xiaorouji / openwrt-passwall

7.21k stars 2.65k forks

UDP proxy does not work for DNS port 53 #2047

Closed w311ang closed 2 years ago

w311ang commented 2 years ago

Describe the bug (required)

UDP proxying of DNS port 53 does not work; traffic still goes direct.

Steps to reproduce (required)

  1. Import an unusable node via link: ss://Y2hhY2hhMjAtaWV0Zi1wb2x5MTMwNTpwYXNzd29yZA@example.com:1080
  2. In advanced settings, set UDP to proxy only port 53
  3. Turn on the main switch and select this node as the UDP proxy
  4. Run nslookup google.com 8.8.8.8 in cmd
  5. cmd quickly returns a hijacked result

Expected behavior (required)

The nslookup DNS query should time out, proving that it is being proxied.

Log information (required!)

2022-07-24 14:14:54: 成功解析【导入】节点数量: 1
2022-07-24 14:14:56: 删除相关防火墙规则完成。
2022-07-24 14:15:01: 清空并关闭相关程序和缓存完成。
2022-07-24 14:15:02: 运行完成!

2022-07-24 14:15:29: 删除相关防火墙规则完成。
2022-07-24 14:15:33: 清空并关闭相关程序和缓存完成。
2022-07-24 14:15:34: TCP节点没有选择或为空,不代理TCP。
2022-07-24 14:15:34: UDP节点:[example.com:1080]example.com:1080,监听端口:1051
2022-07-24 14:15:34: 过滤服务配置:准备接管域名解析...
2022-07-24 14:15:34:   - 域名解析:dns2tcp + 使用(TCP节点)解析域名...
2022-07-24 14:15:34:   * 请确认上游 DNS 支持 TCP 查询,如非直连地址,确保 TCP 代理打开,并且已经正确转发!
2022-07-24 14:15:34:   | - (chinadns-ng) 最高支持4级域名过滤...
2022-07-24 14:15:35:   | - [0](chinadns-ng) 代理域名表合并到防火墙域名表
2022-07-24 14:15:35:   | - [0](chinadns-ng) 域名白名单合并到中国域名表
2022-07-24 14:15:35:   + 过滤服务:ChinaDNS-NG(:15354):国内DNS:192.168.1.1,可信DNS:127.0.0.1#15353
2022-07-24 14:15:36:   - 节点列表中的域名(vpsiplist):192.168.1.1
2022-07-24 14:15:36:   - 域名白名单(whitelist):192.168.1.1
2022-07-24 14:15:36:   - 节点订阅域名(blacklist):127.0.0.1#15353
2022-07-24 14:15:36:   - 代理域名表(blacklist):127.0.0.1#15353
2022-07-24 14:15:39:   - 防火墙域名表(gfwlist):默认
2022-07-24 14:15:58:   - 中国域名表(chnroute):默认
2022-07-24 14:16:25: 开始加载防火墙规则...
2022-07-24 14:16:30: 加入负载均衡的节点到ipset[vpsiplist]直连完成
2022-07-24 14:16:30: 加入所有节点到ipset[vpsiplist]直连完成
2022-07-24 14:16:32:   - [0],屏蔽代理UDP 端口:80,443
2022-07-24 14:16:32: 加载路由器自身 UDP 代理...
2022-07-24 14:16:33: UDP默认代理:使用UDP节点[example.com:1080] [中国列表以外](TPROXY:1051)代理所有端口
2022-07-24 14:16:33: 防火墙规则加载完成!
2022-07-24 14:16:38: 重启 dnsmasq 服务
2022-07-24 14:16:38: 运行完成!

UDP log

2022-07-24 13:33:51 INFO: initializing ciphers... chacha20-ietf-poly1305
2022-07-24 13:33:52 INFO: listening at 0.0.0.0:1051
2022-07-24 13:33:52 INFO: UDP relay enabled
2022-07-24 13:33:52 INFO: udp port reuse enabled
2022-07-24 13:33:52 INFO: TCP relay disabled
2022-07-24 13:33:52 INFO: running from root user

Screenshot

~ $ nslookup google.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   google.com
Address: 8.7.198.46

System information (required)

passwall version: 4.55-1

Other relevant information

If all UDP ports are proxied, the NAT type test reports Blocked, which means the other ports should be fine, and the log also records the UDP requests, but proxying of port 53 still does not take effect.

2022-07-24 13:55:09 INFO: initializing ciphers... chacha20-ietf-poly1305
2022-07-24 13:55:10 INFO: listening at 0.0.0.0:1051
2022-07-24 13:55:10 INFO: UDP relay enabled
2022-07-24 13:55:10 INFO: udp port reuse enabled
2022-07-24 13:55:10 INFO: TCP relay disabled
2022-07-24 13:55:10 INFO: running from root user
2022-07-24 13:55:35 INFO: [udp] server receive a packet
2022-07-24 13:55:35 INFO: [1051] [udp] cache miss: 75.2.81.221:3478 <-> 192.168.2.245:54320
2022-07-24 13:55:35 INFO: [udp] server receive a packet
2022-07-24 13:55:35 INFO: [1051] [udp] cache hit: 216.93.246.18:3478 <-> 192.168.2.245:54320
2022-07-24 13:55:36 INFO: [udp] server receive a packet
2022-07-24 13:55:36 INFO: [1051] [udp] cache hit: 77.72.169.212:3478 <-> 192.168.2.245:54320
2022-07-24 13:55:37 INFO: [udp] server receive a packet
2022-07-24 13:55:37 INFO: [1051] [udp] cache hit: 99.83.248.67:3478 <-> 192.168.2.245:54320
2022-07-24 13:55:37 INFO: [udp] server receive a packet
2022-07-24 13:55:37 INFO: [1051] [udp] cache hit: 77.72.169.211:3478 <-> 192.168.2.245:54320
2022-07-24 13:56:37 INFO: [udp] connection timeout
2022-07-24 13:56:37 INFO: [udp] one connection freed
2022-07-24 13:56:47 INFO: [udp] server receive a packet
2022-07-24 13:56:47 INFO: [1051] [udp] cache miss: 116.203.151.74:123 <-> 192.168.1.4:45721

The router itself does proxy UDP successfully; nslookup against a foreign DNS server times out.

github-actions[bot] commented 2 years ago

@w311ang: hello! :wave:

This issue is being automatically closed because it does not follow the issue template.

w311ang commented 2 years ago

Possibly related: https://github.com/xiaorouji/openwrt-passwall/blob/0d455764d4c10b30051a42f32c5552d6759a875c/luci-app-passwall/root/usr/share/passwall/iptables.sh#L832-L835

w311ang commented 2 years ago

Deleting the two lines containing --dport 53 -j RETURN from /var/etc/passwall.include and then restarting the firewall fixes it, but this has to be repeated every time passwall restarts:

sed -i '/--dport 53 -j RETURN/d' /var/etc/passwall.include
fw3 reload

This is probably related, though I do not know what it is for: https://github.com/xiaorouji/openwrt-passwall/blob/0d455764d4c10b30051a42f32c5552d6759a875c/luci-app-passwall/root/usr/share/passwall/iptables.sh#L1209-L1210 If it were simply removed at build time, there would be no need to repeat the operation after every restart.
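Added example, not code from the thread or from the passwall project: a small POSIX shell check for the condition the comment above describes, namely a `--dport 53 -j RETURN` rule sitting ahead of the TPROXY/MARK rule in the same chain, which is what makes UDP/53 bypass the proxy. Because /var/etc/passwall.include is regenerated on every passwall restart, a check like this is what tells you whether the workaround is still in place. The file contents, the chain names `PSW` and `PSW_OUTPUT`, and the exact rule text are constructed assumptions modelled on the fragment quoted in the comment; the real generated file will differ, so point the functions at the actual file rather than relying on the sample.

```shell
#!/bin/sh
# Added example (not passwall's own code). Inspects a passwall.include-style
# file for the "--dport 53 -j RETURN" rules that exempt UDP port 53 from the
# proxy chain, and produces a copy with those rules removed.

# Constructed sample of the generated include file. Chain names and rule text
# are assumptions for illustration; the real file differs.
SAMPLE_INCLUDE="$(mktemp)"
STRIPPED_INCLUDE="$(mktemp)"
cat > "$SAMPLE_INCLUDE" <<'EOF'
# constructed sample, modelled on the rules passwall writes
iptables -t mangle -A PSW -p udp --dport 53 -j RETURN
iptables -t mangle -A PSW -p udp -m set --match-set chnroute dst -j RETURN
iptables -t mangle -A PSW -p udp -j TPROXY --on-port 1051 --tproxy-mark 1
iptables -t mangle -A PSW_OUTPUT -p udp --dport 53 -j RETURN
iptables -t mangle -A PSW_OUTPUT -p udp -j MARK --set-mark 1
EOF

# How many rules return UDP/53 traffic to the caller before it reaches
# the proxy rule. Prints the count (0 when there are none).
dns_bypass_rule_count() {
    grep -c -- '--dport 53 -j RETURN' "$1" || true
}

# Succeeds (exit 0) when, in chain $2 of file $1, a "--dport 53 -j RETURN"
# rule appears before the first TPROXY or MARK rule, i.e. DNS is exempt
# from proxying in that chain. iptables evaluates rules in order, so a
# RETURN placed earlier wins.
dns_exempt_in_chain() {
    file="$1"
    chain="$2"
    ret_line=$(grep -n -- "-A $chain .*--dport 53 -j RETURN" "$file" \
        | head -n1 | cut -d: -f1)
    proxy_line=$(grep -n -E -- "-A $chain .*-j (TPROXY|MARK)" "$file" \
        | head -n1 | cut -d: -f1)
    [ -n "$ret_line" ] && [ -n "$proxy_line" ] && [ "$ret_line" -lt "$proxy_line" ]
}

# Write a copy of $1 to $2 with the bypass rules removed. This is the same
# sed expression the comment above applies to the live file; writing to a
# copy lets you diff the result before touching the real include file.
strip_dns_bypass() {
    sed '/--dport 53 -j RETURN/d' "$1" > "$2"
}

# Demonstration on the constructed sample.
if dns_exempt_in_chain "$SAMPLE_INCLUDE" PSW; then
    echo "chain PSW: UDP/53 is exempt from the proxy (RETURN precedes TPROXY)"
fi
strip_dns_bypass "$SAMPLE_INCLUDE" "$STRIPPED_INCLUDE"
echo "bypass rules before: $(dns_bypass_rule_count "$SAMPLE_INCLUDE"), after: $(dns_bypass_rule_count "$STRIPPED_INCLUDE")"
if ! dns_exempt_in_chain "$STRIPPED_INCLUDE" PSW; then
    echo "chain PSW: UDP/53 now reaches the TPROXY rule"
fi
```

To use it on a router, replace `$SAMPLE_INCLUDE` with /var/etc/passwall.include and inspect the stripped copy before reloading the firewall. Note that this removes the exemption for every chain in the file, including the router's own output chain, so local resolver traffic (the dns2tcp/chinadns-ng path shown in the log above) is then also subject to the UDP proxy rule.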

github-actions[bot] commented 2 years ago

Stale Issue