lifenjoiner / dnsforwarder

A DNS utility with unique features.
GNU General Public License v3.0

Does it return port information when queried over UDP IPv6? #11

Closed w311ang closed 2 years ago

w311ang commented 2 years ago

I used iptables to redirect port 53 to dnsforwarder and got the following error; queries over IPv4 UDP work fine.

$ dig +notcp wew.google.com fdc3:b357:6fa0::1
;; reply from unexpected source: fdc3:b357:6fa0::1#534, expected fdc3:b357:6fa0::1#53
DNSforwarder mainly by holmium. Version 6.4.1 . License : GPL v3.
Time of compilation : Sep 21 2022 05:10:23.

Please run `dnsforwarder -p' if something goes wrong.

Configure File : /tmp/dnsforwarder-bplan.conf

Oct 03 15:44:10 [INFO] New session.
Oct 03 15:44:10 [INFO] UDP interface [::]:534 opened.
Oct 03 15:44:10 [INFO] Setting DisabledType succeeded.
Oct 03 15:44:10 [INFO] Loading DisabledDomain completed.
Oct 03 15:44:10 [INFO] Loading DisabledList completed.
Oct 03 15:44:10 [INFO] Loading Server Groups completed.
Oct 03 15:44:10 [INFO] Loading GroupFile(s) completed.
Oct 03 15:44:10 [INFO] Loading Configuration completed.
Oct 03 15:44:12 [U][fdc3:b357:6fa0:0:b157:1362:62fb:897d][IPv6 Address][datarouter.ol.epicgames.com] : 79 bytes
   Canonical Name:datarouter-weighted.ol.epicgames.com
Oct 03 15:44:12 [U][fdc3:b357:6fa0:0:b157:1362:62fb:897d][IPv4 Address][datarouter.ol.epicgames.com] : 207 bytes
   Canonical Name:datarouter-weighted.ol.epicgames.com
   IPv4 Address:44.210.200.163
   IPv4 Address:44.193.187.51
   IPv4 Address:3.226.59.55
   IPv4 Address:52.86.145.224
   IPv4 Address:3.210.52.38
   IPv4 Address:44.197.13.91
   IPv4 Address:34.197.156.210
   IPv4 Address:54.208.233.187
Oct 03 15:44:12 [U][0:0:0:0:0:ffff:c0a8:27e][IPv6 Address][datarouter.ol.epicgames.com] : 161 bytes
   Canonical Name:datarouter-weighted.ol.epicgames.com
   (SOA)primary name server:ns-1364.awsdns-42.org
   (SOA)responsible mail addr:awsdns-hostmaster.amazon.com
   (SOA)serial:1
   (SOA)refresh:7200
   (SOA)retry:900
   (SOA)expire:1209600
   (SOA)default TTL:86400
Oct 03 15:44:12 [U][0:0:0:0:0:ffff:c0a8:27e][IPv4 Address][datarouter.ol.epicgames.com] : 207 bytes
   Canonical Name:datarouter-weighted.ol.epicgames.com
   IPv4 Address:35.168.142.30
   IPv4 Address:54.173.235.236
   IPv4 Address:44.196.6.117
   IPv4 Address:3.221.39.137
   IPv4 Address:34.196.241.108
   IPv4 Address:54.173.155.67
   IPv4 Address:107.22.223.163
   IPv4 Address:3.91.141.121
Oct 03 15:44:13 [U][fdc3:b357:6fa0:0:b157:1362:62fb:897d][IPv4 Address][telemetry-in.battle.net] : 57 bytes
   IPv4 Address:24.105.29.76
Oct 03 15:44:13 [U][0:0:0:0:0:ffff:c0a8:27e][IPv4 Address][telemetry-in.battle.net] : 57 bytes
   IPv4 Address:24.105.29.76
Oct 03 15:44:14 [U][fdc3:b357:6fa0:0:6891:b1eb:b9a7:1054][IPv4 Address][wew.google.com] : 82 bytes
   (SOA)primary name server:ns1.google.com
   (SOA)responsible mail addr:dns-admin.google.com
   (SOA)serial:478222697
   (SOA)refresh:900
   (SOA)retry:900
   (SOA)expire:1800
   (SOA)default TTL:60
Oct 03 15:44:15 [U][fdc3:b357:6fa0:0:d17d:751a:fcc6:b895][IPv6 Address][configserver.hicloud.com] : 115 bytes
   (SOA)primary name server:ns3.dnsv5.com
   (SOA)responsible mail addr:enterprise3dnsadmin.dnspod.com
   (SOA)serial:1664359162
   (SOA)refresh:3600
   (SOA)retry:180
   (SOA)expire:1209600
   (SOA)default TTL:180
Oct 03 15:44:17 [U][fdc3:b357:6fa0:0:d17d:751a:fcc6:b895][IPv6 Address][configserver.hicloud.com] : 42 bytes
   Nothing.
Oct 03 15:44:19 [U][fdc3:b357:6fa0:0:6891:b1eb:b9a7:1054][IPv4 Address][wew.google.com] : 121 bytes
   (SOA)primary name server:ns1.google.com
   (SOA)responsible mail addr:dns-admin.google.com
   (SOA)serial:478222697
   (SOA)refresh:900
   (SOA)retry:900
   (SOA)expire:1800
   (SOA)default TTL:60
   Unparsable type:41
Oct 03 15:44:22 [U][0:0:0:0:0:ffff:c0a8:2d7][IPv4 Address][sz-cm1-kl.hinetwork.tw] : 56 bytes
   IPv4 Address:212.90.100.36
Oct 03 15:44:22 [U][fdc3:b357:6fa0:0:d17d:751a:fcc6:b895][IPv4 Address][configserver.hicloud.com] : 138 bytes
   IPv4 Address:117.78.15.173
   IPv4 Address:49.4.47.102
   IPv4 Address:117.78.15.180
   IPv4 Address:118.194.33.188
   IPv4 Address:49.4.33.128
   IPv4 Address:49.4.18.241
Oct 03 15:44:22 [U][fdc3:b357:6fa0:0:258c:88ec:5793:1182][IPv4 Address][scss.adobesc.com] : 111 bytes
   Canonical Name:acp-ss.adobe.io
   IPv4 Address:54.168.215.59
   IPv4 Address:52.192.157.45
   IPv4 Address:35.73.141.179
Oct 03 15:44:22 [U][fdc3:b357:6fa0:0:258c:88ec:5793:1182][IPv6 Address][scss.adobesc.com] : 63 bytes
   Canonical Name:acp-ss.adobe.io
Oct 03 15:44:22 [C][0:0:0:0:0:ffff:c0a8:2d7][IPv4 Address][scss.adobesc.com] : 111 bytes
   Canonical Name:acp-ss.adobe.io
   IPv4 Address:35.73.141.179
   IPv4 Address:52.192.157.45
   IPv4 Address:54.168.215.59
Oct 03 15:44:22 [U][0:0:0:0:0:ffff:c0a8:2d7][IPv6 Address][scss.adobesc.com] : 63 bytes
   Canonical Name:acp-ss.adobe.io
Oct 03 15:44:23 [U][fdc3:b357:6fa0:0:258c:88ec:5793:1182][IPv4 Address][acp-ss-ue1.adobe.io] : 101 bytes
   IPv4 Address:34.193.227.236
   IPv4 Address:18.207.85.246
   IPv4 Address:107.22.247.231
   IPv4 Address:54.144.73.197
Oct 03 15:44:23 [U][fdc3:b357:6fa0:0:258c:88ec:5793:1182][IPv6 Address][acp-ss-ue1.adobe.io] : 133 bytes
   (SOA)primary name server:ns-1159.awsdns-16.org
   (SOA)responsible mail addr:awsdns-hostmaster.amazon.com
   (SOA)serial:1
   (SOA)refresh:7200
   (SOA)retry:900
   (SOA)expire:1209600
   (SOA)default TTL:86400
   Unparsable type:41
Oct 03 15:44:23 [C][0:0:0:0:0:ffff:c0a8:2d7][IPv4 Address][acp-ss-ue1.adobe.io] : 101 bytes
   IPv4 Address:54.144.73.197
   IPv4 Address:107.22.247.231
   IPv4 Address:18.207.85.246
   IPv4 Address:34.193.227.236
Oct 03 15:44:23 [U][0:0:0:0:0:ffff:c0a8:2d7][IPv6 Address][acp-ss-ue1.adobe.io] : 37 bytes
   Nothing.
Oct 03 15:44:24 [U][fdc3:b357:6fa0:0:258c:88ec:5793:1182][IPv4 Address][www.googleapis.com] : 116 bytes
   IPv4 Address:172.217.160.106
   IPv4 Address:172.217.160.74
   IPv4 Address:142.251.43.10
   IPv4 Address:142.251.42.234
   IPv4 Address:172.217.163.42
Oct 03 15:44:24 [U][fdc3:b357:6fa0:0:258c:88ec:5793:1182][IPv6 Address][www.googleapis.com] : 93 bytes
   (SOA)primary name server:ns1.google.com
   (SOA)responsible mail addr:dns-admin.google.com
   (SOA)serial:478222697
   (SOA)refresh:900
   (SOA)retry:900
   (SOA)expire:1800
   (SOA)default TTL:60
Oct 03 15:44:24 [C][0:0:0:0:0:ffff:c0a8:2d7][IPv4 Address][www.googleapis.com] : 116 bytes
   IPv4 Address:172.217.163.42
   IPv4 Address:142.251.42.234
   IPv4 Address:142.251.43.10
   IPv4 Address:172.217.160.74
   IPv4 Address:172.217.160.106
Oct 03 15:44:24 [U][0:0:0:0:0:ffff:c0a8:2d7][IPv6 Address][www.googleapis.com] : 36 bytes
   Nothing.
Oct 03 15:44:24 [U][fdc3:b357:6fa0:0:258c:88ec:5793:1182][IPv4 Address][cc-api-data.adobe.io] : 86 bytes
   IPv4 Address:35.76.214.141
   IPv4 Address:52.194.101.114
   IPv4 Address:35.74.166.74
Oct 03 15:44:24 [U][fdc3:b357:6fa0:0:258c:88ec:5793:1182][IPv6 Address][cc-api-data.adobe.io] : 134 bytes
   (SOA)primary name server:ns-1159.awsdns-16.org
   (SOA)responsible mail addr:awsdns-hostmaster.amazon.com
   (SOA)serial:1
   (SOA)refresh:7200
   (SOA)retry:900
   (SOA)expire:1209600
   (SOA)default TTL:86400
   Unparsable type:41
Oct 03 15:44:24 [C][0:0:0:0:0:ffff:c0a8:2d7][IPv4 Address][cc-api-data.adobe.io] : 86 bytes
   IPv4 Address:35.74.166.74
   IPv4 Address:52.194.101.114
   IPv4 Address:35.76.214.141
Oct 03 15:44:24 [U][0:0:0:0:0:ffff:c0a8:2d7][IPv6 Address][cc-api-data.adobe.io] : 38 bytes
   Nothing.
Oct 03 15:44:24 [U][fdc3:b357:6fa0:0:258c:88ec:5793:1182][IPv4 Address][ss-prod-ue1-notif-46.aws.adobess.com] : 102 bytes
   IPv4 Address:100.25.1.151
   IPv4 Address:18.235.198.157
   IPv4 Address:34.197.92.238
Oct 03 15:44:24 [U][fdc3:b357:6fa0:0:258c:88ec:5793:1182][IPv6 Address][ss-prod-ue1-notif-46.aws.adobess.com] : 138 bytes
   (SOA)primary name server:ns-1676.awsdns-17.co.uk
   (SOA)responsible mail addr:awsdns-hostmaster.amazon.com
   (SOA)serial:1
   (SOA)refresh:7200
   (SOA)retry:900
   (SOA)expire:1209600
   (SOA)default TTL:86400
Oct 03 15:44:24 [C][0:0:0:0:0:ffff:c0a8:2d7][IPv4 Address][ss-prod-ue1-notif-46.aws.adobess.com] : 102 bytes
   IPv4 Address:34.197.92.238
   IPv4 Address:18.235.198.157
   IPv4 Address:100.25.1.151
Oct 03 15:44:24 [U][0:0:0:0:0:ffff:c0a8:2d7][IPv6 Address][ss-prod-ue1-notif-46.aws.adobess.com] : 138 bytes
   (SOA)primary name server:ns-1676.awsdns-17.co.uk
   (SOA)responsible mail addr:awsdns-hostmaster.amazon.com
   (SOA)serial:1
   (SOA)refresh:7200
   (SOA)retry:900
   (SOA)expire:1209600
   (SOA)default TTL:86400
Oct 03 15:44:24 [U][fdc3:b357:6fa0:0:6891:b1eb:b9a7:1054][IPv4 Address][wew.google.com] : 82 bytes
   (SOA)primary name server:ns1.google.com
   (SOA)responsible mail addr:dns-admin.google.com
   (SOA)serial:478222697
   (SOA)refresh:900
   (SOA)retry:900
   (SOA)expire:1800
   (SOA)default TTL:60
Oct 03 15:44:28 [U][0:0:0:0:0:ffff:c0a8:2d7][IPv4 Address][frp.runz.tk] : 45 bytes
   IPv4 Address:45.125.46.117
Oct 03 15:44:31 [U][fdc3:b357:6fa0:0:b157:1362:62fb:897d][IPv4 Address][wpad.lan] : 101 bytes
   (SOA)primary name server:a.root-servers.net
   (SOA)responsible mail addr:nstld.verisign-grs.com
   (SOA)serial:2022100300
   (SOA)refresh:1800
   (SOA)retry:900
   (SOA)expire:604800
   (SOA)default TTL:86400
Oct 03 15:44:31 [U][fdc3:b357:6fa0:0:b157:1362:62fb:897d][IPv6 Address][wpad.lan] : 101 bytes
   (SOA)primary name server:a.root-servers.net
   (SOA)responsible mail addr:nstld.verisign-grs.com
   (SOA)serial:2022100300
   (SOA)refresh:1800
   (SOA)retry:900
   (SOA)expire:604800
   (SOA)default TTL:86400
Oct 03 15:44:32 [U][0:0:0:0:0:ffff:c0a8:27e][IPv6 Address][wpad.lan] : 101 bytes
   (SOA)primary name server:a.root-servers.net
   (SOA)responsible mail addr:nstld.verisign-grs.com
   (SOA)serial:2022100300
   (SOA)refresh:1800
   (SOA)retry:900
   (SOA)expire:604800
   (SOA)default TTL:86400
Oct 03 15:44:32 [U][0:0:0:0:0:ffff:c0a8:27e][IPv4 Address][wpad.lan] : 101 bytes
   (SOA)primary name server:a.root-servers.net
   (SOA)responsible mail addr:nstld.verisign-grs.com
   (SOA)serial:2022100300
   (SOA)refresh:1800
   (SOA)retry:900
   (SOA)expire:604800
   (SOA)default TTL:86400

dnsforwarder also reacts when the query is made, so the redirect should have succeeded. I think this is somewhat similar to https://github.com/coredns/coredns/issues/3097

w311ang commented 2 years ago

If this can be solved, I'd like to make a small donation. Thanks to the author.

lifenjoiner commented 2 years ago

The application layer (DNS) has no control over the network/transport layers (IP/TCP/UDP).

I feel the problem is in how iptables is used; you should study it carefully... I'm not a Linux user and not very familiar with this.

w311ang commented 2 years ago

I'm guessing that wrapping it in another portfwd might solve the problem. I found that after putting a tcp2udp in front, IPv6 TCP queries work fine again; since that's an old version, I don't know whether the new tcplocal works as well. You're the maintainer, so I'd like to know whether dnsforwarder's responses to IPv6 UDP include the port number it is listening on.

w311ang commented 2 years ago

Guess confirmed: the port number is indeed returned by dnsforwarder. (screenshot: Screenshot_2022-10-03-21-45-01-89_2665fb67b16260a8d818298cef8dc107)

w311ang commented 2 years ago

Interestingly, when the request is redirected by iptables to another DNS server on the internet, the source port becomes 53 again. (screenshot: Screenshot_2022-10-03-22-02-19-26_2665fb67b16260a8d818298cef8dc107) Verifying that it went through dnsforwarder: (screenshot: Screenshot_2022-10-03-22-20-18-48_3d419158bad5872c40592a6c9956e692)

lifenjoiner commented 2 years ago

> whether dnsforwarder's responses to IPv6 UDP include the port number it is listening on

That's not how it works. The DNS response itself doesn't contain any of that, and the reply goes back to whoever sent the request. As for the IP and port used, those are recorded automatically by the network stack. Obviously, you're listening on port 534 here; there's no reason for the system to say it's using 53. Turning 534 back into 53 should be iptables' job. What's happening here is that iptables in the middle isn't working as expected...

lifenjoiner commented 2 years ago

I'm not familiar with iptables, so this is pure guesswork: if the redirect moves the original IP packet over as a whole, it's not suitable here; what's expected here is a proxy-like forwarding of the IP payload. Or a different way of using it should be found.

w311ang commented 2 years ago

I tried dns2tcp and it's the same, so it shouldn't be a dnsforwarder problem.

w311ang commented 2 years ago

IP_TRANSPARENT seems to be able to solve this problem:
https://www.jianshu.com/p/046190a511b3
https://powerdns.org/tproxydoc/tproxy.md.html
https://github.com/LiamHaworth/go-tproxy
https://www.ichenfu.com/2019/04/09/istio-inbond-interception-and-linux-transparent-proxy/

lifenjoiner commented 2 years ago

You're going in the wrong direction. This isn't a problem with the DNS software, nor is it something the DNS software should be doing.

Let me use an analogy: there are online stores Store-53 and Store-534, and a buyer, dig. dig placed an order with 53, but the platform clerk, iptables, forcibly (let's assume that's within its legitimate rights) handed it over to 534. 534 shipped the goods to the delivery address. dig, being meticulous on receipt, noticed that the sender's post office wasn't 53's and raised an objection. So, where do you think the problem lies, and how should it be solved?

  1. Does the point dig objects to prove the goods are fake? Should it raise an objection?
  2. To what delivery address should 534 ship? In fact, all it knows is the delivery address on the order; it has no idea whether the order was forwarded from somewhere else.
  3. Whose label should the goods shipped by 534 carry? Which post office should it ship from?
  4. Should 534's shipping post office stamp the parcel with 53's post office postmark?
  5. After thinking through the above, you should understand that this is clearly a problem caused by iptables not doing its job thoroughly, and only it knows the whole picture and can straighten it out.

Actually, the most direct approach is to find a way to use port 53 directly. If you really must relay, then make sure iptables does the man-in-the-middle job properly in both directions.
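The two halves of the maintainer's explanation (the daemon answers whoever asked, from whatever port its socket is bound to, and the resolver refuses an answer whose sender does not match) can be seen in a few lines of socket code. The following is an added Python example written for this thread; it is not dnsforwarder's or dig's code. The responder half shows that the source port on the wire comes from the bound socket, which the kernel fills in, not from anything in the DNS payload. The client half reproduces the resolver-side checks in the order dig applies them: the reply's source address and port must equal where the query was sent, then the transaction ID and the echoed question must match. Those checks together are what stops an off-path party from slipping in a forged answer, so a reply from #534 to a query sent to #53 is correctly refused, and the relay in front has to make the sender match rather than the resolver relaxing the check. The query name, the transaction IDs and the loopback port are constructed for the example.

```python
import os
import socket
import struct
import threading
from typing import Optional, Tuple

Peer = Tuple[str, int]


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one question, no EDNS."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")   # random ID, as real resolvers do
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)        # QCLASS=IN


def question_section(msg: bytes) -> bytes:
    """Return the wire-format question (QNAME + QTYPE + QCLASS) of a message."""
    i = 12
    while msg[i] != 0:            # walk the labels up to the root terminator
        i += msg[i] + 1
    return msg[12:i + 5]          # include the terminator and the two 16-bit fields


def make_reply(query: bytes) -> bytes:
    """Responder side: echo ID and question, set QR/RD/RA, answer with no records."""
    return query[:2] + b"\x81\x80" + query[4:6] + b"\x00" * 6 + question_section(query)


def check_reply(expected_peer: Peer, actual_peer: Peer, query: bytes, reply: bytes) -> Optional[str]:
    """Resolver side: None if the reply is acceptable, otherwise the reason it is refused.

    The source (address, port) of the datagram is compared with where the query
    was sent before the payload is even parsed, which is the check dig reports as
    'reply from unexpected source'.
    """
    if actual_peer != expected_peer:
        return "reply from unexpected source: %s#%d, expected %s#%d" % (
            actual_peer[0], actual_peer[1], expected_peer[0], expected_peer[1])
    if len(reply) < 12:
        return "short reply"
    if reply[:2] != query[:2]:
        return "transaction id mismatch"
    if not reply[2] & 0x80:
        return "not a response (QR bit clear)"
    if question_section(reply) != question_section(query):
        return "question section does not match"
    return None


def demo_loopback() -> Optional[str]:
    """Run a tiny responder on an ephemeral loopback port and query it directly.

    The client sends straight to the bound port, so the reply's source port is the
    one it expects. With a NAT rule in between, the datagram would be delivered to
    a different port and the reply would leave from that port, which is exactly the
    mismatch reported in this issue.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))               # port 0: let the kernel pick one
    server_addr = server.getsockname()

    def serve_one() -> None:
        query, peer = server.recvfrom(512)       # peer = whoever asked
        server.sendto(make_reply(query), peer)   # source port = bound port, set by the kernel

    worker = threading.Thread(target=serve_one, daemon=True)
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2)
    query = build_query("wew.google.com")
    client.sendto(query, server_addr)
    reply, actual_peer = client.recvfrom(512)
    worker.join()
    server.close()
    client.close()
    return check_reply(server_addr, actual_peer, query, reply)


if __name__ == "__main__":
    print("loopback query:", demo_loopback())
    q = build_query("wew.google.com", txid=0x1234)
    # The situation from the issue: query sent to #53, answer arrives from #534
    print(check_reply(("fdc3:b357:6fa0::1", 53), ("fdc3:b357:6fa0::1", 534), q, make_reply(q)))
```

The responder never looks at port numbers at all; `recvfrom` hands it the client's address and `sendto` puts the bound port into the UDP header. That is why changing the DNS software cannot produce a reply from #53 while it listens on #534: only the packet path between the two sockets (the NAT or a transparent relay) can make the sender match.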

w311ang commented 2 years ago

I modified an example; as expected it can accept TPROXY traffic, forward it to the specified IP and port, and present the returned data to the client as if it came from the target IP and port: https://github.com/w311ang/ipportfwd
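The approach the last comment settles on (TPROXY diversion plus IP_TRANSPARENT on the reply socket) is what a "bidirectional middleman" looks like at the socket level. The following is an added Python sketch of that relay written for this thread; it is not ipportfwd's or dnsforwarder's code. Assumptions, all labelled in the code: the relay listens on [::1]:5300 (a made-up port), dnsforwarder keeps listening on [::1]:534 as in the log above, the process has CAP_NET_ADMIN, and an ip6tables TPROXY rule with the matching policy-routing entries delivers port-53 datagrams to the listener (those rules are not shown on this page and are not part of the block). The socket-option numbers are the Linux values from the kernel headers, used because not every Python build exports them. The relay answers only the client that asked, and answers from the exact address and port the client originally sent to, so the resolver-side source check still holds; the transaction-ID and question checks remain the resolver's job and are untouched.

```python
import socket
import struct
from typing import Tuple

# Linux socket options; numeric fallbacks are the values from <linux/in.h> and <linux/in6.h>
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)
IP_RECVORIGDSTADDR = 20       # also the cmsg type IP_ORIGDSTADDR
IPV6_TRANSPARENT = 75
IPV6_RECVORIGDSTADDR = 74     # also the cmsg type IPV6_ORIGDSTADDR

Peer = Tuple[str, int]


def parse_sockaddr_in(data: bytes) -> Peer:
    """Decode struct sockaddr_in: family(2) port(2, network order) addr(4) padding(8)."""
    port, raw = struct.unpack("!H4s", data[2:8])
    return socket.inet_ntop(socket.AF_INET, raw), port


def parse_sockaddr_in6(data: bytes) -> Peer:
    """Decode struct sockaddr_in6: family(2) port(2) flowinfo(4) addr(16) scope_id(4)."""
    port, raw = struct.unpack("!H4x16s", data[2:24])
    return socket.inet_ntop(socket.AF_INET6, raw), port


# Constructed sample cmsg payloads, shaped like what the kernel places in
# IPV6_ORIGDSTADDR / IP_ORIGDSTADDR for a query that was sent to port 53.
SAMPLE_ORIGDST_V6 = (struct.pack("=H", socket.AF_INET6) + struct.pack("!H", 53) + b"\x00" * 4
                     + socket.inet_pton(socket.AF_INET6, "fdc3:b357:6fa0::1") + b"\x00" * 4)
SAMPLE_ORIGDST_V4 = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", 53)
                     + socket.inet_pton(socket.AF_INET, "192.168.2.126") + b"\x00" * 8)


def tproxy_listener(family: int, bind_addr: Peer) -> socket.socket:
    """UDP socket the kernel hands TPROXY-diverted datagrams to.
    Needs CAP_NET_ADMIN and a matching iptables/ip6tables TPROXY rule (assumed, not shown)."""
    sock = socket.socket(family, socket.SOCK_DGRAM)
    if family == socket.AF_INET6:
        sock.setsockopt(socket.IPPROTO_IPV6, IPV6_TRANSPARENT, 1)
        sock.setsockopt(socket.IPPROTO_IPV6, IPV6_RECVORIGDSTADDR, 1)
    else:
        sock.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
        sock.setsockopt(socket.IPPROTO_IP, IP_RECVORIGDSTADDR, 1)
    sock.bind(bind_addr)
    return sock


def recv_with_original_dst(sock: socket.socket) -> Tuple[bytes, tuple, Peer]:
    """Return (payload, client address, original destination) for one diverted datagram."""
    data, ancdata, _flags, client = sock.recvmsg(4096, socket.CMSG_SPACE(28))
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IPV6 and ctype == IPV6_RECVORIGDSTADDR:
            return data, client, parse_sockaddr_in6(cdata)
        if level == socket.IPPROTO_IP and ctype == IP_RECVORIGDSTADDR:
            return data, client, parse_sockaddr_in(cdata)
    raise RuntimeError("no ORIGDSTADDR cmsg: datagram was not diverted by TPROXY")


def reply_as(original_dst: Peer, client: tuple, payload: bytes, family: int) -> None:
    """Send payload back to the client with original_dst as the source address and port.
    This is what lets the resolver's 'expected ...#53' check pass although the
    answer was produced by the daemon on port 534."""
    out = socket.socket(family, socket.SOCK_DGRAM)
    try:
        level, opt = ((socket.IPPROTO_IPV6, IPV6_TRANSPARENT) if family == socket.AF_INET6
                      else (socket.IPPROTO_IP, IP_TRANSPARENT))
        out.setsockopt(level, opt, 1)                          # permit a non-local bind
        out.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        out.bind(original_dst)
        out.sendto(payload, client)
    finally:
        out.close()


if __name__ == "__main__":
    # Assumed layout for this issue: the TPROXY rule diverts [..]:53 to this listener,
    # dnsforwarder itself keeps listening on [::1]:534 as in the log above.
    LISTEN = ("::1", 5300)      # assumed relay port
    UPSTREAM = ("::1", 534)     # dnsforwarder, per the log
    listener = tproxy_listener(socket.AF_INET6, LISTEN)
    upstream = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    upstream.settimeout(3)
    while True:
        query, client, orig_dst = recv_with_original_dst(listener)
        upstream.sendto(query, UPSTREAM)
        try:
            answer, _ = upstream.recvfrom(4096)
        except socket.timeout:
            continue                                           # drop; the resolver will retry
        reply_as(orig_dst, client, answer, socket.AF_INET6)
```

The companion rules the sketch assumes are the usual TPROXY trio from the linked PowerDNS document, adapted to IPv6: a mangle-table PREROUTING rule matching `udp --dport 53` with `-j TPROXY --on-ip ::1 --on-port 5300 --tproxy-mark 0x1/0x1`, an `ip -6 rule add fwmark 1 lookup 100`, and `ip -6 route add local ::/0 dev lo table 100`. Unlike a REDIRECT, TPROXY leaves the packet's destination untouched, which is why the original address and port are still available to the relay and can be reused as the source of the reply. Because the relay binds a non-local address for a moment and answers from it, run it with the minimum capability (CAP_NET_ADMIN) rather than as full root, and keep the TPROXY match narrow (port 53 only, on the intended interfaces) so no other traffic is diverted to it.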