handlePkt: failed to dial '10.202.***.***:53': unknown network unsupported tunnel type
linglilongyi commented 2 days ago

The DNS server is the one in [Server: 127.0.0.53]; the address below it is the resolved IP of gitlab.company.

Does it look like the name resolution is written in /etc/hosts on the machine you're operating?

marsjane commented 2 days ago

I checked my own machine; its /etc/hosts doesn't have it. But this node actually goes through a relay, and I'm not sure whether it's on the relay machine; I don't have access to that part. So in this situation, is there any other way? Is there a way to handle this domain the way clash does?

mzz2017 commented 2 days ago

@marsjane Run tcpdump -i any dst port 53 -n directly, then open a new terminal and run nslookup to see what the destination address is (there may be a cache; test again after the cache expires).

mzz2017 commented 2 days ago

@marsjane Another way is lsof -i:53 to see which process is listening on 53, then find its config file to see what the upstream DNS is.

marsjane commented 2 days ago

I seem to lack permission to run tcpdump, as I'm not an administrator. I ran lsof -i :53 and it printed nothing at all; I'm not sure whether that's also insufficient permissions.

mzz2017 commented 1 day ago

@marsjane
  1. Ask what the company DNS server is.
  2. Connect your own computer or laptop to the company intranet and see what it is.
  3. It's bound to be one of systemd-networkd / NetworkManager / dnsmasq; check them one by one.
mzz2017 commented 1 day ago

@marsjane Oh right, 127.0.0.53 is fine too; you can use it directly as an upstream: xxxx: 'udp://127.0.0.53:53'

marsjane commented 1 day ago

'udp://127.0.0.53:53', the output of nmcli device show | grep IP4.DNS, and the output of for ns in $(dig +short NS gitlab.company); do dig +short A $ns; done: I tried them all, and none works == I guess my scenario is rather odd; maybe it's hard to handle.

mzz2017 commented 1 day ago

@marsjane You have to follow the steps I described above; you can't just add an upstream. Use 127.0.0.53, and it has to be forwarded through the proxy. To avoid a direct connection, that dip rule in routing has to be very near the top.

marsjane commented 1 day ago

Is my current setup correct?

cm: 'udp://127.0.0.53:53'
qname(keyword:company) -> cm

# put on the first line
dip(127.0.0.53) -> CM
domain(keyword: company) -> CM

Then its error is:

[Jun 27 23:10:06] TRACE Choose DNS path choose=udp+4 ipversions=[4] l4protos=[udp] upstream=udp://127.0.0.53:53 use=127.0.0.53:53
[Jun 27 23:10:06]  WARN handlePkt: failed to dial '127.0.0.53:53': unknown network unsupported tunnel type

But I indeed didn't see any log of 127.0.0.53 going through my CM node; it seems dip(127.0.0.53) -> CM didn't take effect either?

marsjane commented 1 day ago

@mzz2017 So why didn't dip(127.0.0.53) -> CM take effect? I think your method is indeed reasonable; I just don't know why it isn't dispatched there for 127.0.0.53. I guess this error, failed to dial '127.0.0.53:53': unknown network unsupported tunnel type, is the reason?

mzz2017 commented 1 day ago

Could you post a more complete config?

marsjane commented 1 day ago
global {
    tproxy_port: 7888
    tproxy_port_protect: true
    pprof_port: 0
    so_mark_from_dae: 0
    log_level: trace
    disable_waiting_network: false
    enable_local_tcp_fast_redirect: false
    wan_interface: auto
    auto_config_kernel_parameter: true
    tcp_check_url: 'http://cp.cloudflare.com,1.1.1.1,2606:4700:4700::1111'
    tcp_check_http_method: HEAD
    udp_check_dns: 'dns.google.com:53,8.8.8.8,2001:4860:4860::8888'
    check_interval: 600s
    check_tolerance: 50ms
    dial_mode: domain
    allow_insecure: false
    sniffing_timeout: 100ms
    tls_implementation: tls
    utls_imitate: chrome_auto
}
# Subscriptions defined here will be resolved as nodes and merged as a part of the global node pool.
# Support to give the subscription a tag, and filter nodes from a given subscription in the group section.
subscription {
    # Add your subscription links here.
    aa: ''
}

# Nodes defined here will be merged as a part of the global node pool.
node {
    CM_http: 'http://127.0.0.1:8843'
}

# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples.
dns {
    upstream {
        cm: 'udp://127.0.0.53:53'
        alidns: 'udp://dns.alidns.com:53'
        googledns: 'tcp+udp://dns.google.com:53'
    }
    routing {
        # According to the request of dns query, decide to use which DNS upstream.
        # Match rules from top to bottom.
        request {
            # Lookup China mainland domains using alidns, otherwise googledns.
            qname(keyword:company) -> cm
            qname(geosite:cn) -> alidns
            # fallback is also called default.
            fallback: googledns
        }
    }
}

# Node group (outbound).
group {
    HK {
        # No filter. Use all nodes.

        # Randomly select a node from the group for every connection.
        #policy: random

        # Select the first node from the group for every connection.
        #policy: fixed(0)

        # Select the node with min last latency from the group for every connection.
        #policy: min

        # Select the node with min moving average of latencies from the group for every connection.
        filter: name(keyword:'香港标准')
        policy: min_moving_avg
    }
    CM {
       filter: name(CM_http)
       policy: fixed(0)
    }
}

# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples.
routing {
    ### Preset rules.

    # Network managers in localhost should be direct to avoid false negative network connectivity check when binding to
    # WAN.
    dip(127.0.0.53) -> CM
    domain(keyword: company) -> CM
    domain(keyword: gitlab) -> CM
    pname(NetworkManager) -> direct

    # Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being
    # forwarded by the proxy.
    # "dip" means destination IP.
    dip(224.0.0.0/3, 'ff00::/8') -> direct

    # This line allows you to access private addresses directly instead of via your proxy. If you really want to access
    # private addresses in your proxy host network, modify the below line.
    dip(geoip:private) -> direct

    ### Write your rules below.

    # Disable h3 because it usually consumes too much cpu/mem resources.
    l4proto(udp) && dport(443) -> block
    dip(geoip:cn) -> direct
    domain(geosite:cn) -> direct
    domain(geosite:category-ads) -> block

    fallback: HK
}
xmapst commented 1 day ago

Try changing pname(NetworkManager) -> direct to pname(NetworkManager,systemd-resolved) -> direct

because 127.0.0.53:53 is systemd-resolved.

marsjane commented 1 day ago

Ah, I tried it; still the same error: WARN handlePkt: failed to dial '127.0.0.53:53': unknown network unsupported tunnel type

mzz2017 commented 1 day ago

@marsjane It looks fine; I'll have to find time to reproduce it.

marsjane commented 1 day ago

Thanks!

mzz2017 commented 1 day ago

@marsjane Your node is HTTP, which doesn't support UDP. There are two solutions:

  1. Use socks5.
  2. Not sure whether the upstream DNS supports TCP; try changing the upstream to tcp://127.0.0.53:53.
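
The mismatch diagnosed above can be caught before dae is started. The script below is an added example, not part of dae: it checks a DNS upstream URL against the proxy node that will carry it, and scans a config file in the one-URL-per-line style used in this thread for the same problem. It treats http/https nodes as TCP-only (the cause of "unsupported tunnel type"), flags both udp:// and tcp+udp:// for them (the trace lines above show a tcp+udp:// upstream choosing the UDP path), and accepts socks5 nodes for any transport as suggested above. Node types other than those three are not judged.

```shell
#!/bin/sh
# Added example, not part of dae: pre-flight check for the transport mismatch
# that ended this thread. An HTTP/HTTPS proxy node carries TCP only, so a DNS
# upstream forwarded through it must be tcp://; udp:// fails with "unsupported
# tunnel type", and tcp+udp:// may pick the UDP path. SOCKS5 can relay UDP.

# dns_upstream_ok <node-url> <dns-upstream-url>
# Returns 0 if the node can carry the upstream's transport, 1 (with a reason)
# if it cannot. Node schemes other than http/https/socks5 are not judged.
dns_upstream_ok() {
  node="$1"; up="$2"
  node_scheme="${node%%://*}"
  up_scheme="${up%%://*}"
  case "$node_scheme" in
    http|https)
      case "$up_scheme" in
        tcp) return 0 ;;
        udp|tcp+udp)
          echo "$up needs UDP but node $node is $node_scheme (TCP only): use tcp:// or a socks5 node"
          return 1 ;;
        *) echo "unknown upstream scheme '$up_scheme' in $up"; return 1 ;;
      esac ;;
    *) return 0 ;;
  esac
}

# urls_in_block <config-file> <block-name>
# Print the single-quoted URLs inside `<block-name> { ... }`, one per line.
# Assumes one URL per line and no nested braces in that block, as in the
# `node {` and `upstream {` blocks posted above. global's tcp_check_url is
# outside those blocks and is therefore ignored.
urls_in_block() {
  awk -v blk="$2" -v q="'" '
    $0 ~ "^[[:space:]]*" blk "[[:space:]]*[{]" { inside = 1; next }
    inside && /^[[:space:]]*}/                  { inside = 0 }
    inside && match($0, q "[a-z0-9+]*://[^" q "]*" q) {
      print substr($0, RSTART + 1, RLENGTH - 2)
    }' "$1"
}

# lint_dae_dns_transport <config-file>
# Cross-check every node URL against every DNS upstream URL in the file.
lint_dae_dns_transport() {
  cfg="$1"; rc=0
  for n in $(urls_in_block "$cfg" node); do
    for u in $(urls_in_block "$cfg" upstream); do
      dns_upstream_ok "$n" "$u" || rc=1
    done
  done
  return "$rc"
}

# Usage:
#   lint_dae_dns_transport /etc/dae/config.dae && dae validate -c /etc/dae/config.dae
```

Note that the check only says whether the node can carry the transport; whether the upstream itself answers over TCP (the second point in the reply above) still has to be tested against the server, for example with dig +tcp while dae is stopped.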
marsjane commented 22 hours ago

Ah, tcp works! Thanks!!

IceCodeNew commented 21 hours ago

What a coincidence. I also ran into the case where the node is an https proxy and setting the DNS upstream to udp gives an error. I didn't expect to find the solution right after coming here to search the issues, haha.

marsjane commented 20 hours ago

That's fate indeed. Thanks @mzz2017 and the others for patiently helping to debug! Looking forward to #567