
[Bug Report] DNS may hang

Open akiooo45 opened this issue 10 months ago • 7 comments

Checks

  • [x] I have searched the existing issues
  • [x] I have read the documentation
  • [ ] Is it your first time submitting an issue

Current Behavior

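When the DNS server (e.g. udp://8.8.8.8:53) is reached through the proxy, and the number of queries grows too large or after a DNS benchmark, dae's DNS shows the following symptoms, including but not limited to:

1. Resolution through foreign DNS servers becomes slow
2. Node domain names cannot be resolved
3. Some domain resolutions time out
4. Compared with DNS queries that do not go through the proxy, the number of failed resolutions increases noticeably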

Expected Behavior

When DNS goes through the proxy, DNS resolution works normally, with no more timeouts or resolution failures.

Steps to Reproduce

1. In dae's DNS upstream, set "tcp+udp://1.1.1.1:53", and add the following rule to route: "dip(8.8.8.8) && dport(53)->proxy"
2. On a DHCP client device behind dae, run the Python script below (first change '172.17.17.1' in the script to dae's address)

```python
# main.py
import socket
import threading
import time
from dnslib import DNSRecord, DNSQuestion, QTYPE


class DNSTester(threading.Thread):
    def __init__(self, domain, num_requests, server_ip):
        super().__init__()
        self.domain = domain
        self.num_requests = num_requests
        self.server_ip = server_ip
        self.responses = []
        self.start_time = None

    def run(self):
        for _ in range(self.num_requests):
            sock = None
            try:
                # Build the DNS query
                record = DNSRecord(q=DNSQuestion(self.domain, QTYPE.A))
                packet = record.pack()
                # Send the query and measure the response time
                sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
                sock.settimeout(1)
                start_time = time.time()
                sock.sendto(packet, (self.server_ip, 53))
                data = sock.recvfrom(4096)
                end_time = time.time()
                rtt = end_time - start_time
                self.responses.append(rtt)
            except Exception:
                self.responses.append(float('inf'))  # Record infinity to mark a failure
            finally:
                if sock:
                    sock.close()

    def get_success_responses(self):
        return [rt for rt in self.responses if rt != float('inf')]


def main():
    target_domains = ['www.youtube.com', 'www.google.com', 'www.hub.docker.com']
    server_ip = '172.17.17.1'

    # Read user input (prompts: total number of requests, number of threads)
    total_requests = int(input("请输入总请求数:"))
    threads = int(input("请输入线程数:"))

    threads_per_domain = total_requests // len(target_domains)

    testers = []
    for domain in target_domains:
        t = DNSTester(domain, threads_per_domain, server_ip)
        testers.append(t)

    for t in testers:
        t.start()

    for t in testers:
        t.join()

    # Collect all response times
    all_responses = []
    for t in testers:
        all_responses += t.responses

    success_count = sum(1 for rt in all_responses if rt != float('inf'))
    total_count = len(all_responses)

    if total_count == 0:
        print("没有响应")
    else:
        # Failures are stored as inf, so these figures become inf once any query fails
        avg_rt = sum(all_responses) / total_count
        max_rt = max(all_responses)
        min_rt = min(all_responses)

        # Compute statistics over successful responses only
        success_rt_sum = sum(rt for rt in all_responses if rt != float('inf'))
        if success_count > 0:
            avg_success_rt = success_rt_sum / success_count
        else:
            avg_success_rt = 0.0
        total_rt_sum = sum(all_responses)

        print(f"测试完成:总请求数:{total_requests}")
        print(f"成功请求数:{success_count}")
        print(f"总响应时间:{total_rt_sum:.3f}s")
        print(f"平均响应时间:{avg_rt:.3f}s")
        print(f"最短响应时间:{min_rt:.3f}s")
        print(f"最长响应时间:{max_rt:.3f}s")
        print(f"平均成功响应时间:{avg_success_rt:.3f}s")


if __name__ == "__main__":
    main()
```


Environment

  • Dae version (use `dae --version`): v1.0.0rc1
  • OS (e.g. `cat /etc/os-release`): Debian GNU/Linux 12 (bookworm) x86_64
  • Kernel (e.g. `uname -a`): 6.12.9+bpo-amd64
  • Others:

Anything else?

No response

akiooo45 avatar Feb 28 '25 14:02 akiooo45
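
An added example, not part of the original report: the script above counts any received datagram as a success and every exception as a failure, so it cannot tell the reported symptoms apart. The sketch below classifies each reply as timeout, SERVFAIL, NXDOMAIN, ID mismatch and so on, using only the standard library; the function names and the header-only sample replies are constructed for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(domain, txid):
    """Encode a minimal recursive A query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(data, txid):
    """Label one reply datagram instead of treating any packet as success."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return "id-mismatch"      # reply belongs to a different query
    if not flags & 0x8000:
        return "not-a-response"   # QR bit clear
    if flags & 0x0200:
        return "truncated"        # TC bit set, resolver expects a TCP retry
    rcode = flags & 0x000F
    if rcode:
        return RCODES.get(rcode, f"rcode-{rcode}")
    return "answer" if ancount else "empty-answer"

def probe(server_ip, domain, txid, timeout=1.0):
    """Send one UDP query (e.g. to the dae address 172.17.17.1) and classify it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(domain, txid), (server_ip, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
        except OSError as exc:
            return f"socket-error:{exc.errno}"
    return classify_response(data, txid)

def sample_reply(txid, flags, ancount):
    """Constructed sample: header-only reply bytes for offline checks."""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
```

Counting the labels returned by `probe` per domain, with and without the proxy rule, shows whether failures are silent drops (timeouts) or explicit error replies.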

Thanks for opening this issue!

dae-prow[bot] avatar Feb 28 '25 14:02 dae-prow[bot]

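@akiooo45 Please set up a relay server yourself (e.g. clash or xray), then have dae connect to that relay server (preferably the two should not be on the same device), and check whether dae is frantically querying DNS while nothing at all shows up in the logs.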

MarksonHon avatar Feb 28 '25 22:02 MarksonHon

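I ran into the same problem during a recent nixos rebuild. The build server where dae is deployed queries directory files under the cache.nixos.org domain in large volume over a long period. With dae enabled, it reports a large number of domain-resolution errors, while fetching the corresponding files individually with curl works fine. Turning dae off and building with a standalone clash-proxy also works fine. The config.dae used is at the link. @MarksonHon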

soulwhisper avatar Mar 10 '25 01:03 soulwhisper

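I ran into this problem yesterday too. dae runs on OpenWrt as the main router, proxying the LAN, and everything was fine, but at some point my computer suddenly lost its connections to github.com and steam. I then tried refreshing, but I could not see any DNS requests from this computer in the dae log, and the pages still would not load on the computer.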

Config: https://github.com/daeuniverse/dae/discussions/770#discussion-8033692

Mapleshade20 avatar Mar 15 '25 03:03 Mapleshade20

Dae sometimes seems unable to hijack systemd-resolved traffic; using dig on its own works fine. No request records from dae show up in the AdGuard Home dashboard.

Kimiblock avatar Mar 23 '25 12:03 Kimiblock

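The same problem occurs when dae is deployed on a wireless router. Setting lan_interface to br-lan makes devices connected to the router by Ethernet cable unable to resolve domain names, and access to the DNS server times out. If lan_interface is set to eth0, DNS works normally, but then dae no longer proxies the devices on the wired ports.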

With lan_interface set to br-lan, wireless devices going online through this router have working DNS and proxying.

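I don't know what dae's hijacking mechanism is. Does the client's UDP packet to port 53 reach the DNS server first, and dae then hijacks the port-53 UDP packets that the DNS server sends upstream?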

muziling avatar Jul 01 '25 05:07 muziling

[!NOTE] The following content has been translated from its original language using an automated process powered by a proprietary API. Segments originally written in English have been preserved, while non-English portions have been machine-translated for readability. Please be aware that minor inaccuracies may exist due to the automated nature of the translation.

There is also this issue with devices connected via Ethernet cables to a wireless router. If the lan_interface is set to br-lan, devices connected via Ethernet cables to the router will be unable to resolve domains and access DNS servers will time out. If the lan_interface is set to eth0, DNS works normally, but the traffic from wireless devices will not be properly routed to the LAN interface.

dae-intelligence[bot] avatar Jul 01 '25 11:07 dae-intelligence[bot]