client_subnet has no effect in dns rule #1752

Closed
4 of 5 tasks
bottob opened this issue May 10, 2024 · 0 comments

Comments


bottob commented May 10, 2024

Operating system

Linux

System version

Arch with kernel 5.15

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

sing-box version 1.9.0-rc.16

Environment: go1.22.2 linux/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api
Revision: 619aad076c730b90621b6008640fe4983a0cf0e6
CGO: disabled

Description

Setting client_subnet in a single DNS rule, as documented in the official guide, has no effect. See the reproduction for details.

Reproduction

Config with client_subnet set in dns rule:

{
  "log": { "level": "debug" },
  "dns": {
    "servers": [
      {
        "tag": "google",
        "address": "https://dns.google/dns-query", // proxied through local tproxy
        "address_resolver": "local"
      },
      { "tag": "nxdomain", "address": "RCode://success" },
      { "tag": "local", "address": "local" }
    ],
    "rules": [
      {
        "type": "logical",
        "mode": "and",
        "rules": [
          { "domain": "open.e.kuaishou.com" },
          { "ip_cidr": ["0.0.0.0/0"] }
        ],
        "server": "google",
        "client_subnet": "114.114.114.114"
      }
    ],
    "final": "nxdomain"
  },
  "inbounds": [
    {
      "tag": "dns-in",
      "type": "direct",
      "listen": "::",
      "listen_port": 7966,
      "sniff": true
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    }
  ],
  "route": {
    "final": "direct",
    "rules": [
      {
        "inbound": "dns-in",
        "outbound": "dns-out"
      }
    ]
  }
}

> nslookup -port=7966 open.e.kuaishou.com 127.0.0.1:

Server:         127.0.0.1
Address:        127.0.0.1#7966

Non-authoritative answer:
open.e.kuaishou.com     canonical name = adjs-default-scd.e.kuaishou.com.
adjs-default-scd.e.kuaishou.com canonical name = adjs-oversea-scd.xiangtaiyun.com.
Name:   adjs-oversea-scd.xiangtaiyun.com
Address: 221.178.101.118

The resolved IP is provided for overseas use, which is unexpected.

In comparison, if client_subnet is set in the DNS server:

{
  "log": { "level": "debug" },
  "dns": {
    "servers": [
      {
        "tag": "google",
        "address": "https://dns.google/dns-query",
        "address_resolver": "local",
        "client_subnet": "114.114.114.114"
      },
      { "tag": "nxdomain", "address": "RCode://success" },
      { "tag": "local", "address": "local" }
    ],
    "rules": [
      {
        "type": "logical",
        "mode": "and",
        "rules": [
          { "domain": "open.e.kuaishou.com" },
          { "ip_cidr": ["0.0.0.0/0"] }
        ],
        "server": "google"
      }
    ],
    "final": "nxdomain"
  },
  "inbounds": [
    {
      "tag": "dns-in",
      "type": "direct",
      "listen": "::",
      "listen_port": 7966,
      "sniff": true
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    }
  ],
  "route": {
    "final": "direct",
    "rules": [
      {
        "inbound": "dns-in",
        "outbound": "dns-out"
      }
    ]
  }
}

> nslookup -port=7966 open.e.kuaishou.com 127.0.0.1:

Server:         127.0.0.1
Address:        127.0.0.1#7966

Non-authoritative answer:
open.e.kuaishou.com     canonical name = adjs-default-scd.e.kuaishou.com.
adjs-default-scd.e.kuaishou.com canonical name = multi-az-ad.kuaishou.com.
Name:   multi-az-ad.kuaishou.com
Address: 103.102.202.42
Name:   multi-az-ad.kuaishou.com
Address: 103.102.202.74
Name:   multi-az-ad.kuaishou.com
Address: 103.102.202.80
Name:   multi-az-ad.kuaishou.com
Address: 103.102.202.151

This time the IP is correctly resolved to the CN region.

Logs

No response


Integrity requirements

  • I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
  • I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
  • I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
  • I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.
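One way to check what actually reaches the upstream, as an added example that is not part of this issue or of sing-box itself: build an A query for the domain above carrying an EDNS Client Subnet option (RFC 7871), and parse the option back out of a wire-format query, so a query captured from the resolver (for instance with a plain UDP upstream instead of DoH) shows whether the rule's client_subnet was applied. It assumes that a bare IP maps to a /32 or /128 prefix and uses only the standard library.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)
OPT_TYPE = 41        # EDNS0 OPT pseudo-RR type

def encode_name(name):  # domain name to wire format (uncompressed labels)
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, subnet=None, txid=0x1234):
    """A-record query for qname; if subnet is given, attach an OPT RR carrying ECS."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if subnet is None:
        return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + question
    net = ipaddress.ip_network(subnet, strict=False)  # bare IP -> /32 or /128 (assumption)
    family, plen = (1 if net.version == 4 else 2), net.prefixlen
    addr = net.network_address.packed[: (plen + 7) // 8]  # only the significant octets
    option = struct.pack("!HBB", family, plen, 0) + addr  # scope prefix is 0 in a query
    rdata = struct.pack("!HH", ECS_OPTION_CODE, len(option)) + option
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1) + question + opt_rr

def skip_name(buf, pos):
    """Advance past a wire-format name: a run of labels or a compression pointer."""
    while buf[pos] and buf[pos] & 0xC0 != 0xC0:
        pos += 1 + buf[pos]
    return pos + (2 if buf[pos] & 0xC0 else 1)

def extract_ecs(msg):
    """Return (family, source_prefix_len, address) from the ECS option, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        if rtype != OPT_TYPE:
            continue
        off = 0
        while off + 4 <= len(rdata):  # walk the OPT options
            code, olen = struct.unpack("!HH", rdata[off:off + 4])
            body, off = rdata[off + 4:off + 4 + olen], off + 4 + olen
            if code == ECS_OPTION_CODE:
                family, plen, _ = struct.unpack("!HBB", body[:4])
                width = 4 if family == 1 else 16  # pad truncated address back to full length
                return family, plen, str(ipaddress.ip_address(body[4:].ljust(width, b"\x00")))
    return None
```

A query that extract_ecs reports as None is one where no client_subnet was attached, which is the symptom reported above for the rule-level setting.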