ClashForAndroid
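[BUG] ERR_NAME_NOT_RESOLVED when accessing IPv6-only sites
Describe the bug
Accessing an IPv6-only domain through the proxy shows ERR_NAME_NOT_RESOLVED.
In the configuration override, IPv6 is force-enabled and use of the built-in DNS resolution is forced.
On the same device, Firefox, which is set per-app not to go through the proxy, can access the site normally,
so it should not be a problem with DNS itself.
CFW can also access it normally, so it should not be a core problem either.
How to reproduce
- Step 1: In an environment where IPv6 is available, use CFA to proxy Chrome
- Step 2: Use Chrome to visit an IPv6-only domain (such as https://api-ipv6.ip.sb/ip)
- Step 3: Chrome reports ERR_NAME_NOT_RESOLVED
- Step 4: Stop the CFA proxy
- Step 5: Chrome can access the IPv6-only domain normally again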
Device information
- Model: MI 10, MI MIX 4
- OS type: MIUI
- Android version: 12
App information
- Version: 2.5.8
- APK file name: cfa-2.5.8-premium-armeabi-v7a-release.apk
- App source: GitHub release
Configuration file
port: 7890
socks-port: 7891
redir-port: 7892
mixed-port: 7893
allow-lan: false
bind-address: "*"
mode: rule
log-level: info
proxies:
  - name: "proxy"
    type: http
    server: xxxxxxxxxxxxxxxxx
    port: xxxxx
    username: xxxxxxxxxxxxxxxxxxxx
    password: xxxxxxxx
    tls: true # https
    skip-cert-verify: false
rule-providers:
  ad:
    type: http
    behavior: classical
    path: ./ad.txt
    url: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    interval: 86400
  direct:
    type: http
    behavior: classical
    path: ./direct.txt
    url: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    interval: 86400
rules:
  - RULE-SET,ad,REJECT
  - RULE-SET,direct,DIRECT
  - MATCH,proxy
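Logs
No relevant log at all.
Specifically: between starting Logcat, accessing the IPv6-only address, and stopping Logcat, the only entry is `[APP] Logcat level: debug`
Screenshots
No response
Additional information
No response
Start recording the log before enabling the VPN
Oh, the ERR_NAME_NOT_RESOLVED looks like it is because I am using an IPv6-only private DNS, and the IP of the private DNS itself was not resolved either: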
[DNS] resolve my.private.dns.server error: couldn't find ip: my.private.dns.server
[TCP] dial DIRECT (match RuleSet/direct) to my.private.dns.server:853 error: couldn't find ip: my.private.dns.server
After turning off private DNS, I ran the test again with curl in termux. Here is the log:
# Capture on 2022-04-26 10:26:14.461
10:26:18.961 Info: dns:
10:26:18.965 Info: enable: true
10:26:18.968 Info: ipv6: false
10:26:18.968 Info: use-hosts: true
10:26:18.968 Info: nameserver:
10:26:18.980 Info: - 223.5.5.5
10:26:18.987 Info: - 119.29.29.29
10:26:18.992 Info: - 8.8.4.4
10:26:18.993 Info: - 1.0.0.1
10:26:18.995 Info: - dhcp://system
10:26:18.996 Info: fallback: []
10:26:18.996 Info: fallback-filter:
10:26:18.996 Info: geoip: false
10:26:18.997 Info: geoip-code: ""
10:26:18.997 Info: ipcidr: []
10:26:18.999 Info: domain: []
10:26:19.000 Info: listen: ""
10:26:19.000 Info: enhanced-mode: fake-ip
10:26:19.011 Info: fake-ip-range: 28.0.0.0/8
10:26:19.012 Info: fake-ip-filter:
10:26:19.012 Info: - +.stun.*.*
10:26:19.013 Info: - +.stun.*.*.*
10:26:19.013 Info: - +.stun.*.*.*.*
10:26:19.017 Info: - +.stun.*.*.*.*.*
10:26:19.020 Info: - lens.l.google.com
10:26:19.020 Info: - '*.n.n.srv.nintendo.net'
10:26:19.020 Info: - +.stun.playstation.net
10:26:19.020 Info: - xbox.*.*.microsoft.com
10:26:19.023 Info: - '*.*.xboxlive.com'
10:26:19.023 Info: - '*.msftncsi.com'
10:26:19.024 Info: - '*.msftconnecttest.com'
10:26:19.025 Info: - '*.mcdn.bilivideo.cn'
10:26:19.026 Info: default-nameserver:
10:26:19.026 Info: - 223.5.5.5
10:26:19.026 Info: - 119.29.29.29
10:26:19.026 Info: - 8.8.4.4
10:26:19.026 Info: - 1.0.0.1
10:26:19.026 Info: nameserver-policy: {}
10:26:19.027 Info:
10:26:19.027 Info: Start initial rule provider ad
10:26:19.027 Info: Start initial rule provider direct
10:26:19.027 Info: HTTP proxy listening at: 127.0.0.1:7890
10:26:19.027 Info: SOCKS proxy listening at: 127.0.0.1:7891
10:26:19.027 Warning: Failed to start Redir UDP Listener: operation not permitted
10:26:19.027 Info: Redirect proxy listening at: 127.0.0.1:7892
10:26:19.028 Error: Start Redir server error: operation not permitted
10:26:19.028 Info: Mixed(http+socks) proxy listening at: 127.0.0.1:7893
10:26:19.029 Debug: TUN: fd = 99, gateway = 172.19.0.1/30, portal = 172.19.0.2, dns = 172.19.0.2
10:26:22.160 Debug: [DNS] resolve api-ipv6.ip.sb error: couldn't find ip: api-ipv6.ip.sb
10:26:22.162 Warning: [TCP] dial DIRECT (match RuleSet/direct) to api-ipv6.ip.sb:443 error: couldn't find ip: api-ipv6.ip.sb
The output of
curl -v https://api-ipv6.ip.sb/ip
is as follows:
* Trying 28.0.0.65:443...
* Connected to api-ipv6.ip.sb (28.0.0.65) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /data/data/com.termux/files/usr/etc/tls/cert.pem
* CApath: /data/data/com.termux/files/usr/etc/tls/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, decode error (562):
* error:0A000126:SSL routines::unexpected eof while reading
* Closing connection 0
curl: (35) error:0A000126:SSL routines::unexpected eof while reading
It looks like, after the DNS setting in the override is set to "use built-in", it does not simply go through the system DNS?
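Yes, it does not use the system DNS at all, because that would cause a loop.
dhcp://system only obtains the router-assigned DNS address from the system's network API.
"Built-in" is a DNS configuration prebuilt into the project.
Is the ipv6 switch turned on?
The ipv6 switch in the general settings is turned on; you can see it in the second screenshot. The ipv6 setting under DNS also seems impossible to change when "use built-in" is selected?
@ha-ku The one under DNS is not needed; turning on the outermost one is enough.
It works here for me.
@Kr328 Turn off clash and, in termux, run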
dig AAAA api-ipv6.ip.sb @223.5.5.5
~ $ dig AAAA api-ipv6.ip.sb @223.5.5.5
; <<>> DiG 9.16.27 <<>> AAAA api-ipv6.ip.sb @223.5.5.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32897
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;api-ipv6.ip.sb. IN AAAA
;; ANSWER SECTION:
api-ipv6.ip.sb. 271 IN AAAA 2606:4700:20::681a:c1f
api-ipv6.ip.sb. 271 IN AAAA 2606:4700:20::ac43:4bac
;; Query time: 24 msec
;; SERVER: 223.5.5.5#53(223.5.5.5)
;; WHEN: Tue Apr 26 11:11:53 CST 2022
;; MSG SIZE rcvd: 88
I tried configuring the DNS override manually; the log output is as follows (my own IPv6-only DNS server supports both UDP and DoT):
# Capture on 2022-04-26 13:16:58.630
13:16:58.631 Info: [APP] Logcat level: info
13:16:58.633 Info: [APP] request force GC
13:17:00.393 Info: dns:
13:17:00.397 Info: enable: true
13:17:00.403 Info: ipv6: true
13:17:00.403 Info: use-hosts: false
13:17:00.403 Info: nameserver:
13:17:00.403 Info: - udp://my.private.dns.server:53
13:17:00.405 Info: fallback: []
13:17:00.406 Info: fallback-filter:
13:17:00.407 Info: geoip: false
13:17:00.407 Info: geoip-code: CN
13:17:00.407 Info: ipcidr: []
13:17:00.407 Info: domain: []
13:17:00.409 Info: listen: ""
13:17:00.410 Info: enhanced-mode: redir-host
13:17:00.410 Info: fake-ip-range: 198.18.0.1/16
13:17:00.411 Info: fake-ip-filter: []
13:17:00.411 Info: default-nameserver:
13:17:00.411 Info: - 223.5.5.5
13:17:00.411 Info: - 119.29.29.29
13:17:00.411 Info: nameserver-policy: {}
13:17:00.412 Info:
13:17:00.412 Info: Start initial rule provider ad
13:17:00.412 Info: Start initial rule provider direct
13:17:00.412 Info: HTTP proxy listening at: 127.0.0.1:7890
13:17:00.413 Info: SOCKS proxy listening at: 127.0.0.1:7891
13:17:00.413 Info: Mixed(http+socks) proxy listening at: 127.0.0.1:7893
13:17:01.185 Warning: [TCP] dial proxy (match Match/) to 91.108.56.197:443 error: my.proxy.server:port connect error: all DNS requests failed, first error: couldn't find ip: my.private.dns.server
13:17:02.089 Warning: [TCP] dial proxy (match Match/) to www.google.com:443 error: my.proxy.server:port connect error: all DNS requests failed, first error: couldn't find ip: my.private.dns.server
If I hard-replace my.private.dns.server in nameservers with its corresponding IPv6 address, it works normally.
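A triage helper for captures like the two above, added here as an example and not part of the thread or of Clash: it reads the DNS settings printed in the startup log and correlates them with `couldn't find ip` errors. The sample captures are constructed (`v6only.example` and `dns.example` are placeholder hosts), and the flat key parsing assumes the unindented log layout shown on this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

LINE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ (\w+):\s*(.*)$")  # "<time> <Level>: <body>"
KEYVAL = re.compile(r"^([\w-]+):\s*(.*)$")                  # flattened YAML "key: value"
UNRESOLVED = re.compile(r"couldn't find ip: (\S+)")

def ns_hostname(entry):
    """Hostname of a nameserver entry; None for IP literals and dhcp:// entries."""
    parts = urlsplit(entry if "://" in entry else "udp://" + entry)
    for candidate in (entry, parts.hostname or ""):
        try:
            ipaddress.ip_address(candidate)
            return None
        except ValueError:
            pass
    return None if parts.scheme == "dhcp" else parts.hostname

def diagnose(log_text):
    scalars, lists, current, failed = {}, {}, None, set()
    for raw in log_text.splitlines():
        if not (m := LINE.match(raw.strip())):
            continue
        body = m.group(2)
        failed.update(UNRESOLVED.findall(body))
        if body.startswith("- ") and current:
            lists.setdefault(current, []).append(body[2:].strip("'\""))
        elif kv := KEYVAL.match(body):
            key, value = kv.groups()
            # An empty value opens a list; later "- item" lines belong to it.
            scalars[key], current = value, (None if value else key)
    ns_hosts = {h for h in map(ns_hostname, lists.get("nameserver", [])) if h}
    findings = [f"nameserver host {h} itself failed to resolve"
                for h in sorted(failed & ns_hosts)]
    others = sorted(failed - ns_hosts)
    if scalars.get("ipv6") == "false" and others:
        findings.append("dns.ipv6 is false; unresolved: " + ", ".join(others))
    return findings

# Constructed captures in the page's log layout; hosts are placeholders.
SAMPLE_A = (
    "10:26:18.968 Info: ipv6: false\n10:26:18.968 Info: nameserver:\n"
    "10:26:18.980 Info: - 223.5.5.5\n10:26:18.995 Info: - dhcp://system\n"
    "10:26:22.160 Debug: [DNS] resolve v6only.example error: couldn't find ip: v6only.example\n")
SAMPLE_B = (
    "13:17:00.403 Info: ipv6: true\n13:17:00.403 Info: nameserver:\n"
    "13:17:00.403 Info: - udp://dns.example:53\n"
    "13:17:01.185 Warning: [TCP] dial proxy (match Match/) to 192.0.2.10:443 error: "
    "all DNS requests failed, first error: couldn't find ip: dns.example\n")
```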
@ha-ku Can I ask you a question? I use the configuration that declared Tun mode:
tun:
  enable: true
  stack: system
  dns-hijack:
    - 1.1.1.1:53
  auto-route: true
  auto-detect-interface: true
but when run, it still gives the error Start Tun interface error: permission denied
Does Tun mode require the device to be Root to have the right to execute?
Can you tell me what to do to use Tun mode on Clash for Android?
Thank you!
@kingsman1112 ClashForAndroid already enables tun mode by default through https://developer.android.com/guide/topics/connectivity/vpn
Thank you, but because I see in your logcat, @ha-ku, there is Tun mode: TUN: fd = 99, gateway = 172.19.0.1/30, portal = 172.19.0.2, dns = 172.19.0.2, so I thought I had an error Tun interface error: permission blackie means Tun mode does not work.