shadowsocks-android icon indicating copy to clipboard operation
shadowsocks-android copied to clipboard
verified publisher icon shadowsocks

Can't connect properly after turning on private DNS feature on Android 10+

Open marierose147 opened this issue 5 years ago • 9 comments

Describe the bug After turning on Android's private DNS feature, it cannot connect properly.

To Reproduce Steps to reproduce the behavior:

  1. Turn on the private DNS function inside the Android system settings, set the DNS server to dns.google.
  2. Set the profile to use custom rules.
  3. Only google.com and its subdomains are configured in the custom rules.
  4. After initiating the connection, it was not possible to successfully connect to google.com.

Expected behavior Successfully connected to google.com.

Screenshots Screenshot_20200511-102952_Shadowsocks

Smartphone (please complete the following information):

  • Android version: Android 10 with OneUI 2.1
  • Device: Samsung Galaxy S10
  • Version: v5.1.0
  • Last version that did not exhibit the issue: v5.0.6

Configuration

  • [x] IPv4 server address
  • [ ] IPv6 server address
  • [x] Client IPv4 availability
  • [ ] Client IPv6 availability
  • Encrypt method: xchacha20-ietf-poly1305
  • Route
    • [ ] All
    • [ ] Bypass LAN
    • [ ] Bypass China
    • [ ] Bypass LAN & China
    • [ ] GFW List
    • [ ] China List
    • [x] Custom rules
  • [ ] IPv6 route
  • [x] Apps VPN mode
    • [ ] Bypass mode
  • Remote DNS: 1dot1dot1dot1.cloudflare-dns.com
  • [x] DNS over UDP
  • Plugin configuration (if applicable):
  • [ ] Auto Connect
  • [x] TCP Fast Open
  • If you're not using VPN mode, please supply more details here:

Additional context

  • This problem exists whether the Remote DNS feature is turned on or off.
  • There is a problem only in custom rule mode, global mode works fine.
  • With Android's private DNS feature turned off, you can connect properly.
  • This problem exists whether the DNS server is set to dns.google, 1dot1dot1dot1.cloudflare-dns.com, dns.quad9.net or dns.alidns.com.

marierose147 avatar May 11 '20 02:05 marierose147

Ooh interesting. Looks like something is failing, which is causing sslocal to bypass the connection.

Mygod avatar May 11 '20 03:05 Mygod

@madeye Apparently on Android 10, if private DNS is enabled, it will be used even for VPN connections (as opposed to not on Android 9). It was working in v5.0.x because shadowsocks-libev was using sni_parser to force redirect traffic.

Mygod avatar May 11 '20 04:05 Mygod

https://issuetracker.google.com/issues/141674015#comment6

Mygod avatar May 11 '20 04:05 Mygod

For now, either turn off private DNS, or add IP blocks to be proxied to custom rules as well. Adding back sni_parser does not sound like a desirable thing to do.

Mygod avatar May 11 '20 04:05 Mygod

I think the behavior is expected, if the ACL doesn't include the rules for that private DNS, we should not proxy it.

madeye avatar May 11 '20 08:05 madeye

The issue is that no matter what ACL is, the system will not use our DNS relay other than resolving private DNS hostname...

Mygod avatar May 11 '20 17:05 Mygod

For now, let's see if Google is willing to implement any changes to private DNS with VPN. If not, we might need to do some nasty changes.

Mygod avatar May 13 '20 16:05 Mygod

It's been 5 months and by the looks of it, Google is not willing to do anything about it. 1 It's even described as a bug in Android 9 which was "fixed in Android 10". IMHO there is no way they change it back.

christaikobo avatar Oct 18 '20 14:10 christaikobo