执行 test.sh 提示失败DNS hijack

[kiss2u]

在提交之前，请确认

• 我已经尝试搜索过Issue和看过参数说明，但没有找到相关问题。
• 我正在使用最新的docker镜像版本（可以尝试docker pull sliamb/paopaodns:latest后重新创建容器）。

脚本自检日志

### == debug.sh : docker exec -it paopaodns sh ==
-> debug start `1708316131`

[INFO] images build time : 2024-02-15 15:59:32 UTC
[OK]DATA_writeable
[OK]DATA_readable
[INFO] NETWORK
*********************************************************************************

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
    inet 172.20.0.2/16 brd 172.20.255.255 scope global eth0
default via 172.20.0.1 dev eth0
172.20.0.0/16 dev eth0 scope link  src 172.20.0.2
PING 223.5.5.5 (223.5.5.5): 56 data bytes
64 bytes from 223.5.5.5: seq=0 ttl=118 time=7.945 ms

--- 223.5.5.5 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.945/7.945/7.945 ms
PING 119.29.29.29 (119.29.29.29): 56 data bytes
64 bytes from 119.29.29.29: seq=0 ttl=53 time=18.506 ms

--- 119.29.29.29 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 18.506/18.506/18.506 ms
Server:         223.5.5.5
Address:        223.5.5.5#53

Non-authoritative answer:
www.taobao.com  canonical name = www.taobao.com.danuoyi.tbcache.com.
Name:   www.taobao.com.danuoyi.tbcache.com
Address: 223.111.230.174
Name:   www.taobao.com.danuoyi.tbcache.com
Address: 223.111.230.173
Name:   www.taobao.com.danuoyi.tbcache.com
Address: 2409:8c20:5223:108:3::3d1
Name:   www.taobao.com.danuoyi.tbcache.com
Address: 2409:8c20:5223:108:3::3d2

Server:         119.29.29.29
Address:        119.29.29.29#53

Non-authoritative answer:
www.qq.com      canonical name = ins-r23tsuuf.ias.tencent-cloud.net.
Name:   ins-r23tsuuf.ias.tencent-cloud.net
Address: 183.194.238.19
Name:   ins-r23tsuuf.ias.tencent-cloud.net
Address: 183.194.238.117
Name:   ins-r23tsuuf.ias.tencent-cloud.net
Address: 2409:8c1e:75b0:1121::15
Name:   ins-r23tsuuf.ias.tencent-cloud.net
Address: 2409:8c1e:75b0:1120::27

*********************************************************************************

[INFO] ENV
*********************************************************************************

====ENV TEST====
[OK]DATA_writeable-
[OK]DATA_readable-
MEM:220m 450m 500000 750mb
prefPC:68
CORES:-2-
POWCORES:-2-
ulimit :-1048576-
FDLIM :-4096-
TZ:-Asia/Shanghai-
UPDATE:-weekly-
DNS_SERVERNAME:-PaoPaoDNS,ppdns.local-
SERVER_IP:-192.168.1.102-
ETHIP:-172.20.0.2-
DNSPORT:-53-
SOCKS5:-192.168.1.3:1080-
CNAUTO:-yes-
IPV6:-no-
CNFALL:-yes-
CUSTOM_FORWARD:-192.168.1.103:53-
AUTO_FORWARD:-yes-
AUTO_FORWARD_CHECK:-yes-
USE_MARK_DATA:-yes-
RULES_TTL:-0-
CUSTOM_FORWARD_TTL:-0-
SHUFFLE:-no-
CN_TRACKER:-yes-
USE_HOSTS:-no-
HTTP_FILE:-yes-
SAFEMODE:-no-
QUERY_TIME:-2000ms-
ADDINFO:-no-
PLATFORM:-Linux c84afa8de956 5.4.203-1-pve #1 SMP PVE 5.4.203-1 (Fri, 26 Aug 2022 14:43:35 +0200) x86_64 Linux-
====ENV TEST====
mosdns kkkgo/mosdns:231210.1
*********************************************************************************

[INFO] PS
*********************************************************************************

PID   USER     TIME  COMMAND
    1 root      0:00 {init.sh} /bin/sh /usr/sbin/init.sh
   13 root      0:00 crond
   44 root      0:00 redis-server unixsocket:/tmp/redis.sock
  165 root      0:00 dnscrypt-proxy -config /data/dnscrypt-resolvers/dnscrypt.toml
  166 root      0:00 dnscrypt-proxy -config /data/dnscrypt-resolvers/dnscrypt_socks.toml
  187 root      0:00 unbound -c /tmp/unbound_forward.conf -p
  197 root      0:00 {watch_list.sh} /bin/sh /usr/sbin/watch_list.sh
  202 root      0:00 tail -f /dev/null
  210 root      0:00 unbound -c /tmp/unbound_raw.conf -p
  716 root      0:00 mosdns start -d /data -c /tmp/mosdns.yaml
  755 root      0:00 inotifywait -e modify,delete /etc/unbound/named.cache /data/Country-only-cn-private.mmdb /data/force_cn_list.txt /data/force_nocn_list.txt /data/custom_env.ini /data/global_mark.dat /data/trackerslist.txt /data/force_forward_list.txt
  758 root      0:00 {debug.sh} /bin/sh /usr/sbin/debug.sh
  778 root      0:00 ps -ef
*********************************************************************************

[INFO] TOP
*********************************************************************************

CPU:  28% usr  14% sys   0% nic  57% idle   0% io   0% irq   0% sirq
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
  210     1 root     S    1219m  15%   1   0% unbound -c /tmp/unbound_raw.conf -
  165     1 root     S    1211m  15%   1   0% dnscrypt-proxy -config /data/dnscr
  716   197 root     S    1210m  15%   0   0% mosdns start -d /data -c /tmp/mosd
  166     1 root     S    1210m  15%   0   0% dnscrypt-proxy -config /data/dnscr
   44     1 root     S    22412   0%   1   0% redis-server unixsocket:/tmp/redis
  187     1 root     S    20256   0%   0   0% unbound -c /tmp/unbound_forward.co
  197     1 root     S     1704   0%   1   0% {watch_list.sh} /bin/sh /usr/sbin/
    1     0 root     S     1624   0%   0   0% {init.sh} /bin/sh /usr/sbin/init.s
  758     0 root     S     1620   0%   1   0% {debug.sh} /bin/sh /usr/sbin/debug
  779   758 root     R     1616   0%   0   0% top -n1
  202     1 root     S     1608   0%   0   0% tail -f /dev/null
  780   758 root     S     1604   0%   1   0% grep %
  755   197 root     S     1064   0%   0   0% inotifywait -e modify,delete /etc/
   13     1 root     S      852   0%   0   0% crond
*********************************************************************************

[INFO] REDIS
*********************************************************************************

used_memory_human:1.15M
used_memory_rss_human:4.35M
used_memory_peak_human:1.15M
total_system_memory_human:7.75G
used_memory_lua_human:31.00K
used_memory_vm_total_human:63.00K
used_memory_scripts_human:181B
maxmemory_human:750.00M
0
*********************************************************************************

[TEST] IP ROUTE
*********************************************************************************

CN IP URL:
39.185.xx.xx
-
39.185.xx.xx
--
39.185.xx.xx
CN RAW-IP URL:
39.185.xx.xx
------------------
Non-CN IP URL:
39.185.xx.xx
-
--
Non-CN RAW-IP URL:
39.185.xx.xx
-
39.185.xx.xx
--
39.185.xx.xx
---
39.185.xx.xx
------------------
IP INFO:
39.185.xx.xx
CN,XXX,Zhejiang
ASN560xx/China Mobile
HTTP/1.1
Mozilla/5.0 Gecko/20100101 Firefox/120.0 https://github.com/kkkgo/PaoPaoDNSAsia/Shanghai Time: 2/19/2024, 12:15:44 PM
[INFO] force_cn_list
domain:whoami.ds.akahelp.net
domain:whoami.03k.org
MOSDNS WHOAMI :
akahelp: "ns" "2620:0:xxx::xx"
"ecs" "39.185.xx.0/24/24"
"ip" "39.185.xx.xx"
03k: UNBOUND WHOAMI:
akahelp: 03k: *********************************************************************************

[TEST] HIJACK
*********************************************************************************

ins-r23tsuuf.ias.tencent-cloud.net.
183.194.238.19
183.194.238.117
"ns" "112.13.73.132"
HIJACK 127.0.0.1 = 127.0.0.1
*********************************************************************************

[TEST] DIG-CN [taobao]
*********************************************************************************

MOSDNS CN:
www.taobao.com.danuoyi.tbcache.com.
223.111.230.174
223.111.230.173
UNBOUND CN:
[TEST] DIG-NOCN [youtube]
MOSDNS NOCN:
7.0.0.20
DNSCRYPT-UNBOUND NOCN:
youtube-ui.l.google.com.
172.217.160.110
172.217.163.46
DNSCRYPT NOCN:
youtube-ui.l.google.com.
172.217.163.46
142.251.42.238
DNSCRYPT-SOCKS5 NOCN:
;; communications error to 127.0.0.1#5303: timed out
;; no servers could be reached

*********************************************************************************

CUSTOM_FORWARD TEST [youtube]:
7.0.0.20
CUSTOM_FORWARD TEST [taobao]:
7.0.0.11
*********************************************************************************

[TEST] DUAL CN [IPv6=YES will have aaaa,taobao]
*********************************************************************************

[TEST] DUAL NOCN [IPv6=YES will block aaaa,youtube]
[TEST] ONLY6 [IPv6=only6 will block aaaa if a ok]
checkipv6.synology.com : ip6.03k.org : 6.ipw.cn :
*********************************************************************************

[info] ALL TEST FINISH.

-> debug end `1708316150`

问题描述和复现步骤

执行 docker exec paopaodns test.sh 时提示出错：

---

-> test start 1708316004

yy[DNS hijack]127.0.0.1[DNS hijack]"ns" "112.13.73.132"yCN-5301 failed:yyyNOCN-5301 failed:yy
[INFO] TEST FAIL.

-> test end 1708316010

---

但，部分 dns 功能正常，debug 信息已上传。

[kkkgo]

DNS hijack是DNS劫持。
你的网络存在劫持，在[TEST] HIJACK测试中不通过。

参考#83 (comment)

[kiss2u]

搞定了，十分感谢。
主路由是 RouterOS，默认防火墙规则中存在非 DNS 列表中的 53 口请求会被劫持，把PaoPaoDNS地址写进 DNS 列表即可，或者直接删除 相关 53端口的NAT命令。
希望能给到后来人一个解决思路。

[kkkgo]

另外一提是你测试里面还有CN-5301 failed:，这是递归失败，原因可能是你经过了本地路由器多层nat。

[kkkgo]

不太理解你网络拓扑，如果你的wg是用来出站的话，直接写个yaml配置塞ppgw就是了。

[kiss2u]

我其实是达到这样一个需求，利用公网ipv6设置wg回家，顺道科学一下。现在第一步wg回家搞定了，科学的话，之前我是利用ros把来自wg的流量全走OpenWrt了。不过那样的话有两个问题，第一个就是dns泄露依旧无法解决，第二点就是科学是科学了，但访问国内网站异常缓慢。所以我看了ppdns和ppgw的资料，想在这方便有所提升。

[kkkgo]

那你正常回家就好了，DNS也设置成ppdns就好了。跟内网一样，命中fakeip网段就分流到ppgw了，不懂wg需要额外调啥。

[kkkgo]

不讨论ROS，就说你主路由下面挂了一个linux虚拟机，网卡接口是eth0，主路由也做好了fakeip静态路由。wg配置就很简单：
sysctl.conf开启路由转发；

[interface]
listenport=12345
privatekey=....
address=192.168.200.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;sysctl -p
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 
 -j MASQUERADE

然后你主路由映射端口到这个虚拟机的12345就好了……
客户端只要DNS设置成内网的ppdns就完事了。或者虚拟机本身转发一下DNS也行。

zerotier类似的设置就更简单。

[kiss2u]

感谢大佬指点，我再研究研究。。。