Cannot use container's name as --server-addr in configuration.

[d0u9]

I use kcptun and sslocal together to speed up network access. Both of these two services run in containers (two separate containers).

I can ping kcp server from ss by the container name, say con_kcp.

However, using this con_kcp as --server-addr in the configure file fails the connection to kcp.

It works fine to use container's address instead of con_kcp domain name.

How could I resolve this?

[zonyitoo]

So, what does con_kcp resolve? Run dig con_kcp or nslookup con_kcp in shadowsocks' container.

[d0u9]

# nslookup con_kcp

Server:		127.0.0.11
Address:	127.0.0.11:53

Non-authoritative answer:
*** Can't find con_kcp: No answer

Non-authoritative answer:
Name:	con_kcp
Address: 172.20.0.3

172.20.0.3 is the correct IP that kcp service listens on.

[d0u9]

This is the config file:

{
    "server": "con_kcp",
    "server_port": 1090,
    "local_address": "0.0.0.0",
    "local_port": 1080,
    "password": "mypass",
    "timeout":120,
    "method":"chacha20-ietf-poly1305",
    "fast_open": false,

    "log": {
        "level": 1
    }
}

[zonyitoo]

What did you see from logs? Try to set log.level to 3 and then see what exactly IP was resolved when connecting.

[d0u9]

Name resolution seems to take no effect:

TRACE [1:139669394105008] [shadowsocks_rust::service::local] Config { log: LogConfig { level: 3, format: LogFormatConfig { without_time: true }, config_path: None }, runtime: RuntimeConfig { worker_count: None, mode: MultiThread } }
INFO  [1:139669394105008] [shadowsocks_rust::service::local] shadowsocks local 1.13.3 build 2022-02-20T09:29:56.355673253+00:00
TRACE [1:139669394105008] [shadowsocks_service::local] Config { server: [ServerConfig { addr: DomainName("con_kcp", 1090), password: "mypass", method: CHACHA20_POLY1305, enc_key: [x, x, x, x, x, x], timeout: Some(120s), plugin: None, plugin_addr: None, remarks: None, id: None, mode: TcpOnly, weight: ServerWeight { tcp_weight: 1.0, udp_weight: 1.0 } }], local: [LocalConfig { addr: Some(SocketAddr(0.0.0.0:1080)), protocol: Socks, mode: TcpOnly, udp_addr: None, forward_addr: None, tcp_redir: Redirect, udp_redir: TProxy, tun_interface_name: None, tun_interface_address: None, tun_device_fd: None, tun_device_fd_from_path: None, ipv6_only: false }], dns: System, ipv6_first: false, ipv6_only: false, no_delay: false, fast_open: false, keep_alive: None, nofile: None, outbound_fwmark: None, outbound_bind_interface: None, outbound_bind_addr: None, inbound_send_buffer_size: None, inbound_recv_buffer_size: None, outbound_send_buffer_size: None, outbound_recv_buffer_size: None, manager: None, config_type: Local, udp_timeout: None, udp_max_associations: None, acl: None, security: SecurityConfig { replay_attack: SecurityReplayAttackConfig { policy: Ignore } }, balancer: BalancerConfig { max_server_rtt: None, check_interval: None, check_best_interval: None }, config_path: Some("/etc/shadowsocks-rust/config.json") }
TRACE [1:139669394105008] [shadowsocks::dns_resolver::trust_dns_resolver] initializing DNS resolver with system-config ResolverConfig { domain: None, search: [Name { is_fqdn: false, label_data: [108, 97, 110], label_ends: [3] }], name_servers: NameServerConfigGroup([NameServerConfig { socket_addr: 127.0.0.11:53, protocol: Udp, tls_dns_name: None, trust_nx_responses: false }, NameServerConfig { socket_addr: 127.0.0.11:53, protocol: Tcp, tls_dns_name: None, trust_nx_responses: false }]) } opts ResolverOpts { ndots: 0, timeout: 5s, attempts: 2, rotate: false, check_names: true, edns0: false, validate: false, ip_strategy: Ipv4AndIpv6, cache_size: 32, use_hosts_file: true, positive_min_ttl: None, negative_min_ttl: None, positive_max_ttl: None, negative_max_ttl: None, num_concurrent_reqs: 2, preserve_intermediates: false }
TRACE [1:139669394105008] [shadowsocks_service::local::loadbalancing::ping_balancer] init chose TCP server con_kcp:1090
INFO  [1:139669394105008] [shadowsocks_service::local::socks::server] shadowsocks socks TCP listening on 0.0.0.0:1080

[zonyitoo]

You have to make a request. The remote server will only be resolved when creating new tunnels.

[d0u9]

Well, my log dumps as:

TRACE [1:281473830871040] [shadowsocks_service::local::loadbalancing::ping_balancer] init chose TCP server con_kcp:1090
INFO  [1:281473830871040] [shadowsocks_service::local::socks::server] shadowsocks socks TCP listening on 0.0.0.0:1080
TRACE [1:281473830852704] [shadowsocks_service::local::socks::server::socks5::tcprelay] socks5 HandshakeRequest { methods: [0] }
TRACE [1:281473830852704] [shadowsocks_service::local::socks::server::socks5::tcprelay] reply handshake HandshakeResponse { chosen_method: 0 }
TRACE [1:281473826633824] [shadowsocks_service::local::socks::server::socks5::tcprelay] socks5 HandshakeRequest { methods: [0] }
TRACE [1:281473826633824] [shadowsocks_service::local::socks::server::socks5::tcprelay] reply handshake HandshakeResponse { chosen_method: 0 }
TRACE [1:281473830852704] [shadowsocks_service::local::socks::server::socks5::tcprelay] socks5 TcpRequestHeader { command: TcpConnect, address: www.google.com:443 } peer: 172.20.0.1:63306
DEBUG [1:281473830852704] [shadowsocks_service::local::socks::server::socks5::tcprelay] CONNECT www.google.com:443
TRACE [1:281473826633824] [shadowsocks_service::local::socks::server::socks5::tcprelay] socks5 TcpRequestHeader { command: TcpConnect, address: www.google.com:443 } peer: 172.20.0.1:63308
DEBUG [1:281473826633824] [shadowsocks_service::local::socks::server::socks5::tcprelay] CONNECT www.google.com:443
TRACE [1:281473830852704] [shadowsocks::dns_resolver::resolver] DNS resolved con_kcp:1090 with trust-dns 0.000039708s
TRACE [1:281473826633824] [shadowsocks::dns_resolver::resolver] DNS resolved con_kcp:1090 with trust-dns 0.000005583s

The ping command resolves domain name correctly:

ping con_kcp

PING con_kcp (172.20.0.3): 56 data bytes
64 bytes from 172.20.0.3: seq=0 ttl=64 time=0.322 ms
64 bytes from 172.20.0.3: seq=1 ttl=64 time=0.431 ms

Everything works fine after changing the server address from using the domain name to IP address:

TRACE [1:281472994926592] [shadowsocks_service::local::loadbalancing::ping_balancer] init chose TCP server 172.20.0.3:1090
INFO  [1:281472994926592] [shadowsocks_service::local::socks::server] shadowsocks socks TCP listening on 0.0.0.0:1080
TRACE [1:281472994908256] [shadowsocks_service::local::socks::server::socks5::tcprelay] socks5 HandshakeRequest { methods: [0] }
TRACE [1:281472994908256] [shadowsocks_service::local::socks::server::socks5::tcprelay] reply handshake HandshakeResponse { chosen_method: 0 }
TRACE [1:281472994908256] [shadowsocks_service::local::socks::server::socks5::tcprelay] socks5 TcpRequestHeader { command: TcpConnect, address: www.google.com:443 } peer: 172.20.0.1:63482
DEBUG [1:281472994908256] [shadowsocks_service::local::socks::server::socks5::tcprelay] CONNECT www.google.com:443
TRACE [1:281472994908256] [shadowsocks::relay::tcprelay::proxy_stream::client] connected tcp remote 172.20.0.3:1090 (outbound: 172.20.0.3:1090) with ConnectOpts { fwmark: None, bind_local_addr: None, bind_interface: None, tcp: TcpSocketOpts { send_buffer_size: None, recv_buffer_size: None, nodelay: false, fastopen: false, keepalive: Some(15s) } }

[zonyitoo]

TRACE [1:281473830852704] [shadowsocks::dns_resolver::resolver] DNS resolved con_kcp:1090 with trust-dns 0.000039708s
TRACE [1:281473826633824] [shadowsocks::dns_resolver::resolver] DNS resolved con_kcp:1090 with trust-dns 0.000005583s

Yes. It didn't show the actual resolved IP in log. :(

TRACE [1:139669394105008] [shadowsocks::dns_resolver::trust_dns_resolver] initializing DNS resolver with system-config ResolverConfig { domain: None, search: [Name { is_fqdn: false, label_data: [108, 97, 110], label_ends: [3] }], name_servers: NameServerConfigGroup([NameServerConfig { socket_addr: 127.0.0.11:53, protocol: Udp, tls_dns_name: None, trust_nx_responses: false }, NameServerConfig { socket_addr: 127.0.0.11:53, protocol: Tcp, tls_dns_name: None, trust_nx_responses: false }]) } opts ResolverOpts { ndots: 0, timeout: 5s, attempts: 2, rotate: false, check_names: true, edns0: false, validate: false, ip_strategy: Ipv4AndIpv6, cache_size: 32, use_hosts_file: true, positive_min_ttl: None, negative_min_ttl: None, positive_max_ttl: None, negative_max_ttl: None, num_concurrent_reqs: 2, preserve_intermediates: false }

Is the con_kcp defined in the /etc/hosts? If not, then it will try to send DNS requests to 127.0.0.11:53.

This line of TRACE log should be shown if it receives DNS respond:

shadowsocks-rust/crates/shadowsocks/src/dns_resolver/mod.rs

Line 142 in 2c85eef

trace!("trying connect {}:{} {}", $addr, $port, $resolved_addr);

How to reproduce? Could I reproduce it locally with my laptop?

[dev4u]

@zonyitoo 会不会因为
b06391c
的改动，导致本地域名，发到外网去解析？

[d0u9]

I have narrowed the scope of this issue to the problem of whether a domain name is valid or not.

For a simple POC, I use the docker compose file and configuration files of ss:

ssserver config file /tmp/poc/server.json:

{
    "server": "0.0.0.0",
    "server_port": 1090,
    "password": "mypass",
    "timeout": 120,
    "method": "chacha20-ietf-poly1305",
    "fast_open": false,

    "log": {
        "level": 3
    }
}

sslocal config file /tmp/poc/client.json:

{
    "server": "server.ss.invalid",
    "server_port": 1090,
    "local_address": "0.0.0.0",
    "local_port": 1080,
    "password": "mypass",
    "timeout":120,
    "method":"chacha20-ietf-poly1305",
    "fast_open": false,

    "log": {
        "level": 3
    }
}

docker compose file:

version: '3.5'

services:

  server.ss.invalid:
    image: ghcr.io/shadowsocks/ssserver-rust:latest
    container_name: server.ss.invalid
    restart: always
    ports:
      - 127.0.0.1:1090:1090
    volumes:
      - type: bind
        source: /tmp/poc/server.json
        target: /etc/shadowsocks-rust/config.json
        read_only: true

  local.ss.invalid:
    image: ghcr.io/shadowsocks/sslocal-rust:latest
    container_name: local.ss.invalid
    restart: always
    ports:
      - 127.0.0.1:1080:1080
    volumes:
      - type: bind
        source: /tmp/poc/client.json
        target: /etc/shadowsocks-rust/config.json
        read_only: true

• Case 1:

  The container name of the server, server.ss.invalid, is an invalid domain name because that invalid is not a top-level domain name.

  Log of the client:

  TRACE [1:281473519208544] [shadowsocks_service::local::socks::server::socks5::tcprelay] socks5 HandshakeRequest { methods: [0] }
  TRACE [1:281473519208544] [shadowsocks_service::local::socks::server::socks5::tcprelay] reply handshake HandshakeResponse { chosen_method: 0 }
  TRACE [1:281473519208544] [shadowsocks_service::local::socks::server::socks5::tcprelay] socks5 TcpRequestHeader { command: TcpConnect, address: www.bing.com:443 } peer: 172.22.0.1:58646
  DEBUG [1:281473519208544] [shadowsocks_service::local::socks::server::socks5::tcprelay] CONNECT www.bing.com:443
  DEBUG [1:281473519208544] [trust_dns_resolver::lookup_ip] both of ipv4 or ipv6 lookup failed in ipv4_and_ipv6 strategy e1: no record found for name: server.ss.invalid type: A class: IN, e2: no record found for name: server.ss.invalid type: AAAA class: IN
  TRACE [1:281473519208544] [shadowsocks::dns_resolver::resolver] DNS resolved server.ss.invalid:1090 with trust-dns 0.0000975s
  

• case 2:

  The con_kcp name, which I use as an example in the first post of this thread, is absolutely an invalid domain name - it contains no top-level domain name and _ is not permitted in domain names.

I think this problem is related to the verification of domain name format which is done before the actual resolution. For container circumstances, the container name, which is a superset of valid domain names, acts as a domain name in most situations.

[zonyitoo]

It's irrelevent. This change is only for local-dns.

[zonyitoo]

Insterestingly, nslookup can resolve server.ss.invalid:

$ nslookup server.ss.invalid
Server:		127.0.0.11
Address:	127.0.0.11:53

Non-authoritative answer:
*** Can't find server.ss.invalid: No answer

Non-authoritative answer:
Name:	server.ss.invalid
Address: 172.18.0.3

Run tcpdump in the sslocal container, an interesting found:

11:08:47.514337 IP 198e2a62e0d5.60757 > 192.168.65.5.53: 20305+ PTR? 1.0.18.172.in-addr.arpa. (41)
11:08:47.515750 IP 172.18.0.1.56878 > 198e2a62e0d5.1080: Flags [F.], seq 25, ack 14, win 512, options [nop,nop,TS val 1653360542 ecr 3903728622], length 0
11:08:47.515779 IP 198e2a62e0d5.1080 > 172.18.0.1.56878: Flags [.], ack 26, win 510, options [nop,nop,TS val 3903728624 ecr 1653360542], length 0
11:08:47.520744 IP 192.168.65.5.53 > 198e2a62e0d5.60757: 20305 NXDomain 0/0/0 (41)
11:08:47.620719 IP 198e2a62e0d5.37324 > 192.168.65.5.53: 5499+ PTR? 5.65.168.192.in-addr.arpa. (43)
11:08:47.626358 IP 192.168.65.5.53 > 198e2a62e0d5.37324: 5499 NXDomain 0/0/0 (43)

So there was a DNS query sent to 192.168.65.5:53 for 1.0.18.172.in-addr.arpa. with PTR record, but it replied NXDomain.

There is no packet could be captured by tcpdump when running nslookup server.ss.invalid.

[d0u9]

DNS server address for containers which use custom network is 127.0.0.11:53. Container
engine has an embedded DNS server for such containers that don’t explicitly set dns server.

Try to capture packets on lo interface to see if any clue can be found.

[zonyitoo]

Try to capture packets on lo interface to see if any clue can be found.

Tried and captured nothing.

[d0u9]

:( sad...

[zonyitoo]

$ dig server.ss.invalid @192.168.65.5

; <<>> DiG 9.16.25 <<>> server.ss.invalid @192.168.65.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41266
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 67a10a23dc40df47 (echoed)
;; QUESTION SECTION:
;server.ss.invalid.		IN	A

;; Query time: 23 msec
;; SERVER: 192.168.65.5#53(192.168.65.5)
;; WHEN: Thu Feb 24 16:44:53 UTC 2022
;; MSG SIZE  rcvd: 58

Sending queries directly to the 192.168.65.5 will get NXDOMAIN.

But it is actually working well for other valid domains, like:

$ dig www.baidu.com @192.168.65.5

; <<>> DiG 9.16.25 <<>> www.baidu.com @192.168.65.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13391
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9aa59fed1c642d74 (echoed)
;; QUESTION SECTION:
;www.baidu.com.			IN	A

;; ANSWER SECTION:
www.baidu.com.		17	IN	CNAME	www.a.shifen.com.
www.a.shifen.com.	150	IN	A	14.215.177.38

;; Query time: 21 msec
;; SERVER: 192.168.65.5#53(192.168.65.5)
;; WHEN: Thu Feb 24 16:45:51 UTC 2022
;; MSG SIZE  rcvd: 129

So I think the sslocal's DNS query was actually sent to 192.168.65.5, which of course returned NXDOMAIN for server.ss.invalid. But 127.0.0.11 can handle it:

$ dig server.ss.invalid @127.0.0.11

; <<>> DiG 9.16.25 <<>> server.ss.invalid @127.0.0.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25033
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;server.ss.invalid.		IN	A

;; ANSWER SECTION:
server.ss.invalid.	600	IN	A	172.18.0.2

;; Query time: 1 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Thu Feb 24 16:47:58 UTC 2022
;; MSG SIZE  rcvd: 68

When sending queries to 127.0.0.1 with www.baidu.com, the request was actually sent to 192.168.65.5:

$ dig www.baidu.com @127.0.0.11

; <<>> DiG 9.16.25 <<>> www.baidu.com @127.0.0.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56964
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: efb15f5874b1f23e (echoed)
;; QUESTION SECTION:
;www.baidu.com.			IN	A

;; ANSWER SECTION:
www.baidu.com.		752	IN	CNAME	www.a.shifen.com.
www.a.shifen.com.	518	IN	A	14.215.177.39

;; Query time: 5 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Thu Feb 24 16:51:14 UTC 2022
;; MSG SIZE  rcvd: 97

tcpdump shows:

16:51:37.422280 IP 198e2a62e0d5.53506 > 192.168.65.5.53: 32344+ [1au] A? www.baidu.com. (54)
16:51:37.426110 IP 192.168.65.5.53 > 198e2a62e0d5.53506: 32344 2/0/1 CNAME www.a.shifen.com., A 14.215.177.39 (129)

[zonyitoo]

trust-dns will check the invalid. at the top level and then returns NXDOMAIN directly.

[zonyitoo]

Everything works fine after changing containers' name to local.ss and server.ss:

version: '3.5'

services:

  server.ss:
    image: ghcr.io/shadowsocks/ssserver-rust:latest
    container_name: server.ss
    restart: always
    ports:
      - 127.0.0.1:1090:1090
    volumes:
      - type: bind
        source: /tmp/poc/server.json
        target: /etc/shadowsocks-rust/config.json
        read_only: true

  local.ss:
    image: ghcr.io/shadowsocks/sslocal-rust:latest
    container_name: local.ss
    restart: always
    ports:
      - 127.0.0.1:1080:1080
    volumes:
      - type: bind
        source: /tmp/poc/client.json
        target: /etc/shadowsocks-rust/config.json
        read_only: true

But why trust-dns's resolver returns empty directly when resolving con_kcp? Hmm, I will look deeper.

ResolveError { kind: Proto(ProtoError { kind: Msg("Label contains invalid characters: Err(Errors { invalid_mapping, disallowed_by_std3_ascii_rules })") }) }

Well, trust-dns-resolver rejects con_kcp because it is not a valid DNS name.

[d0u9]

I think this problem is related to the verification of domain name format which is done before the actual resolution. For container circumstances, the container name, which is a superset of valid domain names, acts as a domain name in most situations.

Yes, I have mentioned that earlier. That is why I used .invalid suffix. ss is a valid TOP-LEVEL domain name. Things work great if that container just is named in a valid domain name format.

Should we opt to use some more 'naive' name resolution method before the action that is taken by trust-dns-resolver?

[zonyitoo]

It can be done by removing trust-dns feature while compiling. But the native resolver getaddrinfo would have worse performance than trust-dns.

[d0u9]

Maybe, providing a fallback strategy is more compatible. For domain names that are obviously not valid, or domain names that cannot be handled by trust-dns, use getaddrinfo() instead.

[zonyitoo]

https://github.com/shadowsocks/shadowsocks-rust/releases/tag/v1.13.4

Add a "dns": "system" in client.json with v1.13.4 should fix this issue.

[d0u9]

Seems still not working.

DEBUG [1:281473351993392] [shadowsocks_service::local::socks::server::socks5::tcprelay] CONNECT baidu.com:80
DEBUG [1:281473351993392] [trust_dns_resolver::lookup_ip] both of ipv4 or ipv6 lookup failed in ipv4_and_ipv6 strategy e1: no record found for name: server.ss.invalid type: A class: IN, e2: no record found for name: server.ss.invalid type: AAAA class: IN
TRACE [1:281473351993392] [shadowsocks::dns_resolver::resolver] DNS resolved server.ss.invalid:1090 with trust-dns 0.000120709s

I have updated my client config in which "DNS" is now pointed to "system":

{
    "server": "server.ss.invalid",
    "server_port": 1090,
    "local_address": "0.0.0.0",
    "local_port": 1080,
    "password": "mypass",
    "timeout":120,
    "method":"chacha20-ietf-poly1305",
    "fast_open": false,
    "dns": "system",

    "log": {
        "level": 3
    }
}

NOTE: Don't test by accessing "baidu.com" in non-incognito mode. The web seems to be cached and shows the result correctly.

[zonyitoo]

Set SS_SYSTEM_DNS_RESOLVER_FORCE_BUILTIN: 1 in the sslocal container.

[dev4u]

Set SS_SYSTEM_DNS_RESOLVER_FORCE_BUILTIN: 1 in the sslocal container.

打扰一下，我觉得这样做，并不太优雅。为什么不能先做hosts文件解析，没结果再扔应用定义的dns服务做处理？

[zonyitoo]

It doesn't related to host file.

[d0u9]

It works now. Close this issue.

[zonyitoo]

BTW, why not just make the container name to be a valid domain name?

[d0u9]

Well, the main reason is that we haven't encountered such a problem before by using shadowsocks-libev. It works perfectly and functionally as expected, and the whole infrastructure is built based on this prerequisite.

Shifting from old container names to new ones requires some time, and we are now making the process to do that.