
[Bug] Enabling TUN mode on macOS causes some DNS requests to fail

Open levihuayuzhang opened this issue 1 year ago • 4 comments

Verify steps

  • [X] Ensure you are using the latest version of Mihomo or Mihomo Alpha from this repository.
  • [X] Is this something you can debug and fix? Send a pull request! Bug fixes and documentation fixes are welcome.
  • [X] I have searched on the issue tracker for a related issue.
  • [X] I have tested using the dev branch, and the issue still exists.
  • [X] I have read the documentation and was unable to solve the issue.
  • [X] This is an issue of the Mihomo core per se, not of the derivatives of Mihomo, like OpenMihomo or KoolMihomo.

Mihomo version

Mihomo Meta alpha-e6011301 darwin arm64 with go1.21.6 Sat Feb 3 07:02:18 UTC 2024 Use tags: with_gvisor

What OS are you seeing the problem on?

No response

Mihomo config

tun:
  enable: true
  stack: system # gvisor
  dns-hijack:
    - any:53
  auto-route: true
  auto-detect-interface: true
  strict-route: false # strict routing: prevents address leaks and makes DNS hijacking work on Android and on Linux with systemd-resolved, but your device will no longer be reachable from other devices

sniffer:
  enable: true
  force-dns-mapping: true
  parse-pure-ip: true
  override-destination: true
  sniff:
    HTTP:
      ports: [80, 8080-8880]
      override-destination: true
    TLS:
      ports: [443, 8443]
    QUIC:
      ports: [443, 8443]
  force-domain:
    - +.v2ex.com

dns:
  enable: true
  prefer-h3: true
  listen: 0.0.0.0:1053
  ipv6: false
  use-hosts: true
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  fake-ip-filter:
    - '*.lan'
    - localhost.ptlogin2.qq.com
  default-nameserver:
    - 223.5.5.5
    # - system # append DNS server from system configuration. If not found, it would print an error log and skip.
  nameserver:
    - quic://dns.alidns.com:784
    - https://dns.alidns.com/dns-query#h3=true
  proxy-server-nameserver:
    - https://dns.alidns.com/dns-query#h3=true
  fallback:
    - tls://8.8.4.4
    - tls://1.1.1.1
  fallback-filter:
    geoip: true
    geoip-code: CN # when the IP returned by a nameserver resolves to CN in the geoip database, the fallback DNS results are not used
    geosite:
      - gfw
      - geolocation-!cn
    ipcidr:
      - 240.0.0.0/4
    domain:
      - '+.google.com'
      - '+.facebook.com'
      - '+.youtube.com'
  nameserver-policy:
    "geosite:cn,private,apple":
      - quic://dns.alidns.com:784
      - https://dns.alidns.com/dns-query#h3=true
    "geosite:category-ads-all": rcode://success
    "rule-set:reject,ad": rcode://success
    "rule-set:direct,apple,icloud": https://dns.alidns.com/dns-query#h3=true
    "rule-set:gfw,proxy,google": tls://1.1.1.1

Mihomo log

connect error: dns resolve failed: all DNS requests failed, first error: failed to reset http client:

Description

The mihomo core was built from the Alpha branch source.

Behaviour after enabling TUN: all requests that go through the proxy work normally, but all direct connections error out. This problem seems to occur on Linux as well.

levihuayuzhang, Feb 03 '24 07:02

@levihuayuzhang Keep only nameserver in the dns section, and don't use HTTP/3.

xishang0128, Feb 03 '24 07:02

Thanks for the hint. After testing: every DNS entry involving h3 and QUIC errors out. Plain DoH is fine.

levihuayuzhang, Feb 03 '24 08:02

But with TUN disabled, h3 and QUIC seem to work.

levihuayuzhang, Feb 03 '24 08:02

@levihuayuzhang UDP initiated by meta may, for some odd reasons, flow back into the tun, so it may be blocked by the rules.

xishang0128, Feb 03 '24 08:02
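The combination the thread narrows down (TUN enabled plus DoQ or DoH-over-HTTP/3 upstreams, whose UDP can re-enter the tun) can be flagged before a config is deployed. This is an added example, not code from mihomo or from anyone in the thread: the sample config is a constructed excerpt of the one posted above, and the line-based YAML scan is deliberately minimal (a top-level `tun:` block and single-line values only).

```python
import re

# Constructed excerpt of the tun/dns config posted in this issue.
SAMPLE_CONFIG = """\
tun:
  enable: true
dns:
  enable: true
  prefer-h3: true
  nameserver:
    - quic://dns.alidns.com:784
    - https://dns.alidns.com/dns-query#h3=true
  proxy-server-nameserver:
    - https://dns.alidns.com/dns-query#h3=true
  nameserver-policy:
    "geosite:cn,private,apple":
      - quic://dns.alidns.com:784
      - https://dns.alidns.com/dns-query#h3=true
    "rule-set:gfw,proxy,google": tls://1.1.1.1
"""

# DoQ (quic://) and DoH with the h3 flag both reach the upstream over UDP/QUIC.
QUIC_UPSTREAM = re.compile(r"""(quic://[^\s'"]+|https://[^\s'"]+#h3=true)""")
# 'tun:' at column 0, then indented lines up to an 'enable: true'.
TUN_ON = re.compile(r"^tun:\n(?:[ \t]+.*\n)*?[ \t]+enable:\s*true\b", re.M)

def strip_comment(line):
    # A YAML comment needs whitespace before '#', so '...#h3=true' is kept.
    return re.sub(r"\s#.*$", "", line)

def tun_enabled(config_text):
    return TUN_ON.search(config_text) is not None

def quic_upstreams(config_text):
    """Return [(line_no, url)] for every DNS upstream that uses QUIC."""
    return [(no, m.group(1))
            for no, line in enumerate(config_text.splitlines(), 1)
            for m in QUIC_UPSTREAM.finditer(strip_comment(line))]

def check_config(config_text):
    """Warnings for the combination from this issue: TUN enabled plus QUIC DNS.
    The workaround given in the thread is plain DoH/DoT upstreams under nameserver."""
    if not tun_enabled(config_text):
        return []
    warnings = [f"line {no}: {url} is QUIC; the core's UDP may re-enter the tun"
                for no, url in quic_upstreams(config_text)]
    if re.search(r"^\s+prefer-h3:\s*true\b", config_text, re.M):
        warnings.append("dns.prefer-h3: true asks DoH to prefer HTTP/3 (QUIC)")
    return warnings
```

Running `check_config` on a config with the QUIC entries replaced by plain `https://dns.alidns.com/dns-query` and `prefer-h3: false` returns no warnings, which is the shape of the workaround suggested above.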