mihomo
[Bug] DNS leak with TProxy on Android
Verify steps
- [X] Ensure you are using the latest version of Mihomo or Mihomo Alpha from this repository.
- [ ] Is this something you can debug and fix? Send a pull request! Bug fixes and documentation fixes are welcome.
- [X] I have searched on the issue tracker for a related issue.
- [X] I have tested using the dev branch, and the issue still exists.
- [X] I have read the documentation and was unable to solve the issue.
- [X] This is an issue of the Mihomo core per se, not to the derivatives of Mihomo, like OpenMihomo or KoolMihomo.
Mihomo version
Mihomo Meta v1.18.3 android arm64 with go1.22.1 Fri Mar 29 11:56:18 UTC 2024 Use tags: with_gvisor
What OS are you seeing the problem on?
Linux
Mihomo config
```yaml
mixed-port: 8848
redir-port: 6969
tproxy-port: 1145
allow-lan: true
mode: Rule
geodata-mode: true
unified-delay: true
log-level: silent
ipv6: true
external-controller: 0.0.0.0:9090
# Dashboard defaults to Meta; Yacd is optional. Clear the browser cache to reload.
external-ui: ./dashboard/Meta #Yacd
secret: ""
tcp-concurrent: true
enable-process: true
find-process-mode: strict
global-client-fingerprint: random
#####################
# When modifying the config file, it is recommended to stop the module service first, then save.
#####################
geox-url:
  geoip: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip.dat"
  geosite: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat"
  mmdb: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/country.mmdb"
profile:
  store-selected: true
  store-fake-ip: true
sniffer:
  enable: true
  sniff:
    TLS:
      ports: [443, 8443]
    HTTP:
      ports: [80, 8080-8880]
      override-destination: true
tun:
  enable: false
  device: tun0
  stack: system
  dns-hijack:
    - 'any:53'
    - 'tcp://any:53'
  auto-route: true
  auto-detect-interface: true
dns:
  enable: true
  prefer-h3: true
  listen: 0.0.0.0:1053
  ipv6: true
  enhanced-mode: fake-ip
  fake-ip-range: 28.0.0.1/8
  fake-ip-filter:
    - '*'
    - '+.lan'
    - 'connect.rom.miui.com'
    - 'localhost.ptlogin2.qq.com'
  nameserver:
    - https://doh.pub/dns-query
    - https://dns.alidns.com/dns-query
proxy-providers:
  1.主要地址:
    <<: *p
    ---------
    path: ./proxy_providers/subscribe1.yaml
    # Note! If your subscription link contains the "&" character, remove it.
  2.备用地址:
    <<: *p
    url:-------
    path: ./proxy_providers/subscribe2.yaml
    # Note! If your subscription link contains the "&" character, remove it.
proxy-groups:
  - {name: 🎯 总模式, type: select, proxies: [🚀 自有设施,♻️ 自有自动,🛫 机场选择,♻️ 自动机场,🌎 全球直连]}
  - {name: 🚀 自有设施, type: select, proxies: [♻️ 自有自动,负载均衡GRPC-CDN,负载均衡WS-CDN,负载均衡hysteria2,🌎 全球直连], <<: *n}
  - {name: 🛫 机场选择, type: select, proxies: [♻️ 自动机场,✈️hk负载均衡机场,🌎 全球直连], <<: *c,exclude-filter: "港"}
  - {name: ♻️ 自有自动, <<: *n, tolerance: 2, type: url-test,proxies: [负载均衡GRPC-CDN,负载均衡WS-CDN],exclude-filter: "hysteria*"}
  - {name: ♻️ 自动机场, <<: *c, tolerance: 2, type: url-test,proxies: [✈️hk负载均衡机场],exclude-filter: "港",lazy: true}
  - {name: 🤖 OpenAI, type: select, proxies: [🎯 总模式,🚀 自有设施,♻️ 自有自动,🛫 机场选择,♻️ 自动机场,🌎 全球直连]}
  - {name: 📲 电报信息, type: select, proxies: [🎯 总模式,🚀 自有设施,♻️ 自有自动,🛫 机场选择,♻️ 自动机场,🌎 全球直连]}
  - {name: 🎬 油管视频, type: select, proxies: [🎯 总模式,🚀 自有设施,♻️ 自有自动,🛫 机场选择,♻️ 自动机场,🌎 全球直连]}
  - {name: 📹 奈飞视频, type: select, proxies: [🎯 总模式,🚀 自有设施,♻️ 自有自动,🛫 机场选择,♻️ 自动机场,🌎 全球直连]}
  - {name: 📢 谷歌服务, type: select, proxies: [🎯 总模式,🚀 自有设施,♻️ 自有自动,🛫 机场选择,♻️ 自动机场,🌎 全球直连]}
  - {name: Ⓜ️ 微软服务, type: select, proxies: [🎯 总模式,🚀 自有设施,♻️ 自有自动,🛫 机场选择,♻️ 自动机场,🌎 全球直连]}
  - {name: 🍎 苹果服务, type: select, proxies: [🎯 总模式,🚀 自有设施,♻️ 自有自动,🛫 机场选择,♻️ 自动机场,🌎 全球直连]}
  - {name: 🎮 Discord, type: select, proxies: [🎯 总模式,🚀 自有设施,♻️ 自有自动,🛫 机场选择,♻️ 自动机场,🌎 全球直连]}
  - {name: 📸 国际抖音, type: select, proxies: [🎯 总模式,🚀 自有设施,♻️ 自有自动,🛫 机场选择,♻️ 自动机场,🌎 全球直连]}
  - {name: 📷 中国抖音, type: select, proxies: [🌎 全球直连,🎯 总模式,🚀 自有设施,♻️ 自有自动,🛫 机场选择,♻️ 自动机场]}
  - {name: 🎹 网易音乐, type: select, proxies: [🌎 全球直连,🎯 总模式,🚀 自有设施,♻️ 自有自动,🛫 机场选择,♻️ 自动机场]}
  - {name: 🛑 广告拦截, type: select, proxies: [REJECT,🌎 全球直连]}
  - {name: 🐋 漏网之鱼, type: select, proxies: [🎯 总模式,🌎 全球直连]}
  - {name: 🌎 全球直连, type: select, proxies: [DIRECT]}
rule-providers:
  Telegram:
    type: http
    behavior: classical
    format: yaml
    path: ./rule/Telegram.yaml
    url: "https://raw.githubusercontent.com/ACL4SSR/ACL4SSR/master/Clash/Providers/Ruleset/Telegram.yaml"
    interval: 86400
  Youtube:
    type: http
    behavior: classical
    format: yaml
    path: ./rule/Youtube.yaml
    url: "https://raw.githubusercontent.com/ACL4SSR/ACL4SSR/master/Clash/Providers/Ruleset/Telegram.yaml"
    interval: 86400
  Google:
    type: http
    behavior: classical
    format: yaml
    path: ./rule/Google.yaml
    url: "https://raw.githubusercontent.com/ACL4SSR/ACL4SSR/master/Clash/Providers/Ruleset/Google.yaml"
    interval: 86400
  Microsoft:
    type: http
    behavior: classical
    format: yaml
    path: ./rule/Microsoft.yaml
    url: "https://raw.githubusercontent.com/ACL4SSR/ACL4SSR/master/Clash/Providers/Ruleset/Microsoft.yaml"
    interval: 86400
  Apple:
    type: http
    behavior: classical
    format: yaml
    path: ./rule/Apple.yaml
    url: "https://raw.githubusercontent.com/ACL4SSR/ACL4SSR/master/Clash/Providers/Ruleset/Apple.yaml"
    interval: 86400
  Openai:
    type: http
    behavior: classical
    format: yaml
    path: ./rule/Openai.yaml
    url: "https://raw.githubusercontent.com/ACL4SSR/ACL4SSR/master/Clash/Providers/Ruleset/OpenAi.yaml"
    interval: 86400
  Netflix:
    type: http
    behavior: classical
    format: yaml
    path: ./rule/Netflix.yaml
    url: "https://raw.githubusercontent.com/ACL4SSR/ACL4SSR/master/Clash/Providers/Ruleset/Netflix.yaml"
    interval: 86400
  AWAvenue:
    type: http
    behavior: domain
    format: yaml
    path: ./rule/AWAvenue-Ads-Rule-Clash.yaml
    url: "https://raw.githubusercontent.com/TG-Twilight/AWAvenue-Ads-Rule/main/Filters/AWAvenue-Ads-Rule-Clash.yaml"
    interval: 86400
rules:
  - AND,((PROCESS-NAME,clash),(NOT,((IN-TYPE,inner)))),REJECT
  - PROCESS-NAME,com.zhiliaoapp.musically,📸 国际抖音
  - PROCESS-NAME,com.ss.android.ugc.aweme,📷 中国抖音
  - PROCESS-NAME,com.netease.cloudmusic,🎹 网易音乐
  - RULE-SET,Youtube,🎬 油管视频
  - RULE-SET,Netflix,📹 奈飞视频
  - RULE-SET,Google,📢 谷歌服务
  - RULE-SET,Apple,🍎 苹果服务
  - RULE-SET,Microsoft,Ⓜ️ 微软服务
  - RULE-SET,Telegram,📲 电报信息
  - RULE-SET,Openai,🤖 OpenAI
  - RULE-SET,AWAvenue,REJECT
  - GEOSITE,category-ads-all,🛑 广告拦截
  - GEOSITE,CN,🌎 全球直连
  - GEOIP,private,🌎 全球直连,no-resolve
  - GEOIP,CN,🌎 全球直连,no-resolve
  - MATCH,🐋 漏网之鱼
```
Mihomo log
No response
Description
Tested on the Magisk modules 'Surfing' and 'box for root', and a DNS leak is confirmed with both modules by testing on ipleak.net. Both are using pure tproxy configurations. However, using tun and tproxy(tcp)+tun(udp) will not cause DNS leaks.
no log no bug
How to set up tproxy(tcp)+tun(udp) on an Android Magisk module? Thanks.