xray 透明代理dns的问题 #2446

adamgonglj · 2023-08-16T02:26:17Z

adamgonglj
Aug 16, 2023

xray 透明代理dns的问题

首先，我并非新人和伸手党，我自己在网络上查阅了大量的资料，和经过了多次尝试，仍有问题和不解，希望大佬不吝帮忙。

情况说明：使用ubuntu+nftables+xray配置软路由

问题点：主要是dns这一块，现在的情况是，打开Twitter刷不出视频，打开github超慢。

（个人经过测试，在相同的代理节点的情况下，使用shadowrocket+移动5G，也就是不经过ubuntu的透明代理的情况下，访问完全正常，所以，我100%确认，节点没有问题，问题就出在dns的配置上）

我的xray配置：

{
  "log": {
    "loglevel": "info",
    "access": "/var/log/xray.access.log",
    "error": "/var/log/xray.error.log",
    "dnsLog": true
  },
  "inbounds": [
    {
      "tag": "all-in",
      "port": 12345,
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls", "quic"]
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "tproxy"
        }
      }
    },
    {
      "port": 10808,
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls", "quic"]
      },
      "settings": {
        "auth": "noauth",
        "udp": true
      }
    }
  ],
  "outbounds": [
    {
     我自己的配置，tag为dvhk
    },
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {},
      "streamSettings": {
        "sockopt": {
          "mark": 255
        }
      }
    },
    {
      "tag": "block",
      "protocol": "blackhole",
      "settings": {
        "response": {
          "type": "http"
        }
      }
    },
    {
      "tag": "to_internal_dns_server",
      "protocol": "dns",
      "streamSettings": {
        "sockopt": {
          "mark": 255
        }
      }
    }
  ],
  "dns": {
    "hosts": {
      "dns.google": "8.8.8.8",
      "domain:googleapis.cn": "googleapis.com",
      "my_server": "my_ip_address"
    },
    "servers": [
      "https+local://1.1.1.1/dns-query",
      {
        "address": "https+local://1.1.1.1/dns-query",
        "domains": ["domain:whatsapp.net","domain:whatsapp.com","twitter","domain:facebook.com","domain:instagram.com","domain:twimg.com","domain:twitter.com","domain:x.com","domain:twitch.tv", "geosite:geolocation-!cn" ]
      },
      {
        "address": "114.114.114.114",
        "domains": ["geosite:cn","domain:taobao.com","domain:tb.cn","domain:t.cn","domain:fliggy.com","domain:feizhu.com","domain:alitrip.com","domain:qq.com","domain:alibabacloud.com","domain:95599.com","domain:abchina.com","domain:cmbimg.com","domain:cmbchina.com","domain:cctv.com","domain:cntv.cn"],
        "expectIPs": ["geoip:cn"]
      },
      "119.29.29.29",
      "223.5.5.5",
      "https+local://dns.google/dns-query",
      "localhost"
    ],
    "disableCache": false,
    "queryStrategy": "UseIPv4"
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "inboundTag": ["all-in"],
        "port": 53,
        "network": "udp",
        "outboundTag": "to_internal_dns_server"
      },
      {
        "type": "field",
        "ip": ["1.1.1.1"],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "domain":[ "domain:twimg.com","domain:twitter.com","domain:x.com","domain:twitch.tv"],
        "enabled": true,
        "outboundTag": "dvhk"
      },
      {
        "type": "field",
        "ip": ["geoip:private", "geoip:cn"],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "domain":["whatsapp.com","whatsapp.net"],
        "port":"443,5222,80",
        "outboundTag": "dvhk"
      },
      {
        "type": "field",
        "domain":[
          "domain:gigsgigscloud.com",
          "domain:gigsgigs.com"
        ],
        "outboundTag": "dvhk"
      },
      {
        "type": "field",
        "domain": [
          "openai.com",
          "bing.com",
          "buyee.jp"
        ],
        "outboundTag": "dvhk"
      },
      {
        "type": "field",
        "inboundTag": ["all-in"],
        "port": 123,
        "network": "udp",
        "outboundTag": "direct"
      },

      {
        "type": "field",
        "protocol": ["bittorrent"],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "domain": ["domain:gov.in"],
        "outboundTag": "dvhk"
      },
      {
        "type": "field",
        "domain": ["geosite:category-ads-all"],
        "outboundTag": "dvhk"
      },
      {
        "type": "field",
        "domain": [
          "geosite:geolocation-!cn",
          "domain:googleapis.cn",
          "dns.google"
        ],
        "outboundTag": "dvhk"
      }
    ]
  }
}

我的nftables配置

#!/usr/sbin/nft -f

flush ruleset


define RESERVED_IP4 = {
    10.0.0.0/8,
    100.64.0.0/10,
    127.0.0.0/8,
    169.254.0.0/16,
    172.16.0.0/12,
    192.0.0.0/8,
    224.0.0.0/4,
    240.0.0.0/4,
    255.255.255.255/32
}

include "/etc/direct_ip4.nft"
include "/etc/chnip.nft"  //中国的所有ip，包含了中国的dns的服务器。

table inet xray {


        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                meta l4proto tcp ip daddr $CHN_IP4 return
                meta l4proto tcp ip daddr $RESERVED_IP4 return
                ip daddr $CHN_IP4 udp dport != 53 return
                ip daddr $RESERVED_IP4 udp dport != 53 return
                ip6 daddr { 2001:db8:192:0::1/64 } return
                meta l4proto tcp ip6 daddr 2001:db8:192:0::1/64 return
                ip6 daddr 2001:db8:192:0::1/64 udp dport != 53 return
                meta mark 0x000000ff return
                meta l4proto { tcp, udp } meta mark set 0x00000001 tproxy ip to 127.0.0.1:12345 accept
                meta l4proto { tcp, udp } meta mark set 0x00000001 tproxy ip6 to [::1]:12345 accept
        }

        chain output {
                type route hook output priority filter; policy accept;
                meta l4proto tcp ip daddr $RESERVED_IP4 return
                meta l4proto tcp ip daddr $CHN_IP4 return
                ip daddr $RESERVED_IP4 udp dport != 53 return
                ip daddr $CHN_IP4 udp dport != 53 return
                ip6 daddr { 2001:db8:192:0::1/64 } return
                meta l4proto tcp ip6 daddr 2001:db8:192:0::1/64 return
                ip6 daddr 2001:db8:192:0::1/64 udp dport != 53 return
                meta mark 0x000000ff return
                meta l4proto { tcp, udp } meta mark set 0x00000001 accept
        }

        chain divert {
                type filter hook prerouting priority mangle; policy accept;
                meta l4proto tcp socket transparent 1 meta mark set 0x00000001 accept
        }
}

include "/etc/routernft.nft"

chise0713 · 2023-08-24T01:07:55Z

chise0713
Aug 24, 2023

单独在53端口开个dokodemo-door，然后在路由导入dns模块

{
      "port": 53,
      "protocol": "dokodemo-door",
      "settings": {
        "address": "233.233.233.233",
        "port": 53,
        "network": "tcp,udp"
      },
      "tag": "dns-in"
    },
"routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "inboundTag": [],
        "ip": ["233.233.233.233"],
        "outboundTag": "dns-out"
      },

最后将dns指向这里

3 replies

adamgonglj Sep 4, 2023
Author

非常非常感谢您的回复。
我给您看一下我这边的路由设置，我有这么一条命令。
/usr/sbin/ip route add local default dev lo table 100 ; /usr/sbin/ip rule add fwmark 1 table 100，也就是将本机是所有导入了dokodemo-door的12345端口，我要怎么样才能把流量请求导入到xray的53号端口呢。我不知道怎么配置。

chise0713 Sep 4, 2023

没搓过ip桌子和nf桌子不是很懂，记得话似乎是单独加个53端口的绕过的策略就行？
不过既然全部都导入任意门了就在xray的路由里加上：“目标端口为53的所有流量导入dns模块”，应该就行了

us254 Sep 5, 2023

https://blog.indigo.codes/2021/11/20/iptables-tproxy-and-home/#output-%E5%92%8C-prerouting-chain

InnocenseYu · 2023-10-19T16:46:12Z

InnocenseYu
Oct 19, 2023

您好，楼主：

我最近也遇到和你类似的问题，怀疑是xray 内置DNS 解析问题，不知您是否已经解决？

xray：v1.8.3
openwrt: linux 内核版本 5.4.236
xray 配置文件相同，仿照该网址
路由规则和防火墙见下文

1、一些网站检测 ip 地区无法通过（已经添加域名规则，且该ip在全局模式下可以通过网站地区检测）
2、github 项目主页可以打开，但是无法展示 readme 的图文，还有无法打开网址 githubusercontent.com，比如这个项目https://github.com/m3u8playlist/dp
3. obsidian 软件的社区插件库无法打开

路由规则：
ip route add local 0.0.0.0/0 dev lo table 100
ip rule add fwmark 1 table 100

防火墙规则：
iptables -t mangle -N XRAY
iptables -t mangle -A XRAY -d 127.0.0.1/8 -j RETURN
iptables -t mangle -A XRAY -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A XRAY -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A XRAY -d 192.168.0.0/16 -p tcp ! --dport 53 -j RETURN
iptables -t mangle -A XRAY -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN
iptables -t mangle -A XRAY -j RETURN -m mark --mark 0xff
iptables -t mangle -A XRAY -p udp -j TPROXY --on-ip 127.0.0.1 --on-port 12345 --tproxy-mark 1
iptables -t mangle -A XRAY -p tcp -j TPROXY --on-ip 127.0.0.1 --on-port 12345 --tproxy-mark 1
iptables -t mangle -A PREROUTING -j XRAY

iptables -t mangle -N XRAY_MASK
iptables -t mangle -A XRAY_MASK -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A XRAY_MASK -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A XRAY_MASK -d 192.168.0.0/16 -p tcp ! --dport 53 -j RETURN
iptables -t mangle -A XRAY_MASK -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN
iptables -t mangle -A XRAY_MASK -j RETURN -m mark --mark 0xff
iptables -t mangle -A XRAY_MASK -p udp -j MARK --set-mark 1
iptables -t mangle -A XRAY_MASK -p tcp -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -j XRAY_MASK

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT

0 replies

adamgonglj · 2023-10-20T05:02:02Z

adamgonglj
Oct 20, 2023
Author

我用nftables把国内ip全部绕过了。然后，所有的非国内IP全部走xray. InnocenseYu ***@***.***> 于2023年10月20日周五 00:46写道：

…

您好，楼主：我最近也遇到和你类似的问题，怀疑是xray 内置DNS 解析问题，不知您是否已经解决？ xray：v1.8.3 openwrt: linux 内核版本 5.4.236 xray 配置文件相同，仿照该网址 <https://xtls.github.io/document/level-2/tproxy_ipv4_and_ipv6.html#%E5%AE%A2%E6%88%B7%E7%AB%AF%E9%85%8D%E7%BD%AE> 路由规则和防火墙见下文 1、一些网站 <https://www.histar.tv/>检测 ip 地区无法通过（已经添加域名规则，且该ip在全局模式下可以通过网站地区检测） 2、github 项目主页可以打开，但是无法展示 readme 的图文，还有无法打开网址 githubusercontent.com，比如这个项目 https://github.com/m3u8playlist/dp 3. obsidian 软件的社区插件库无法打开路由规则： ip route add local 0.0.0.0/0 dev lo table 100 ip rule add fwmark 1 table 100 防火墙规则： iptables -t mangle -N XRAY iptables -t mangle -A XRAY -d 127.0.0.1/8 -j RETURN iptables -t mangle -A XRAY -d 224.0.0.0/4 -j RETURN iptables -t mangle -A XRAY -d 255.255.255.255/32 -j RETURN iptables -t mangle -A XRAY -d 192.168.0.0/16 -p tcp ! --dport 53 -j RETURN iptables -t mangle -A XRAY -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN iptables -t mangle -A XRAY -j RETURN -m mark --mark 0xff iptables -t mangle -A XRAY -p udp -j TPROXY --on-ip 127.0.0.1 --on-port 12345 --tproxy-mark 1 iptables -t mangle -A XRAY -p tcp -j TPROXY --on-ip 127.0.0.1 --on-port 12345 --tproxy-mark 1 iptables -t mangle -A PREROUTING -j XRAY iptables -t mangle -N XRAY_MASK iptables -t mangle -A XRAY_MASK -d 224.0.0.0/4 -j RETURN iptables -t mangle -A XRAY_MASK -d 255.255.255.255/32 -j RETURN iptables -t mangle -A XRAY_MASK -d 192.168.0.0/16 -p tcp ! --dport 53 -j RETURN iptables -t mangle -A XRAY_MASK -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN iptables -t mangle -A XRAY_MASK -j RETURN -m mark --mark 0xff iptables -t mangle -A XRAY_MASK -p udp -j MARK --set-mark 1 iptables -t mangle -A XRAY_MASK -p tcp -j MARK --set-mark 1 iptables -t mangle -A OUTPUT -j XRAY_MASK iptables -t mangle -N DIVERT iptables -t mangle -A DIVERT -j MARK --set-mark 1 iptables -t mangle -A DIVERT -j ACCEPT iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT — Reply to this email directly, view it on GitHub <#2446 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AF33KENDXO7BTLEX476KXXDYAFKOBAVCNFSM6AAAAAA3R3LOXSVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM3TGMZQGQ4TQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>

0 replies

adamgonglj · 2023-10-20T05:14:58Z

adamgonglj
Oct 20, 2023
Author

然后dns使用SmartDNS。 InnocenseYu ***@***.***> 于2023年10月20日周五 00:46写道：

…

您好，楼主：我最近也遇到和你类似的问题，怀疑是xray 内置DNS 解析问题，不知您是否已经解决？ xray：v1.8.3 openwrt: linux 内核版本 5.4.236 xray 配置文件相同，仿照该网址 <https://xtls.github.io/document/level-2/tproxy_ipv4_and_ipv6.html#%E5%AE%A2%E6%88%B7%E7%AB%AF%E9%85%8D%E7%BD%AE> 路由规则和防火墙见下文 1、一些网站 <https://www.histar.tv/>检测 ip 地区无法通过（已经添加域名规则，且该ip在全局模式下可以通过网站地区检测） 2、github 项目主页可以打开，但是无法展示 readme 的图文，还有无法打开网址 githubusercontent.com，比如这个项目 https://github.com/m3u8playlist/dp 3. obsidian 软件的社区插件库无法打开路由规则： ip route add local 0.0.0.0/0 dev lo table 100 ip rule add fwmark 1 table 100 防火墙规则： iptables -t mangle -N XRAY iptables -t mangle -A XRAY -d 127.0.0.1/8 -j RETURN iptables -t mangle -A XRAY -d 224.0.0.0/4 -j RETURN iptables -t mangle -A XRAY -d 255.255.255.255/32 -j RETURN iptables -t mangle -A XRAY -d 192.168.0.0/16 -p tcp ! --dport 53 -j RETURN iptables -t mangle -A XRAY -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN iptables -t mangle -A XRAY -j RETURN -m mark --mark 0xff iptables -t mangle -A XRAY -p udp -j TPROXY --on-ip 127.0.0.1 --on-port 12345 --tproxy-mark 1 iptables -t mangle -A XRAY -p tcp -j TPROXY --on-ip 127.0.0.1 --on-port 12345 --tproxy-mark 1 iptables -t mangle -A PREROUTING -j XRAY iptables -t mangle -N XRAY_MASK iptables -t mangle -A XRAY_MASK -d 224.0.0.0/4 -j RETURN iptables -t mangle -A XRAY_MASK -d 255.255.255.255/32 -j RETURN iptables -t mangle -A XRAY_MASK -d 192.168.0.0/16 -p tcp ! --dport 53 -j RETURN iptables -t mangle -A XRAY_MASK -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN iptables -t mangle -A XRAY_MASK -j RETURN -m mark --mark 0xff iptables -t mangle -A XRAY_MASK -p udp -j MARK --set-mark 1 iptables -t mangle -A XRAY_MASK -p tcp -j MARK --set-mark 1 iptables -t mangle -A OUTPUT -j XRAY_MASK iptables -t mangle -N DIVERT iptables -t mangle -A DIVERT -j MARK --set-mark 1 iptables -t mangle -A DIVERT -j ACCEPT iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT — Reply to this email directly, view it on GitHub <#2446 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AF33KENDXO7BTLEX476KXXDYAFKOBAVCNFSM6AAAAAA3R3LOXSVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM3TGMZQGQ4TQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>

0 replies

adamgonglj · 2023-10-21T07:20:17Z

adamgonglj
Oct 21, 2023
Author

使用nftables把所有国内IP都放行，再把所有的非国内IP都导入到xray中。DNS使用的事SmartDNS。现在问题已经解决。

1 reply

amintong Oct 23, 2023

求国内IP列表

adamgonglj · 2023-10-21T07:20:58Z

adamgonglj
Oct 21, 2023
Author

这个就不太懂了。 huyi51462 ***@***.***> 于2023年10月21日周六 09:39写道：

…

你们的问题大概率是非对称路由丢包 — Reply to this email directly, view it on GitHub <#2446 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AF33KEP326KR3ZV2YGOHAXDYAMRTVAVCNFSM6AAAAAA3R3LOXSVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM3TGNBUGI4TE> . You are receiving this because you authored the thread.Message ID: ***@***.***>

0 replies

iopq · 2025-04-09T14:20:17Z

iopq
Apr 9, 2025

I have exactly the same issue, did you resolve it?

My issue is from sticking extra stuff after xray

0 replies

huyi51462 · 2025-04-10T11:53:07Z

huyi51462
Apr 10, 2025

my paswall system work good iopq ***@***.***> 于2025年4月9日周三 22:20写道：

…

I have exactly the same issue, did you resolve it? — Reply to this email directly, view it on GitHub <#2446 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AMBRERL7CF3PNZJ3DAOFTTL2YUUDPAVCNFSM6AAAAAB2ZEHFS2VHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTENZXHEZDGOA> . You are receiving this because you commented.Message ID: ***@***.***>

0 replies

xray 透明代理dns的问题 #2446

Uh oh!

Uh oh!