CNAME doesn't follow domain-rules

zonyitoo commented 1 month ago

需求应用场景

api.pinterest.com 被劫持了，于是使用 domain-rule 来让它使用海外可信DNS来解析：

domain-rules /pinterest.com/ -nameserver oversea -ipset #4:gfwlist,#6:gfwlist6 -speed-check-mode none

但是 api.pinterest.com 有部分海外 DNS 解析时会返回 CNAME ，CNAME 的域名没有在 domain-rules 中导致还是被劫持。

以下是前置的 dnsmasq 的日志，实际域名由 smartdns 解析

Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: query[A] api.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: forwarded api.pinterest.com to 127.0.0.1#6051
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: query[AAAA] api.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: forwarded api.pinterest.com to 127.0.0.1#6051
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply api.pinterest.com is <CNAME>
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 151.101.192.84
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 23.54.56.217
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 151.101.64.84
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 151.101.0.84
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 151.101.128.84
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 23.193.119.210
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 23.193.119.203
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 172.64.149.192
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 146.75.112.84
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 151.101.228.84
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 104.18.38.64
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 2606:4700:4400::ac40:95c0
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 2a04:4e42:1a::84
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 2600:140b:1e00:11::17db:aa27
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 2600:140b:1e00:11::17db:aa1c
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 2606:4700:4400::6812:2640
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply api.pinterest.com is NODATA-IPv6
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: query[AAAA] prod.pinterest.global.map.fastly.net from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: forwarded prod.pinterest.global.map.fastly.net to 127.0.0.1#6051
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 2a03:2880:f126:83:face:b00c:0:25de
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 2a03:2880:f12c:183:face:b00c:0:25de
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 2a03:2880:f11b:83:face:b00c:0:25de
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: query[A] trk.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: forwarded trk.pinterest.com to 127.0.0.1#6051
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: query[AAAA] trk.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: forwarded trk.pinterest.com to 127.0.0.1#6051
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply trk.pinterest.com is <CNAME>
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply trk.pinterest.com is <CNAME>
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: query[A] api.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: forwarded api.pinterest.com to 127.0.0.1#6051
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: reply api.pinterest.com is <CNAME>
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 151.101.192.84
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 23.54.56.217
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 151.101.64.84
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 151.101.0.84
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 151.101.128.84
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: query[AAAA] prod.pinterest.global.map.fastly.net from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: forwarded prod.pinterest.global.map.fastly.net to 127.0.0.1#6051
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 2a03:2880:f10f:83:face:b00c:0:25de
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 2a03:2880:f126:83:face:b00c:0:25de
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: query[AAAA] trk.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: forwarded trk.pinterest.com to 127.0.0.1#6051
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: query[A] trk.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: forwarded trk.pinterest.com to 127.0.0.1#6051
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: reply trk.pinterest.com is <CNAME>
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: reply trk.pinterest.com is <CNAME>
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: query[HTTPS] assets.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: forwarded assets.pinterest.com to 127.0.0.1#6051
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: query[AAAA] assets.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: forwarded assets.pinterest.com to 127.0.0.1#6051
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: query[A] assets.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: forwarded assets.pinterest.com to 127.0.0.1#6051
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: reply assets.pinterest.com is NODATA
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: reply assets.pinterest.com is <CNAME>
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 151.101.228.84
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: query[HTTPS] dualstack.pinterest.map.fastly.net from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: forwarded dualstack.pinterest.map.fastly.net to 127.0.0.1#6051
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is NODATA
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: reply assets.pinterest.com is <CNAME>
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: query[AAAA] dualstack.pinterest.map.fastly.net from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: forwarded dualstack.pinterest.map.fastly.net to 127.0.0.1#6051
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 2a03:2880:f10a:83:face:b00c:0:25de
Sat May 25 02:06:21 2024 daemon.info dnsmasq[1]: query[HTTPS] api-pinterest-com-eip-akadns-net.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:21 2024 daemon.info dnsmasq[1]: forwarded api-pinterest-com-eip-akadns-net.pinterest.com to 127.0.0.1#6051
Sat May 25 02:06:21 2024 daemon.info dnsmasq[1]: reply api-pinterest-com-eip-akadns-net.pinterest.com is NODATA
Sat May 25 02:06:21 2024 daemon.info dnsmasq[1]: query[AAAA] api-pinterest-com-eip-akadns-net.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:21 2024 daemon.info dnsmasq[1]: forwarded api-pinterest-com-eip-akadns-net.pinterest.com to 127.0.0.1#6051
Sat May 25 02:06:21 2024 daemon.info dnsmasq[1]: query[A] api-pinterest-com-eip-akadns-net.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:21 2024 daemon.info dnsmasq[1]: forwarded api-pinterest-com-eip-akadns-net.pinterest.com to 127.0.0.1#6051
Sat May 25 02:06:22 2024 daemon.info dnsmasq[1]: reply api-pinterest-com-eip-akadns-net.pinterest.com is NODATA-IPv6
Sat May 25 02:06:22 2024 daemon.info dnsmasq[1]: reply api-pinterest-com-eip-akadns-net.pinterest.com is <CNAME>
Sat May 25 02:06:22 2024 daemon.info dnsmasq[1]: reply eip-tata.api.pinterest.com.akahost.net is 23.40.100.37
Sat May 25 02:06:22 2024 daemon.info dnsmasq[1]: query[HTTPS] eip-tata.api.pinterest.com.akahost.net from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:22 2024 daemon.info dnsmasq[1]: forwarded eip-tata.api.pinterest.com.akahost.net to 127.0.0.1#6051
Sat May 25 02:06:22 2024 daemon.info dnsmasq[1]: query[AAAA] eip-tata.api.pinterest.com.akahost.net from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:22 2024 daemon.info dnsmasq[1]: forwarded eip-tata.api.pinterest.com.akahost.net to 127.0.0.1#6051
Sat May 25 02:06:22 2024 daemon.info dnsmasq[1]: reply eip-tata.api.pinterest.com.akahost.net is NODATA
Sat May 25 02:06:22 2024 daemon.info dnsmasq[1]: reply eip-tata.api.pinterest.com.akahost.net is NODATA-IPv6

api.pinterest.com 是没有 AAAA Records 的，从上面日志可以看出是那几个 fastly.net 的域名返回了 AAAA Records ，被劫持。

建议的方案

若主查询的域名有 domain-rules ，CNAME 的域名应同样应用其 domain-rules

设备信息

设备信息（CPU，厂家） R4S
固件信息 OpenWRT 18.06

PikuZheng commented 1 month ago

对于smartdns，一个域名查询出cname后，其cname递归查询时也是遵循主域名规则的。这里没有问题。

你说的情况发生在smartdns下级不是终端用户而是另一个dns服务器的情形。根据rfc规范，dns服务器会发起两次查询。第一次查询A记录。若上游返回CNAME和A记录，第二次应使用CNAME再次查询AAAA记录。但终端用户查询时会查询A+AAAA记录，便不会出现第二次使用CNAME查询的情形。

对于上述问题有几个解决方案。一是将CNAME对应的域名也写入域名规则。二是smartdns直接对终端用户使用，中间不要有其他dns服务器做转发。三是配置 force-no-CNAME yes 使smartdns在应答时不返回cname（这不符合规范，参考#1648）

zonyitoo commented 1 month ago

force-no-CNAME yes 应该是比较好的选择

如果不直接连 dnsmasq ，那么 .lan 域名的解析就有问题，目前对这些域名有依赖
把 CNAME 对应的域名写入规则，发现问题之后确实是这样做，但不可靠，写不完
把 dnsmasq 设置为无缓存，相当于直接透传，应该问题不大

PikuZheng commented 1 month ago

如果不直接连 dnsmasq ，那么 .lan 域名的解析就有问题，目前对这些域名有依赖

配个上游组单独给.lan

我自己是用第二种方法，感觉也就是那几组分布式加速服务器，fastly，akamai之类的

zonyitoo commented 1 month ago

实际上在OpenWRT的使用场景，dnsmasq -> smartdns 可以视为一个整体，不往上传递 CNAME ，对应用来讲没有问题。一个个加白不够一劳永逸，把fastly整个都加了又太过暴力

pymumu / smartdns

CNAME doesn't follow domain-rules #1743