shawn1m / overture

A customized DNS relay server
MIT License

Alternative DNS issue #66

Closed xia-i closed 7 years ago

xia-i commented 7 years ago

When AlternativeDNS is set to port 53 over TCP it does not work, for example `"Address": "208.67.222.222:53", "Protocol": "tcp"` returns no result, while PrimaryDNS works normally.

xia-i commented 7 years ago

Correction: the problem occurs for poisoned domains going over TCP 53; unpoisoned ones work fine.

shawn1m commented 7 years ago

You can test with the dig command; in my test there is no problem:

```
$dig www.google.com @208.67.222.222 +tcp

; <<>> DiG 9.9.7-P3 <<>> www.google.com @208.67.222.222 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52804
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 16384
;; QUESTION SECTION:
;www.google.com.            IN  A

;; ANSWER SECTION:
www.google.com.     293 IN  A   172.217.11.164

;; Query time: 828 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Nov 10 14:33:04 CST 2017
;; MSG SIZE  rcvd: 59
```

shawn1m commented 7 years ago

My guess is that there may be a problem with your rule configuration.

xia-i commented 7 years ago

I mean configuring TCP port 53 in overture's config.json: poisoned domains cannot be resolved, while unpoisoned ones work normally.

shawn1m commented 7 years ago

Normally, when going over TCP 53, there is no situation where some domains resolve and some do not, so I suspect there is a problem with your rule setup. Also, you can use -v to get the relevant log; at the moment there is no way to determine the cause of the problem you describe.

xia-i commented 7 years ago

```
time="2017-11-10T14:52:14+08:00" level=debug msg="Question from 115...: ;....in-addr.arpa.\tIN\t PTR"
time="2017-11-10T14:52:14+08:00" level=debug msg="Domain match fail, try to use primary DNS"
time="2017-11-10T14:52:14+08:00" level=debug msg="Question from 115...: ;www.google.com.\tIN\t A"
time="2017-11-10T14:52:14+08:00" level=debug msg="Domain match fail, try to use primary DNS"
time="2017-11-10T14:52:14+08:00" level=debug msg="Answer from DNSPOD: www.google.com.\t251\tIN\tA\t31.13.65.17"
time="2017-11-10T14:52:14+08:00" level=debug msg="Try to match response ip address with IP network"
time="2017-11-10T14:52:14+08:00" level=debug msg="IP network match fail, finally use alternative DNS"
time="2017-11-10T14:52:14+08:00" level=debug msg="OpenDNS Fail: Response message is nil, maybe timeout, please check your query or dns configuration"
time="2017-11-10T14:52:16+08:00" level=debug msg="Question from 115...: ;www.google.com.\tIN\t AAAA"
time="2017-11-10T14:52:16+08:00" level=debug msg="Domain match fail, try to use primary DNS"
time="2017-11-10T14:52:16+08:00" level=debug msg="Question from 115...: ;www.google.com.\tIN\t A"
time="2017-11-10T14:52:16+08:00" level=debug msg="Domain match fail, try to use primary DNS"
time="2017-11-10T14:52:16+08:00" level=debug msg="Answer from DNSPOD: www.google.com.\t249\tIN\tA\t31.13.65.17"
time="2017-11-10T14:52:16+08:00" level=debug msg="Try to match response ip address with IP network"
time="2017-11-10T14:52:16+08:00" level=debug msg="IP network match fail, finally use alternative DNS"
time="2017-11-10T14:52:17+08:00" level=debug msg="OpenDNS Fail: Response message is nil, maybe timeout, please check your query or dns configuration"
time="2017-11-10T14:52:18+08:00" level=debug msg="Question from 115...*: ;www.google.com.\tIN\t AAAA"
time="2017-11-10T14:52:18+08:00" level=debug msg="Domain match fail, try to use primary DNS"
```

shawn1m commented 7 years ago

So when you test with the dig command `dig www.google.com @208.67.222.222 +tcp`, it also returns no result?

xia-i commented 7 years ago

I think this is GFW interference; nslookup and dig querying 208.67.222.222 over tcp directly return correct results, which is why I submitted the issue to you.

shawn1m commented 7 years ago

Can you show me your configuration file?

xia-i commented 7 years ago

```json
{
  "BindAddress": ":53",
  "PrimaryDNS": [
    {
      "Name": "DNSPOD",
      "Address": "119.29.29.29:53",
      "Protocol": "udp",
      "SOCKS5Address": "",
      "Timeout": 6,
      "EDNSClientSubnet": {
        "Policy": "auto",
        "ExternalIP": ""
      }
    }
  ],
  "AlternativeDNS": [
    {
      "Name": "OpenDNS",
      "Address": "208.67.222.222:53",
      "Protocol": "tcp",
      "SOCKS5Address": "",
      "Timeout": 6,
      "EDNSClientSubnet": {
        "Policy": "Disable",
        "ExternalIP": ""
      }
    }
  ],
  "OnlyPrimaryDNS": false,
  "RedirectIPv6Record": false,
  "IPNetworkFile": "./ip_network_sample",
  "DomainFile": "./domain_sample",
  "DomainBase64Decode": true,
  "HostsFile": "./hosts_sample",
  "MinimumTTL": 1800,
  "CacheSize": 14400,
  "RejectQtype": [255]
}
```

shawn1m commented 7 years ago

Using your configuration file in my environment there is no problem; I even emptied the domainfile. So it looks very likely to be a problem with your network environment.

```
DEBU[0001] Question: ;www.google.com.   IN   A
DEBU[0001] Domain match fail, try to use primary DNS
DEBU[0001] DNSPOD Answer: www.google.com.   4   IN  A   31.13.84.1
DEBU[0001] Try to match response ip address with IP network
DEBU[0001] IP network match fail, finally use alternative DNS
DEBU[0001] OpenDNS Answer: www.google.com.  300 IN  A   172.217.11.164
DEBU[0001] Cached: www.google.com. 1
```

xia-i commented 7 years ago

I mean tcp, not udp; what you have there is the poisoned result returned over udp. `"Address": "208.67.222.222:53", "Protocol": "tcp",`

shawn1m commented 7 years ago

Where do you see that I used udp? I used exactly the configuration file you provided.

```
DEBU[0001] OpenDNS Answer: www.google.com.  300 IN  A   172.217.11.164
```

Only by using tcp is it possible to get this address; it is Google's address, and overture ultimately returned this address to the client as well.

xia-i commented 7 years ago

OK, I misread. Here on Windows, testing tcp 53 returns nothing, while 443 and 5353 work completely fine.

shawn1m commented 7 years ago

If 443 and 5353 both work completely fine, then it can basically be attributed to the network environment; perhaps your ISP gives port 53 some special attention...

xia-i commented 7 years ago

Tencent Cloud, Alibaba Cloud, and my home network all test the same. Only poisoned domains have this problem; normal domains all return results. I am using Overture version 1.3.6rc2.

shawn1m commented 7 years ago

Then let's leave it here for now; I cannot reproduce it in my environment.

xia-i commented 7 years ago

I found the cause: under TCP the DNS query packets are also intercepted by the GFW. I did a packet capture, and the result actually is returned, but the application has already judged the connection to be closed. Windows' nslookup can return the result.

xia-i commented 7 years ago

Normally the data is received first and then the connection is closed. For a poisoned domain, the data from the server arrives only after the GFW has already closed the connection.

xia-i commented 7 years ago

Sending the tcp query split into multiple packets avoids the disconnection.

shawn1m commented 7 years ago

overture is currently implemented on top of the miekg/dns package; splitting tcp queries into multiple packets involves modifying the dependency, which is not something the overture layer can do directly, and reimplementing it would be fairly troublesome. In addition, overture's future aim is to use standard protocols to accomplish custom traffic splitting, and there is no plan to special-case transport-layer quirks; this is not overture's development direction. I think you could find some other DNS software that can send in split packets and use it as overture's upstream to solve this problem.
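An added example, not code from overture or miekg/dns, showing the DNS-over-TCP framing the thread turns on: RFC 1035 section 4.2.2 prefixes each message with a 2-byte length, and a client must loop over short reads and treat a zero-length read before the full message as a closed connection (the "Response message is nil" case in the log above), distinct from a complete response. `ChunkedStream` is a constructed stand-in for a socket; the query builder and header parser are minimal helpers written for this example.

```python
import struct


def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query (RFC 1035 section 4.1): header with RD set plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def frame_tcp(msg):
    """DNS over TCP prefixes each message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


class ChunkedStream:
    """Constructed stand-in for a socket: hands out at most `chunk` bytes per read,
    then returns b"" just like a peer that has closed the connection."""

    def __init__(self, data, chunk):
        self.data, self.chunk, self.pos = data, chunk, 0

    def read(self, n):
        end = min(self.pos + min(n, self.chunk), len(self.data))
        out, self.pos = self.data[self.pos:end], end
        return out


def read_exact(stream, n):
    """Loop over short reads; a zero-length read before n bytes means the peer closed."""
    buf = b""
    while len(buf) < n:
        part = stream.read(n - len(buf))
        if not part:
            raise ConnectionError(f"connection closed after {len(buf)} of {n} bytes")
        buf += part
    return buf


def read_tcp_message(stream):
    """Read one length-prefixed DNS message; the prefix itself may arrive split."""
    (length,) = struct.unpack("!H", read_exact(stream, 2))
    return read_exact(stream, length)


def parse_header(msg):
    """Return (txid, is_response, rcode, ancount) from a 12-byte DNS header."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, bool(flags & 0x8000), flags & 0x000F, ancount
```

A resolver that reads with a single `recv` of the expected size, or that treats any closed socket as "no answer", reports a timeout even when the response bytes were on the wire; the loop above makes that distinction explicit.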