[Bug]: Sing-Box 与 ChinaDNS-NG 的兼容性不太好 #2960

mm11253 · 2024-02-23T18:42:20Z

描述您遇到的bug

之前的反馈：#2937

当使用 Sing-Box DNS + ChinaDNS-NG 时，Linux 系统下对 www.youtube.com 这个域名解析失败，原以为完全是 Sing-Box 那边的问题，现在测了下感觉又不完全是。

结合 SagerNet/sing-box#1417 的反馈再次测试，我发现无法解析似乎和开启了 ChinaDNS-NG 有关：
开启时，dig 默认 DNS 端口无法解析，15353 端口正常，15354 端口连接被拒绝。
关闭时，dig 默认 DNS 端口正常解析，15353 端口正常。
开启时的 dig 结果如下：

root@OpenWrt:~# dig www.youtube.com
;; Truncated, retrying in TCP mode.
;; communications error to 127.0.0.1#53: end of file
;; communications error to 127.0.0.1#53: end of file
;; communications error to 127.0.0.1#53: end of file
;; communications error to ::1#53: end of file

; <<>> DiG 9.18.24 <<>> www.youtube.com
;; global options: +cmd
;; no servers could be reached

root@OpenWrt:~# dig www.youtube.com -p 15354
;; Truncated, retrying in TCP mode.
;; Connection to 127.0.0.1#15354(127.0.0.1) for www.youtube.com failed: connection refused.
;; no servers could be reached

;; Connection to 127.0.0.1#15354(127.0.0.1) for www.youtube.com failed: connection refused.
;; no servers could be reached

;; Connection to 127.0.0.1#15354(127.0.0.1) for www.youtube.com failed: connection refused.
;; Connection to ::1#15354(::1) for www.youtube.com failed: connection refused.
;; no servers could be reached

root@OpenWrt:~# dig www.youtube.com -p 15353
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.18.24 <<>> www.youtube.com -p 15353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13661
;; flags: qr rd ra; QUERY: 1, ANSWER: 17, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x00fe, udp: 1232
;; QUESTION SECTION:
;www.youtube.com.		IN	A

;; ANSWER SECTION:
www.youtube.com.	254	IN	CNAME	youtube-ui.l.google.com.
youtube-ui.l.google.com. 254	IN	A	142.251.220.78
youtube-ui.l.google.com. 254	IN	A	172.217.24.238
youtube-ui.l.google.com. 254	IN	A	142.251.130.14
youtube-ui.l.google.com. 254	IN	A	142.251.222.206
youtube-ui.l.google.com. 254	IN	A	172.217.31.14
youtube-ui.l.google.com. 254	IN	A	172.217.24.110
youtube-ui.l.google.com. 254	IN	A	172.217.27.46
youtube-ui.l.google.com. 254	IN	A	172.217.27.14
youtube-ui.l.google.com. 254	IN	A	142.251.220.110
youtube-ui.l.google.com. 254	IN	A	142.250.207.78
youtube-ui.l.google.com. 254	IN	A	142.250.66.46
youtube-ui.l.google.com. 254	IN	A	142.250.199.78
youtube-ui.l.google.com. 254	IN	A	172.217.25.14
youtube-ui.l.google.com. 254	IN	A	142.250.66.142
youtube-ui.l.google.com. 254	IN	A	142.250.66.110
youtube-ui.l.google.com. 254	IN	A	142.250.66.78

;; Query time: 39 msec
;; SERVER: 127.0.0.1#15353(127.0.0.1) (TCP)
;; WHEN: Sat Feb 24 02:03:08 CST 2024
;; MSG SIZE  rcvd: 720

关闭时的 dig 结果如下：

root@OpenWrt:~# dig www.youtube.com

; <<>> DiG 9.18.24 <<>> www.youtube.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45054
;; flags: qr rd ra; QUERY: 1, ANSWER: 17, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.youtube.com.		IN	A

;; ANSWER SECTION:
www.youtube.com.	118	IN	CNAME	youtube-ui.l.google.com.
youtube-ui.l.google.com. 118	IN	A	142.250.204.142
youtube-ui.l.google.com. 118	IN	A	142.250.204.78
youtube-ui.l.google.com. 118	IN	A	172.217.24.78
youtube-ui.l.google.com. 118	IN	A	172.217.31.14
youtube-ui.l.google.com. 118	IN	A	142.250.204.110
youtube-ui.l.google.com. 118	IN	A	172.217.27.14
youtube-ui.l.google.com. 118	IN	A	142.250.199.78
youtube-ui.l.google.com. 118	IN	A	142.251.220.14
youtube-ui.l.google.com. 118	IN	A	172.217.24.238
youtube-ui.l.google.com. 118	IN	A	142.250.204.46
youtube-ui.l.google.com. 118	IN	A	172.217.27.46
youtube-ui.l.google.com. 118	IN	A	216.58.200.238
youtube-ui.l.google.com. 118	IN	A	142.251.220.46
youtube-ui.l.google.com. 118	IN	A	216.58.203.78
youtube-ui.l.google.com. 118	IN	A	172.217.24.110
youtube-ui.l.google.com. 118	IN	A	172.217.25.14

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sat Feb 24 02:05:01 CST 2024
;; MSG SIZE  rcvd: 337

root@OpenWrt:~# dig www.youtube.com -p 15353
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.18.24 <<>> www.youtube.com -p 15353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48655
;; flags: qr rd ra; QUERY: 1, ANSWER: 17, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0072, udp: 1232
;; QUESTION SECTION:
;www.youtube.com.		IN	A

;; ANSWER SECTION:
www.youtube.com.	114	IN	CNAME	youtube-ui.l.google.com.
youtube-ui.l.google.com. 114	IN	A	172.217.25.14
youtube-ui.l.google.com. 114	IN	A	142.250.66.46
youtube-ui.l.google.com. 114	IN	A	142.250.66.110
youtube-ui.l.google.com. 114	IN	A	142.250.204.110
youtube-ui.l.google.com. 114	IN	A	142.250.66.78
youtube-ui.l.google.com. 114	IN	A	142.250.207.78
youtube-ui.l.google.com. 114	IN	A	172.217.24.238
youtube-ui.l.google.com. 114	IN	A	142.250.204.46
youtube-ui.l.google.com. 114	IN	A	172.217.27.46
youtube-ui.l.google.com. 114	IN	A	172.217.24.110
youtube-ui.l.google.com. 114	IN	A	142.250.204.78
youtube-ui.l.google.com. 114	IN	A	142.250.199.78
youtube-ui.l.google.com. 114	IN	A	142.251.222.206
youtube-ui.l.google.com. 114	IN	A	142.250.66.142
youtube-ui.l.google.com. 114	IN	A	172.217.31.14
youtube-ui.l.google.com. 114	IN	A	172.217.27.14

;; Query time: 29 msec
;; SERVER: 127.0.0.1#15353(127.0.0.1) (TCP)
;; WHEN: Sat Feb 24 02:05:13 CST 2024
;; MSG SIZE  rcvd: 720

也就是，只要不开启 ChinaDNS-NG，即使 DNS 相应超过 512B，解析也是正常的，上面测试 15353 的响应大小都是 720B。
但是，也不能说 Sing-Box 完全没问题，在使用 dns2tcp 时，15353 端口的响应明显要小很多：

root@OpenWrt:~# dig www.youtube.com -p 15353

; <<>> DiG 9.18.24 <<>> www.youtube.com -p 15353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7423
;; flags: qr rd ra; QUERY: 1, ANSWER: 17, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.youtube.com.		IN	A

;; ANSWER SECTION:
www.youtube.com.	86	IN	CNAME	youtube-ui.l.google.com.
youtube-ui.l.google.com. 86	IN	A	142.250.204.142
youtube-ui.l.google.com. 86	IN	A	142.250.204.46
youtube-ui.l.google.com. 86	IN	A	172.217.24.78
youtube-ui.l.google.com. 86	IN	A	142.250.204.78
youtube-ui.l.google.com. 86	IN	A	216.58.200.238
youtube-ui.l.google.com. 86	IN	A	172.217.27.46
youtube-ui.l.google.com. 86	IN	A	142.250.204.110
youtube-ui.l.google.com. 86	IN	A	142.251.220.46
youtube-ui.l.google.com. 86	IN	A	172.217.31.14
youtube-ui.l.google.com. 86	IN	A	172.217.25.14
youtube-ui.l.google.com. 86	IN	A	172.217.24.238
youtube-ui.l.google.com. 86	IN	A	172.217.27.14
youtube-ui.l.google.com. 86	IN	A	172.217.24.110
youtube-ui.l.google.com. 86	IN	A	216.58.203.78
youtube-ui.l.google.com. 86	IN	A	142.251.220.14
youtube-ui.l.google.com. 86	IN	A	142.250.199.78

;; Query time: 59 msec
;; SERVER: 127.0.0.1#15353(127.0.0.1) (UDP)
;; WHEN: Sat Feb 24 02:17:57 CST 2024
;; MSG SIZE  rcvd: 334

我看着 334B 的响应结果和前面 720B 的响应结果似乎没有什么区别，不知道为什么 Sing-Box 的 DNS 响应会更大一些。

之前有大佬帮忙测了下没有复现：#2937 (comment)
这位大佬的响应就正常，只有 291B，我也测了下 DoH，并没有解决我的问题，所以我不清楚问题到底出在哪里了，只能先发在这里麻烦各位大佬帮忙分析一下了。

复现此Bug的步骤

和上面说的一样。

您想要实现的目的

优化 DNS 解析流程。

日志信息

2024-02-24 02:31:03: 删除相关防火墙规则完成。
2024-02-24 02:31:07: 清空并关闭相关程序和缓存完成。
2024-02-24 02:31:07: 分析 Socks 服务的节点配置...
2024-02-24 02:31:07:   - Socks节点：[HKG 17]*:20017，启动 0.0.0.0:1081
2024-02-24 02:31:07:   - Socks节点：[SGP 07]*:20107，启动 0.0.0.0:1082
2024-02-24 02:31:07: TCP节点：[分流总节点]，监听端口：1041
2024-02-24 02:31:07: - 域名解析 DNS Over HTTPS
2024-02-24 02:31:08: 过滤服务配置：准备接管域名解析...
2024-02-24 02:31:08:   | - (chinadns-ng) 最高支持4级域名过滤...
2024-02-24 02:31:08:   + 过滤服务：ChinaDNS-NG(:15354)：国内DNS：*.*.*.35,*.*.*.47，可信DNS：127.0.0.1#15353
2024-02-24 02:31:08:   - 以上所列以外及默认：127.0.0.1#15354
2024-02-24 02:31:08:   - PassWall必须依赖于Dnsmasq，如果你自行配置了错误的DNS流程，将会导致域名(直连/代理域名)分流失效！！！
2024-02-24 02:31:08: 开始加载防火墙规则...
2024-02-24 02:31:08: 加入负载均衡的节点到ipset[passwall_vpslist]直连完成
2024-02-24 02:31:08: 加入所有节点到ipset[passwall_vpslist]直连完成
2024-02-24 02:31:08: 加载路由器自身 TCP 代理...
2024-02-24 02:31:08:   - [0]，屏蔽代理UDP 端口：443
2024-02-24 02:31:08: 加载路由器自身 UDP 代理...
2024-02-24 02:31:09: TCP默认代理：使用TCP节点[分流总节点] [代理](REDIRECT:1041)代理所有端口
2024-02-24 02:31:09: UDP默认代理：使用UDP节点[分流总节点] [代理](TPROXY:1041)代理所有端口
2024-02-24 02:31:09: 防火墙规则加载完成！
2024-02-24 02:31:12: 重启 dnsmasq 服务
2024-02-24 02:31:12: 配置定时任务：自动更新规则。
2024-02-24 02:31:12: 运行完成！

截图

系统相关信息

Passwall: 4.74-1
ChinaDNS-NG: 2023.10.28
Sing-Box: v1.8.5
国内 DNS 为运营商默认 DNS，未使用其他 DNS 插件。

其他信息

No response

The text was updated successfully, but these errors were encountered:

mm11253 · 2024-02-23T18:57:45Z

简答点说，就是 Sing-Box 15353 端口正常给出了解析结果，但 ChinaDNS-NG 15354 端口的连接被拒绝了，导致无法正常获取 DNS 解析结果，但 Windows 上却又能正常拿到解析结果、能正常打开网页，只有 Linux 系统有问题。
然后是 Sing-Box 的 DNS 响应结果过大，比 dns2tcp 的响应大很多，不清楚是 BUG 还是设计如此。

SakuraFallingMad · 2024-02-24T05:33:47Z

root@ImmortalWrt:~# dig www.youtube.com -p 15354

; <<>> DiG 9.18.24 <<>> www.youtube.com -p 15354
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52794
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x011a, udp: 1232
;; QUESTION SECTION:
;www.youtube.com.		IN	A

;; ANSWER SECTION:
www.youtube.com.	282	IN	CNAME	youtube-ui.l.google.com.
youtube-ui.l.google.com. 282	IN	A	142.251.43.14
youtube-ui.l.google.com. 282	IN	A	142.251.42.238
youtube-ui.l.google.com. 282	IN	A	172.217.160.78
youtube-ui.l.google.com. 282	IN	A	172.217.163.46
youtube-ui.l.google.com. 282	IN	A	172.217.160.110

;; Query time: 0 msec
;; SERVER: 127.0.0.1#15354(127.0.0.1) (UDP)
;; WHEN: Sat Feb 24 13:32:04 CST 2024
;; MSG SIZE  rcvd: 291

root@ImmortalWrt:~# dig www.youtube.com -p 15353

; <<>> DiG 9.18.24 <<>> www.youtube.com -p 15353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20712
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0115, udp: 1232
;; QUESTION SECTION:
;www.youtube.com.		IN	A

;; ANSWER SECTION:
www.youtube.com.	277	IN	CNAME	youtube-ui.l.google.com.
youtube-ui.l.google.com. 277	IN	A	142.251.43.14
youtube-ui.l.google.com. 277	IN	A	142.251.42.238
youtube-ui.l.google.com. 277	IN	A	172.217.160.78
youtube-ui.l.google.com. 277	IN	A	172.217.163.46
youtube-ui.l.google.com. 277	IN	A	172.217.160.110

;; Query time: 0 msec
;; SERVER: 127.0.0.1#15353(127.0.0.1) (UDP)
;; WHEN: Sat Feb 24 13:32:09 CST 2024
;; MSG SIZE  rcvd: 291

好像一切正常

mm11253 · 2024-02-24T07:47:59Z

root@ImmortalWrt:~# dig www.youtube.com -p 15354

; <<>> DiG 9.18.24 <<>> www.youtube.com -p 15354
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52794
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x011a, udp: 1232
;; QUESTION SECTION:
;www.youtube.com.		IN	A

;; ANSWER SECTION:
www.youtube.com.	282	IN	CNAME	youtube-ui.l.google.com.
youtube-ui.l.google.com. 282	IN	A	142.251.43.14
youtube-ui.l.google.com. 282	IN	A	142.251.42.238
youtube-ui.l.google.com. 282	IN	A	172.217.160.78
youtube-ui.l.google.com. 282	IN	A	172.217.163.46
youtube-ui.l.google.com. 282	IN	A	172.217.160.110

;; Query time: 0 msec
;; SERVER: 127.0.0.1#15354(127.0.0.1) (UDP)
;; WHEN: Sat Feb 24 13:32:04 CST 2024
;; MSG SIZE  rcvd: 291

root@ImmortalWrt:~# dig www.youtube.com -p 15353

; <<>> DiG 9.18.24 <<>> www.youtube.com -p 15353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20712
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0115, udp: 1232
;; QUESTION SECTION:
;www.youtube.com.		IN	A

;; ANSWER SECTION:
www.youtube.com.	277	IN	CNAME	youtube-ui.l.google.com.
youtube-ui.l.google.com. 277	IN	A	142.251.43.14
youtube-ui.l.google.com. 277	IN	A	142.251.42.238
youtube-ui.l.google.com. 277	IN	A	172.217.160.78
youtube-ui.l.google.com. 277	IN	A	172.217.163.46
youtube-ui.l.google.com. 277	IN	A	172.217.160.110

;; Query time: 0 msec
;; SERVER: 127.0.0.1#15353(127.0.0.1) (UDP)
;; WHEN: Sat Feb 24 13:32:09 CST 2024
;; MSG SIZE  rcvd: 291

好像一切正常

这个响应体大小没超过 512B，是正常的。

SakuraFallingMad · 2024-02-24T07:57:21Z

我这边测试了好几个域名，都么有超过512B，没法复现了，抱歉

mm11253 · 2024-02-24T08:15:26Z

引用隔壁 ChinaDNS-NG 作者的回复 zfl9/chinadns-ng#144 (comment)

拒绝连接是因为 chinadns-ng 目前还没实施 tcp 监听。用 zig 重写的 1.0/2.0 版本已经加入 tcp 支持了。

结合你引用的几个 issue 推测，有这几方面的原因：

上游未遵循 EDNS 的 udp bufsz 扩展信息，你给出的示例显示 dig 的 bufsz 是 1232 字节，即使超过 512 字节的响应，也不应该设置 TC 标志，因为实际缓冲区大小是 1232 字节，并不会“截断”
上游未实施 DNS 域名压缩导致响应消息比较大，容易超出传统的 512 字节限制，而又由于第 1 条原因，导致很多“不必要的截断，然后通过 TCP 重试”的行为
chinadns-ng 目前尚未支持 TCP 监听/上游，导致 dig（查询客户端）在收到带 TC 标志的udp响应后，通过 tcp 重试查询时，未能连接上 chinadns-ng，于是出现连接被拒，查询超时。

所以，主要原因在于 Sing-Box 未将 DNS 响应体进行压缩。ChinaDNS-NG 拒绝连接的原因是目前还不支持 TCP 监听。

kxdn3 · 2024-02-24T12:16:08Z

导致机场的节点大部分不能用，郁闷

SakuraFallingMad · 2024-02-24T13:10:18Z

推荐singbox dns就只使用tcp dns，刚才选了个直播的cdn测singbox doh，返回是异常的。

#2953 (comment)

github-actions · 2024-03-06T01:47:46Z

Stale Issue

Saxon-Sun · 2024-03-24T07:50:59Z

推荐singbox dns就只使用tcp dns，刚才选了个直播的cdn测singbox doh，返回是异常的。

#2953 (comment)

问下大佬需不要打开缓存解析结果和FakeDNS的呀如果用singbox的话是不是ChinaDNS-NG就不用打开了

mm11253 added the bug Something isn't working label Feb 23, 2024

This was referenced Feb 24, 2024

由于UDP DNS响应长度超过512B进行截取导致某些域名无法获取IP信息 SagerNet/sing-box#1448

Closed

ChinaDNS-NG 2.0 zfl9/chinadns-ng#144

Closed

[Feature Request]: DNS分流 #2953

Closed

ShanStone mentioned this issue Feb 28, 2024

[Bug]: 更新新版本后，谷歌连接和github连接点击时显示都是失败的 #2970

Closed

SakuraFallingMad mentioned this issue Feb 29, 2024

[Bug]: 感觉4.74以后DNS远程DNS解析有问题 #2977

Closed

github-actions bot added the no-issue-activity stale issue label Mar 6, 2024

xiaorouji closed this as completed Mar 10, 2024

SakuraFallingMad mentioned this issue Mar 19, 2024

[Feature Request]: 建议默认使用udp与2024.03.07及之后的chinadns-ng通讯 #3048

Closed

kkqy mentioned this issue Aug 2, 2024

[Bug]: 开启passwall以后s.taobao.com解析非常慢 #3348

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug]: Sing-Box 与 ChinaDNS-NG 的兼容性不太好 #2960

[Bug]: Sing-Box 与 ChinaDNS-NG 的兼容性不太好 #2960

mm11253 commented Feb 23, 2024

mm11253 commented Feb 23, 2024

SakuraFallingMad commented Feb 24, 2024

mm11253 commented Feb 24, 2024

SakuraFallingMad commented Feb 24, 2024

mm11253 commented Feb 24, 2024

kxdn3 commented Feb 24, 2024

SakuraFallingMad commented Feb 24, 2024

github-actions bot commented Mar 6, 2024

Saxon-Sun commented Mar 24, 2024

[Bug]: Sing-Box 与 ChinaDNS-NG 的兼容性不太好 #2960

[Bug]: Sing-Box 与 ChinaDNS-NG 的兼容性不太好 #2960

Comments

mm11253 commented Feb 23, 2024

描述您遇到的bug

复现此Bug的步骤

您想要实现的目的

日志信息

截图

系统相关信息

其他信息

mm11253 commented Feb 23, 2024

SakuraFallingMad commented Feb 24, 2024

mm11253 commented Feb 24, 2024

SakuraFallingMad commented Feb 24, 2024

mm11253 commented Feb 24, 2024

kxdn3 commented Feb 24, 2024

SakuraFallingMad commented Feb 24, 2024

github-actions bot commented Mar 6, 2024

Saxon-Sun commented Mar 24, 2024