Closed triggered96 closed 1 year ago
我似乎知道了,udp用于dns解析。但似乎解析出来的是
root@Debian9:~# dig @127.0.0.1 -p1088 www.youtube.com
; <<>> DiG 9.10.3-P4-Debian <<>> @127.0.0.1 -p1088 www.youtube.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41189
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.youtube.com. IN A
;; ANSWER SECTION:
www.youtube.com. 60 IN A 100.64.0.2
;; Query time: 0 msec
;; SERVER: 127.0.0.1#1088(127.0.0.1)
;; WHEN: Sat Dec 24 14:01:37 UTC 2022
;; MSG SIZE rcvd: 64
如果采取dnsmasq,则
; <<>> DiG 9.10.3-P4-Debian <<>> @127.0.0.1 -p5337 www.youtube.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11735
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.youtube.com. IN A
;; ANSWER SECTION:
www.youtube.com. 600 IN CNAME youtube-ui.l.google.com.
youtube-ui.l.google.com. 600 IN A 142.250.189.206
youtube-ui.l.google.com. 600 IN A 172.217.164.110
youtube-ui.l.google.com. 600 IN A 142.250.191.78
youtube-ui.l.google.com. 600 IN A 142.251.32.46
youtube-ui.l.google.com. 600 IN A 142.250.189.174
youtube-ui.l.google.com. 600 IN A 142.251.46.238
youtube-ui.l.google.com. 600 IN A 142.250.191.46
youtube-ui.l.google.com. 600 IN A 142.251.46.206
youtube-ui.l.google.com. 600 IN A 142.251.46.174
youtube-ui.l.google.com. 600 IN A 142.250.189.238
youtube-ui.l.google.com. 600 IN A 142.251.214.142
youtube-ui.l.google.com. 600 IN A 142.250.72.206
这个相当于FakeDNS
Also activates a DNS resolver on the same UDP port. Similar iptables
rules can redirect DNS queries to this resolver. The resolver returns
artificial addresses that are translated back to the original domain
names in proxy requests and then resolved remotely.
The artificial results are not saved for privacy, so restarting the
resolver may cause downstream to cache stale results.
要配合iptables重定向udp端口或者dnsmasq转发使用。好处是可以避免解析DNS的1-RTT延迟,坏处是缓存的解析结果不一致容易造成故障。现在已经不推荐了,但是暂时也不打算删除。100.64.0.0/10是https://en.wikipedia.org/wiki/Reserved_IP_addresses 里面感觉比较合理的一段。
这个相当于FakeDNS
Also activates a DNS resolver on the same UDP port. Similar iptables rules can redirect DNS queries to this resolver. The resolver returns artificial addresses that are translated back to the original domain names in proxy requests and then resolved remotely. The artificial results are not saved for privacy, so restarting the resolver may cause downstream to cache stale results.
要配合iptables重定向udp端口或者dnsmasq转发使用。好处是可以避免解析DNS的1-RTT延迟,坏处是缓存的解析结果不一致容易造成故障。现在已经不推荐了,但是暂时也不打算删除。100.64.0.0/10是https://en.wikipedia.org/wiki/Reserved_IP_addresses 里面感觉比较合理的一段。
把DNS緩存關閉好像沒遇過問題。
為什麼會不推薦?我覺得挺好用的。透過代理解析DNS很常都是走TCP,實際使用解析速度很常會超過一秒。 還要為了ios把type 65的DNS解析擋掉。 如果用fakedns,iptables只要處理 -d 100.64.0.0/10,有時連ipset都不用裝。 用下來fakedns是最簡單最直覺的方案。
找了好多代理只有v2ray跟naiveproxy有附fakedns。 也找不到類似純socks轉接fakedns+redir的工具。 有時候為了用tuic或hysteria,接v2ray當fakedns+redir 轉接 socks的工具用。
不推荐的原因是fake解析结果因为重启或者应用程序内部缓存原因造成问题时很难诊断,而且多级缓存真实解析结果可以大部分避免性能问题
请教 -d 100.64.0.0/10 具体要怎么写呢
在naive的redir下,会开启一个udp同tcp一样的端口。比如:
同时我看也看到了 --resolver-range=配置项,但为什么是100.64.0.0/10? 还有就是https://github.com/klzgrad/naiveproxy/blob/master/src/net/tools/naive/redirect_resolver.cc 似乎在redir也似乎没有太多的运作,基本都走 https://github.com/klzgrad/naiveproxy/blob/master/src/net/tools/naive/naive_connection.cc#L246-L247