Merge branch 'dev-next' into origin/tls-client-auth

Signed-off-by: jose-C2OaWi <111356383+jose-C2OaWi@users.noreply.github.com>
2025-06-13 21:54:13 +08:00 · 2023-12-02 15:09:11 +08:00 · 2023-12-02 15:09:11 +08:00 · 10681a754f
commit 10681a754f
parent fbd3b23116 292d63d4c9
3 changed files with 15 additions and 4 deletions
--- a/docs/changelog.md
+++ b/docs/changelog.md
@ -7,6 +7,7 @@ icon: material/alert-decagram
 #### 1.8.0-alpha.8

 * Add context to JSON decode error message **1**
+* Reject internal fake-ip queries **2**
 * Fixes and improvements

 **1**:
@ -14,6 +15,13 @@ icon: material/alert-decagram
 JSON parse errors will now include the current key path.
 Only takes effect when compiled with Go 1.21+.

+**2**:
+
+All internal DNS queries now skip DNS rules with `server` type `fakeip`,
+and the default DNS server can no longer be `fakeip`.
+
+This change is intended to break incorrect usage and essentially requires no action.
+
 #### 1.8.0-alpha.7

 * Fixes and improvements
--- a/route/router.go
+++ b/route/router.go
@ -255,6 +255,9 @@ func NewRouter(
 		}
 		defaultTransport = transports[0]
 	}
+	if _, isFakeIP := defaultTransport.(adapter.FakeIPTransport); isFakeIP {
+		return nil, E.New("default DNS server cannot be fakeip")
+	}
 	router.defaultTransport = defaultTransport
 	router.transports = transports
 	router.transportMap = transportMap
--- a/route/router_dns.go
+++ b/route/router_dns.go
@ -37,7 +37,7 @@ func (m *DNSReverseMapping) Query(address netip.Addr) (string, bool) {
 	return domain, loaded
 }

-func (r *Router) matchDNS(ctx context.Context) (context.Context, dns.Transport, dns.DomainStrategy) {
+func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool) (context.Context, dns.Transport, dns.DomainStrategy) {
 	metadata := adapter.ContextFrom(ctx)
 	if metadata == nil {
 		panic("no context")
@ -51,7 +51,7 @@ func (r *Router) matchDNS(ctx context.Context) (context.Context, dns.Transport,
 				r.dnsLogger.ErrorContext(ctx, "transport not found: ", detour)
 				continue
 			}
-			if _, isFakeIP := transport.(adapter.FakeIPTransport); isFakeIP && metadata.FakeIP {
+			if _, isFakeIP := transport.(adapter.FakeIPTransport); isFakeIP && !allowFakeIP {
 				continue
 			}
 			r.dnsLogger.DebugContext(ctx, "match[", i, "] ", rule.String(), " => ", detour)
@ -97,7 +97,7 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, er
 			}
 			metadata.Domain = fqdnToDomain(message.Question[0].Name)
 		}
-		ctx, transport, strategy := r.matchDNS(ctx)
+		ctx, transport, strategy := r.matchDNS(ctx, true)
 		ctx, cancel := context.WithTimeout(ctx, C.DNSTimeout)
 		defer cancel()
 		response, err = r.dnsClient.Exchange(ctx, transport, message, strategy)
@ -125,7 +125,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, strategy dns.DomainS
 	r.dnsLogger.DebugContext(ctx, "lookup domain ", domain)
 	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Domain = domain
-	ctx, transport, transportStrategy := r.matchDNS(ctx)
+	ctx, transport, transportStrategy := r.matchDNS(ctx, false)
 	if strategy == dns.DomainStrategyAsIS {
 		strategy = transportStrategy
 	}