如何解决使用非默认 outbound DNS 似乎就无法按预期解析的情况? (配置错误) #4056

lslqtz · 2024-11-24T09:18:30Z

lslqtz
Nov 24, 2024

最近引入了一个 DNS 解锁服务用于解锁 ChatGPT, 但我之前一直在对全部流量使用 Cloudflare Warp (Wireguard), 因此, 需要针对部分域名使用 DNS 解锁服务及直接出站相关域名.

在配置 OpenAI 相关域名走直连出站时, 似乎没有使用到 DNS 解锁. 但如果不直连出站, 就可以进行 DNS 解锁 (目前的 DNS 解锁服务商似乎并无对 SNI 代理的入站 IP 进行限制, 但这是一个不确定因素).

服务器是仅 IPv4 的网络, 以下是有关的具体配置文件, 核心是被注释掉的那一部分, 如果注释它, DNS 解锁服务就能正常使用 (没有注释时, 使用 Cloudflare trace 查看 IP 是服务器自身的 IP 地址, 意为没有成功利用 DNS 解锁服务).

按我的理解, 域名进到 Xray 后由于匹配到 routing 规则, 应该交由 direct 出站, 又由于 domainStrategy: ForceIP, 应该使用 DNS 解锁服务解析并以这个 IP 出站. 从日志来看, from {clientIP}:35744 accepted tcp:chatgpt.com:443 [direct] 似乎并没有解析为 IP, 这是哪里配置出了疏漏吗?

入站 Sniffing 已禁用.

谢谢!

(另外刚刚发现 domainStrategy: ForceIP 的情况会导致 Wireguard 尝试使用网络不支持的 IPv6 去连接, 并获得大量 sendto: network is unreachable 错误)

English Ver (Translated by Google)

Recently, a DNS unlocking service was introduced to unlock ChatGPT, but I have been using Cloudflare Warp (Wireguard) for all traffic, so it is necessary to use the DNS unlocking service and direct outbound related domain names for some domain names.

When configuring OpenAI-related domain names to go directly outbound, DNS unlocking does not seem to be used. But if you do not go directly outbound, you can do DNS unlocking (current DNS unlocking service providers do not seem to restrict the inbound IP of SNI proxy, but this is an uncertain factor).

The server is an IPv4-only network. The following are the specific configuration files. The core is the commented-out part. If it is commented, the DNS unlocking service can be used normally (when there is no comment, use Cloudflare trace to check that the IP is the server's own IP address, which means that the DNS unlocking service has not been successfully used).

As I understand it, after the domain name enters Xray, it should be handed over to direct outbound because it matches the routing rule, and because of domainStrategy: ForceIP, it should be resolved using the DNS unlocking service and outbound with this IP. From the log, from {clientIP}:35744 accepted tcp:chatgpt.com:443 [direct] It doesn't seem to be resolved to an IP. Is there something wrong with the configuration?

Inbound sniffing is disabled.

Thanks!

(In addition, I just found that domainStrategy: ForceIP will cause Wireguard to try to connect using IPv6 that is not supported by the network, and get a lot of sendto: network is unreachable errors)

# xray version
Xray 24.11.11 (Xray, Penetrates Everything.) 0df2446 (go1.23.3 linux/amd64)
A unified platform for anti-censorship.

{
	"dns": {
		"servers": [
			"https+local://1.0.0.1/dns-query",
			"https+local://1.1.1.1/dns-query",
			"localhost",
			{
				// 使用 DNS 解锁服务来解析特定域名组 / Use DNS Unlock service to resolve specific domain name groups.
				"tag": "openai",
				"address": "{unlock_dns_server}",
				"port": 53,
				"domains": [
					"geosite:openai"
				],
				"skipFallback": false
			}
		]
	},
	"routing": {
		"rules": [
			{
				// 特定 IP 直连, 避免回环问题 / Directly connect to a specific IP address to avoid loopback issues.
				"type": "field",
				"ip": [
					"1.1.1.1",
					"1.0.0.1",
					"{unlock_dns_server}"
				],
				"outboundTag": "direct"
			},
			{
				// 特定域名直连, 避免回环问题 / Directly connect to a specific domain to avoid loopback issues.
				"type": "field",
				"domains": [
					"engage.cloudflareclient.com"
				],
				"outboundTag": "direct"
			}
			/*
			,{
				// 特定域名组走直连, 避免 DNS 解锁服务的入口 IP 限制 / Directly connect to specific domain groups to avoid entry IP restrictions of DNS unlocking services.
				"type": "field",
				"domains": [
					"geosite:openai"
				],
				"outboundTag": "direct"
			}
			*/
		]
	},
	"outbounds": [
		{
			// Cloudflare Warp.
			"tag": "wireguard",
			"protocol": "wireguard",
			"settings": {
				"secretKey": "{secretKey}",
				"address": [
					"172.16.0.2/32",
					"{wgIPv6}/128"
				],
				"peers": [
					{
						"publicKey": "{publicKey}",
						"allowedIPs": [
							"0.0.0.0/0",
							"::/0"
						],
						"endpoint": "engage.cloudflareclient.com:2408"
					}
				],
				"reserved": [0, 0, 0],
				"mtu": 1280,
				"noKernelTun": true
			}
		},
		{
				"tag": "direct",
				"protocol": "freedom",
				"domainStrategy": "ForceIPv4" // 强制使用内置 DNS 服务器, 以利用 DNS 解锁服务 / Force use of built-in DNS servers to take advantage of DNS Unblock services.
		}
	]
}

Answered by lslqtz

Nov 24, 2024

问题已经解决, 属于配置问题: direct 部分 domainStrategy 应位于 settingsObject 内. domainStrategy: ForceIP 的情况会导致 Wireguard 尝试使用网络不支持的 IPv6 去连接实际上也可能是 Xray 本身或 AsIs 的问题.

解决完后的配置文件如下, 改善了如下问题:

使用 Cloudflare Warp 做 DNS 解析, 以进一步完全使用;
使用本机 DNS 解析 Cloudflare Warp 入口点, 并指定仅使用 IPv4 (只返回 A 记录), 以避免 sendto: network is unreachable 问题;
修复配置文件, 正确指定 direct 部分的 domainStrategy;

{
	"log": {
		"logLevel": "warning",
		"error": "/var/log/xray/error.log",
		"access": "/var/log/xray/access.log"
	},
	"dns": {
		"servers": [
			"https://1.1.1.1/dns-query",
			"https://1.0.0.1/dns-query",
			"localhost",
			{
				"tag": "cloudflare-warp",
				"address": "localhost",
				"port": 53,
				"domains": [
					"engage.cloudflareclient…

View full answer

lslqtz · 2024-11-24T09:34:08Z

lslqtz
Nov 24, 2024
Author

我不太确定这是由于我配置问题, 还是属于一个 feature, 又或者属于一个 bug. 所以发至 Discussion, 希望有大佬能指点一下, 以解决配置上的困惑.

I'm not sure if this is due to my configuration problem, a feature, or a bug. So I posted this to Discussion, hoping someone can give me some pointers to solve the configuration confusion.

0 replies

lslqtz · 2024-11-24T09:42:43Z

lslqtz
Nov 24, 2024
Author

问题已经解决, 属于配置问题: direct 部分 domainStrategy 应位于 settingsObject 内. domainStrategy: ForceIP 的情况会导致 Wireguard 尝试使用网络不支持的 IPv6 去连接实际上也可能是 Xray 本身或 AsIs 的问题.

解决完后的配置文件如下, 改善了如下问题:

使用 Cloudflare Warp 做 DNS 解析, 以进一步完全使用;
使用本机 DNS 解析 Cloudflare Warp 入口点, 并指定仅使用 IPv4 (只返回 A 记录), 以避免 sendto: network is unreachable 问题;
修复配置文件, 正确指定 direct 部分的 domainStrategy;

{
	"log": {
		"logLevel": "warning",
		"error": "/var/log/xray/error.log",
		"access": "/var/log/xray/access.log"
	},
	"dns": {
		"servers": [
			"https://1.1.1.1/dns-query",
			"https://1.0.0.1/dns-query",
			"localhost",
			{
				"tag": "cloudflare-warp",
				"address": "localhost",
				"port": 53,
				"domains": [
					"engage.cloudflareclient.com"
				],
				"skipFallback": true,
				"queryStrategy": "UseIPv4"
			},
			{
				"tag": "openai",
				"address": "{unlock_dns_server}",
				"port": 53,
				"domains": [
					"geosite:openai"
				],
				"skipFallback": false,
				"queryStrategy": "UseIPv4"
			}
		]
	},
	"routing": {
		"rules": [
			{
				"type": "field",
				"ip": [
					"{unlock_dns_server}"
				],
				"outboundTag": "direct"
			},
			{
				"type": "field",
				"domains": [
					"engage.cloudflareclient.com"
				],
				"outboundTag": "direct"
			},
			{
				"type": "field",
				"domains": [
					"geosite:openai"
				],
				"outboundTag": "direct"
			}
		]
	},
	"outbounds": [
		{
			"tag": "wireguard",
			"protocol": "wireguard",
			"settings": {
				"secretKey": "{secretKey}",
				"address": [
					"172.16.0.2/32",
					"{wgIPv6}/128"
				],
				"peers": [
					{
						"publicKey": "{publicKey}",
						"allowedIPs": [
							"0.0.0.0/0",
							"::/0"
						],
						"endpoint": "engage.cloudflareclient.com:2408",
						"keepAlive": 25
					}
				],
				"reserved": [0, 0, 0],
				"mtu": 1280,
				"noKernelTun": true
			}
		},
		{
				"tag": "direct",
				"protocol": "freedom",
				"settings": {
					"domainStrategy": "ForceIPv4"
				}
		}
	],
	"policy": {
		"levels": {
			"0": {
				"handshake": 6,
				"connIdle": 180
			}
		}
	}
}

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

如何解决使用非默认 outbound DNS 似乎就无法按预期解析的情况? (配置错误) #4056

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

如何解决使用非默认 outbound DNS 似乎就无法按预期解析的情况? (配置错误) #4056

lslqtz Nov 24, 2024

Replies: 2 comments

lslqtz Nov 24, 2024 Author

lslqtz Nov 24, 2024 Author

lslqtz
Nov 24, 2024

lslqtz
Nov 24, 2024
Author

lslqtz
Nov 24, 2024
Author