
CNAME doesn't follow domain-rules #1743

Closed
zonyitoo opened this issue May 24, 2024 · 4 comments

Comments

@zonyitoo

zonyitoo commented May 24, 2024

Requirement / use case

api.pinterest.com is being hijacked, so I use a domain-rule to have it resolved by a trusted overseas DNS server:

domain-rules /pinterest.com/ -nameserver oversea -ipset #4:gfwlist,#6:gfwlist6 -speed-check-mode none

However, some overseas DNS servers return a CNAME when resolving api.pinterest.com, and the CNAME target domain is not covered by domain-rules, so it still gets hijacked.

Below is the log of the dnsmasq instance in front; the actual domain is resolved by smartdns.

Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: query[A] api.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: forwarded api.pinterest.com to 127.0.0.1#6051
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: query[AAAA] api.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: forwarded api.pinterest.com to 127.0.0.1#6051
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply api.pinterest.com is <CNAME>
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 151.101.192.84
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 23.54.56.217
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 151.101.64.84
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 151.101.0.84
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 151.101.128.84
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 23.193.119.210
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 23.193.119.203
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 172.64.149.192
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 146.75.112.84
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 151.101.228.84
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 104.18.38.64
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 2606:4700:4400::ac40:95c0
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 2a04:4e42:1a::84
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 2600:140b:1e00:11::17db:aa27
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 2600:140b:1e00:11::17db:aa1c
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 2606:4700:4400::6812:2640
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply api.pinterest.com is NODATA-IPv6
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: query[AAAA] prod.pinterest.global.map.fastly.net from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: forwarded prod.pinterest.global.map.fastly.net to 127.0.0.1#6051
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 2a03:2880:f126:83:face:b00c:0:25de
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 2a03:2880:f12c:183:face:b00c:0:25de
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 2a03:2880:f11b:83:face:b00c:0:25de
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: query[A] trk.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: forwarded trk.pinterest.com to 127.0.0.1#6051
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: query[AAAA] trk.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: forwarded trk.pinterest.com to 127.0.0.1#6051
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply trk.pinterest.com is <CNAME>
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply trk.pinterest.com is <CNAME>
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: query[A] api.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: forwarded api.pinterest.com to 127.0.0.1#6051
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: reply api.pinterest.com is <CNAME>
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 151.101.192.84
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 23.54.56.217
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 151.101.64.84
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 151.101.0.84
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 151.101.128.84
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: query[AAAA] prod.pinterest.global.map.fastly.net from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: forwarded prod.pinterest.global.map.fastly.net to 127.0.0.1#6051
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 2a03:2880:f10f:83:face:b00c:0:25de
Sat May 25 02:04:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 2a03:2880:f126:83:face:b00c:0:25de
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: query[AAAA] trk.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: forwarded trk.pinterest.com to 127.0.0.1#6051
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: query[A] trk.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: forwarded trk.pinterest.com to 127.0.0.1#6051
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: reply trk.pinterest.com is <CNAME>
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: reply trk.pinterest.com is <CNAME>
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: query[HTTPS] assets.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: forwarded assets.pinterest.com to 127.0.0.1#6051
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: query[AAAA] assets.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: forwarded assets.pinterest.com to 127.0.0.1#6051
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: query[A] assets.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: forwarded assets.pinterest.com to 127.0.0.1#6051
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: reply assets.pinterest.com is NODATA
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: reply assets.pinterest.com is <CNAME>
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 151.101.228.84
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: query[HTTPS] dualstack.pinterest.map.fastly.net from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: forwarded dualstack.pinterest.map.fastly.net to 127.0.0.1#6051
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is NODATA
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: reply assets.pinterest.com is <CNAME>
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: query[AAAA] dualstack.pinterest.map.fastly.net from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: forwarded dualstack.pinterest.map.fastly.net to 127.0.0.1#6051
Sat May 25 02:06:05 2024 daemon.info dnsmasq[1]: reply dualstack.pinterest.map.fastly.net is 2a03:2880:f10a:83:face:b00c:0:25de
Sat May 25 02:06:21 2024 daemon.info dnsmasq[1]: query[HTTPS] api-pinterest-com-eip-akadns-net.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:21 2024 daemon.info dnsmasq[1]: forwarded api-pinterest-com-eip-akadns-net.pinterest.com to 127.0.0.1#6051
Sat May 25 02:06:21 2024 daemon.info dnsmasq[1]: reply api-pinterest-com-eip-akadns-net.pinterest.com is NODATA
Sat May 25 02:06:21 2024 daemon.info dnsmasq[1]: query[AAAA] api-pinterest-com-eip-akadns-net.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:21 2024 daemon.info dnsmasq[1]: forwarded api-pinterest-com-eip-akadns-net.pinterest.com to 127.0.0.1#6051
Sat May 25 02:06:21 2024 daemon.info dnsmasq[1]: query[A] api-pinterest-com-eip-akadns-net.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:21 2024 daemon.info dnsmasq[1]: forwarded api-pinterest-com-eip-akadns-net.pinterest.com to 127.0.0.1#6051
Sat May 25 02:06:22 2024 daemon.info dnsmasq[1]: reply api-pinterest-com-eip-akadns-net.pinterest.com is NODATA-IPv6
Sat May 25 02:06:22 2024 daemon.info dnsmasq[1]: reply api-pinterest-com-eip-akadns-net.pinterest.com is <CNAME>
Sat May 25 02:06:22 2024 daemon.info dnsmasq[1]: reply eip-tata.api.pinterest.com.akahost.net is 23.40.100.37
Sat May 25 02:06:22 2024 daemon.info dnsmasq[1]: query[HTTPS] eip-tata.api.pinterest.com.akahost.net from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:22 2024 daemon.info dnsmasq[1]: forwarded eip-tata.api.pinterest.com.akahost.net to 127.0.0.1#6051
Sat May 25 02:06:22 2024 daemon.info dnsmasq[1]: query[AAAA] eip-tata.api.pinterest.com.akahost.net from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:06:22 2024 daemon.info dnsmasq[1]: forwarded eip-tata.api.pinterest.com.akahost.net to 127.0.0.1#6051
Sat May 25 02:06:22 2024 daemon.info dnsmasq[1]: reply eip-tata.api.pinterest.com.akahost.net is NODATA
Sat May 25 02:06:22 2024 daemon.info dnsmasq[1]: reply eip-tata.api.pinterest.com.akahost.net is NODATA-IPv6

api.pinterest.com has no AAAA records. From the log above you can see that it is those fastly.net domains that returned AAAA records, i.e. they were hijacked.

Proposed solution

If the originally queried domain has domain-rules, the CNAME target domain should have the same domain-rules applied.

Device information

  1. Device (CPU, vendor): R4S

  2. Firmware: OpenWRT 18.06

@PikuZheng
Contributor

For smartdns, once a domain query yields a CNAME, the recursive query for that CNAME also follows the original domain's rules. There is no problem here.

The situation you describe happens when what sits below smartdns is not the end client but another DNS server. Per the RFC, a DNS server issues two queries. The first queries the A record. If upstream returns a CNAME plus an A record, the second query should use the CNAME to query the AAAA record.
But when an end client queries, it asks for A+AAAA records at once, so the second query using the CNAME never happens.

There are several solutions to the above. One: also add the CNAME target domains to the domain rules. Two: have smartdns serve end clients directly, without another DNS server forwarding in between. Three: configure force-no-CNAME yes so that smartdns does not return the cname in its answers (this is not spec-compliant, see #1648).
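
An added example (not smartdns or dnsmasq code, and not from the issue) that replays the two-query behaviour just described over the issue's own dnsmasq log lines: it builds the CNAME-target-to-origin map from the "reply ... is <CNAME>" lines, flags each follow-up query dnsmasq sent for a target that falls outside the rule covering the original name, and shows the inherited-rule lookup the reporter proposes. The rule table and the function names (match_rule, analyze_log, effective_rule) are assumptions for illustration.

```python
"""Added example (not smartdns or dnsmasq code): replay dnsmasq log lines and
flag CNAME targets that a forwarding resolver re-queried outside the
domain-rule that covered the original name."""
import re

# Constructed rule table, modelled on the issue's
# "domain-rules /pinterest.com/ -nameserver oversea ..." line:
# suffix -> name of the nameserver group the rule selects.
RULES = {"pinterest.com": "oversea"}

# Matches the three dnsmasq log shapes seen in the issue:
#   query[A] name from client / forwarded name to server / reply name is answer
LOG_RE = re.compile(
    r"dnsmasq\[\d+\]: (?P<op>query\[(?P<qtype>\w+)\]|forwarded|reply) "
    r"(?P<name>\S+)(?: is (?P<answer>\S+))?"
)
NO_ADDRESS = {"NODATA", "NODATA-IPv6", "<CNAME>"}

# Log lines copied from the issue (client/server addresses as logged there).
SAMPLE_LOG = """\
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: query[A] api.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: forwarded api.pinterest.com to 127.0.0.1#6051
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: query[AAAA] api.pinterest.com from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: forwarded api.pinterest.com to 127.0.0.1#6051
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply api.pinterest.com is <CNAME>
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 151.101.192.84
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply api.pinterest.com is NODATA-IPv6
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: query[AAAA] prod.pinterest.global.map.fastly.net from 240e:3b7:3222:fbb0:1db8:bf3:8e23:6efb
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: forwarded prod.pinterest.global.map.fastly.net to 127.0.0.1#6051
Sat May 25 02:03:52 2024 daemon.info dnsmasq[1]: reply prod.pinterest.global.map.fastly.net is 2a03:2880:f126:83:face:b00c:0:25de
""".splitlines()


def match_rule(name, rules=RULES):
    """Longest-suffix match: /pinterest.com/ covers api.pinterest.com but not
    prod.pinterest.global.map.fastly.net."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rule = rules.get(".".join(labels[i:]))
        if rule is not None:
            return rule
    return None


def analyze_log(log_lines, rules=RULES):
    """Walk the log once. Returns a dict with
    'cname_origin': alias target -> name whose answer introduced it, and
    'escaped': (qtype, target, origin) for each query dnsmasq sent for a target
    that has no rule of its own while its origin was covered by one."""
    cname_origin, escaped = {}, []
    owner = None  # name whose <CNAME> reply we are currently inside
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        op, name, answer = m.group("op"), m.group("name"), m.group("answer")
        if op == "reply":
            if answer == "<CNAME>":
                owner = name
            elif owner and name != owner and answer not in NO_ADDRESS:
                cname_origin.setdefault(name, owner)  # address reply for the alias target
        elif op.startswith("query"):
            origin = cname_origin.get(name)
            if origin and match_rule(name, rules) is None and match_rule(origin, rules):
                rec = (m.group("qtype"), name, origin)
                if rec not in escaped:
                    escaped.append(rec)
    return {"cname_origin": cname_origin, "escaped": escaped}


def effective_rule(name, cname_origin, rules=RULES):
    """Lookup that also honours the origin's rule, i.e. the behaviour the
    issue asks for: a CNAME target inherits the rule of the name it came from."""
    rule = match_rule(name, rules)
    if rule is None and name in cname_origin:
        rule = match_rule(cname_origin[name], rules)
    return rule


if __name__ == "__main__":
    result = analyze_log(SAMPLE_LOG)
    for qtype, target, origin in result["escaped"]:
        print(f"{qtype} query for {target} (CNAME of {origin}) hit no rule; "
              f"inherited rule would be {effective_rule(target, result['cname_origin'])!r}")
```

Run against the sample, the only flagged line is the AAAA query for prod.pinterest.global.map.fastly.net: that is exactly the second query a forwarding dnsmasq issues using the CNAME, and it is the one that leaves the /pinterest.com/ rule. Feeding a full dnsmasq log through analyze_log gives a list of the CNAME targets that would need their own rules under solution one, which is a quicker check than reading the log by hand.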

@zonyitoo
Author

force-no-CNAME yes seems like the better choice.

  1. If clients don't connect to dnsmasq directly, .lan name resolution breaks, and things currently depend on those names.
  2. Adding the CNAME target domains to the rules is indeed what I did after finding the problem, but it's unreliable; you can never list them all.
  3. Setting dnsmasq to no-cache is effectively a plain passthrough, so that shouldn't be much of a problem.

@PikuZheng
Contributor

  1. If clients don't connect to dnsmasq directly, .lan name resolution breaks, and things currently depend on those names.

Set up a separate upstream group just for .lan.

I use the second method myself; it really is just those few groups of CDN servers, fastly, akamai and the like.

@zonyitoo
Author

zonyitoo commented May 25, 2024

In practice, in the OpenWRT scenario dnsmasq -> smartdns can be treated as one unit; not passing the CNAME upward is fine for applications. Whitelisting domains one by one is not a once-and-for-all fix, and adding all of fastly is too heavy-handed.
