unknown domain
Closed this issue · 8 comments
Fastly error: unknown domain: github.com. Please check that this domain has been added to a service.
Details: cache-bfi-kbfi7400045-BFI
Accessing the site often shows an "unknown domain" prompt, even though the corresponding domain name has been added to the domain list.
image version used: ghcr.io/mosajjal/sniproxy:v2.0.2
```yaml
general:
  # Upstream DNS URI. examples: udp://1.1.1.1:53, tcp://1.1.1.1:53, tcp-tls://1.1.1.1:853, https://dns.google/dns-query
  upstream_dns: udp://1.1.1.1:53
  # Use a SOCKS proxy for upstream HTTP/HTTPS traffic. Example: socks5://admin:
  upstream_socks5:
  # DNS Port to listen on. Should remain 53 in most cases. MUST NOT be empty
  bind_dns_over_udp: "0.0.0.0:53"
  # enable DNS over TCP. empty disables it. example: "127.0.0.1:53"
  bind_dns_over_tcp: "0.0.0.0:53"
  # enable DNS over TLS. empty disables it. example: "127.0.0.1:853"
  bind_dns_over_tls:
  # enable DNS over QUIC. empty disables it. example: "127.0.0.1:8853"
  bind_dns_over_quic:
  # Path to the certificate for DoH, DoT and DoQ. eg: /tmp/mycert.pem
  tls_cert:
  # Path to the certificate key for DoH, DoT and DoQ. eg: /tmp/mycert.key
  tls_key:
  # HTTP Port to listen on. Should remain 80 in most cases
  bind_http: "0.0.0.0:80"
  # HTTPS Port to listen on. Should remain 443 in most cases
  bind_https: "0.0.0.0:443"
  # Enable prometheus endpoint on IP:PORT. example: 127.0.0.1:8080. Always exposes /metrics and only supports HTTP
  bind_prometheus:
  # Interface used for outbound TLS connections. uses the OS preferred one if empty
  interface:
  # Public IPv4 of the server, reply address of DNS A queries
  public_ipv4: "100.106.241.93"
  # Public IPv6 of the server, reply address of DNS AAAA queries
  public_ipv6: "fd7a:115c:a1e0:ab12:4843:cd96:626a:f15d"
  # log level for the application. choices: debug, info, warn, error
  # by default, the logs are colored so they are not suited for logging to a file.
  # in order to disable colors, set NO_COLOR=true in the environment variables
  log_level: info
acl:
  # geoip filtering
  #
  # the logic is as follows:
  # 1. if mmdb is not loaded or not available, it's fail-open (allow by default)
  # 2. if the IP can't be resolved to a country, it's rejected
  # 3. if the country is in the blocked list, it's rejected
  # 4. if the country is in the allowed list, it's allowed
  # note that the reject list is checked first and takes priority over the allow list
  # if the IP's country doesn't match any of the above, it's allowed if the blocked list is not empty
  # for example, if the blockedlist is [US] and the allowedlist is empty, a connection from
  # CA will be allowed. but if blockedlist is empty and allowedlist is [US], a connection from
  # CA will be rejected.
  geoip:
    enabled: false
    # priority of the geoip filter. lower priority means it's checked first, meaning it can be overridden by other ACLs with a higher priority number.
    priority: 10
    # strictly blocked countries
    blocked:
    # allowed countries
    allowed:
    # Path to the MMDB file. eg: /tmp/Country.mmdb, https://raw.githubusercontent.com/Loyalsoldier/geoip/release/Country.mmdb
    path: /opt/sniproxy/Country.mmdb
    # Interval to re-fetch the MMDB file
    refresh_interval: 24h0m0s
  # domain filtering
  domain:
    enabled: true # false means ALL domains will be allowed to go through the proxy
    # priority of the domain filter. lower priority means it's checked first. if multiple filters have the same priority, they're checked in random order
    priority: 20
    # Path to the domain list. eg: /tmp/domainlist.csv. Look at the example file for the format.
    path: /opt/sniproxy/domains.csv
    # Interval to re-fetch the domain list
    refresh_interval: 1h0m0s
  # IP/CIDR filtering
  cidr:
    enabled: true
    # priority of the cidr filter. lower priority means it's checked first. if multiple filters have the same priority, they're checked in random order
    priority: 30
    # Path to the CIDR list. eg: /tmp/cidr.csv. Look at the example file for the format.
    path: /opt/sniproxy/cidr.csv
    # Interval to re-fetch the CIDR list
    refresh_interval: 1h0m0s
  # FQDN override. This ACL is used to override the destination IP to not be the one resolved by the upstream DNS or the proxy itself, rather a custom IP and port
  # if the destination is HTTP, it uses tls_cert and tls_key certificate to terminate the original connection.
  override:
    enabled: false
    # priority of the override filter. lower priority means it's checked first. if multiple filters have the same priority, they're checked in random order
    priority: 40
    # override rules. unlike others, this one does not require a path to a file. it's a map of FQDN wildcards to IPs and ports. only HTTPS is supported
    # currently, these rules are checked with a simple for loop and string matching,
    # so it's not suited for a large number of rules. if you have a big list of rules
    # use a reverse proxy in front of sniproxy rather than using sniproxy as a reverse proxy
    rules:
      "one.one.one.one": "1.1.1.1:443"
      "google.com": "8.8.8.8:443"
    # enable listening on DoH on a specific SNI. example: "myawesomedoh.example.com". empty disables it. If you need DoH to be enabled and don't want
    # any other overrides, enable this ACL with empty rules. DoH SNI will add a default rule and start.
    doh_sni: "myawesomedoh.example.com"
    # Path to the certificate for handling tls decryption. eg: /tmp/mycert.pem
    tls_cert:
    # Path to the certificate key for handling tls decryption. eg: /tmp/mycert.key
    tls_key:
```
Hi. What are you trying to do? I can't understand what Fastly is doing in there.
I have the domain github.com configured in my service, but I am often prompted with "unknown domain", and it works fine after I configure "domain: enabled: false". Is there a matching issue with this piece? I restarted the service and it works fine.
I don't believe you can add a domain you don't own in Fastly. Might that be the issue?
I have now turned off the service of the ACL domain name list, but similar errors still occur frequently.
Is there some similar QoS restriction? I see that api.github.com is always requesting.
Found that the problem seems to occur after the domain list is reloaded every hour.
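A way to narrow down the "happens after the hourly reload" observation, added here as an example and not code from the sniproxy project or from anyone in this thread: sniproxy answers A/AAAA queries for proxied names with its own `public_ipv4`/`public_ipv6`, and anything the domain ACL does not match gets a normal upstream answer, so the client connects directly and never goes through the SNI proxy. The program below points a stdlib Go resolver at the sniproxy DNS listener, polls one name every 30 seconds for two hours (two `refresh_interval` cycles) and logs each time the answer flips between "the proxy's address" and "some other address". If the flips line up with the reload, the list refresh is momentarily dropping the name; if the name is always proxied, the Fastly edge is being reached through the proxy and the list is not the cause. The public addresses are the ones from the config above; the proxy DNS address (for example `127.0.0.1:53`), the name and the polling schedule are assumptions of this example.

```go
// sniwatch: poll a sniproxy DNS listener and report whether a name is being
// steered to the proxy (answer == public_ipv4/public_ipv6) or handed back an
// upstream answer (client goes direct). Added diagnostic, not sniproxy code.
package main

import (
	"context"
	"fmt"
	"net"
	"os"
	"time"
)

// Verdict classifies one DNS answer set observed from the proxy.
type Verdict string

const (
	Proxied  Verdict = "proxied"   // every address is the proxy's own: TLS will be routed by SNI
	Direct   Verdict = "direct"    // at least one address is not the proxy's: client bypasses sniproxy
	NoAnswer Verdict = "no-answer" // empty answer set (lookup failed or the name was refused)
)

// canonical normalizes textual IPs so equivalent spellings compare equal;
// unparsable strings are kept verbatim so they never match a public address.
func canonical(s string) string {
	if ip := net.ParseIP(s); ip != nil {
		return ip.String()
	}
	return s
}

// Classify decides whether the answers point at the proxy's public addresses.
func Classify(answers, publicIPs []string) Verdict {
	if len(answers) == 0 {
		return NoAnswer
	}
	own := make(map[string]bool, len(publicIPs))
	for _, p := range publicIPs {
		own[canonical(p)] = true
	}
	for _, a := range answers {
		if !own[canonical(a)] {
			return Direct
		}
	}
	return Proxied
}

// Transitions returns the sample indices at which the verdict differs from the
// previous sample; a flip right after the hourly list refresh is what we are hunting.
func Transitions(samples []Verdict) []int {
	var idx []int
	for i := 1; i < len(samples); i++ {
		if samples[i] != samples[i-1] {
			idx = append(idx, i)
		}
	}
	return idx
}

// resolverAt builds a stdlib resolver that sends every query to the proxy's
// DNS listener (assumed address such as "127.0.0.1:53") instead of the system resolver.
func resolverAt(proxyDNS string) *net.Resolver {
	return &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 3 * time.Second}
			return d.DialContext(ctx, network, proxyDNS)
		},
	}
}

func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: sniwatch <proxy-dns-addr> <name>   e.g. sniwatch 127.0.0.1:53 github.com")
		os.Exit(2)
	}
	proxyDNS, name := os.Args[1], os.Args[2]
	// public_ipv4 / public_ipv6 from the config in this thread; replace with your own.
	publicIPs := []string{"100.106.241.93", "fd7a:115c:a1e0:ab12:4843:cd96:626a:f15d"}
	r := resolverAt(proxyDNS)
	var samples []Verdict
	for i := 0; i < 240; i++ { // 240 samples x 30s = 2h, spanning two 1h refresh_interval cycles
		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
		addrs, err := r.LookupHost(ctx, name)
		cancel()
		if err != nil {
			addrs = nil // treated as NoAnswer; the error itself is not interesting for the flip
		}
		v := Classify(addrs, publicIPs)
		samples = append(samples, v)
		if n := len(samples); n == 1 || samples[n-1] != samples[n-2] {
			fmt.Printf("%s %s -> %s %v\n", time.Now().Format(time.RFC3339), name, v, addrs)
		}
		time.Sleep(30 * time.Second)
	}
	fmt.Printf("verdict changed at sample indices %v\n", Transitions(samples))
}
```

Run it from a client host that uses the proxy as its resolver, e.g. `go run sniwatch.go 127.0.0.1:53 github.com`, and keep the log next to the proxy's own output at `log_level: debug` so a flip can be matched against the list reload time. A `direct` answer for a name you expect to be proxied means the client will send its ClientHello (and SNI) to whatever address upstream DNS returned, not to sniproxy; that is the situation in which a CDN edge that does not serve the name can answer with an "unknown domain" page.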