[Bug?] If the server address in the client config is a domain name and the DNS config uses encrypted servers, the connection to the server cannot be established #455
Comments
The simplest fix I can suggest is to extend the set of predefined encrypted DNS services; please consider adding the following services:
That said, I would personally prefer that the hidden dns config be supported again. TLS certificates with an IP address as the CN are expensive, which greatly limits the range of usable encrypted DNS services. And not long ago encrypted DNS services such as Quad9 and NextDNS were blocked in mainland China, so I worry that these extended predefined services will all stop working in the future.
The Quad9 and Cloudflare DNS servers that you mentioned could be set by Did you realize that you have missed a
Oh, you want EDNS support. Hmm. I think trust-dns hasn't supported it yet.
I assumed these predefined encrypted DNS services all send their requests via
That is why I turned to the hidden config: I saw that its structure also specifies the IP address of the encrypted DNS server, so I expected it to solve this problem.
Error log:
Config file:
{
  "local_address": "127.0.0.1",
  "local_port": 55555555,
  "servers": [
    {
      "address": "example.com",
      "port": 666666666,
      "method": "chacha20-ietf-poly1305",
      "password": "*****************************************",
      "plugin": "",
      "plugin_opts": ""
    }
  ],
  "dns": {
    "domain": "security.cloudflare-dns.com",
    "name_servers": [
      { "socket_addr": "1.1.1.2", "protocol": "https" },
      { "socket_addr": "1.1.1.2", "protocol": "tls" },
      { "socket_addr": "1.0.0.2", "protocol": "https" },
      { "socket_addr": "1.0.0.2", "protocol": "tls" }
    ]
  },
  "mode": "tcp_only",
  "ipv6_first": false
}
The following config should work:
"dns": {
  "name_servers": [
    {
      "socket_addr": "1.1.1.2:443",
      "protocol": "https",
      "tls_dns_name": "security.cloudflare-dns.com"
    },
    {
      "socket_addr": "1.1.1.2:853",
      "protocol": "tls",
      "tls_dns_name": "security.cloudflare-dns.com"
    },
    {
      "socket_addr": "1.0.0.2:443",
      "protocol": "https",
      "tls_dns_name": "security.cloudflare-dns.com"
    },
    {
      "socket_addr": "1.0.0.2:853",
      "protocol": "tls",
      "tls_dns_name": "security.cloudflare-dns.com"
    }
  ]
}
This is exactly the same as the way how
Problem solved, thanks for your patient answers!
After clearing the DNS cache, I tested the config with the predefined
I haven't tested any of it before. :P Try to use
OK, confirmed: even with the hidden config the problem is not solved. If the system has no cached DNS resolution for the ss server's domain name, the connection can never be established.
{
  "local_address": "127.0.0.1",
  "local_port": 555555555,
  "servers": [
    {
      "address": "example.com",
      "port": 6666666,
      "method": "chacha20-ietf-poly1305",
      "password": "*****************************",
      "plugin": "",
      "plugin_opts": ""
    },
    {
      "address": "v6ddns.example.com",
      "port": 6666666,
      "method": "chacha20-ietf-poly1305",
      "password": "*****************************",
      "plugin": "",
      "plugin_opts": ""
    },
    {
      "disabled": true,
      "address": "666.666.666.666",
      "port": 77777777777,
      "method": "chacha20-ietf-poly1305",
      "password": "*****************************",
      "plugin": "",
      "plugin_opts": ""
    }
  ],
  "dns": {
    "name_servers": [
      {
        "socket_addr": "1.1.1.2:443",
        "protocol": "https",
        "tls_dns_name": "security.cloudflare-dns.com"
      },
      {
        "socket_addr": "1.1.1.2:853",
        "protocol": "tls",
        "tls_dns_name": "security.cloudflare-dns.com"
      },
      {
        "socket_addr": "1.0.0.2:443",
        "protocol": "https",
        "tls_dns_name": "security.cloudflare-dns.com"
      },
      {
        "socket_addr": "1.0.0.2:853",
        "protocol": "tls",
        "tls_dns_name": "security.cloudflare-dns.com"
      }
    ]
  },
  "mode": "tcp_only",
  "ipv6_first": false
}
ACL:
It isn't related to ACL.
Feature requirements for the dns module
It works perfectly with
Thanks for the suggestion. I took a look at  I have no hands-on experience with trust-dns; would it be possible to adjust the logic here so that it queries the multiple configured DNS servers concurrently?
Interesting.
Default to
Then my reading of the error log may be somewhat off. But the messages I saw at first were indeed all TCP Connecting to 1.1.1.2:443, followed by a string of latency timeouts; then TCP Connecting to 1.1.1.2:853, again with a string of timeouts. Only at the end did I see TCP Connecting to 1.0.0.2:443.
In any case, after removing the 1.1.1.2 entries from the config, the client established a connection to the ss server as soon as it came up.
That means it was trying to connect
Right, but not sending requests to 1.1.1.2 and 1.0.0.2 at the same time is quite bad in this scenario.
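The log described in the comments above (every attempt against 1.1.1.2:443 times out, then 1.1.1.2:853, and only then does 1.0.0.2:443 answer) is what a resolver that tries its upstreams one at a time produces when the first upstream is unreachable. The following is an added example that models that behaviour against a racing strategy; it is not code from shadowsocks-rust or trust-dns. The upstream list, the set of "blackholed" upstreams, the per-attempt timeout and the answer text are all constructed for the demonstration.

```python
"""Sequential fallthrough vs. racing all upstreams, as an asyncio model.

Added example, not shadowsocks-rust or trust-dns code. The upstreams are
fakes: anything in BLACKHOLED never answers (the query hangs until it is
cancelled); everything else answers after a few milliseconds.
"""
import asyncio
import time
from typing import Callable, List, Optional, Tuple

# Constructed upstream list, in the order the config in this thread lists them.
UPSTREAMS = ["1.1.1.2:443", "1.1.1.2:853", "1.0.0.2:443", "1.0.0.2:853"]
# Constructed: pretend 1.1.1.2 is unreachable from this network.
BLACKHOLED = {"1.1.1.2:443", "1.1.1.2:853"}
ATTEMPT_TIMEOUT = 0.2  # seconds; real per-attempt timeouts are several seconds


async def fake_query(upstream: str, name: str) -> str:
    """Pretend to send a query; blackholed upstreams hang until cancelled."""
    if upstream in BLACKHOLED:
        await asyncio.sleep(3600)
    await asyncio.sleep(0.01)
    return f"{name} -> 203.0.113.10 (via {upstream})"  # constructed answer


async def resolve_sequential(name: str) -> Tuple[Optional[str], List[str]]:
    """Try upstreams one by one; every dead upstream costs a full timeout."""
    attempts: List[str] = []
    for upstream in UPSTREAMS:
        attempts.append(upstream)
        try:
            answer = await asyncio.wait_for(fake_query(upstream, name), ATTEMPT_TIMEOUT)
            return answer, attempts
        except asyncio.TimeoutError:
            continue  # fall through to the next upstream, exactly like the log
    return None, attempts


async def resolve_racing(name: str) -> Tuple[Optional[str], List[str]]:
    """Query all upstreams at once, keep the first answer, cancel the rest."""
    tasks = [asyncio.create_task(fake_query(upstream, name)) for upstream in UPSTREAMS]
    done, pending = await asyncio.wait(
        tasks, timeout=ATTEMPT_TIMEOUT, return_when=asyncio.FIRST_COMPLETED
    )
    for task in pending:
        task.cancel()
    answer = next((task.result() for task in done), None)
    return answer, list(UPSTREAMS)


def timed(strategy: Callable, name: str) -> Tuple[Optional[str], List[str], float]:
    """Run a strategy and report (answer, upstreams tried, wall-clock seconds)."""
    start = time.monotonic()
    answer, attempts = asyncio.run(strategy(name))
    return answer, attempts, time.monotonic() - start


if __name__ == "__main__":
    for strategy in (resolve_sequential, resolve_racing):
        answer, attempts, elapsed = timed(strategy, "example.com")
        print(f"{strategy.__name__}: tried {attempts} in {elapsed:.3f}s -> {answer}")
```

With a dead first upstream, the sequential strategy only reaches 1.0.0.2:443 after two full timeouts, which is the delay the client in this thread sat through before it could even resolve the ss server's name; racing returns as soon as any upstream answers.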
Starting roughly from commit 68d315e, the hidden config described earlier stopped working.
The problem I want to solve is this: when the server address in the client config is written as a domain name, the dns section cannot be set to use encrypted DNS servers, otherwise the connection fails.
I suspect this is mostly because the predefined encrypted DNS servers have a bootstrap step (obtaining the IP address that the encrypted DNS server's own domain name points to), and that resolution request is routed through the proxy, producing a circular dependency.
To work around this, one could switch to an encrypted DNS service that supports using an IP address as the hostname, or find a way to write the encrypted DNS server's IP into the config ahead of time. Both approaches require the hidden config mentioned above.
On a client built from the current latest commit 46a51c8, the error log when using the hidden config is as follows:
The config file is as follows:
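The two configs in this thread differ only in the dns.name_servers entries: the one that failed names each resolver by a bare IP with no port and no tls_dns_name, the one that worked carries an explicit port (443 for https, 853 for tls) and a tls_dns_name. The issue description also explains the bootstrap loop: a resolver identified by a domain name needs a resolution before it can be used, and if that resolution is routed through a proxy whose own address is a domain name, neither side can start. The following is an added checker that flags both conditions before the client is started; it is not code from the shadowsocks-rust project. The per-entry rules (port required, tls_dns_name required for https/tls) are inferred from the working config posted above, and the three sample configs are constructed, with placeholder ports and passwords.

```python
"""Sanity-check the dns.name_servers block of a shadowsocks-rust style client
config for the two failure modes discussed in issue #455.

Added example, not shadowsocks-rust code. Rules are inferred from the thread:
each entry needs a socket_addr with an explicit port (443 https / 853 tls) and,
for https/tls, a tls_dns_name; a resolver named by a domain while the proxy
server is also a domain is reported as a bootstrap-loop risk.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

DEFAULT_PORT = {"https": 443, "tls": 853, "udp": 53, "tcp": 53}


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def split_socket_addr(addr: str) -> Tuple[str, Optional[int]]:
    """Return (host, port). Accepts 'h:p', '[v6]:p', bare 'h' and bare v6 literals."""
    if addr.startswith("["):
        host, _, rest = addr[1:].partition("]")
        if rest.startswith(":") and rest[1:].isdigit():
            return host, int(rest[1:])
        return host, None
    if addr.count(":") > 1:  # unbracketed IPv6 literal cannot carry a port
        return addr, None
    host, sep, port = addr.partition(":")
    if sep and port.isdigit():
        return host, int(port)
    return addr, None


def check_config(cfg: Dict) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings: List[str] = []
    proxy_domains = [
        s["address"] for s in cfg.get("servers", [])
        if not s.get("disabled") and not is_ip_literal(s["address"])
    ]
    for i, ns in enumerate(cfg.get("dns", {}).get("name_servers", [])):
        proto = ns.get("protocol", "udp")
        host, port = split_socket_addr(ns.get("socket_addr", ""))
        where = f"name_servers[{i}] {ns.get('socket_addr')!r}/{proto}"
        if port is None:
            findings.append(f"{where}: socket_addr has no port (expected :{DEFAULT_PORT.get(proto, '?')})")
        elif proto in DEFAULT_PORT and port != DEFAULT_PORT[proto]:
            findings.append(f"{where}: port {port} is not the usual {DEFAULT_PORT[proto]} for {proto}")
        if proto in ("https", "tls") and not ns.get("tls_dns_name"):
            findings.append(f"{where}: tls_dns_name missing, certificate cannot be validated")
        if not is_ip_literal(host) and proxy_domains:
            findings.append(
                f"{where}: resolver {host!r} is a domain and so are proxy servers "
                f"{proxy_domains}: bootstrap loop risk"
            )
    return findings


# Constructed sample configs (ports and password are placeholders).
SERVERS = [{"address": "ss.example.com", "port": 8388,
            "method": "chacha20-ietf-poly1305", "password": "PLACEHOLDER"}]
FAILING_CONFIG = {"servers": SERVERS, "dns": {"name_servers": [
    {"socket_addr": "1.1.1.2", "protocol": "https"},
    {"socket_addr": "1.1.1.2", "protocol": "tls"},
    {"socket_addr": "1.0.0.2", "protocol": "https"},
    {"socket_addr": "1.0.0.2", "protocol": "tls"},
]}}
WORKING_CONFIG = {"servers": SERVERS, "dns": {"name_servers": [
    {"socket_addr": "1.1.1.2:443", "protocol": "https", "tls_dns_name": "security.cloudflare-dns.com"},
    {"socket_addr": "1.1.1.2:853", "protocol": "tls", "tls_dns_name": "security.cloudflare-dns.com"},
    {"socket_addr": "1.0.0.2:443", "protocol": "https", "tls_dns_name": "security.cloudflare-dns.com"},
    {"socket_addr": "1.0.0.2:853", "protocol": "tls", "tls_dns_name": "security.cloudflare-dns.com"},
]}}
LOOPING_CONFIG = {"servers": SERVERS, "dns": {"name_servers": [
    {"socket_addr": "dns.example.net:853", "protocol": "tls", "tls_dns_name": "dns.example.net"},
]}}

if __name__ == "__main__":
    for label, cfg in (("failing", FAILING_CONFIG), ("working", WORKING_CONFIG), ("looping", LOOPING_CONFIG)):
        print(label, check_config(cfg) or "OK")
```

The loop check is deliberately conservative: it reports any domain-named resolver whenever an enabled proxy server is itself a domain, since whether that resolution is actually routed through the proxy depends on the client's routing rules, which the config alone does not show.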