Integrity requirements
- I have read all the comments in the issue template and ensured that this issue meets the requirements.
- I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
- I provided the complete config and logs, rather than just providing the truncated parts based on my own judgment.
- I searched issues and did not find any similar issues.
- The problem can be successfully reproduced in the latest Release
Description
When looking up the IP addresses of a WireGuard endpoint, Xray will panic when the DNS module returns an empty response, whether due to temporary network connectivity issues or the domain being IPv6-only when Xray expects an IPv4 address and vice versa.
Reproduction Method
- Run Xray with the config in the "Client config" section
- Open another terminal and run
  curl -v --proxy http://127.0.0.1:9999 http://example.org
- Observe the output
Client config
{
  "log": {
    "loglevel": "debug",
    "dnsLog": true
  },
  "dns": {
    "servers": [
      {
        "address": "tcp+local://8.8.8.8",
        "finalQuery": false,
        "skipFallback": false
      }
    ],
    "queryStrategy": "UseIP",
    "disableCache": false,
    "disableFallback": false,
    "disableFallbackIfMatch": false,
    "useSystemHosts": false,
    "tag": "dns_inbound"
  },
  "routing": {
    "domainStrategy": "AsIs",
    "domainMatcher": "hybrid",
    "rules": [
      {
        "type": "field",
        "inboundTag": [
          "http-inbound"
        ],
        "outboundTag": "wireguard"
      }
    ]
  },
  "outbounds": [
    {
      "protocol": "wireguard",
      "tag": "wireguard",
      "settings": {
        "domainStrategy": "ForceIPv4",
        "secretKey": "2EGRl2bumDmzUjcOVTjkPEO+QK0hT/CzzCJE3SGu50Y=",
        "address": [
          "10.8.0.6/32"
        ],
        "peers": [
          {
            "endpoint": "nonexistent.testing.com:12345",
            "publicKey": "2965N0NtiKwmMMyve/1A8lsc+UzlRWA3HNIel18Zv24=",
            "preSharedKey": "H7GtV1Lp3BlR1vtoO4MUPdlwFMJe1x2jUkl03RXlUSg=",
            "keepAlive": 0,
            "allowedIPs": [
              "0.0.0.0/0"
            ]
          }
        ],
        "noKernelTun": false,
        "mtu": 1408
      }
    }
  ],
  "inbounds": [
    {
      "port": 9999,
      "listen": "127.0.0.1",
      "protocol": "http",
      "tag": "http-inbound",
      "settings": {
        "allowTransparent": false,
        "userLevel": 0
      }
    }
  ]
}
Server config
Not applicable
Client log
$ sudo xray run -confdir /mnt/testing/xray/
Xray 25.8.3 (Xray, Penetrates Everything.) Custom (go1.24.5 linux/amd64)
A unified platform for anti-censorship.
2025/08/24 02:45:39.618065 Using confdir from arg: /mnt/testing/xray/
2025/08/24 02:45:39.618655 [Info] infra/conf/serial: Reading config: &{Name:/mnt/testing/xray/config.json Format:json}
2025/08/24 02:45:39.620433 [Debug] app/log: Logger started
2025/08/24 02:45:39.620673 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:9999
2025/08/24 02:45:39.621061 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:9999
2025/08/24 02:45:39.621086 [Warning] core: Xray 25.8.3 started
2025/08/24 02:45:43.167069 from 127.0.0.1:53316 accepted http://example.org/ [http-inbound -> wireguard]
2025/08/24 02:45:43.167141 [Info] [3954028067] proxy/http: request to Method [GET] Host [example.org] with URL [http://example.org/]
2025/08/24 02:45:43.167280 [Info] [3954028067] app/dispatcher: taking detour [wireguard] for [tcp:example.org:80]
2025/08/24 02:45:43.167302 [Info] switching dialer
2025/08/24 02:45:43.167316 [Warning] proxy/wireguard: Using kernel TUN.
2025/08/24 02:45:43.170931 [Debug] app/dns: domain nonexistent.testing.com will use DNS in order: [TCPL//8.8.8.8:53]
2025/08/24 02:45:43.170969 [Debug] app/dns: TCPL//8.8.8.8:53 querying DNS for: nonexistent.testing.com.
2025/08/24 02:45:43.170976 [Debug] transport/internet: dialing to tcp:8.8.8.8:53
2025/08/24 02:45:43.387263 [Info] app/dns: TCPL//8.8.8.8:53 got answer: nonexistent.testing.com. TypeA -> [] 216.152126ms
2025/08/24 02:45:43.387326 [Info] app/dns: failed to lookup ip for domain nonexistent.testing.com at server TCPL//8.8.8.8:53 > rcode: 3
2025/08/24 02:45:43.387341 [Info] [3954028067] proxy/wireguard: createIPCRequest failed to lookup DNS > app/dns: returning nil for domain nonexistent.testing.com > rcode: 3
2025/08/24 02:45:43.387363 TCPL//8.8.8.8:53 got answer: nonexistent.testing.com -> [] 216.302237ms
2025/08/24 02:45:43.387440 [Debug] Routine: handshake worker 2 - started
2025/08/24 02:45:43.387448 [Debug] Routine: handshake worker 3 - started
2025/08/24 02:45:43.387451 [Debug] Routine: encryption worker 3 - started
2025/08/24 02:45:43.387455 [Debug] Routine: decryption worker 3 - started
2025/08/24 02:45:43.387458 [Debug] Routine: encryption worker 1 - started
2025/08/24 02:45:43.387461 [Debug] Routine: decryption worker 1 - started
2025/08/24 02:45:43.387464 [Debug] Routine: encryption worker 2 - started
2025/08/24 02:45:43.387467 [Debug] Routine: decryption worker 2 - started
2025/08/24 02:45:43.387470 [Debug] Routine: decryption worker 10 - started
2025/08/24 02:45:43.387473 [Debug] Routine: encryption worker 4 - started
2025/08/24 02:45:43.387476 [Debug] Routine: decryption worker 4 - started
2025/08/24 02:45:43.387479 [Debug] UAPI: Updating private key
2025/08/24 02:45:43.387495 [Debug] Routine: handshake worker 4 - started
2025/08/24 02:45:43.387501 [Debug] Routine: handshake worker 13 - started
2025/08/24 02:45:43.387504 [Debug] Routine: handshake worker 10 - started
2025/08/24 02:45:43.387508 [Debug] Routine: encryption worker 11 - started
2025/08/24 02:45:43.387544 [Debug] Routine: decryption worker 11 - started
2025/08/24 02:45:43.387550 [Debug] Routine: handshake worker 11 - started
2025/08/24 02:45:43.387554 [Debug] Routine: encryption worker 12 - started
2025/08/24 02:45:43.387559 [Debug] Routine: handshake worker 1 - started
2025/08/24 02:45:43.387569 [Debug] Routine: decryption worker 12 - started
2025/08/24 02:45:43.387574 [Debug] Routine: handshake worker 12 - started
2025/08/24 02:45:43.387579 [Debug] Routine: decryption worker 15 - started
2025/08/24 02:45:43.387584 [Debug] Routine: decryption worker 13 - started
2025/08/24 02:45:43.387588 [Debug] Routine: encryption worker 14 - started
2025/08/24 02:45:43.387592 [Debug] Routine: encryption worker 15 - started
2025/08/24 02:45:43.387596 [Debug] Routine: handshake worker 14 - started
2025/08/24 02:45:43.387603 [Debug] Routine: decryption worker 7 - started
2025/08/24 02:45:43.387606 [Debug] Routine: decryption worker 14 - started
2025/08/24 02:45:43.387612 [Debug] Routine: encryption worker 5 - started
2025/08/24 02:45:43.387616 [Debug] Routine: decryption worker 16 - started
2025/08/24 02:45:43.387619 [Debug] Routine: decryption worker 5 - started
2025/08/24 02:45:43.387627 [Debug] Routine: handshake worker 15 - started
2025/08/24 02:45:43.387635 [Debug] Routine: encryption worker 16 - started
2025/08/24 02:45:43.387639 [Debug] peer(AAAA…AAAA) - UAPI: Updating preshared key
2025/08/24 02:45:43.387643 [Debug] peer(AAAA…AAAA) - UAPI: Updating endpoint
2025/08/24 02:45:43.387647 [Debug] Routine: handshake worker 16 - started
2025/08/24 02:45:43.387651 [Debug] Routine: handshake worker 5 - started
2025/08/24 02:45:43.387665 [Debug] app/dns: domain nonexistent.testing.com will use DNS in order: [TCPL//8.8.8.8:53]
2025/08/24 02:45:43.387669 [Debug] Routine: encryption worker 6 - started
2025/08/24 02:45:43.387673 [Debug] Routine: handshake worker 8 - started
2025/08/24 02:45:43.387679 [Debug] Routine: decryption worker 6 - started
2025/08/24 02:45:43.387682 [Debug] Routine: handshake worker 7 - started
2025/08/24 02:45:43.387686 [Debug] Routine: encryption worker 8 - started
2025/08/24 02:45:43.387689 [Debug] Routine: handshake worker 6 - started
2025/08/24 02:45:43.387692 [Debug] Routine: decryption worker 8 - started
2025/08/24 02:45:43.387701 [Debug] app/dns: TCPL//8.8.8.8:53 cache HIT nonexistent.testing.com -> [] > rcode: 3
2025/08/24 02:45:43.387706 [Debug] Routine: encryption worker 13 - started
2025/08/24 02:45:43.387711 [Debug] Routine: encryption worker 7 - started
2025/08/24 02:45:43.387692 TCPL//8.8.8.8:53 cache HIT: nonexistent.testing.com -> []
2025/08/24 02:45:43.387715 [Debug] Routine: TUN reader - started
2025/08/24 02:45:43.387737 [Debug] Routine: event worker - started
2025/08/24 02:45:43.387743 [Info] app/dns: failed to lookup ip for domain nonexistent.testing.com at server TCPL//8.8.8.8:53 > rcode: 3
2025/08/24 02:45:43.387747 [Debug] Interface up requested
2025/08/24 02:45:43.387749 [Debug] Routine: decryption worker 9 - started
2025/08/24 02:45:43.387751 [Debug] Routine: encryption worker 9 - started
2025/08/24 02:45:43.387757 [Error] IPC error -22: failed to set endpoint nonexistent.testing.com:12345: app/dns: returning nil for domain nonexistent.testing.com > rcode: 3
2025/08/24 02:45:43.387760 [Debug] Routine: handshake worker 9 - started
2025/08/24 02:45:43.387762 [Debug] Routine: encryption worker 10 - started
2025/08/24 02:45:43.387765 [Debug] UDP bind has been updated
2025/08/24 02:45:43.387843 [Debug] Interface state was Down, requested Up, now Up
2025/08/24 02:45:43.387887 [Debug] Device closing
2025/08/24 02:45:43.387928 [Debug] Interface up requested
2025/08/24 02:45:43.393618 [Debug] Routine: receive incoming Open - started
2025/08/24 02:45:43.395224 [Debug] Routine: TUN reader - stopped
2025/08/24 02:45:43.397725 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:45:43.731654 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:45:44.065240 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:45:44.398780 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:45:44.732345 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:45:45.065870 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:45:45.399476 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:45:45.733035 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:45:46.066641 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:45:46.400482 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:45:46.734865 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:45:46.734931 [Debug] Routine: receive incoming Open - stopped
panic: close of closed channel
goroutine 31 [running]:
github.com/xtls/xray-core/proxy/wireguard.(*netBind).Close(...)
github.com/xtls/xray-core/proxy/wireguard/bind.go:118
github.com/xtls/xray-core/proxy/wireguard.(*Handler).processWireGuard.func1()
github.com/xtls/xray-core/proxy/wireguard/client.go:132 +0x2e
github.com/xtls/xray-core/proxy/wireguard.(*Handler).processWireGuard(0xc00039ca80, {0x5581224cb5a0, 0xc0003e6780}, {0x5581224c8d30, 0xc0003e4750})
github.com/xtls/xray-core/proxy/wireguard/client.go:138 +0x3c2
github.com/xtls/xray-core/proxy/wireguard.(*Handler).Process(0xc00039ca80, {0x5581224cb5a0, 0xc0003e6780}, 0xc00035e3e0, {0x5581224c8d30, 0xc0003e4750})
github.com/xtls/xray-core/proxy/wireguard/client.go:153 +0x113
github.com/xtls/xray-core/app/proxyman/outbound.(*Handler).Dispatch(0xc0003e4750, {0x5581224cb5a0, 0xc0003e6780}, 0xc00035e3e0)
github.com/xtls/xray-core/app/proxyman/outbound/handler.go:215 +0x388
github.com/xtls/xray-core/app/dispatcher.(*DefaultDispatcher).routedDispatch(0xc0003d2ff0, {0x5581224cb5a0, 0xc0003e6780}, 0xc00035e3e0, {{0x5581224cb338, 0xc0003d0190}, 0x50, 0x2})
github.com/xtls/xray-core/app/dispatcher/default.go:475 +0xa66
created by github.com/xtls/xray-core/app/dispatcher.(*DefaultDispatcher).Dispatch in goroutine 30
github.com/xtls/xray-core/app/dispatcher/default.go:264 +0x56c
If we replace nonexistent.testing.com with ip6only.me (an IPv6-only domain), we get the following output:
$ sudo xray run -confdir /mnt/testing/xray/
Xray 25.8.3 (Xray, Penetrates Everything.) Custom (go1.24.5 linux/amd64)
A unified platform for anti-censorship.
2025/08/24 02:47:38.573967 Using confdir from arg: /mnt/testing/xray/
2025/08/24 02:47:38.574420 [Info] infra/conf/serial: Reading config: &{Name:/mnt/testing/xray/config.json Format:json}
2025/08/24 02:47:38.576612 [Debug] app/log: Logger started
2025/08/24 02:47:38.576890 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:9999
2025/08/24 02:47:38.577234 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:9999
2025/08/24 02:47:38.577254 [Warning] core: Xray 25.8.3 started
2025/08/24 02:47:41.933189 [Info] [820789559] proxy/http: request to Method [GET] Host [example.org] with URL [http://example.org/]
2025/08/24 02:47:41.933224 [Info] [820789559] app/dispatcher: taking detour [wireguard] for [tcp:example.org:80]
2025/08/24 02:47:41.933231 [Info] switching dialer
2025/08/24 02:47:41.933239 [Warning] proxy/wireguard: Using kernel TUN.
2025/08/24 02:47:41.933263 from 127.0.0.1:41880 accepted http://example.org/ [http-inbound -> wireguard]
2025/08/24 02:47:41.937628 [Debug] app/dns: domain ip6only.me will use DNS in order: [TCPL//8.8.8.8:53]
2025/08/24 02:47:41.937673 [Debug] app/dns: TCPL//8.8.8.8:53 querying DNS for: ip6only.me.
2025/08/24 02:47:41.937680 [Debug] transport/internet: dialing to tcp:8.8.8.8:53
2025/08/24 02:47:42.093982 [Info] app/dns: TCPL//8.8.8.8:53 got answer: ip6only.me. TypeA -> [] 156.250112ms
2025/08/24 02:47:42.094019 [Info] app/dns: failed to lookup ip for domain ip6only.me at server TCPL//8.8.8.8:53 > features/dns: empty response
2025/08/24 02:47:42.094030 [Info] [820789559] proxy/wireguard: createIPCRequest failed to lookup DNS > features/dns: empty response
2025/08/24 02:47:42.094161 TCPL//8.8.8.8:53 got answer: ip6only.me -> [] 156.354452ms
2025/08/24 02:47:42.094225 [Debug] Routine: decryption worker 1 - started
2025/08/24 02:47:42.094244 [Debug] Routine: encryption worker 1 - started
2025/08/24 02:47:42.094267 [Debug] Routine: encryption worker 8 - started
2025/08/24 02:47:42.094281 [Debug] Routine: encryption worker 12 - started
2025/08/24 02:47:42.094287 [Debug] Routine: decryption worker 8 - started
2025/08/24 02:47:42.094293 [Debug] UAPI: Updating private key
2025/08/24 02:47:42.094299 [Debug] Routine: handshake worker 8 - started
2025/08/24 02:47:42.094307 [Debug] Routine: encryption worker 9 - started
2025/08/24 02:47:42.094312 [Debug] Routine: decryption worker 9 - started
2025/08/24 02:47:42.094319 [Debug] Routine: handshake worker 9 - started
2025/08/24 02:47:42.094325 [Debug] Routine: encryption worker 10 - started
2025/08/24 02:47:42.094330 [Debug] Routine: decryption worker 10 - started
2025/08/24 02:47:42.094338 [Debug] Routine: handshake worker 10 - started
2025/08/24 02:47:42.094343 [Debug] Routine: encryption worker 11 - started
2025/08/24 02:47:42.094354 [Debug] Routine: decryption worker 11 - started
2025/08/24 02:47:42.094365 [Debug] Routine: handshake worker 11 - started
2025/08/24 02:47:42.094386 [Debug] Routine: encryption worker 3 - started
2025/08/24 02:47:42.094393 [Debug] Routine: handshake worker 1 - started
2025/08/24 02:47:42.094404 [Debug] Routine: encryption worker 2 - started
2025/08/24 02:47:42.094410 [Debug] Routine: decryption worker 2 - started
2025/08/24 02:47:42.094421 [Debug] Routine: handshake worker 4 - started
2025/08/24 02:47:42.094430 [Debug] Routine: handshake worker 2 - started
2025/08/24 02:47:42.094444 [Debug] Routine: encryption worker 4 - started
2025/08/24 02:47:42.094454 [Debug] Routine: decryption worker 3 - started
2025/08/24 02:47:42.094467 [Debug] Routine: decryption worker 4 - started
2025/08/24 02:47:42.094477 [Debug] Routine: handshake worker 3 - started
2025/08/24 02:47:42.094484 [Debug] Routine: decryption worker 6 - started
2025/08/24 02:47:42.094497 [Debug] Routine: encryption worker 5 - started
2025/08/24 02:47:42.094508 [Debug] Routine: encryption worker 6 - started
2025/08/24 02:47:42.094559 [Debug] Routine: handshake worker 5 - started
2025/08/24 02:47:42.094568 [Debug] Routine: decryption worker 5 - started
2025/08/24 02:47:42.094575 [Debug] Routine: handshake worker 6 - started
2025/08/24 02:47:42.094574 TCPL//8.8.8.8:53 cache HIT: ip6only.me -> []
2025/08/24 02:47:42.094583 [Debug] Routine: handshake worker 14 - started
2025/08/24 02:47:42.094637 [Debug] Routine: decryption worker 16 - started
2025/08/24 02:47:42.094650 [Debug] Routine: encryption worker 15 - started
2025/08/24 02:47:42.094661 [Debug] Routine: handshake worker 15 - started
2025/08/24 02:47:42.094671 [Debug] peer(AAAA…AAAA) - UAPI: Updating preshared key
2025/08/24 02:47:42.094681 [Debug] peer(AAAA…AAAA) - UAPI: Updating endpoint
2025/08/24 02:47:42.094690 [Debug] Routine: encryption worker 16 - started
2025/08/24 02:47:42.094719 [Debug] app/dns: domain ip6only.me will use DNS in order: [TCPL//8.8.8.8:53]
2025/08/24 02:47:42.094730 [Debug] Routine: event worker - started
2025/08/24 02:47:42.094740 [Debug] Interface up requested
2025/08/24 02:47:42.094756 [Info] app/dns: TCPL//8.8.8.8:53 cache HIT ip6only.me -> [] > features/dns: empty response
2025/08/24 02:47:42.094773 [Info] app/dns: failed to lookup ip for domain ip6only.me at server TCPL//8.8.8.8:53 > features/dns: empty response
2025/08/24 02:47:42.094789 [Error] IPC error -22: failed to set endpoint ip6only.me:12345: features/dns: empty response
2025/08/24 02:47:42.094802 [Debug] UDP bind has been updated
2025/08/24 02:47:42.095305 [Debug] Interface state was Down, requested Up, now Up
2025/08/24 02:47:42.095339 [Debug] Routine: receive incoming Open - started
2025/08/24 02:47:42.095346 [Debug] Interface up requested
2025/08/24 02:47:42.095353 [Debug] Device closing
2025/08/24 02:47:42.097489 [Debug] Routine: TUN reader - stopped
2025/08/24 02:47:42.108713 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:47:42.442377 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:47:42.776249 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:47:43.109858 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:47:43.443508 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:47:43.777683 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:47:44.111587 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:47:44.445560 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:47:44.779236 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:47:45.112972 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:47:45.446706 [Debug] Failed to receive Open packet: channel closed
2025/08/24 02:47:45.446756 [Debug] Routine: receive incoming Open - stopped
2025/08/24 02:47:45.446767 [Debug] Device closed
panic: close of closed channel
goroutine 36 [running]:
github.com/xtls/xray-core/proxy/wireguard.(*netBind).Close(...)
github.com/xtls/xray-core/proxy/wireguard/bind.go:118
github.com/xtls/xray-core/proxy/wireguard.(*Handler).processWireGuard.func1()
github.com/xtls/xray-core/proxy/wireguard/client.go:132 +0x2e
github.com/xtls/xray-core/proxy/wireguard.(*Handler).processWireGuard(0xc00039ca80, {0x558dfa99d5a0, 0xc000288390}, {0x558dfa99ad30, 0xc0003e4750})
github.com/xtls/xray-core/proxy/wireguard/client.go:138 +0x3c2
github.com/xtls/xray-core/proxy/wireguard.(*Handler).Process(0xc00039ca80, {0x558dfa99d5a0, 0xc000288390}, 0xc00035e3e0, {0x558dfa99ad30, 0xc0003e4750})
github.com/xtls/xray-core/proxy/wireguard/client.go:153 +0x113
github.com/xtls/xray-core/app/proxyman/outbound.(*Handler).Dispatch(0xc0003e4750, {0x558dfa99d5a0, 0xc000288390}, 0xc00035e3e0)
github.com/xtls/xray-core/app/proxyman/outbound/handler.go:215 +0x388
github.com/xtls/xray-core/app/dispatcher.(*DefaultDispatcher).routedDispatch(0xc0003d4ff0, {0x558dfa99d5a0, 0xc000288390}, 0xc00035e3e0, {{0x558dfa99d338, 0xc0002820d0}, 0x50, 0x2})
github.com/xtls/xray-core/app/dispatcher/default.go:475 +0xa66
created by github.com/xtls/xray-core/app/dispatcher.(*DefaultDispatcher).Dispatch in goroutine 35
github.com/xtls/xray-core/app/dispatcher/default.go:264 +0x56c
Server log
Not applicable
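The failure class behind both traces, as an added example that is not part of the original issue and not Xray's code: a `Close` method that closes a channel unconditionally panics when two cleanup paths both call it, while a `sync.Once` guard makes it idempotent. The names `fragileBind`, `safeBind`, `setup` and `errEmptyResponse` are hypothetical, and the sequence (device teardown closes the bind, then the caller's cleanup closes it again) is an assumption inferred from the "Device closing" log line and the `netBind.Close` frame.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// fragileBind is a hypothetical bind whose Close closes its channel unconditionally.
type fragileBind struct{ done chan struct{} }

func (b *fragileBind) Close() error {
	close(b.done) // a second call panics: "close of closed channel"
	return nil
}

// safeBind makes Close idempotent, so overlapping cleanup paths are harmless.
type safeBind struct {
	done chan struct{}
	once sync.Once
}

func (b *safeBind) Close() error {
	b.once.Do(func() { close(b.done) })
	return nil
}

type closer interface{ Close() error }

// errEmptyResponse is a constructed stand-in for the DNS failure in the logs.
var errEmptyResponse = errors.New("empty response")

// setup models the assumed sequence: endpoint resolution yields no addresses,
// device teardown closes the bind, then the caller's cleanup closes it again.
// recover is used only to report the panic; the real process has no such guard.
func setup(b closer, resolved []string) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic during cleanup: %v", r)
		}
	}()
	if len(resolved) == 0 {
		b.Close() // first close: device teardown
		b.Close() // second close: caller's cleanup path
		return errEmptyResponse
	}
	return b.Close() // normal path: closed exactly once
}

func main() {
	fmt.Println("fragile:", setup(&fragileBind{done: make(chan struct{})}, nil))
	fmt.Println("safe:   ", setup(&safeBind{done: make(chan struct{})}, nil))
}
```

With the guard in place, the lookup failure surfaces as an ordinary error for that one connection instead of terminating the whole proxy process.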