feat(tun): try to match hostnames when clash dns used

.github/workflows/ci.yml

@@ -201,7 +201,7 @@ jobs:
 
       - uses: dtolnay/rust-toolchain@master
         with:
-          toolchain: ${{ matrix.toolchain || 'nightly' }}
+          toolchain: ${{ matrix.toolchain || 'nightly-2024-09-20' }} # until https://github.com/rust-lang/rust-clippy/issues/13457
           target: ${{ matrix.target }}
           components: ${{ matrix.components || 'rustfmt, clippy' }}
 

clash/tests/data/config/rules.yaml

@@ -6,7 +6,7 @@ mixed-port: 8899
 tun:
   enable: true
   device-id: "dev://utun1989"
-  route-all: true
+  route-all: false
   gateway: "198.19.0.1/32"
   so-mark: 3389
   # routes:
@@ -53,7 +53,7 @@ dns:
 
 allow-lan: true
 mode: rule
-log-level: debug
+log-level: trace
 external-controller: :9090
 external-ui: "public"
 # secret: "clash-rs"

clash_lib/src/app/dispatcher/dispatcher_impl.rs

@@ -10,7 +10,7 @@ use crate::{
         internal::proxy::{PROXY_DIRECT, PROXY_GLOBAL},
     },
     proxy::{datagram::UdpPacket, AnyInboundDatagram},
-    session::Session,
+    session::{Session, SocksAddr},
 };
 use futures::{SinkExt, StreamExt};
 use std::{
@@ -75,40 +75,51 @@ impl Dispatcher {
     }
 
     #[instrument(skip(self, sess, lhs))]
-    pub async fn dispatch_stream<S>(&self, sess: Session, mut lhs: S)
+    pub async fn dispatch_stream<S>(&self, mut sess: Session, mut lhs: S)
     where
         S: AsyncRead + AsyncWrite + Unpin + Send,
     {
-        let sess = if self.resolver.fake_ip_enabled() {
-            match sess.destination {
-                crate::session::SocksAddr::Ip(addr) => {
-                    let ip = addr.ip();
+        let dest: SocksAddr = match &sess.destination {
+            crate::session::SocksAddr::Ip(socket_addr) => {
+                if self.resolver.fake_ip_enabled() {
+                    trace!("looking up fake ip: {}", socket_addr.ip());
+                    let ip = socket_addr.ip();
                     if self.resolver.is_fake_ip(ip).await {
                         let host = self.resolver.reverse_lookup(ip).await;
                         match host {
-                            Some(host) => {
-                                let mut sess = sess;
-                                sess.destination = crate::session::SocksAddr::Domain(
-                                    host,
-                                    addr.port(),
-                                );
-                                sess
-                            }
+                            Some(host) => (host, socket_addr.port())
+                                .try_into()
+                                .expect("must be valid domain"),
                             None => {
                                 error!("failed to reverse lookup fake ip: {}", ip);
                                 return;
                             }
                         }
                     } else {
-                        sess
+                        (*socket_addr).into()
+                    }
+                } else {
+                    trace!("looking up resolve cache ip: {}", socket_addr.ip());
+                    if let Some(resolved) =
+                        self.resolver.cached_for(socket_addr.ip()).await
+                    {
+                        (resolved, socket_addr.port())
+                            .try_into()
+                            .expect("must be valid domain")
+                    } else {
+                        (*socket_addr).into()
                     }
                 }
-                crate::session::SocksAddr::Domain(..) => sess,
             }
-        } else {
-            sess
+            crate::session::SocksAddr::Domain(host, port) => {
+                (host.to_owned(), *port)
+                    .try_into()
+                    .expect("must be valid domain")
+            }
         };
 
+        sess.destination = dest.clone();
+
         let mode = *self.mode.lock().unwrap();
         let (outbound_name, rule) = match mode {
             RunMode::Global => (PROXY_GLOBAL, None),
@@ -253,28 +264,17 @@ impl Dispatcher {
             while let Some(packet) = local_r.next().await {
                 let mut sess = sess.clone();
                 sess.source = packet.src_addr.clone().must_into_socket_addr();
-                sess.destination = packet.dst_addr.clone();
-
-                // populate fake ip for route matching
-                let sess = if resolver.fake_ip_enabled() {
-                    trace!("looking up fake ip for {sess}");
-                    match sess.destination {
-                        crate::session::SocksAddr::Ip(addr) => {
-                            let ip = addr.ip();
+
+                let dest: SocksAddr = match &packet.dst_addr {
+                    crate::session::SocksAddr::Ip(socket_addr) => {
+                        if resolver.fake_ip_enabled() {
+                            let ip = socket_addr.ip();
                             if resolver.is_fake_ip(ip).await {
-                                trace!("fake ip detected");
                                 let host = resolver.reverse_lookup(ip).await;
                                 match host {
-                                    Some(host) => {
-                                        trace!("fake ip resolved to {}", host);
-                                        let mut sess = sess;
-                                        sess.destination =
-                                            crate::session::SocksAddr::Domain(
-                                                host,
-                                                addr.port(),
-                                            );
-                                        sess
-                                    }
+                                    Some(host) => (host, socket_addr.port())
+                                        .try_into()
+                                        .expect("must be valid domain"),
                                     None => {
                                         error!(
                                             "failed to reverse lookup fake ip: {}",
@@ -284,18 +284,32 @@ impl Dispatcher {
                                     }
                                 }
                             } else {
-                                sess
+                                (*socket_addr).into()
                             }
+                        } else if let Some(resolved) =
+                            resolver.cached_for(socket_addr.ip()).await
+                        {
+                            (resolved, socket_addr.port())
+                                .try_into()
+                                .expect("must be valid domain")
+                        } else {
+                            (*socket_addr).into()
                         }
-                        crate::session::SocksAddr::Domain(..) => sess,
                     }
-                } else {
-                    sess
+                    crate::session::SocksAddr::Domain(host, port) => {
+                        (host.to_owned(), *port)
+                            .try_into()
+                            .expect("must be valid domain")
+                    }
                 };
+                sess.destination = dest.clone();
 
                 // mutate packet for fake ip
                 let mut packet = packet;
-                packet.dst_addr = sess.destination.clone();
+                // resolve is done in OutboundDatagramImpl so it's fine to have
+                // (Domain, port) here. ideally the OutboundDatagramImpl should only
+                // do Ip though?
+                packet.dst_addr = dest;
 
                 let mode = *mode.lock().unwrap();
 

clash_lib/src/app/dns/dummy_keys.rs

@@ -1,6 +1,6 @@
-/// Test certificate and key
-/// host: dns.example.com
-/// TODO(#51): use real certificate and key
+//! Test certificate and key
+//! host: dns.example.com
+//! TODO(#51): use real certificate and key
 
 pub static TEST_CERT: &str = include_str!("test/test.cert");
 

clash_lib/src/app/dns/mod.rs

@@ -63,6 +63,9 @@ pub trait ClashResolver: Sync + Send {
         enhanced: bool,
     ) -> anyhow::Result<Option<std::net::Ipv6Addr>>;
 
+    async fn cached_for(&self, ip: std::net::IpAddr) -> Option<String>;
+
+    /// Used for DNS Server
     async fn exchange(&self, message: op::Message) -> anyhow::Result<op::Message>;
 
     /// Only used for look up fake IP

clash_lib/src/app/dns/resolver/enhanced.rs

@@ -10,7 +10,7 @@ use std::{
     time::Duration,
 };
 use tokio::sync::RwLock;
-use tracing::{debug, error, instrument, warn};
+use tracing::{debug, error, instrument, trace, warn};
 
 use hickory_proto::{op, rr};
 
@@ -46,6 +46,9 @@ pub struct EnhancedResolver {
     policy: Option<trie::StringTrie<Vec<ThreadSafeDNSClient>>>,
 
     fake_dns: Option<ThreadSafeFakeDns>,
+
+    reverse_lookup_cache:
+        Option<Arc<RwLock<lru_time_cache::LruCache<net::IpAddr, String>>>>,
 }
 
 impl EnhancedResolver {
@@ -75,6 +78,8 @@ impl EnhancedResolver {
             policy: None,
 
             fake_dns: None,
+
+            reverse_lookup_cache: None,
         }
     }
 
@@ -94,6 +99,8 @@ impl EnhancedResolver {
             policy: None,
 
             fake_dns: None,
+
+            reverse_lookup_cache: None,
         });
 
         Self {
@@ -199,6 +206,17 @@ impl EnhancedResolver {
                 }
                 _ => None,
             },
+
+            reverse_lookup_cache: Some(Arc::new(RwLock::new(
+                lru_time_cache::LruCache::with_expiry_duration_and_capacity(
+                    Duration::from_secs(3), /* should be shorter than TTL so
+                                             * client won't be connecting to a
+                                             * different server after the ip is
+                                             * reverse mapped to hostname and
+                                             * being resolved again */
+                    4096,
+                ),
+            ))),
         }
     }
 
@@ -251,7 +269,7 @@ impl EnhancedResolver {
         m.add_query(q);
         m.set_recursion_desired(true);
 
-        match self.exchange(m).await {
+        match self.exchange(&m).await {
             Ok(result) => {
                 let ip_list = EnhancedResolver::ip_list_of_message(&result);
                 if !ip_list.is_empty() {
@@ -264,14 +282,14 @@ impl EnhancedResolver {
         }
     }
 
-    async fn exchange(&self, message: op::Message) -> anyhow::Result<op::Message> {
+    async fn exchange(&self, message: &op::Message) -> anyhow::Result<op::Message> {
         if let Some(q) = message.query() {
             if let Some(lru) = &self.lru_cache {
                 if let Some(cached) = lru.read().await.peek(q.to_string().as_str()) {
                     return Ok(cached.clone());
                 }
             }
-            self.exchange_no_cache(&message).await
+            self.exchange_no_cache(message).await
         } else {
             Err(anyhow!("invalid query"))
         }
@@ -436,6 +454,13 @@ impl EnhancedResolver {
             })
             .collect()
     }
+
+    async fn save_reverse_lookup(&self, ip: net::IpAddr, domain: String) {
+        if let Some(lru) = &self.reverse_lookup_cache {
+            trace!("reverse lookup cache insert: {} -> {}", ip, domain);
+            lru.write().await.insert(ip, domain);
+        }
+    }
 }
 
 #[async_trait]
@@ -545,8 +570,27 @@ impl ClashResolver for EnhancedResolver {
         }
     }
 
+    async fn cached_for(&self, ip: net::IpAddr) -> Option<String> {
+        if let Some(lru) = &self.reverse_lookup_cache {
+            if let Some(cached) = lru.read().await.peek(&ip) {
+                trace!("reverse lookup cache hit: {} -> {}", ip, cached);
+                return Some(cached.clone());
+            }
+        }
+
+        None
+    }
+
     async fn exchange(&self, message: op::Message) -> anyhow::Result<op::Message> {
-        self.exchange(message).await
+        let rv = self.exchange(&message).await?;
+        let hostname = message.query().unwrap().name().to_ascii();
+        let ip_list = EnhancedResolver::ip_list_of_message(&rv);
+        if !ip_list.is_empty() {
+            for ip in ip_list {
+                self.save_reverse_lookup(ip, hostname.clone()).await;
+            }
+        }
+        Ok(rv)
     }
 
     fn ipv6(&self) -> bool {

clash_lib/src/app/dns/resolver/system_linux.rs

@@ -56,6 +56,10 @@ impl ClashResolver for SystemResolver {
         Ok(response.iter().map(|x| x.0).choose(&mut rand::thread_rng()))
     }
 
+    async fn cached_for(&self, _: std::net::IpAddr) -> Option<String> {
+        None
+    }
+
     async fn exchange(
         &self,
         _: hickory_proto::op::Message,

clash_lib/src/app/dns/resolver/system_non_linux.rs

@@ -75,6 +75,10 @@ impl ClashResolver for SystemResolver {
         Ok(response.into_iter().choose(&mut rand::thread_rng()))
     }
 
+    async fn cached_for(&self, _: std::net::IpAddr) -> Option<String> {
+        None
+    }
+
     async fn exchange(
         &self,
         _: hickory_proto::op::Message,

clash_lib/src/app/router/mod.rs

@@ -16,7 +16,7 @@ use crate::app::router::rules::final_::Final;
 use std::{collections::HashMap, path::PathBuf, sync::Arc, time::Duration};
 
 use hyper::Uri;
-use tracing::{debug, error, info};
+use tracing::{error, info};
 
 use super::{
     dns::ThreadSafeDNSResolver,
@@ -93,10 +93,6 @@ impl Router {
                 && r.should_resolve_ip()
                 && !sess_resolved
             {
-                debug!(
-                    "rule `{r}` resolving domain {} locally",
-                    sess.destination.domain().unwrap()
-                );
                 if let Ok(Some(ip)) = self
                     .dns_resolver
                     .resolve(sess.destination.domain().unwrap(), false)
@@ -114,7 +110,6 @@ impl Router {
                     r.target(),
                     r.type_name()
                 );
-                debug!("matched rule details: {}", r);
                 return (r.target(), Some(r));
             }
         }