-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DNS:特定环境下fakeIP失效问题 #4543
Comments
|
什么玩意 浏览器DOH解析出来的不是正常IP?正常IP直接过去了哪来被Xray污染的说法 而且fakedns你不override |
电脑网卡设阿里,chrome系浏览器默认开doh为阿里的 安卓手机系统设置默认开安全dns 一堆垃圾app有httpdps sdk 都会导致解析错误 @Fangliding 你不懂就不要乱评价 |
哦是GFW污染 你牵头说了个Xray污染搞混了 |
客户端发往Xray的数据包,IP在特定情况下就可能是错的,要么是CDN不友好,要么是被污染 照你这么说那还搞啥routeOnly直接删了得了,凡是能嗅探出来的,统统换成域名 你没考虑过换成域名需要多一次DNS解析吗 |
首先服务端解析域名开销很小 大概只有十几二十ms而且同样有缓存 |
本地xray解析域名,显然不会让节点xray产生dns缓存 routeOnly=true就是为了防止节点xray产生二次DNS请求 但显然它不完美,它没考虑到客户端(pc/phone)请求的IP或许不可信 |
我拿xray充当透明代理用没多久,配下来发现有这样那样的缺陷,显然它不够完美 这些改动不做行不行?不做当然不影响爬墙,总归能保证你打开Google 就像我提交的这个issues,如果不改,利用现有选项,强制把ip换成域名行不行? 我这几天提交的关于DNS的PR和issue都是为了解决这些历史遗留问题 只需要很小的改动,让它性能上有更好的表现 这些缺陷根源在于当初*ray系设计,出发点只是一个PC端软件 singbox作者 @nekohasekai 以前弄的 routeOnly 也是为了追求极致性能 至于配置选项太多的问题,完全可以更新官方example,针对每个用途给最佳指南 这些情景不是刁钻,是为了追求最佳体验不得不这么干,别人没发现是因为他们菜 |
Your problem is similar to my problem, and this problem has been solved. You want your domains be resolved only with trusted-built-in-dns, and use that IP in server too. /// Solution 1: (one name-to-ip convertor, but require redirect-socks-in/out) you should set routeOnly=false for main-inbound but set routeOnly=true for redirect-inbound and then use #4423 (comment), it means:
/// Solution 2: (no need for redirect-socks-in/out, but require name-to-ip convertor for each proxy) you can omit redirect-socks-in/out in Solution 1, but you need add name-to-ip convertor for each proxy, it means:
/// I also had another problem other than yours and that was that we have no control over "forceIP" and it can return any IP, so I added "allowUnexpectedIPs" to filter out my desired IPs. /// I know these are not elegant, but any other solution does not have the comprehensiveness of these solutions. |
不,所有的域都可能被污染,你的配置文件会导致所有的流量绕一圈,而不是某个域 要么尽可能屏蔽所有DOH和httpclient,这显然不可能 让xray强制把所有域重新解析一次是唯一办法。 |
i omit routing section in my solutions, because, you are free to do whatever you want with routing. I also think you still don't understand how "dialerProxy" works. if you want to force all domains to be re-parsed just add this rule to the top of routing-rules in solution 1:
|
不,我并不关心 透明代理 + realIp下,我的用例是最佳实践,因为减少了一次DNS解析,它具有最好的性能 因此它应该被重视,所以它应该享有一个独立的开关,直截了当地解决客户端DNS被污染问题 其它人没发现,单纯是因为他们菜 |
What does it have to do with transparent proxy?
|
This does exactly what "ignoreClientIp" does in #4423, also, if you don't like redirect, you can use solution 2, but you need to make some appropriate changes to the routing. |
我也觉得这样就行,如果客户端实际请求的 IP 不是 fake IP,那么变成哪个 IP 则是不一定的,只能无差别 AOE 开 sniff + override 不觉得有什么问题 |
如果你要把 sniff 出来的域名先本地覆写为 IP 再发给服务端 proxy,则是另一件事,感觉你总是搞混 #4497 (comment) 并且绝大多数场景下本地覆写域名为 IP 没什么好处,除非你要像 @patterniha 先在本地分流,也有 workaround #4423 (comment) |
also, there is no need for #4423 (comment) and redirect-socks, see solution 1 and solution 2 in #4543 (comment) |
@patterniha ?你这个 solution 2 把域名覆写为 IP 后不重新走一遍路由,怎么选择要不要走 worker proxy |
we have "IPifNonMatch"/"IPonDemand" ability in routing, So we have everything we need(IPs) in the first step routing. so we don't need second step. |
@patterniha 你的意思是共用 DNS cache 了,但非 AsIs 的弊端是影响了所有没在 geosite 里的域名, 不过共用 DNS cache 以免 routing 干 override 的脏活,确实可以有 |
yes, i also add "allowUnexpecteIPs" to prevent using different IP (in diffrenet range) in outbound and routing.
i don't understand exactly what you mean, we can put domain-need-rules on top of routing-rules, so it doesn't affect them. |
@patterniha 总之正如我之前所说,我以前总想搞个 NEXT 架构,把 feature 变成 node,用户自己串起来,更加直观,但是后来发现通过现有的 tag-match、dialer-proxy、socks-redirect-in 等能力也是可以做到“图灵完备”的,只是看起来绕一些,且有些性能上有折扣 但前段时间因为你这些奇奇怪怪的需求,我发现 NEXT 还不够,要弄个简易的 script 机制,把 feature 做成 API,用户自己写 if else,颗粒度更细,这就是 Xray 未来的方向,此外像这样的东西肯定做不进分享链接,必须要有 JSON 订阅机制, |
我们的沟通出现了障碍 我想要的始终是 IP替换为IP 如果原来是IP,允许xray选择不信任它,让xray重新解析此域,替换掉原IP |
|
@patterniha 还有对于 DNS, |
并且 |
@patterniha 我知道可以通过你说的那种配置做到替换所有,但我并不感兴趣 透明代理下,为了实现realip,同时避免二次解析dns增加的延迟 因此简单直接地把ip换ip是必要的操作 我都追求极限速度了,为什么要绕那么大一圈利用dialproxy呢? |
@Meo597 我觉得 ray 没直接的这个功能可能就是因为本地把域名覆写为 IP 很不优雅 但是我又觉得如果实在需要,加个这功能也不是不行,至于加在路由还是哪,还需要讨论一下 |
按我的需求来看,这玩意的目的就是要对所有域开AOE 所以这个开关必须是routeOnly=true时才可生效 因为客户端请求的任何一个域的IP都有可能被污染 至于outbound加肯定不行,会导致ip分流失效 |
要加这个功能就要能被最大程度复用,比如说同时覆盖 @patterniha 的需求 |
首先得达成共识: 对于@patterniha之前的那个需求 按照目前我自己的补丁,只有在客户端请求的是ip时,才允许替换 为了满足@patterniha的需求 我能想到的就这些 插个题外话:你是否有兴趣让reality和vless在fallback时,对这些连接限速? |
We already have this option, forceIPv4, forceIPv6, ForceIPv4v6, ForceIPv6v4 the It makes things simpler, but it is a very limiting option, it affects all domains. and it can be implemented with dialerProxy. also, it is not useful when the original address is domain. anyway, this is just an extra option and it can be added, It depends on your opinion. |
|
考虑到p的需求时,它的请求肯定是个域。 透明代理当然始终是ip |
所以要放路由或路由后 |
@Meo597 @patterniha 至于其它功能,先弄完这个“本地把域名覆写为 IP”再说,我是觉得这功能都两个人想要了,Xray 可以加 |
感谢 我要的是把IP覆写为IP 至于咋实现我没啥好主意了 outbound显然不行,导致ip rule失效 |
i think this the best, merge freedom-non-transport-dialer-proxy to the main-outbound. Although this is just a simplification option. |
first, you have to convert the IP to the domain, then to another IP, so we both want the same thing. we both need to convert the domain via "built-in-dns" |
The difference is that you want everything to be done in inbound, because i convert the domain to ip after routing, my solution has more flexibility, and also works for domain-original address. This is the whole thing |
没错,这是所有的分歧点 我需要的是在路由模块时,就已经是最终ip |
ok, just use solution 1, so you have final IP in routing, this works even if your original-address is domain. this is the complete config that you need: #4543 (comment) even if you only need trusted-IP in routing and don't need the domain just disable sniffing in redirect-inbound. (also, you can use solution 2, but with a little more complex routing) |
I think you didn't notice this. |
请相信,我完全明白你的配置的思路,很抱歉我没有尝试去配置他 但我认为如果流量要这样绕一圈的话,我宁愿选择fork xray,然后每次打自己的补丁 透明代理是高频使用的场景,无数的路由器中跑着xray |
ok, if you have a problem with redirecting just use solution 2. please give me your full json-configuration that using "ignoreClientIP", and i will give you exact same configuration without it, and just using dialerProxy. OK? or do you have problems with dialerProxy too? It doesn't do anything except pass the connection to another outbound after resolving its domain to ip, and no data is transferred. |
我有十几个xray节点,在不同的国家 说了八百遍了:dialerProxy不可接受,redirect-socks-out也不可接受 透明代理是重要的用途,是典型应用场景 请你先搞明白需求再说 |
这是预期行为不是 bug,routeOnly 需要保证 DNS 解析是准确的,不处理 DNS 被污染/无法劫持/不可信导致的问题。routeOnly 另外一个作用是不要让虚假的 SNI 作为目标地址导致无法连接,你的所谓修复会导致这个作用失效,且会再次把 UDP 弄坏。 |
这的确是预期行为,但是设计缺陷。 让UDP再次损坏的原理是什么? 此外os发给xray的包,什么情况下会有虚假SNI |
Use IPOnDemand / IPifNonMatch
This is another problem, you need node instead of json. So we need to merge freedom-dialer-proxy to outbounds. It means we need "targetDomainStrategy" option for outbounds. That is:
Which is equivalent to:
So it can converted to nodes and share. cc @RPRX @Fangliding |
@patterniha 你说的内容中国人看不懂 |
So @RPRX is not Chinese. @RPRX see #4543 (comment) |
扯了那么半天,你还是想把流量从outbound绕一圈,不管是freedom还是dialProxy |
The traffic does not go anywhere, dialerProxy only change the outbound in internal code. dialerProxy is just some code. also, targetDomainStrategy will not use dialerProxy, It's just equivalent to using dialerProxy. /// You need trusted-ip instead of domain/client-ip in routing and server. -> so for routing you need IPOnDemand/IPifNonMatch, |
我之前就说过了你根本没深度使用过透明代理和ip分流 IPOnDemand/IPifNonMatch导致路由匹配的ip不一定是出站的时候那个ip,根本不行 还有,分流不能光靠域名,你根本不知道sdwan是什么 说了半天你毛都不懂,你这人的消息我不会再回复,就这样 |
This is exactly why I added "allowUnexpectedIPs". /// I just say give me your config with "ignoreClientIP" and I'll give you the equivalent config with targetDomainStrategy/dialerProxy even with better performance. /// In addition, your solution affects all domains, and doesn't work when original address is domain. I have nothing else to say. |
我不得不澄清三点就是: 1.我的需求必须要影响所有域名,因为在我的需求场景下,所有域名都可能被污染。 2.在原始地址是域名时,它可以工作,但不是此issue提到的PR。 3.把IP or 域名替换为IP,路由规则会同时看到域名和唯一IP |
完整性要求
描述
细节:
fakeIP原理是Xray污染DNS,给客户端返回特定IP段
若客户端发往xray的IP因各种原因被修改,fakeIP即失效
详见代码
修复建议
入站时选择不相信客户端带来的ip,强行用xray的dns重解析一次,因为可命中缓存因此无开销
See demo: Meo597@d5b80c7
(此Demo是之前专为realIP修复,若确认fakeIP需要PR,我可再次修改)
重现方式
DNS被污染触发条件:
影响到Xray的条件(绕过fakeIP的逻辑):
实际不利影响:
因fakeIP失效,若远端xray节点没有sniff+destOverride+routeOnly=false
则目标网站仍被污染,导致访问失败
PS:透明代理+realIP同理
客户端配置
N/A
服务端配置
N/A
客户端日志
N/A
服务端日志
N/A
The text was updated successfully, but these errors were encountered: