shadowsocks / shadowsocks-android

A shadowsocks client for Android

Can't connect properly after turning on private DNS feature on Android 10+ #2524

Open marierose147 opened 4 years ago

marierose147 commented 4 years ago

Describe the bug
After turning on Android's private DNS feature, the client cannot connect properly.

To Reproduce
Steps to reproduce the behavior:

  1. Turn on the private DNS function inside the Android system settings, set the DNS server to dns.google.
  2. Set the profile to use custom rules.
  3. Only google.com and its subdomains are configured in the custom rules.
  4. After initiating the connection, it was not possible to successfully connect to google.com.

Expected behavior
Successfully connects to google.com.

Screenshots
(image: Screenshot_20200511-102952_Shadowsocks)


Mygod commented 4 years ago

Ooh interesting. Looks like something is failing, which is causing sslocal to bypass the connection.

Mygod commented 4 years ago

@madeye Apparently on Android 10, if private DNS is enabled, it will be used even for VPN connections (as opposed to Android 9, where it is not). It was working in v5.0.x because shadowsocks-libev was using sni_parser to force redirect traffic.

Mygod commented 4 years ago

https://issuetracker.google.com/issues/141674015#comment6

Mygod commented 4 years ago

For now, either turn off private DNS, or add IP blocks to be proxied to custom rules as well. Adding back sni_parser does not sound like a desirable thing to do.

madeye commented 4 years ago

I think the behavior is expected, if the ACL doesn't include the rules for that private DNS, we should not proxy it.

Mygod commented 4 years ago

The issue is that no matter what the ACL is, the system will not use our DNS relay other than for resolving the private DNS hostname...

Mygod commented 4 years ago

For now, let's see if Google is willing to implement any changes to private DNS with VPN. If not, we might need to do some nasty changes.

terrytw commented 3 years ago

It's been 5 months and by the looks of it, Google is not willing to do anything about it. It's even described as a bug in Android 9 which was "fixed in Android 10". IMHO there is no way they change it back.

Mygod commented 5 months ago

This might be related, but you cannot connect if the server is a domain name and private DNS is enabled. It looks like private DNS resolving is broken with a bound network.