配置 GEOIP 类规则后所有走代理域名 dns 本地泄漏问题 #2732
Replies: 8 comments 2 replies
-
|
域名匹配ip规则必须解析,这不是bug |
Beta Was this translation helpful? Give feedback.
-
谢谢回复,个人浊见,如果进来的是域名,1. 域名属于 geosite 中的 DIRECT, 就本地解析。2. 域名属于 PROXY, 就代理远程解析。这样可以吗? |
Beta Was this translation helpful? Give feedback.
-
|
你要分类解析就去写dns/nameserver-policy去,和rule没关系 |
Beta Was this translation helpful? Give feedback.
-
明白,我去试试 |
Beta Was this translation helpful? Give feedback.
-
不解析怎么知道是不是proxy? |
Beta Was this translation helpful? Give feedback.
-
我之前是这么想的,已经配了域名规则,从 mixed 口进来的是域名,就域名匹配优先,域名匹配成功就知道是不是 proxy,然后把域名送出去到 proxy 连接了。 |
Beta Was this translation helpful? Give feedback.
-
|
我原先想的是: 如果进来的是 IP, 就 IP 规则优先:
如果进来的是 域名,就 域名 规则优先,
|
Beta Was this translation helpful? Give feedback.
-
|
因为你一个geoip:cn没有写no-resolve,会强制resolve才能通过这条规则继续往下 |
Beta Was this translation helpful? Give feedback.
-
|
是的,你说的对,我问完问题后就在找解决方法,加上就可以了。而且要强调一点,必需所有 geoip 类规则都加 no-resolve,否则就泄漏 |
Beta Was this translation helpful? Give feedback.
-
|
现在是只要满足这两个条件时,就一定会泄漏
此时所有通过代理访问的域名都会传回国内服务器,就裸奔啦。 |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
验证步骤
操作系统
Linux
系统版本
openwrt 25.12.0
Mihomo 版本
mihomo 版本:
配置文件
描述
在 OPENWRT 路由器上安装了 mihomo, 只配置了一个 mixed 入口(没有配置 TUN),域名分流分两种,一种走 DIRECT, 一种走 PROXY,没有配置 DNS 块,我发现, 所有走 PROXY 的域名,都会先本地查询(用路由的 127.0.0.1:53 查询),然后再向代理查询。PROXY 的绝大多数域名从本地解析不但拿不到结果,还向运营商大规模造成了泄露。
重现方式
每次都是这样。
日志
Beta Was this translation helpful? Give feedback.
All reactions