
[BUG] Accessing an IPv6-only site shows ERR_NAME_NOT_RESOLVED

Open ha-ku opened this issue 2 years ago • 12 comments

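Describe the bug

Accessing an IPv6-only domain through the proxy shows ERR_NAME_NOT_RESOLVED.
[Screenshot: Screenshot_2022-04-26-04-05-04-983_com android chrome]
In the configuration override, IPv6 has been force-enabled and the built-in DNS resolution has been forced.
[Screenshot: Screenshot_2022-04-26-04-06-39-482_com github kr328 clash]
On the same device, Firefox, which is excluded from the proxy by the per-app setting, can access it normally.
[Image: IMG_20220426_040604]
So it should not be a problem with DNS itself. CFW can also access it normally, so it should not be a problem with the core either.

How to reproduce the bug

Step 1: In an environment where IPv6 is available, use CFA to proxy Chrome
Step 2: Use Chrome to access an IPv6-only domain (such as https://api-ipv6.ip.sb/ip)
Step 3: Chrome reports ERR_NAME_NOT_RESOLVED
Step 4: Stop the CFA proxy
Step 5: Chrome access to the IPv6-only domain returns to normal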

Device information

  • Model: MI 10, MI MIX 4
  • System type: MIUI
  • Android version: 12

App information

  • Version: 2.5.8
  • Package file name: cfa-2.5.8-premium-armeabi-v7a-release.apk
  • App source: github release

Configuration file

port: 7890
socks-port: 7891
redir-port: 7892
mixed-port: 7893
allow-lan: false
bind-address: "*"
mode: rule
log-level: info

proxies:
  - name: "proxy"
    type: http
    server: xxxxxxxxxxxxxxxxx
    port: xxxxx
    username: xxxxxxxxxxxxxxxxxxxx
    password: xxxxxxxx
    tls: true # https
    skip-cert-verify: false

rule-providers:
    ad:
        type: http
        behavior: classical
        path: ./ad.txt
        url: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        interval: 86400
    direct:
        type: http
        behavior: classical
        path: ./direct.txt
        url: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        interval: 86400
rules:
  - RULE-SET,ad,REJECT
  - RULE-SET,direct,DIRECT
  
  - MATCH,proxy

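Log

No relevant log at all.
Specifically: during the process of starting Logcat, accessing an IPv6-only address, and stopping Logcat, there was only `[APP] Logcat level: debug`

Screenshots

No response

Additional information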

No response

ha-ku avatar Apr 25 '22 20:04 ha-ku

Start recording the log from before the VPN is enabled.

Kr328 avatar Apr 26 '22 00:04 Kr328

Oh, ERR_NAME_NOT_RESOLVED looks like it is because I was using an IPv6-only private DNS, and the IP of the private DNS itself was not resolved either:

[DNS] resolve my.private.dns.server error: couldn't find ip: my.private.dns.server
[TCP] dial DIRECT (match RuleSet/direct) to my.private.dns.server:853 error: couldn't find ip: my.private.dns.server

After turning off private DNS, I re-ran the test with curl in Termux; the log is below:

# Capture on 2022-04-26 10:26:14.461
10:26:18.961    Info: dns:
10:26:18.965    Info:   enable: true
10:26:18.968    Info:   ipv6: false
10:26:18.968    Info:   use-hosts: true
10:26:18.968    Info:   nameserver:
10:26:18.980    Info:   - 223.5.5.5
10:26:18.987    Info:   - 119.29.29.29
10:26:18.992    Info:   - 8.8.4.4
10:26:18.993    Info:   - 1.0.0.1
10:26:18.995    Info:   - dhcp://system
10:26:18.996    Info:   fallback: []
10:26:18.996    Info:   fallback-filter:
10:26:18.996    Info:     geoip: false
10:26:18.997    Info:     geoip-code: ""
10:26:18.997    Info:     ipcidr: []
10:26:18.999    Info:     domain: []
10:26:19.000    Info:   listen: ""
10:26:19.000    Info:   enhanced-mode: fake-ip
10:26:19.011    Info:   fake-ip-range: 28.0.0.0/8
10:26:19.012    Info:   fake-ip-filter:
10:26:19.012    Info:   - +.stun.*.*
10:26:19.013    Info:   - +.stun.*.*.*
10:26:19.013    Info:   - +.stun.*.*.*.*
10:26:19.017    Info:   - +.stun.*.*.*.*.*
10:26:19.020    Info:   - lens.l.google.com
10:26:19.020    Info:   - '*.n.n.srv.nintendo.net'
10:26:19.020    Info:   - +.stun.playstation.net
10:26:19.020    Info:   - xbox.*.*.microsoft.com
10:26:19.023    Info:   - '*.*.xboxlive.com'
10:26:19.023    Info:   - '*.msftncsi.com'
10:26:19.024    Info:   - '*.msftconnecttest.com'
10:26:19.025    Info:   - '*.mcdn.bilivideo.cn'
10:26:19.026    Info:   default-nameserver:
10:26:19.026    Info:   - 223.5.5.5
10:26:19.026    Info:   - 119.29.29.29
10:26:19.026    Info:   - 8.8.4.4
10:26:19.026    Info:   - 1.0.0.1
10:26:19.026    Info:   nameserver-policy: {}
10:26:19.027    Info: 
10:26:19.027    Info: Start initial rule provider ad
10:26:19.027    Info: Start initial rule provider direct
10:26:19.027    Info: HTTP proxy listening at: 127.0.0.1:7890
10:26:19.027    Info: SOCKS proxy listening at: 127.0.0.1:7891
10:26:19.027 Warning: Failed to start Redir UDP Listener: operation not permitted
10:26:19.027    Info: Redirect proxy listening at: 127.0.0.1:7892
10:26:19.028   Error: Start Redir server error: operation not permitted
10:26:19.028    Info: Mixed(http+socks) proxy listening at: 127.0.0.1:7893
10:26:19.029   Debug: TUN: fd = 99, gateway = 172.19.0.1/30, portal = 172.19.0.2, dns = 172.19.0.2
10:26:22.160   Debug: [DNS] resolve api-ipv6.ip.sb error: couldn't find ip: api-ipv6.ip.sb
10:26:22.162 Warning: [TCP] dial DIRECT (match RuleSet/direct) to api-ipv6.ip.sb:443 error: couldn't find ip: api-ipv6.ip.sb

The output of curl -v https://api-ipv6.ip.sb/ip is as follows:

*   Trying 28.0.0.65:443...
* Connected to api-ipv6.ip.sb (28.0.0.65) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /data/data/com.termux/files/usr/etc/tls/cert.pem
*  CApath: /data/data/com.termux/files/usr/etc/tls/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, decode error (562):
* error:0A000126:SSL routines::unexpected eof while reading
* Closing connection 0
curl: (35) error:0A000126:SSL routines::unexpected eof while reading

It looks like after setting DNS to "Enable built-in" in the override, it does not simply go entirely through the system DNS?

ha-ku avatar Apr 26 '22 02:04 ha-ku

> It looks like after setting DNS to "Enable built-in" in the override, it does not simply go entirely through the system DNS?

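It does not go through the system DNS at all, because that would cause a loop.

dhcp://system only obtains the router-assigned DNS address from the system's network API.

"Built-in" is a DNS configuration pre-built into the project.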

Kr328 avatar Apr 26 '22 02:04 Kr328

Is the IPv6 switch turned on?

Kr328 avatar Apr 26 '22 02:04 Kr328

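The IPv6 switch in the general settings is turned on, as you can see in the second screenshot. It seems the IPv6 setting under DNS can't be changed when "Use built-in" is selected?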

ha-ku avatar Apr 26 '22 03:04 ha-ku

@ha-ku The one under DNS isn't needed; turning on the outermost one is enough.

It works on my side.

Kr328 avatar Apr 26 '22 03:04 Kr328

@Kr328 Turn Clash off, and in Termux run:

dig AAAA api-ipv6.ip.sb @223.5.5.5

Kr328 avatar Apr 26 '22 03:04 Kr328

~ $ dig AAAA api-ipv6.ip.sb @223.5.5.5

; <<>> DiG 9.16.27 <<>> AAAA api-ipv6.ip.sb @223.5.5.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32897
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;api-ipv6.ip.sb.                        IN      AAAA

;; ANSWER SECTION:
api-ipv6.ip.sb.         271     IN      AAAA    2606:4700:20::681a:c1f
api-ipv6.ip.sb.         271     IN      AAAA    2606:4700:20::ac43:4bac

;; Query time: 24 msec
;; SERVER: 223.5.5.5#53(223.5.5.5)
;; WHEN: Tue Apr 26 11:11:53 CST 2022
;; MSG SIZE  rcvd: 88

ha-ku avatar Apr 26 '22 03:04 ha-ku

I tried manually configuring the DNS override; the log output is as follows (my own IPv6-only DNS server supports both UDP and DoT):

# Capture on 2022-04-26 13:16:58.630
13:16:58.631    Info: [APP] Logcat level: info
13:16:58.633    Info: [APP] request force GC
13:17:00.393    Info: dns:
13:17:00.397    Info:   enable: true
13:17:00.403    Info:   ipv6: true
13:17:00.403    Info:   use-hosts: false
13:17:00.403    Info:   nameserver:
13:17:00.403    Info:   - udp://my.private.dns.server:53
13:17:00.405    Info:   fallback: []
13:17:00.406    Info:   fallback-filter:
13:17:00.407    Info:     geoip: false
13:17:00.407    Info:     geoip-code: CN
13:17:00.407    Info:     ipcidr: []
13:17:00.407    Info:     domain: []
13:17:00.409    Info:   listen: ""
13:17:00.410    Info:   enhanced-mode: redir-host
13:17:00.410    Info:   fake-ip-range: 198.18.0.1/16
13:17:00.411    Info:   fake-ip-filter: []
13:17:00.411    Info:   default-nameserver:
13:17:00.411    Info:   - 223.5.5.5
13:17:00.411    Info:   - 119.29.29.29
13:17:00.411    Info:   nameserver-policy: {}
13:17:00.412    Info: 
13:17:00.412    Info: Start initial rule provider ad
13:17:00.412    Info: Start initial rule provider direct
13:17:00.412    Info: HTTP proxy listening at: 127.0.0.1:7890
13:17:00.413    Info: SOCKS proxy listening at: 127.0.0.1:7891
13:17:00.413    Info: Mixed(http+socks) proxy listening at: 127.0.0.1:7893
13:17:01.185 Warning: [TCP] dial proxy (match Match/) to 91.108.56.197:443 error: my.proxy.server:port connect error: all DNS requests failed, first error: couldn't find ip: my.private.dns.server
13:17:02.089 Warning: [TCP] dial proxy (match Match/) to www.google.com:443 error: my.proxy.server:port connect error: all DNS requests failed, first error: couldn't find ip: my.private.dns.server

If my.private.dns.server in nameservers is hard-replaced with the corresponding IPv6 IP, it works normally.

ha-ku avatar Apr 26 '22 05:04 ha-ku
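
A triage sketch for captures like the ones quoted above, added here as an example and not part of the original thread or of ClashForAndroid: it reads the dumped `dns:` block and labels each `couldn't find ip` error as a resolver-bootstrap failure when the unresolved name is itself a configured nameserver host. The function names and the sample log (abridged from the captures above) are constructed for illustration.

```python
import re

# Constructed sample: lines abridged from the captures quoted in this thread.
SAMPLE_LOG = """\
13:17:00.393    Info: dns:
13:17:00.403    Info:   ipv6: true
13:17:00.403    Info:   nameserver:
13:17:00.403    Info:   - udp://my.private.dns.server:53
13:17:00.405    Info:   fallback: []
13:17:00.411    Info:   default-nameserver:
13:17:00.411    Info:   - 223.5.5.5
13:17:01.185 Warning: [TCP] dial proxy (match Match/) to 91.108.56.197:443 error: my.proxy.server:port connect error: all DNS requests failed, first error: couldn't find ip: my.private.dns.server
13:17:02.160   Debug: [DNS] resolve api-ipv6.ip.sb error: couldn't find ip: api-ipv6.ip.sb
"""

LINE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\w+: ?(.*)$")
KEY = re.compile(r"^([\w-]+):\s*(.*)$")
NOT_FOUND = re.compile(r"couldn't find ip: (\S+)")

def host_of(entry):
    """Host part of a nameserver entry such as udp://host:53 or 223.5.5.5."""
    rest = entry.strip("'\"").split("://", 1)[-1]
    if rest.startswith("["):  # bracketed IPv6 literal, e.g. [2001:db8::53]:53
        return rest[1:rest.index("]")]
    return rest.rsplit(":", 1)[0] if rest.count(":") == 1 else rest

def triage(log):
    """Return (dns_ipv6, nameserver_hosts, findings) for one capture."""
    ipv6, hosts, findings, section = None, [], [], None
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        key = KEY.match(body)
        if key:
            section = key.group(1)
            if section == "ipv6":
                ipv6 = key.group(2) == "true"
        elif body.startswith("- ") and section == "nameserver":
            hosts.append(host_of(body[2:]))
        for name in NOT_FOUND.findall(body):
            # A failing name that is itself a configured resolver means the
            # resolver could not be bootstrapped, so every lookup fails.
            kind = "resolver-bootstrap" if name in hosts else "destination"
            findings.append((kind, name))
    return ipv6, hosts, findings

print(triage(SAMPLE_LOG))
```
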

@ha-ku Can I ask you a question? I use the configuration that declared Tun mode:

tun:
  enable: true
  stack: system
  dns-hijack:
    - 1.1.1.1:53
  auto-route: true
  auto-detect-interface: true

but when run it will still error: Start Tun interface error: permission denied. Does Tun mode require the device to be Root to have the right to execute? Can you tell me what to do to use Tun mode on Clash for Android? Thank you!

kingsman1112 avatar Oct 24 '22 23:10 kingsman1112

@kingsman1112 ClashForAndroid already enables tun mode by default through https://developer.android.com/guide/topics/connectivity/vpn

Kr328 avatar Oct 25 '22 01:10 Kr328

Thank you, but because I see in your logcat @ha-ku there is Tun mode: TUN: fd = 99, gateway = 172.19.0.1/30, portal = 172.19.0.2, dns = 172.19.0.2, so I thought I had an error Tun interface error: permission blackie means Tun mode does not work.

kingsman1112 avatar Oct 25 '22 04:10 kingsman1112