
[FEAT] Support HTTPS queries forwarded through a Cloudflare Worker #81

Open
Error996 opened this issue Apr 3, 2022 · 13 comments
Labels
enhancement New feature or request

Comments

Error996 commented Apr 3, 2022

Is your feature request related to a problem? Please describe.
DNS queries forwarded through a Cloudflare Worker are currently not supported.

Describe the solution you'd like
See the links below:

https://nicelee.top/blog/2021/08/22/cloudflare-workers-doh-proxy/
https://github.com/IrineSistiana/cfdohpw

Describe alternatives you've considered
Null

Additional context
Null

Error996 added the enhancement (New feature or request) label Apr 3, 2022

Error996 (Author) commented Apr 3, 2022

Because the IPs of the outside DNS servers currently get connection reset, while the Worker's IP is a CDN IP.

LEXUGE (Collaborator) commented Apr 4, 2022

The https module should let you specify the IP yourself, right? I don't see any difference between a self-hosted Worker and a normal HTTPS connection, so it should be able to connect?

If the IP is the CDN's, then the certificate should also be valid for the CDN.

Error996 (Author) commented Apr 4, 2022

It reports an error; the main problem is that I can't fill in the IP... leaving it empty gives an error, and filling in the CDN IP obtained from ping doesn't work either...

Error996 (Author) commented Apr 4, 2022

config:

---
verbosity: "debug"
address: 0.0.0.0:53
table:
  start:
    if: "qtype([AAAA])"
    then:
      # A list of actions is allowed here
      - blackhole
      # The next tag to go
      - end
    else:
      - dispatch
  dispatch:
    - query: domestic
    - check_secure
  check_secure:
    if: |
      geoip(codes: ["CN"])
    else:
      - query: secure
      - end

upstreams:
  114DNS:
    udp:
      addr: 114.114.114.114:53

  Ali:
    udp:
      addr: 223.6.6.6:53

  domestic:
    hybrid:
      - 114DNS
      - Ali

  cloudflare:
    https:
      # corresponds to https://dns.google/dns-query
      uri: https://dns1.****.workers.dev/dns-query-****-just-get-out
      ratelimit: 3000
      addr: 172.67.139.220  # CDN IP

  quad9:
    https:
      # corresponds to https://cloudflare-dns.com/dns-query
      uri: https://dns2.****.workers.dev/dns-query-****-just-get-out
      ratelimit: 3000
      addr: 104.21.65.24  # CDN IP

  secure:
    hybrid:
      - cloudflare
      - quad9

debug log:

Using the config file specified: 123.yaml
2022-04-04T02:58:32.160Z INFO [dcompass] dcompass ready!
2022-04-04T02:58:32.572Z INFO [droute::router::table::rule] Domain "onedscolprduks02.uksouth.cloudapp.azure.com" doesn't match at rule `start`
2022-04-04T02:58:32.572Z INFO [droute::router::table::rule] rule `dispatch` starts with domain "onedscolprduks02.uksouth.cloudapp.azure.com"
2022-04-04T02:58:32.572Z INFO [droute::router::upstreams::upstream] querying with upstream: 114DNS
2022-04-04T02:58:32.572Z DEBUG [droute::router::upstreams::upstream::qhandle] got connection from pool; recycled 0 times
2022-04-04T02:58:32.572Z INFO [droute::router::upstreams::upstream] querying with upstream: Ali
2022-04-04T02:58:32.572Z DEBUG [droute::router::upstreams::upstream::qhandle] got connection from pool; recycled 0 times
2022-04-04T02:58:32.594Z INFO [droute::router::upstreams::upstream] query successfully completed.
2022-04-04T02:58:32.595Z INFO [droute::router::table::rule] rule `dispatch` ends with domain "onedscolprduks02.uksouth.cloudapp.azure.com"
2022-04-04T02:58:32.595Z INFO [droute::router::table::rule] Domain "onedscolprduks02.uksouth.cloudapp.azure.com" doesn't match at rule `check_secure`
2022-04-04T02:58:32.595Z INFO [droute::router::upstreams::upstream] querying with upstream: cloudflare
2022-04-04T02:58:32.595Z DEBUG [droute::router::upstreams::upstream::qhandle] got connection from pool; recycled 0 times
2022-04-04T02:58:32.595Z DEBUG [reqwest::connect] starting new connection: https://dns1.****.workers.dev/
2022-04-04T02:58:32.595Z INFO [droute::router::upstreams::upstream] querying with upstream: quad9
2022-04-04T02:58:32.595Z DEBUG [droute::router::upstreams::upstream::qhandle] got connection from pool; recycled 0 times
2022-04-04T02:58:32.595Z DEBUG [reqwest::connect] starting new connection: https://dns2.****.workers.dev/
2022-04-04T02:58:32.890Z DEBUG [rustls::client::hs] No cached session for DnsName(DnsName(DnsName("dns1.****.workers.dev")))
2022-04-04T02:58:32.890Z DEBUG [rustls::client::hs] Not resuming any session
2022-04-04T02:58:32.898Z DEBUG [rustls::client::hs] No cached session for DnsName(DnsName(DnsName("dns2.****.workers.dev")))
2022-04-04T02:58:32.898Z DEBUG [rustls::client::hs] Not resuming any session
2022-04-04T02:58:33.200Z ERROR [rustls::conn] TLS alert received: AlertMessagePayload {
    level: Fatal,
    description: HandshakeFailure,
}

Error996 (Author) commented Apr 4, 2022

It looks like the script only accepts the application/dns-message type, to keep out scanners, crawlers and the like:

// `upstream` is the DoH server URL defined at the top of the Worker script
// (not shown in this excerpt); `clientUrl` is passed in by the caller but unused here.
async function handleRequestPost(request, clientUrl) {
  // Reject anything that is not a raw DNS wire-format POST body.
  if (request.headers.get('content-type') != 'application/dns-message') {
    return new Response('bad request header', { status: 400 });
  }
  // Forward the DNS message to the upstream DoH server unchanged.
  const upstreamRequest = new Request(upstream, {
    method: 'POST',
    headers: {
      'accept': 'application/dns-message',
      'content-type': 'application/dns-message',
    },
    body: await request.arrayBuffer()
  });
  return await fetch(upstreamRequest);
}

But droute/src/router/upstreams/upstream/qhandle/https.rs also sets .header("content-type", "application/dns-message") at line 156.

So I don't know where the problem is either.

LEXUGE (Collaborator) commented Apr 4, 2022

Hmmmmm, it seems to die during the TLS handshake already, so it has nothing to do with the header.

LEXUGE (Collaborator) commented Apr 4, 2022

It's probably because SNI isn't sent by default.
You can try adding sni: true under each upstream.
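
A way to confirm this diagnosis on the wire, as an added example that is neither dcompass nor rustls code: the block below builds a minimal TLS ClientHello with and without the server_name (SNI) extension and parses the SNI back out. Run parseSni over the ClientHello bytes captured from the failing connection (for example exported from a pcap) to see whether the client actually sent SNI; a multi-tenant CDN edge such as Cloudflare's needs SNI to choose a certificate and typically aborts the handshake with a fatal handshake_failure alert when it is missing, which is what the rustls log above shows. The hostnames, the fixed random bytes and the single cipher suite are placeholders chosen for the example.

```javascript
// Added example (not from dcompass, rustls or cfdohpw): build a ClientHello
// with or without the server_name extension (RFC 6066) and parse the SNI
// back out of raw ClientHello bytes, e.g. bytes taken from a packet capture.

function u16(n) { return [(n >> 8) & 0xff, n & 0xff]; }
function u24(n) { return [(n >> 16) & 0xff, (n >> 8) & 0xff, n & 0xff]; }

// server_name extension: type 0, body = ServerNameList of one host_name entry.
function sniExtension(hostname) {
  const name = Array.from(new TextEncoder().encode(hostname));
  const entry = [0x00, ...u16(name.length), ...name];      // name_type host_name(0)
  const list = [...u16(entry.length), ...entry];           // ServerNameList
  return [...u16(0x0000), ...u16(list.length), ...list];   // extension_type server_name(0)
}

// Build a TLS record carrying a ClientHello. Passing null for `hostname`
// omits SNI, which is the state dcompass is in unless `sni: true` is set.
// The random bytes are a fixed placeholder (assumed), not real randomness.
function buildClientHello(hostname, random = new Array(32).fill(0x11)) {
  const exts = [];
  // supported_versions (43) advertising TLS 1.3 so the hello is plausible.
  exts.push(...u16(43), ...u16(3), 0x02, 0x03, 0x04);
  if (hostname) exts.push(...sniExtension(hostname));
  const body = [
    0x03, 0x03,                 // legacy_version TLS 1.2
    ...random,
    0x00,                       // empty legacy_session_id
    ...u16(2), 0x13, 0x02,      // cipher_suites: TLS_AES_256_GCM_SHA384 only
    0x01, 0x00,                 // compression_methods: null
    ...u16(exts.length), ...exts,
  ];
  const handshake = [0x01, ...u24(body.length), ...body];          // client_hello(1)
  const record = [0x16, 0x03, 0x01, ...u16(handshake.length), ...handshake]; // handshake record
  return Uint8Array.from(record);
}

// Parse a ClientHello record and return the SNI hostname, or null when the
// server_name extension is absent. Throws if the bytes are not a ClientHello.
function parseSni(bytes) {
  let p = 0;
  const rd8 = () => bytes[p++];
  const rd16 = () => (bytes[p++] << 8) | bytes[p++];
  const rd24 = () => (bytes[p++] << 16) | (bytes[p++] << 8) | bytes[p++];
  if (rd8() !== 0x16) throw new Error('not a TLS handshake record');
  p += 2;                                      // record version
  const recLen = rd16();
  if (recLen !== bytes.length - p) throw new Error('record length mismatch');
  if (rd8() !== 0x01) throw new Error('not a ClientHello');
  rd24();                                      // handshake body length
  p += 2 + 32;                                 // legacy_version + random
  const sidLen = rd8(); p += sidLen;           // legacy_session_id
  const csLen = rd16(); p += csLen;            // cipher_suites
  const cmLen = rd8(); p += cmLen;             // compression_methods
  if (p >= bytes.length) return null;          // no extensions block at all
  const extLen = rd16();
  const extEnd = p + extLen;
  while (p < extEnd) {
    const type = rd16();
    const len = rd16();
    const next = p + len;
    if (type === 0x0000) {
      rd16();                                  // ServerNameList length
      const nameType = rd8();
      const nameLen = rd16();
      if (nameType !== 0x00) throw new Error('unsupported name_type');
      return new TextDecoder().decode(bytes.subarray(p, p + nameLen));
    }
    p = next;
  }
  return null;
}

// Human-readable verdict for a captured ClientHello.
function describeClientHello(bytes) {
  const sni = parseSni(bytes);
  return sni === null
    ? 'no server_name extension: a multi-tenant edge cannot select a certificate'
    : `server_name = ${sni}`;
}
```

parseSni deliberately stops at the first server_name extension and ignores everything else in the hello, so it is safe to point at a ClientHello that carries extensions it does not know about. The same record layout is what a packet capture shows in the first TLS record sent by the client.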

Error996 (Author) commented Apr 4, 2022

After sni: true:

2022-04-04T03:40:18.533Z DEBUG [reqwest::connect] starting new connection: https://dns2.****.workers.dev/
2022-04-04T03:40:18.833Z DEBUG [rustls::client::hs] No cached session for DnsName(DnsName(DnsName("dns1.****.workers.dev")))
2022-04-04T03:40:18.833Z DEBUG [rustls::client::hs] Not resuming any session
2022-04-04T03:40:19.138Z DEBUG [rustls::client::hs] Using ciphersuite Tls13(Tls13CipherSuite { suite: TLS13_AES_256_GCM_SHA384, bulk: Aes256Gcm })
2022-04-04T03:40:19.138Z DEBUG [rustls::client::tls13] Not resuming
2022-04-04T03:40:19.139Z DEBUG [rustls::client::tls13] TLS1.3 encrypted extensions: [ServerNameAck]
2022-04-04T03:40:19.139Z DEBUG [rustls::client::hs] ALPN protocol is None
2022-04-04T03:40:19.875Z DEBUG [rustls::client::hs] No cached session for DnsName(DnsName(DnsName("dns1.****.workers.dev")))
2022-04-04T03:40:19.875Z DEBUG [rustls::client::hs] Not resuming any session
2022-04-04T03:40:19.888Z DEBUG [rustls::client::hs] No cached session for DnsName(DnsName(DnsName("dns2.****.workers.dev")))
2022-04-04T03:40:19.889Z DEBUG [rustls::client::hs] Not resuming any session
2022-04-04T03:40:20.185Z DEBUG [rustls::client::hs] Using ciphersuite Tls13(Tls13CipherSuite { suite: TLS13_AES_256_GCM_SHA384, bulk: Aes256Gcm })
2022-04-04T03:40:20.185Z DEBUG [rustls::client::tls13] Not resuming
2022-04-04T03:40:20.186Z DEBUG [rustls::client::tls13] TLS1.3 encrypted extensions: [ServerNameAck]
2022-04-04T03:40:20.186Z DEBUG [rustls::client::hs] ALPN protocol is None
2022-04-04T03:40:20.218Z DEBUG [rustls::client::hs] Using ciphersuite Tls13(Tls13CipherSuite { suite: TLS13_AES_256_GCM_SHA384, bulk: Aes256Gcm })
2022-04-04T03:40:20.218Z DEBUG [rustls::client::tls13] Not resuming
2022-04-04T03:40:20.219Z DEBUG [rustls::client::tls13] TLS1.3 encrypted extensions: [ServerNameAck]
2022-04-04T03:40:20.219Z DEBUG [rustls::client::hs] ALPN protocol is None
2022-04-04T03:40:20.804Z DEBUG [rustls::client::tls13] Ticket saved
2022-04-04T03:40:20.804Z DEBUG [rustls::client::tls13] Ticket saved
2022-04-04T03:40:20.804Z DEBUG [reqwest::async_impl::client] response '404 Not Found' for https://dns1.****.workers.dev/dns-query-****-just-get-out
2022-04-04T03:40:20.804Z DEBUG [rustls::conn] Sending warning alert CloseNotify
2022-04-04T03:40:21.535Z WARN [droute::router] upstream encountered error: error sending request for url (https://dns2.****.workers.dev/dns-query-****-just-get-out): error trying to connect: operation timed out, returning SERVFAIL

Error996 (Author) commented Apr 4, 2022

It does resolve now, but this section keeps repeating and constantly reports, in particular response '404 Not Found' for https://dns1.****.workers.dev/dns-query-****-just-get-out

This corresponds to this part of the script:

// `endpointPath` is the secret path configured at the top of the Worker script
// (not shown in this excerpt); any other path gets a decoy 404.
async function handleRequest(request) {
  const clientUrl = new URL(request.url);
  if (clientUrl.pathname != endpointPath) {
    return new Response('Hello World!', { status: 404 });
  }
  // ... the rest of the handler follows in the script
}

It would be nice if the IP could be obtained automatically; it has to be fetched from something like 223 anyway. Although for now a hand-picked CDN IP is actually faster...
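
The two snippets quoted in this thread (the content-type check in handleRequestPost and the endpoint-path check in handleRequest) put together as one small DoH proxy in the Cloudflare Workers style. This is an added example, not the cfdohpw Worker or anything from dcompass, and it goes a step beyond the quoted code by also accepting RFC 8484 GET requests (?dns=<base64url>) and by re-labelling the upstream answer with the DoH content type. ENDPOINT_PATH and UPSTREAM are placeholders, not the issue author's values, and the routing decision is kept in a pure function so it can be exercised without a Worker runtime.

```javascript
// Added example (not cfdohpw or dcompass code): a minimal DoH proxy Worker.
// ENDPOINT_PATH and UPSTREAM are assumed placeholder values.
const ENDPOINT_PATH = '/dns-query-example-secret';          // assumed secret path
const UPSTREAM = 'https://dns.google/dns-query';            // assumed upstream DoH server
const DNS_MIME = 'application/dns-message';

// Decode the RFC 8484 `dns` query parameter (unpadded base64url) to wire bytes.
function decodeDnsParam(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(padded);                                  // throws on invalid input
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Pure routing decision. Returns { status, body } for a rejection, or
// { forward: true, body } where `body` is the DNS wire message to send
// upstream (null for POST, whose body is read from the client request).
function routeDohRequest(url, method, contentType) {
  const u = new URL(url);
  // Wrong path: decoy 404, so scanners cannot tell a DoH endpoint is here.
  if (u.pathname !== ENDPOINT_PATH) return { status: 404, body: 'Hello World!' };
  if (method === 'GET') {
    const dns = u.searchParams.get('dns');
    if (dns === null) return { status: 400, body: 'missing dns parameter' };
    let wire;
    try { wire = decodeDnsParam(dns); } catch { return { status: 400, body: 'bad dns parameter' }; }
    if (wire.length < 12) return { status: 400, body: 'dns message too short' }; // shorter than a DNS header
    return { forward: true, body: wire };
  }
  if (method === 'POST') {
    // Same check as the quoted handleRequestPost: only raw DNS wire bodies.
    if (contentType !== DNS_MIME) return { status: 400, body: 'bad request header' };
    return { forward: true, body: null };
  }
  return { status: 405, body: 'method not allowed' };
}

// Worker entry point: apply the decision, then forward as a POST upstream.
async function handleRequest(request) {
  const decision = routeDohRequest(request.url, request.method, request.headers.get('content-type'));
  if (!decision.forward) return new Response(decision.body, { status: decision.status });
  const body = decision.body ?? await request.arrayBuffer();
  const upstreamRequest = new Request(UPSTREAM, {
    method: 'POST',
    headers: { accept: DNS_MIME, 'content-type': DNS_MIME },
    body,
  });
  const resp = await fetch(upstreamRequest);
  // Relay the answer but pin the content type, so an upstream HTML error page
  // is never replayed to clients as if it were a DNS message.
  return new Response(resp.body, {
    status: resp.status,
    headers: { 'content-type': DNS_MIME, 'cache-control': resp.headers.get('cache-control') ?? 'no-store' },
  });
}

// Only register the handler when running inside a Workers-style runtime.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => event.respondWith(handleRequest(event.request)));
}
```

With this layout a client that hits the right path with the wrong content type, or any path other than ENDPOINT_PATH, gets the same 400 or 404 the thread observed, while a dcompass-style client that POSTs application/dns-message to the exact path is forwarded.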

LEXUGE (Collaborator) commented Apr 4, 2022

I'm not quite sure what you mean by the repeated 404 errors; do you have a log?

The reason for the manual IP is to guarantee that bootstrapping works without depending on other software or libc to resolve the required hostnames (because there is no guarantee that IPs obtained from those sources are unpolluted, and it would be inappropriate for dcompass, as a DNS resolver, to depend on other resolution paths).

Error996 (Author) commented Apr 4, 2022

#81 (comment)

It appears in a loop; in the third line from the bottom there's a 404 not found.

My guess is that it's related to TLS 1.3.

Error996 (Author) commented Apr 4, 2022

It doesn't actually affect usage, it's just my OCD~~~~

LEXUGE (Collaborator) commented Apr 4, 2022

I'll try to reproduce and fix it when I have time.
