
Strange DNS configuration thing #2327

Open
4 of 5 tasks
DADA30000 opened this issue Nov 29, 2024 · 7 comments

Comments

@DADA30000

Operating system

Linux

System version

NixOS unstable, Linux 6.12.1

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

1.11.0-beta.3 (also happens on 1.10.1)

Description

I have this configuration

{
  "log": {
    "level": "info"
  },
  "dns": {
    "servers": [
      {
        "tag": "dns-remote",
        "address": "local",
        "detour": "direct"
      }
    ]
  },
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun-in",
      "interface_name": "tun0",
      "address": "172.19.0.1/28",
      "mtu": 9000,
      "auto_route": true,
      "stack": "system"
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    }
  ],
  "endpoints": [
    {
      "system": true,
      "name": "wg0",
      "address": "10.8.1.3/32",
      "private_key": "nope",
      "type": "wireguard",
      "tag": "proxy",
      "peers": [
        {
          "address": "nope",
          "port": nope,
          "public_key": "nope",
          "pre_shared_key": "nope",
          "allowed_ips": [ "0.0.0.0/0", "::/0" ]
        }
      ]
    }
  ],
  "route": {
    "final": "direct",
    "auto_detect_interface": true,
    "rules": [
      {
        "action": "sniff"
      },
      {
        "process_path_regex": [
          "^.*(wget|git|electron|firefox|firefox-bin|nix|nix-index|flatpak|.flatpak-wrappe|.flatpak-wrapped|node)$"
        ],
        "outbound": "proxy"
      },
      {
        "domain_suffix": [
          "googlevideo.com",
          "youtu.be",
          "youtube.com",
          "ytimg.com",
          "ggpht.com"
        ],
        "outbound": "proxy"
      },
      {
        "port": 53,
        "process_name": [
          "anything in here, like really anything"
        ],
        "action": "hijack-dns"
      }
    ]
  }
}

and if I remove this part

{
        "port": 53,
        "process_name": [
          "anything in here, like really anything"
        ],
        "action": "hijack-dns"
      }

DNS stops working: I can't resolve anything at all. When I add this back, it works again, and I can't remove any part of this small snippet; if I remove that process_name part, it also stops working. I can't find anything about this. Why is this happening?
This was also happening on this configuration:

{
  "log": {
    "level": "info"
  },
  "dns": {
    "servers": [
      {
        "tag": "dns-remote",
        "address": "8.8.8.8",
        "detour": "proxy"
      }
    ]
  },
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun-in",
      "sniff": true,
      "interface_name": "tun0",
      "inet4_address": "172.19.0.1/28",
      "mtu": 9000,
      "auto_route": true,
      "stack": "system",
      "endpoint_independent_nat": false
    }
  ],
  "outbounds": [
    {
      "type": "socks",
      "tag": "proxy",
      "udp_fragment": true,
      "server": "127.0.0.1",
      "server_port": 2080
    },
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    }
  ],
  "route": {
    "final": "direct",
    "auto_detect_interface": true,
    "rules": [
      {
        "source_ip_cidr": [
          "127.0.0.1"
        ],
        "ip_cidr": [
          "127.0.0.1"
        ],
        "outbound": "direct"
      },
      {
        "process_path_regex": [
          "^.*(wget|git|electron|firefox|firefox-bin|nix|nix-index|flatpak|.flatpak-wrappe|.flatpak-wrapped|node)$"
        ],
        "outbound": "proxy"
      },
      {
        "domain_suffix": [
          "googlevideo.com",
          "youtu.be",
          "youtube.com",
          "ytimg.com",
          "ggpht.com"
        ],
        "outbound": "proxy"
      },
      {
        "source_ip_cidr": [
          "127.0.0.1"
        ],
        "ip_cidr": [
          "127.0.0.1"
        ],
        "outbound": "direct"
      },
      {
        "port": 53,
        "process_name": [
          "anything in here, like really anything"
        ],
        "outbound": "dns-out"
      }
    ]
  }
}

Reproduction

yeet

Logs

No response

Supporter

Integrity requirements

  • I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
  • I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
  • I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
  • I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.
@devopg

devopg commented Nov 29, 2024

u have in outbounds:

    {
      "tag": "dns-out",
      "type": "dns"
    }

u should add to route.rules:

 {
        "outbound": "dns-out",
        "protocol": "dns"
      },

then u can remove this:

{
        "port": 53,
        "process_name": [
          "anything in here, like really anything"
        ],
        "action": "hijack-dns"
      }

@DADA30000
Author

u have in outbounds:

    {
      "tag": "dns-out",
      "type": "dns"
    }

u should add to route.rules:

 {
        "outbound": "dns-out",
        "protocol": "dns"
      },

then u can remove this:

{
        "port": 53,
        "process_name": [
          "anything in here, like really anything"
        ],
        "action": "hijack-dns"
      }

Nope, that's not it. Just tried this, and it still fails to resolve anything after removing that small snippet.

@DADA30000
Author

Also, I should mention that removing absolutely every rule and setting final to proxy works. And no, this is not a solution or explanation to this problem; I still need rules.

@nunu6689

nunu6689 commented Dec 1, 2024

You should put hijack-dns at the top, right after the direct rule for private IPs. The processes in your process rule can also send DNS queries, and those will be routed to the proxy outbound, hence they will not get hijacked.
Mine is like this with a tun inbound, and it's working fine.

    "rules": [
      {
        "ip_is_private": true,
        "outbound": "DIRECT"
      },
      {
        "port": 53,
        // "protocol": "dns", // available after sniff
        "action": "hijack-dns"
      },
      {
        "action": "sniff",
        "timeout": "1s"
      }
...

@DADA30000
Author

You should put hijack-dns at the top, right after the direct rule for private IPs. The processes in your process rule can also send DNS queries, and those will be routed to the proxy outbound, hence they will not get hijacked. Mine is like this with a tun inbound, and it's working fine.

    "rules": [
      {
        "ip_is_private": true,
        "outbound": "DIRECT"
      },
      {
        "port": 53,
        // "protocol": "dns", // available after sniff
        "action": "hijack-dns"
      },
      {
        "action": "sniff",
        "timeout": "1s"
      }
...

Oh well, your snippet works, although I still don't quite understand why my problem was happening. Could you explain, if you know what was happening?

@DADA30000
Author

You should put hijack-dns at the top, right after the direct rule for private IPs. The processes in your process rule can also send DNS queries, and those will be routed to the proxy outbound, hence they will not get hijacked. Mine is like this with a tun inbound, and it's working fine.

    "rules": [
      {
        "ip_is_private": true,
        "outbound": "DIRECT"
      },
      {
        "port": 53,
        // "protocol": "dns", // available after sniff
        "action": "hijack-dns"
      },
      {
        "action": "sniff",
        "timeout": "1s"
      }
...

Oh no, wait, it doesn't work: it doesn't route the traffic of the apps I need through the proxy. Here are my rules:

"route": {
    "final": "direct",
    "auto_detect_interface": true,
    "rules": [
      {
        "ip_is_private": true,
        "outbound": "direct"
      },
      {
        "port": 53,
        "action": "hijack-dns"
      },
      {
        "action": "sniff",
        "timeout": "1s"
      },
      {
        "process_path_regex": [
          "^.*(wget|git|electron|firefox|firefox-bin|nix|nix-index|flatpak|.flatpak-wrappe|.flatpak-wrapped|node)$"
        ],
        "outbound": "proxy"
      },
      {
        "domain_suffix": [
          "googlevideo.com",
          "youtu.be",
          "youtube.com",
          "ytimg.com",
          "ggpht.com"
        ],
        "outbound": "proxy"
      }
    ]
  },

@DADA30000
Author

Oh well, it works with domain rules, but it doesn't work with regex process paths with your snippet.
