Built-in DNS causes domain name leaks (内置DNS导致域名泄漏问题) #3304

Open

oule opened this issue Feb 7, 2025 · 1 comment

oule commented Feb 7, 2025

Hello everyone,

When I use the DNS outbound in my client configuration I run into a problem where domain names leak; details below:

1. When I remove the first routing rule from the v2ray client configuration, there is no DNS leak and all traffic goes through proxy, but v2ray can no longer cache domain resolution results. Log:

```text
2025/02/07 22:34:37 [Debug] transport/internet/udp: UDP original destination: udp:1.1.1.1:53
2025/02/07 22:34:37 [Debug] [3721074466] proxy/dokodemo: processing connection from: 192.168.192.101:45269
2025/02/07 22:34:37 [Info] [3721074466] proxy/dokodemo: received request for 192.168.192.101:45269
2025/02/07 22:34:37 [Warning] [3721074466] app/dispatcher: default route for udp:1.1.1.1:53
2025/02/07 22:34:37 [Info] [3721074466] transport/internet/websocket: creating connection to tcp:vps.server.nginx:443
2025/02/07 22:34:38 [Info] [3721074466] proxy/vless/outbound: tunneling request to udp:1.1.1.1:53 via vps.server.nginx:443
```

2. When I do not remove the first rule in the client routing rules, resolution results can be cached, but DNS leaks, because on the gateway I can capture packets going to 8.8.4.4. Log:

```text
2025/02/07 22:11:46 [Debug] transport/internet/udp: UDP original destination: udp:1.1.1.1:53
2025/02/07 22:11:46 [Debug] [2614643243] proxy/dokodemo: processing connection from: 192.168.192.101:33328
2025/02/07 22:11:46 [Info] [2614643243] proxy/dokodemo: received request for 192.168.192.101:33328
2025/02/07 22:11:46 [Info] [2614643243] app/dispatcher: taking detour [dns-out] for [udp:1.1.1.1:53]
2025/02/07 22:11:46 [Info] [2614643243] proxy/dns: handling DNS traffic to udp:1.1.1.1:53
2025/02/07 22:11:46 [Debug] app/dns: domain baidu.com will use DNS in order: [UDP:8.8.4.4:53] [TypeA]
2025/02/07 22:11:46 [Debug] app/dns: DNS cache is disabled. Querying IP for baidu.com at UDP:8.8.4.4:53
2025/02/07 22:11:46 [Debug] app/dns: UDP:8.8.4.4:53 querying DNS for: baidu.com.
2025/02/07 22:11:46 [Debug] transport/internet/udp: dispatch request to: udp:8.8.4.4:53
2025/02/07 22:11:46 [Info] transport/internet/udp: establishing new connection for udp:8.8.4.4:53
2025/02/07 22:11:46 [Info] app/dispatcher: taking detour [dns-out] for [udp:8.8.4.4:53]
2025/02/07 22:11:46 [Info] proxy/dns: handling DNS traffic to udp:8.8.4.4:53
2025/02/07 22:11:46 [Info] app/dns: UDP:8.8.4.4:53 got answer: baidu.com. TypeA -> [39.156.66.10 110.242.68.66] 157.135426ms
2025/02/07 22:11:46 [Debug] app/dns: UDP:8.8.4.4:53 updating IP records for domain:baidu.com.
```

Also, `proxy/vless/outbound: tunneling request to udp:8.8.4.4:53 via vps.server.nginx:443` never appears.
The packet capture on the gateway shows traffic to 8.8.4.4.53:

```text
22:17:21.948949 IP 192.168.192.101.55493 > 8.8.4.4.53: 7+ A? baidu.com. (27)
22:17:21.948949 IP 192.168.192.101.55493 > 8.8.4.4.53: 8+ AAAA? baidu.com. (27)
22:17:22.102754 IP 8.8.4.4.53 > 192.168.192.101.55493: 8 0/1/0 (70)
22:17:22.102785 IP 8.8.4.4.53 > 192.168.192.101.55493: 7 2/0/0 A 110.242.68.66, A 39.156.66.10 (59)
```

I have read 《漫谈各种黑科技式 DNS 技术在代理环境中的应用》 (an article on the use of various "black-tech" DNS techniques in proxy environments), which says: "6. DNS requests sent by the built-in DNS follow the routing rules; because 8.8.8.8 matches the first rule in the routing, the traffic of this DNS request goes through proxy". But mine does not go through proxy; it is sent to the gateway instead. I am completely puzzled, so please help me find out where the problem is.
What I expect: while using the built-in DNS, domain resolution results can be cached, and the DNS requests sent by the built-in DNS follow the routing rules, so that I can control which outbound they take rather than having them leak out to the gateway.
Many thanks!

Network environment

LAN PC (v2ray-5.12.1 client) ---> Linux gateway (PPPoE) ---> Internet ---> VPS (v2ray-5.12.1 server)

v2ray server configuration

```json
{
    "inbounds": [
        {
            "listen": "127.0.0.1",
            "port": 1234,
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "........",
                        "level": 0
                    }
                ],
                "decryption": "none"
            },
            "streamSettings": {
                "network": "ws",
                "wsSettings": {
                    "path": "/xxxxxxxxxxxxxx"
                }
            },
            "tag": "gfw"
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom",
            "settings": {},
            "tag": "direct"
        }
    ]
}
```

Client configuration

```json
{
  "dns": {
    "servers": [
      "8.8.4.4"
    ],
    "queryStrategy": "UseIP",
    "disableCache": true
  },
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 1081,
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "tproxy"
        }
      }
    }
  ],
  "outbounds": [
    {
      "tag": "proxy",
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "domain.com",
            "port": 443,
            "users": [
              {
                "encryption": "none",
                "id": "xxxxxxxxxxxxxxxx",
                "level": 0
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "security": "tls",
        "wsSettings": {
          "path": "/xxxxxxxxxxxxxxx"
        },
        "sockopt": {
          "mark": 255
        }
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom",
      "streamSettings": {
        "sockopt": {
          "mark": 255
        }
      },
      "domainStrategy": "UseIP"
    },
    {
      "tag": "dns-out",
      "protocol": "dns",
      "streamSettings": {
        "sockopt": {
          "mark": 255
        }
      }
    }
  ],
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "port": 53,
        "network": "udp",
        "outboundTag": "dns-out"
      },
      {
        "type": "field",
        "ip": [
          "8.8.4.4"
        ],
        "outboundTag": "proxy"
      }
    ]
  }
}
```

Client iptables configuration

```sh
# Policy routing: packets carrying fwmark 1 are looked up in table 100, whose
# only route delivers everything to lo, so TPROXY'd packets are accepted locally.
ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100

iptables -t mangle -N V2RAY        # traffic arriving from the LAN (PREROUTING)
iptables -t mangle -N V2RAY_MASK   # traffic generated on this host (OUTPUT)

iptables -t mangle -A PREROUTING -j V2RAY
iptables -t mangle -A OUTPUT -j V2RAY_MASK

# Leave loopback, multicast, broadcast and LAN traffic alone, except UDP/53
# to the LAN, which is still handed to v2ray.
iptables -t mangle -A V2RAY -d 127.0.0.1/32 -j RETURN
iptables -t mangle -A V2RAY -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A V2RAY -d 192.168.0.0/16 -p tcp -j RETURN
iptables -t mangle -A V2RAY -d 192.168.0.0/16 -p udp -m udp ! --dport 53 -j RETURN
# Mark 0xff is set by v2ray's own outbounds (sockopt "mark": 255); letting it
# through keeps v2ray's egress from being fed back into v2ray.
iptables -t mangle -A V2RAY -m mark --mark 0xff -j RETURN
# Everything else goes to the dokodemo-door inbound on port 1081.
iptables -t mangle -A V2RAY -p udp -j TPROXY --on-port 1081 --on-ip 0.0.0.0 --tproxy-mark 0x1/0xffffffff
iptables -t mangle -A V2RAY -p tcp -j TPROXY --on-port 1081 --on-ip 0.0.0.0 --tproxy-mark 0x1/0xffffffff

# Locally generated traffic: same exemptions plus the VPS itself, then mark 1
# so the packet is rerouted through table 100 into lo and caught by the
# PREROUTING rules above.
iptables -t mangle -A V2RAY_MASK -d vpsip/32 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -p tcp -j RETURN
iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -p udp -m udp ! --dport 53 -j RETURN
iptables -t mangle -A V2RAY_MASK -m mark --mark 0xff -j RETURN
iptables -t mangle -A V2RAY_MASK -p udp -j MARK --set-xmark 0x1/0xffffffff
iptables -t mangle -A V2RAY_MASK -p tcp -j MARK --set-xmark 0x1/0xffffffff
```

Client /etc/resolv.conf

```text
nameserver 1.1.1.1
```

Solvris commented Apr 7, 2025

Swap the two routing rules. In the first case nothing matched any rule, so the default outbound was used. In the second case, `2025/02/07 22:11:46 [Info] app/dispatcher: taking detour [dns-out] for [udp:8.8.4.4:53]` shows that the traffic to 8.8.4.4 was matched by the first rule and used dns-out (it should have matched the second rule and gone through proxy).
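To make the ordering point concrete, here is an added example (written for this page, not code from v2ray or from either participant) that simulates first-match routing over the two rules from the client config above, in the posted order, in the swapped order Solvris suggests, and with the first rule removed (the poster's case 1). It assumes v2ray's documented rule semantics: rules are tried top to bottom, the first rule whose every listed field matches wins, and a destination matching no rule goes to the first outbound, which is `proxy` in this config. The two destinations are the ones in the issue's log: the LAN host's query to 1.1.1.1:53 hijacked by TPROXY, and the built-in DNS then asking its upstream 8.8.4.4:53.

```python
"""Added example: first-match simulation of the routing section in this issue.

Assumed semantics (v2ray's documented behaviour, not code from the page):
rules are evaluated top to bottom, the first rule whose every listed field
matches wins, and a destination matching no rule goes to the first outbound
("proxy" here), which the log reports as the default route.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Dest:
    network: str  # "udp" or "tcp"
    ip: str
    port: int


def port_matches(spec, port):
    # v2ray accepts an int, a "53" string, a "53,853" list or a "1000-2000" range.
    for part in str(spec).split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule, dest):
    if "network" in rule and dest.network not in rule["network"].split(","):
        return False
    if "port" in rule and not port_matches(rule["port"], dest.port):
        return False
    if "ip" in rule:
        addr = ipaddress.ip_address(dest.ip)
        if not any(addr in ipaddress.ip_network(cidr, strict=False)
                   for cidr in rule["ip"]):
            return False
    return True


def route(rules, dest, default="proxy"):
    """Outbound tag of the first matching rule, else the default outbound."""
    for rule in rules:
        if rule_matches(rule, dest):
            return rule["outboundTag"]
    return default


# The two rules from the issue's client config, as dicts mirroring the JSON.
RULE_DNS_OUT = {"type": "field", "port": 53, "network": "udp",
                "outboundTag": "dns-out"}
RULE_UPSTREAM = {"type": "field", "ip": ["8.8.4.4"], "outboundTag": "proxy"}

ORIGINAL = [RULE_DNS_OUT, RULE_UPSTREAM]  # ordering posted in the issue
SWAPPED = [RULE_UPSTREAM, RULE_DNS_OUT]   # ordering Solvris recommends
WITHOUT_FIRST = [RULE_UPSTREAM]           # the poster's case 1

# Two hops of one lookup, taken from the log lines in the issue.
CLIENT_QUERY = Dest("udp", "1.1.1.1", 53)    # LAN host -> resolv.conf server
UPSTREAM_QUERY = Dest("udp", "8.8.4.4", 53)  # built-in DNS -> its upstream


def trace(rules):
    return {"client": route(rules, CLIENT_QUERY),
            "upstream": route(rules, UPSTREAM_QUERY)}


def upstream_leaks(rules):
    """True unless the built-in DNS's upstream query is routed via 'proxy'."""
    return trace(rules)["upstream"] != "proxy"


if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("swapped", SWAPPED),
                        ("without first rule", WITHOUT_FIRST)]:
        print(f"{name:20s} {trace(rules)}  leak={upstream_leaks(rules)}")
```

With the posted order, both hops hit the `udp/53` rule, so the built-in DNS's own query is handed back to `dns-out` instead of reaching `proxy`, which is exactly the `taking detour [dns-out] for [udp:8.8.4.4:53]` line in the log. With the rules swapped, the client's query still goes to `dns-out` (so the built-in DNS and its cache are used) while the upstream query to 8.8.4.4 matches the `ip` rule first and goes to `proxy`. With the first rule removed, the client's query matches nothing and takes the default route, matching the `default route for udp:1.1.1.1:53` warning in case 1.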
