search

klzgrad / naiveproxy

Make a fortune quietly
BSD 3-Clause "New" or "Revised" License
6.64k stars 882 forks source link

关于resolver-range的使用 #436

Closed triggered96 closed 1 year ago

triggered96 commented 1 year ago

在naive的redir下,会开启一个udp同tcp一样的端口。比如:

naive   572427 root   15u  IPv4 253848209      0t0  TCP *:1088 (LISTEN)
naive   572427 root   16u  IPv4 253848210      0t0  UDP *:1088

同时我看也看到了 --resolver-range=配置项,但为什么是100.64.0.0/10? 还有就是https://github.com/klzgrad/naiveproxy/blob/master/src/net/tools/naive/redirect_resolver.cc 似乎在redir也似乎没有太多的运作,基本都走 https://github.com/klzgrad/naiveproxy/blob/master/src/net/tools/naive/naive_connection.cc#L246-L247

IPEndPoint ipe;
if (ipe.FromSockAddr(dst.addr, dst.addr_len)) {
    const auto& addr = ipe.address();
        auto name = resolver_->FindNameByAddress(addr);
        if (!name.empty()) {
          origin = HostPortPair(name, ipe.port());
L246      } else if (!resolver_->IsInResolvedRange(addr)) {
L247          origin = HostPortPair::FromIPEndPoint(ipe);
        } else {
          LOG(ERROR) << "Connection " << id_ << " to unresolved name for "
                     << addr.ToString();
          return ERR_ADDRESS_INVALID;
    }
}
void RedirectResolver::DoRead() {
  for (;;) {
    int rv = socket_->RecvFrom(
        buffer_.get(), kUdpReadBufferSize, &recv_address_,
        base::BindOnce(&RedirectResolver::OnRecv, base::Unretained(this)));
    if (rv == ERR_IO_PENDING) 
      return;              // 基本都在这就return掉了。 后面的rv = HandleReadResult(rv);不执行
    rv = HandleReadResult(rv);
    if (rv == ERR_IO_PENDING)
      return;
    if (rv < 0) {
      LOG(INFO) << "DoRead: ignoring error " << rv;
    }
  }
}
  --resolver-range=CIDR

    Uses this range in the builtin resolver. Default: 100.64.0.0/10.
triggered96 commented 1 year ago

我似乎知道了,udp用于dns解析。但似乎解析出来的是

root@Debian9:~# dig @127.0.0.1 -p1088 www.youtube.com

; <<>> DiG 9.10.3-P4-Debian <<>> @127.0.0.1 -p1088 www.youtube.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41189
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.youtube.com.       IN  A

;; ANSWER SECTION:
www.youtube.com.    60  IN  A   100.64.0.2

;; Query time: 0 msec
;; SERVER: 127.0.0.1#1088(127.0.0.1)
;; WHEN: Sat Dec 24 14:01:37 UTC 2022
;; MSG SIZE  rcvd: 64

如果采取dnsmasq,则

; <<>> DiG 9.10.3-P4-Debian <<>> @127.0.0.1 -p5337 www.youtube.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11735
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.youtube.com.       IN  A

;; ANSWER SECTION:
www.youtube.com.    600 IN  CNAME   youtube-ui.l.google.com.
youtube-ui.l.google.com. 600    IN  A   142.250.189.206
youtube-ui.l.google.com. 600    IN  A   172.217.164.110
youtube-ui.l.google.com. 600    IN  A   142.250.191.78
youtube-ui.l.google.com. 600    IN  A   142.251.32.46
youtube-ui.l.google.com. 600    IN  A   142.250.189.174
youtube-ui.l.google.com. 600    IN  A   142.251.46.238
youtube-ui.l.google.com. 600    IN  A   142.250.191.46
youtube-ui.l.google.com. 600    IN  A   142.251.46.206
youtube-ui.l.google.com. 600    IN  A   142.251.46.174
youtube-ui.l.google.com. 600    IN  A   142.250.189.238
youtube-ui.l.google.com. 600    IN  A   142.251.214.142
youtube-ui.l.google.com. 600    IN  A   142.250.72.206
klzgrad commented 1 year ago

这个相当于FakeDNS

      Also activates a DNS resolver on the same UDP port. Similar iptables
      rules can redirect DNS queries to this resolver. The resolver returns
      artificial addresses that are translated back to the original domain
      names in proxy requests and then resolved remotely.

      The artificial results are not saved for privacy, so restarting the
      resolver may cause downstream to cache stale results.

要配合iptables重定向udp端口或者dnsmasq转发使用。好处是可以避免解析DNS的1-RTT延迟,坏处是缓存的解析结果不一致容易造成故障。现在已经不推荐了,但是暂时也不打算删除。100.64.0.0/10是https://en.wikipedia.org/wiki/Reserved_IP_addresses 里面感觉比较合理的一段。

xgmq commented 1 year ago

这个相当于FakeDNS

      Also activates a DNS resolver on the same UDP port. Similar iptables
      rules can redirect DNS queries to this resolver. The resolver returns
      artificial addresses that are translated back to the original domain
      names in proxy requests and then resolved remotely.

      The artificial results are not saved for privacy, so restarting the
      resolver may cause downstream to cache stale results.

要配合iptables重定向udp端口或者dnsmasq转发使用。好处是可以避免解析DNS的1-RTT延迟,坏处是缓存的解析结果不一致容易造成故障。现在已经不推荐了,但是暂时也不打算删除。100.64.0.0/10是https://en.wikipedia.org/wiki/Reserved_IP_addresses 里面感觉比较合理的一段。

把DNS緩存關閉好像沒遇過問題。

為什麼會不推薦?我覺得挺好用的。透過代理解析DNS很常都是走TCP,實際使用解析速度很常會超過一秒。 還要為了ios把type 65的DNS解析擋掉。 如果用fakedns,iptables只要處理 -d 100.64.0.0/10,有時連ipset都不用裝。 用下來fakedns是最簡單最直覺的方案。

找了好多代理只有v2ray跟naiveproxy有附fakedns。 也找不到類似純socks轉接fakedns+redir的工具。 有時候為了用tuic或hysteria,接v2ray當fakedns+redir 轉接 socks的工具用。

klzgrad commented 1 year ago

不推荐的原因是fake解析结果因为重启或者应用程序内部缓存原因造成问题时很难诊断,而且多级缓存真实解析结果可以大部分避免性能问题

82kg commented 1 year ago

请教 -d 100.64.0.0/10 具体要怎么写呢