求助关于AdguardHome+PAOPAODNS Docker+OPENCLASH设置问题 #73

TOPGUUN · 2023-11-26T07:17:40Z

TOPGUUN
Nov 26, 2023

现在环境是在OPENWRT下AdguardHome占用53，Dnsmasq改成了54，AdguardHome上游接127.0.0.1:7777(docker的PAOPAODNS端口映射7777:53),PAOPAODNS的CUSTOM_FORWARD设置192.168.50.1:7874转到OPENCLASH用FAKEIP增强关闭DNS劫持自定义NAMESERVER:127.0.0.1:7777，这么设置国内国外都走代理了，后来参考网上别人心得在OPENCLASH开发者选项里加入了这段话就变内外分流了：
en_mode=$(uci -q get openclash.config.en_mode)
proxy_port=$(uci -q get openclash.config.proxy_port)
http_port=$(uci -q get openclash.config.http_port)

if [ "$en_mode" == "fake-ip" ]; then
LOG_OUT "limit route to only fake ips with proxy port $proxy_port"
iptables -t nat -D openclash -p tcp -j REDIRECT --to-ports $proxy_port
LOG_OUT "update telegram ipset"
/etc/mosdns/rule/geoip2ipset.sh /etc/openclash/GeoIP.dat telegram
iptables -t nat -A openclash -m set --match-set telegram dst -p tcp -j REDIRECT --to-ports $proxy_port
fi

LOG_OUT "restart adguardhome"
/etc/init.d/AdGuardHome restart
出处: https://songchenwen.com/tproxy-split-by-dns
现在用起来很正常，网页秒开，内外分流正常，国内返回真是IP,国外显示FAKEIP.就是在debug.sh里看到了一个DNS劫持不知道是哪里问题。

/data # debug.sh

== debug.sh : docker exec -it paopaodns sh ==

-> debug start 1700981848

[INFO] images build time : 2023-11-23 16:48:29 UTC
[OK]DATA_writeable
[OK]DATA_readable
[INFO] NETWORK
*********************************************************************************

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
15: eth0@if16: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP 
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
default via 172.17.0.1 dev eth0 
172.17.0.0/16 dev eth0 scope link  src 172.17.0.2 
PING 223.5.5.5 (223.5.5.5): 56 data bytes
64 bytes from 223.5.5.5: seq=0 ttl=115 time=7.921 ms

--- 223.5.5.5 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.921/7.921/7.921 ms
PING 119.29.29.29 (119.29.29.29): 56 data bytes
64 bytes from 119.29.29.29: seq=0 ttl=50 time=11.163 ms

--- 119.29.29.29 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 11.163/11.163/11.163 ms
Server:         223.5.5.5
Address:        223.5.5.5#53

Non-authoritative answer:
www.taobao.com  canonical name = www.taobao.com.danuoyi.tbcache.com.
Name:   www.taobao.com.danuoyi.tbcache.com
Address: 121.11.2.101
Name:   www.taobao.com.danuoyi.tbcache.com
Address: 121.11.2.100
Name:   www.taobao.com.danuoyi.tbcache.com
Address: 240e:97f:2000:100:3::3cd
Name:   www.taobao.com.danuoyi.tbcache.com
Address: 240e:97f:2000:100:3::3cc

Server:         119.29.29.29
Address:        119.29.29.29#53

Non-authoritative answer:
www.qq.com      canonical name = ins-r23tsuuf.ias.tencent-cloud.net.
Name:   ins-r23tsuuf.ias.tencent-cloud.net
Address: 121.14.77.221
Name:   ins-r23tsuuf.ias.tencent-cloud.net
Address: 121.14.77.201
;; communications error to 119.29.29.29#53: timed out
Name:   ins-r23tsuuf.ias.tencent-cloud.net
Address: 240e:97c:2f:2::4c
Name:   ins-r23tsuuf.ias.tencent-cloud.net
Address: 240e:97c:2f:1::5c

*********************************************************************************

[INFO] ENV
*********************************************************************************

====ENV TEST====
[OK]DATA_writeable-
[OK]DATA_readable-
MEM:50m 100m 200 100mb
prefPC:9
CORES:-1-
POWCORES:-1-
ulimit :-1048576-
FDLIM :-1-
TZ:-Asia/Shanghai-
UPDATE:-weekly-
DNS_SERVERNAME:-PaoPaoDNS,blog.03k.org-
SERVER_IP:-none-
ETHIP:-172.17.0.2-
DNSPORT:-53-
SOCKS5:-IP:PORT-
CNAUTO:-yes-
IPV6:-no-
CNFALL:-yes-
CUSTOM_FORWARD:-192.168.50.1:7874-
AUTO_FORWARD:-yes-
AUTO_FORWARD_CHECK:-yes-
USE_MARK_DATA:-yes-
RULES_TTL:-604800-
CUSTOM_FORWARD_TTL:-0-
SHUFFLE:-yes-
CN_TRACKER:-yes-
USE_HOSTS:-no-
HTTP_FILE:-no-
SAFEMODE:--
QUERY_TIME:-2000ms-
ADDINFO:-yes-
PLATFORM:-Linux paopaodns 5.10.176 #0 SMP Fri Oct 27 02:26:50 2023 x86_64 Linux-
====ENV TEST====
mosdns kkkgo/mosdns:231115.1
*********************************************************************************

[INFO] PS
*********************************************************************************

PID   USER     TIME  COMMAND
    1 root      0:00 {init.sh} /bin/sh /usr/sbin/init.sh
   12 root      0:00 crond
   44 root      0:10 redis-server unixsocket:/tmp/redis.sock
  231 root      0:01 dnscrypt-proxy -config /data/dnscrypt-resolvers/dnscrypt.toml
  243 root      0:06 mosdns start -d /tmp -c /tmp/mosdns.yaml
  251 root      0:00 {watch_list.sh} /bin/sh /usr/sbin/watch_list.sh
  255 root      0:00 unbound -c /tmp/unbound_forward.conf -p
  265 root      0:00 tail -f /dev/null
  283 root      0:02 unbound -c /tmp/unbound_raw.conf -p
  301 root      0:00 inotifywait -e modify,delete /etc/unbound/named.cache /data/Country-only-cn-private.mmdb /data/force_cn_list.txt /data/force_nocn_list.txt /data/custom_env.ini /data/global_mark.dat /data/trackerslist.txt /d
  395 root      0:00 /bin/sh
  719 root      0:00 /bin/sh
  998 root      0:00 /bin/sh
 1207 root      0:00 /bin/sh
 1213 root      0:00 {debug.sh} /bin/sh /usr/sbin/debug.sh
 1226 root      0:00 ps -ef
*********************************************************************************

[INFO] TOP
*********************************************************************************

CPU:   0% usr   0% sys   0% nic  98% idle   0% io   0% irq   1% sirq
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
  243     1 root     S    1212m  60%   2   0% mosdns start -d /tmp -c /tmp/mosdn
  231     1 root     S    1212m  60%   3   0% dnscrypt-proxy -config /data/dnscr
   44     1 root     S    22916   1%   4   0% redis-server unixsocket:/tmp/redis
  283     1 root     S    11936   1%   1   0% unbound -c /tmp/unbound_raw.conf -
  255     1 root     S    11308   1%   2   0% unbound -c /tmp/unbound_forward.co
  998     0 root     S     1720   0%   3   0% /bin/sh
  719     0 root     S     1720   0%   5   0% /bin/sh
  395     0 root     S     1720   0%   5   0% /bin/sh
  251     1 root     S     1704   0%   2   0% {watch_list.sh} /bin/sh /usr/sbin/
 1207     0 root     S     1692   0%   3   0% /bin/sh
    1     0 root     S     1628   0%   1   0% {init.sh} /bin/sh /usr/sbin/init.s
 1213  1207 root     S     1624   0%   0   0% {debug.sh} /bin/sh /usr/sbin/debug
 1227  1213 root     R     1620   0%   1   0% top -n1
  265     1 root     S     1612   0%   0   0% tail -f /dev/null
 1228  1213 root     S     1608   0%   5   0% grep %
  301   251 root     S     1068   0%   4   0% inotifywait -e modify,delete /etc/
   12     1 root     S      856   0%   2   0% crond
*********************************************************************************

[INFO] REDIS
*********************************************************************************

used_memory_human:1.41M
used_memory_rss_human:4.63M
used_memory_peak_human:1.42M
total_system_memory_human:1.95G
used_memory_lua_human:31.00K
used_memory_vm_total_human:63.00K
used_memory_scripts_human:181B
maxmemory_human:100.00M
(integer) 1159
*********************************************************************************

[TEST] IP ROUTE
*********************************************************************************

CN IP URL:
公网IP
公网IP
公网IP
CN RAW-IP URL:
公网IP
------------------
Non-CN IP URL:
185.241.42.21
185.241.42.21
185.241.42.21
Non-CN RAW-IP URL:
公网IP
公网IP
公网IP
公网IP
------------------
IP INFO:
公网IP
CN,Foshan,Guangdong
ASN4134/China Telecom
HTTP/1.1 
Mozilla/5.0 Gecko/20100101 Firefox/120.0 https://github.com/kkkgo/PaoPaoDNS
Asia/Shanghai Time: 11/26/2023, 2:57:37 PM
[INFO] force_cn_list
domain:whoami.ds.akahelp.net
domain:whoami.03k.org
MOSDNS WHOAMI :
akahelp: "ns" "公网IP"
03k: 公网IP
UNBOUND WHOAMI:
akahelp: "ns" "公网IP"
03k: 公网IP
*********************************************************************************

[TEST] HIJACK
*********************************************************************************

;; communications error to 9.8.7.5#53: timed out
;; no servers could be reached

;; communications error to 9.8.7.6#53: timed out
;; no servers could be reached

HIJACK 127.0.0.1 = 58.217.249.177
*********************************************************************************

[TEST] DIG-CN [taobao]
*********************************************************************************

MOSDNS CN:
www.taobao.com.danuoyi.tbcache.com.
121.11.2.100
121.11.2.101
UNBOUND CN:
www.taobao.com.danuoyi.tbcache.com.
121.11.2.100
121.11.2.101
[TEST] DIG-NOCN [youtube]
MOSDNS NOCN:
198.18.0.10
DNSCRYPT-UNBOUND NOCN:
youtube-ui.l.google.com.
142.250.115.136
142.250.115.91
DNSCRYPT NOCN:
youtube-ui.l.google.com.
142.250.138.93
142.250.138.190
DNSCRYPT-SOCKS5 NOCN:
;; communications error to 127.0.0.1#5303: connection refused
;; no servers could be reached

*********************************************************************************

[TEST] DUAL CN [IPv6=YES will have aaaa,taobao]
*********************************************************************************

[TEST] DUAL NOCN [IPv6=YES will block aaaa,youtube]
[TEST] ONLY6 [IPv6=only6 will block aaaa if a ok]
checkipv6.synology.com : ip6.03k.org : 6.ipw.cn : 
*********************************************************************************

[info] ALL TEST FINISH.

-> debug end 1700981860

Answered by kkkgo

Nov 26, 2023

测试通过，只有HIJACK 127.0.0.1 = 127.0.0.1才是劫持。

View full answer

kkkgo · 2023-11-26T07:26:01Z

kkkgo
Nov 26, 2023
Maintainer

测试通过，只有HIJACK 127.0.0.1 = 127.0.0.1才是劫持。

5 replies

tonebean Dec 1, 2023

我也是这条测试结果，为什么hijack是58.217.249.177这个ip呢？

kkkgo Dec 1, 2023
Maintainer

该测试执行了dig whether.114dns.com @114.114.114.114

114在自己的域名（114dns.com）的管理中，添加了A记录，主机名为whether，IP为127.0.0.1，
而114在自家的DNS服务器库中手动改了这条A记录的IP,并不自动与根服务器之类的服务器更新。
所以当你用其它DNS的时候，只能看到127.0.0.1
而用114的DNS时，可以解析到其它IP。

因此，该测试只要解析结果不是127.0.0.1，则表明与114DNS的通讯过程中没有被劫持，表明可以正常进行DNS通讯。

tonebean Dec 1, 2023

还有个疑问，之前我的dokcer环境是富强的，所以IP INFO:是我的国外ip，现在看了文档，镜像不走代理，开了sock5参数，但以下四个ip全是我的宽带ip，不知道是不是正常。
CN IP URL:
CN RAW-IP URL:
Non-CN IP URL:
Non-CN RAW-IP URL:

kkkgo Dec 1, 2023
Maintainer

正常的。在不配合PPGW之类的FAKEIP网关使用的情况下，预期就应该是宽带IP。
如果配合PPGW使用，开了AUTO_FORWARD，Non-CN IP URL应该就是代理IP，其他是宽带IP。

tonebean Dec 1, 2023

多谢解答，大佬早点睡。

TOPGUUN · 2023-11-26T07:27:34Z

TOPGUUN
Nov 26, 2023
Author

谢谢大神回复这么快，那我就这么用了

0 replies

XZ1314XZ · 2023-12-19T18:40:23Z

XZ1314XZ
Dec 19, 2023

@TOPGUUN 老哥，我的情况跟你一样，我也是adh+paopao+openclash，照抄你的都有问题反而国内国外网站打开都有问题。另外正常情况你能打开pan.quark.cn网站吗

adguardhome唯一上游dns：127.0.0.1:7777

openclash->覆写设置->DNS设置->自定义上游DNS服务器（开关打开），default-nameserver和nameserver都只填127.0.0.1 7777 udp

paopaodns配置照抄，只是custom_forward的IP相应改成我的paopaodns容器所在的网关IP，172.17.0.1。

14 replies

kkkgo Dec 25, 2023
Maintainer

你装PaoPaoDNS的机器不是x86吗，不知道你是底层系统是什么，反正直接虚拟化就可以了，装PVE或者EXSI什么的都可以。

XZ1314XZ Dec 25, 2023

是X86，没有用到pve和exsi装的istoreos，直装的官网教程就几步，我也不清楚它是什么系统

kkkgo Dec 25, 2023
Maintainer

你是裸机直接装istoreos么，啥配置啊，配置不是很差直接简单装个win10开hyperv虚拟机得了。

XZ1314XZ Dec 26, 2023

是裸机，都是捡的垃圾奔腾G840(比J1900好点)，内存ddr3 2G，华硕主板P8H61，配置差。除了网关，科学，容器什么都塞这里了，就不刷win了，有考虑弄PVE了，感谢大佬耐心回答

kkkgo Dec 27, 2023
Maintainer

PVE可以参考：kkkgo/PaoPaoGateWay#23

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

求助关于AdguardHome+PAOPAODNS Docker+OPENCLASH设置问题 #73

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 3 comments 19 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

求助关于AdguardHome+PAOPAODNS Docker+OPENCLASH设置问题 #73

TOPGUUN Nov 26, 2023

== debug.sh : docker exec -it paopaodns sh ==

Replies: 3 comments · 19 replies

kkkgo Nov 26, 2023 Maintainer

tonebean Dec 1, 2023

kkkgo Dec 1, 2023 Maintainer

tonebean Dec 1, 2023

kkkgo Dec 1, 2023 Maintainer

tonebean Dec 1, 2023

TOPGUUN Nov 26, 2023 Author

XZ1314XZ Dec 19, 2023

kkkgo Dec 25, 2023 Maintainer

XZ1314XZ Dec 25, 2023

kkkgo Dec 25, 2023 Maintainer

XZ1314XZ Dec 26, 2023

kkkgo Dec 27, 2023 Maintainer

TOPGUUN
Nov 26, 2023

Replies: 3 comments 19 replies

kkkgo
Nov 26, 2023
Maintainer

kkkgo Dec 1, 2023
Maintainer

kkkgo Dec 1, 2023
Maintainer

TOPGUUN
Nov 26, 2023
Author

XZ1314XZ
Dec 19, 2023

kkkgo Dec 25, 2023
Maintainer

kkkgo Dec 25, 2023
Maintainer

kkkgo Dec 27, 2023
Maintainer