大量的循环DNS解析导致CPU过高

[shayulei]

版本：
[root@v2ray ~]# systemctl stop v2ray
[root@v2ray ~]# v2ray --version
V2Ray 4.45.0 (V2Fly, a community-driven edition of V2Ray.) Custom (go1.18.1 linux/amd64)
A unified platform for anti-censorship.
配置：
{
"log": {
"access": "/var/log/v2ray/access.log",
"error": "/var/log/v2ray/error.log",
"loglevel": "warning"
},
"levels": {
"1": {
// "handshake": 4,
"connIdle": 10,
// "uplinkOnly": 2,
// "downlinkOnly": 5,
// "statsUserUplink": false,
// "statsUserDownlink": false,
"bufferSize": 1
},
"2": {
// "handshake": 4,
"connIdle": 600
// "uplinkOnly": 2,
// "downlinkOnly": 5,
// "statsUserUplink": false,
// "statsUserDownlink": false,
// "bufferSize": 1
}
},

"inbounds": [
{
	"listen": "0.0.0.0",
	"port": 1080,
	"protocol": "socks",
	"settings": {
		"auth": "noauth",
		"udp": true
	},
	"streamSettings": {
            	"sockopt": {
                    	"mark": 255
            	}
        	}

},
{
	
	"listen": "0.0.0.0",
	"port": 8081,
	"protocol": "http",
	"settings": {
		"auth": "noauth",
		"udp": true
	},
	"streamSettings": {
            	"sockopt": {
                    	"mark": 255
            	}
        	}
},
{
        "port": 53,
    "listemm": "0.0.0.0",
        "tag": "dns-in",
        "protocol": "dokodemo-door",
        "settings": {
            "address":"8.8.8.8",
	"port": 53,
	"level": "1",
            "network": "tcp,udp",
	"followRedirect": true
        },
    "streamSettings": {
	"sockopt": {
		"mark": 255
	}
    }
},
{
	"tag":"transparent",
	"port": 12345, 
	"listen": "127.0.0.1",
	"protocol": "dokodemo-door",
	"settings": {
	  "network": "tcp,udp",
	  "level": "2",
	  "followRedirect": true
	},
	"sniffing": {
	  "enabled": true,
	  "destOverride": ["http", "tls"]
	},
	"streamSettings": {
		"sockopt": {
		  "tproxy": "tproxy",
		  "mark":255
		}
	  }
  }
],
"outbounds": [
{
	"tag":"v2",
	"protocol": "vless",
	"settings": {
		"domainStrategy": "UseIP",
		"vnext": [
    	  	  {
      			"address": "123.xxxxx.com",
      			"port": 443,
      			"users": [
			  {
				"id": "fsfewfdsggfdgdffffasdfb38cdc6",
				"flow": "xtls-rprx-origin",
				"level": 2,
				"encryption":"none"
			  }
			]
		  }
		]
		},
    	"streamSettings":{
		"network": "tcp",
		"security": "xtls",
		"xtlsSettings": {
			"serverName": "123.xxxxx.com",
			"allowInsecure": true
		},
		"sockopt": {
			"mark": 255
		  }
	},
	"mux": {
	  "enabled": false
	}
},
{
	"tag":"frp",
	"protocol": "vless",
	"settings": {
		"domainStrategy": "UseIP",
		"vnext": [
    	  	  {
      			"address": "4566.xxxx.com",
      			"port": 443,
      			"users": [
			  {
				   "id": "b916dfwefregdffb91b4f6ac",
				   "flow": "xtls-rprx-origin",
				   "level": 2,
				   "encryption":"none"
			  }
			]
		  }
		]
		},
    	"streamSettings":{
		"network": "tcp",
		"security": "xtls",
		"xtlsSettings": {
			"serverName": "4566.xxxx.com",
			"allowInsecure": true
		},
		"sockopt": {
			"mark": 255
		}
	},
	"mux": {
	  "enabled": false
	}
},
{
	"tag": "direct",
	"protocol": "freedom",
	"settings": {
	  "level": "2",
	  "domainStrategy": "UseIP"
	},
	"streamSettings": {
	  "sockopt": {
		"mark": 255
	  }
	}      
},
{
	"tag": "block",
	"protocol": "blackhole",
	"settings": {
	  "response": {
		"type": "http"
	  }
	}
},
{
	"tag":"dns-out",
	"protocol":"dns",
	"settings": {
		"level": "1"
	},
	"streamSettings": {
		"sockopt": {
			"mark": 255
		}
	}
   }
],
"dns": 
{
	"hosts":{
		
	},
	"servers": [
  	  {
		"address": "223.5.5.5",
		"port":53,
		"skipFallback": true,
		"domains": [
			"geosite:cn",
			"ntp.org"
		],
		"expectIPs": [
    			"geoip:cn"
   			]
	  },
	  {
  			"address": "8.8.8.8",
   			"port": 53,
		"skipFallback": true,
   			"domains": [
				 "geosite:geolocation-!cn"
   			]
	  },
	  "114.114.114.114"
	]
},
"routing": 
  {
	"domainStrategy": "IPOnDemand",
	"balancers": 
	[
	  {
		"tag": "b1",
		"selector": [
		  "frp",
		  "v2"
		]
	  }
	],
	"rules": 
	  [
		{ 
			"type": "field",
			"inboundTag": [
			  "dns-in"
			],
			"outboundTag": "dns-out"
		},
		{
			"type": "field",
			"inboundTag": [
				"transparent"
			],
			"port": 123,
			"network": "udp",
			"outboundTag": "direct" 
		},
		{
			"type":"field",
			"ip": [
				"8.8.8.8",
				"1.1.1.1"
			],
			"balancerTag": "b1"
		},
		{
			"type": "field", 
			"ip": [
				"223.5.5.5",
				"114.114.114.114"
			],
			"outboundTag": "direct"
		},
		{
			"type": "field", 
			"domain": [
				"geosite:category-ads-all"
			],
			"outboundTag": "block"
		},
		{// BT 流量直连
			"type": "field",
			"protocol":["bittorrent"], 
			"outboundTag": "direct"
		},
		{
			"type": "field", 
			"ip": [
				"geoip:private",
				"geoip:cn"
			],
			"outboundTag": "direct"
		},
		{
			"type": "field",
			"balancerTag": "b1", 
			"domain": "github.com"
		},
		{
			"type": "field", 
			"domain": [
				"geosite:cn",
				"ghproxy.com",
			],
			"outboundTag": "direct"
		}
	]
}

}
iptables:

iptables -t mangle -A V2RAY -s 127.0.0.1/32 -j RETURN
iptables -t mangle -A V2RAY -d 127.0.0.1/32 -j RETURN
iptables -t mangle -A V2RAY -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A V2RAY -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A V2RAY -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A V2RAY -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY -p udp --dport 53 -j RETURN
iptables -t mangle -A V2RAY -p udp --dport 123 -j RETURN
iptables -t mangle -A V2RAY -m mark --mark 0xff -j RETURN
iptables -t mangle -A V2RAY -p udp -j TPROXY --on-ip 127.0.0.1 --on-port 12345 --tproxy-mark 1
iptables -t mangle -A V2RAY -p tcp -j TPROXY --on-ip 127.0.0.1 --on-port 12345 --tproxy-mark 1
iptables -t mangle -A PREROUTING -j V2RAY

iptables -t mangle -A V2RAY_MASK -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY_MASK -s 127.0.0.1/32 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 127.0.0.1/32 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY_MASK -s 192.168.50.6/32 -j RETURN
iptables -t mangle -A V2RAY_MASK -p udp --dport 123 -j RETURN
iptables -t mangle -A V2RAY_MASK -p udp --sport 123 -j RETURN
iptables -t mangle -A V2RAY_MASK -j RETURN -m mark --mark 0xff
iptables -t mangle -A V2RAY_MASK -p udp -j MARK --set-mark 1
iptables -t mangle -A V2RAY_MASK -p tcp -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -j V2RAY_MASK

iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT
日志：
2022/05/20 13:56:59 192.168.50.6:39190 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:36765 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:43278 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:59756 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:43345 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:42892 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:52687 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:56064 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:57520 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:43684 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:47065 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:47443 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:49894 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:54372 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:39915 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:42407 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:41978 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:33355 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:42947 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:41201 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:50273 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:55484 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:44314 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:50827 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:49305 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:49850 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:50322 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:33745 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:58298 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:39663 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:48249 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:60106 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:49807 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:55673 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:59335 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:56:59 192.168.50.6:41051 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:57:10 192.168.50.98:54501 accepted udp:192.168.50.6:53 [dns-out]
2022/05/20 13:57:49 192.168.50.98:60503 accepted udp:192.168.50.6:53 [dns-out]

[dongxicc]

一开始google找的教材,也是有dns解析回流 ,后来我按照这个官方白话文档 一步一步配置的 透明代理 ,没有这个问题了
https://guide.v2fly.org/app/tproxy.html 你可以看看

[shayulei]

本来是想直接开放53端口，现在已经改成对53端口的UDP包抓包转发。改成CPU低了不少

[kulongwangzhi85]

我在v2ray的上游，使用其它dns服务器。
"inbounds": [
{
"tag": "dns-in",
"port": 53,
"timeout": 6,
"followRedirect": false,
"protocol": "dokodemo-door",
"settings": {
"address": "127.0.0.1",
"port": 5353,
"network": "tcp,udp"
}
},
{}
],
"outbounds": [
{
"protocol": "dns",
"tag": "dns-out",
"address": "127.0.0.1",
"port": 5353,
"proxySettings": {
"tag": "direct",
"transportLayer": true
}
},
{}
],
"routing": {
"settings": {
"rules": [
{
"type": "field",
"inboundTag": [
"dns-in"
],
"network": "udp,tcp",
"outboundTag": "dns-out"
},
{}
}

[oit63]

它dns循环有很多种原因，最好就是不要用它作为dns服务器。
另外加这两条的原因不知道你是不是想不代理本机流量
iptables -t mangle -A V2RAY -s 127.0.0.1/32 -j RETURN
iptables -t mangle -A V2RAY_MASK -s 127.0.0.1/32 -j RETURN
第二条会把本机流量返回到第一条的位置，然后第一条又会返回，就是等于不代理本机流量

[oit63]

iptables -t mangle -A V2RAY -p udp --dport 53 -j RETURN
首先能从这条看出来你没有代理53端口
那么为什么循环了，
我猜测你resolve.conf 里面设置的nameserver 127.0.0.1
以下论述基于以上假设

		{ 
			"type": "field",
			"inboundTag": [
			  "dns-in"
			],
			"outboundTag": "dns-out"
		},

这一条路由

{
	"tag":"dns-out",
	"protocol":"dns",
	"settings": {
		"level": "1"
	},
	"streamSettings": {
		"sockopt": {
			"mark": 255
		}
	}
   }

加上这个设置，它的意思是给dns出口流量打上标签，直接走系统的路由
客户端请求-53->v2ray:53->本机->本机:53端口->v2ray:53->本机:53端口
看出来循环没有