feat: dns routing (#26)

2025-07-06 08:22:38 +07:00 · 2023-02-25 02:38:21 +08:00
parent 33ad434f8a
commit 8bd6a77398
48 changed files with 2758 additions and 1449 deletions
--- a/docs/dns.md
+++ b/docs/dns.md
@ -0,0 +1,49 @@
+# DNS
+
+## Examples:
+
+```shell
+dns {
+    upstream {
+        # Value can be scheme://host:port.
+        # Scheme list: tcp, udp, tcp+udp. Ongoing: https, tls, quic.
+        # If host is a domain and has both IPv4 and IPv6 record, dae will automatically choose
+        # IPv4 or IPv6 to use according to group policy (such as min latency policy).
+        # Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing.
+        # If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended.
+
+        alidns: 'udp://dns.alidns.com:53'
+        googledns: 'tcp+udp://dns.google:53'
+    }
+    # The routing format of 'request' and 'response' is similar with section 'routing'.
+    # See https://github.com/v2rayA/dae/blob/main/docs/routing.md
+    request {
+        # Built-in upstream in 'request': asis.
+        # You can also use user-defined upstreams.
+
+        # Available functions: qname, qtype.
+
+        # DNS request name (omit suffix dot '.').
+        qname(suffix: abc.com, keyword: google) -> googledns
+        qname(full: ok.com, regex: '^yes') -> googledns
+        # DNS request type
+        qtype(a, aaaa) -> alidns
+        qtype(cname) -> googledns
+
+        # If no match, fallback to this upstream.
+        fallback: asis
+    }
+    response {
+        # No built-in upstream in 'response'.
+        # You can use user-defined upstreams.
+
+        # Available functions: qname, qtype, upstream, ip.
+        # Accept the response if the request is sent to upstream 'googledns'. This is useful to avoid loop.
+        upstream(googledns) -> accept
+        # If DNS request name is not in CN and response answers include private IP, which is most likely polluted
+        # in China mainland. Therefore, resend DNS request to 'googledns' to get correct result. 
+        !qname(geosite:cn) && ip(geoip:private) -> googledns
+        fallback: accept
+    }
+}
+```
--- a/docs/routing.md
+++ b/docs/routing.md
@ -0,0 +1,99 @@
+# Routing
+
+## Examples:
+
+```shell
+### Built-in outbounds: block, direct, must_direct
+# The difference between "direct" and "must_direct" is that "direct" will intercept and process DNS request (for traffic
+# split use), but "must_direct" will not. "must_direct" is useful when there are traffic loops of DNS requests.
+
+### fallback outbound
+# If no rule matches, traffic will go through the outbound defined by fallback.
+fallback: my_group
+
+### Domain rule
+domain(suffix: v2raya.org) -> my_group
+# equals to domain(v2raya.org) -> my_group
+domain(full: dns.google) -> my_group
+domain(keyword: facebook) -> my_group
+domain(regexp: '\.goo.*\.com$') -> my_group
+domain(geosite:category-ads) -> block
+domain(geosite:cn)->direct
+
+### Dest IP rule
+ip(8.8.8.8) -> direct
+ip(101.97.0.0/16) -> direct
+ip(geoip:private) -> direct
+
+### Source IP rule
+sip(192.168.0.0/24) -> my_group
+sip(192.168.50.0/24) -> direct
+
+### Dest port rule
+port(80) -> direct
+port(10080-30000) -> direct
+
+### Source port rule
+sport(38563) -> direct
+sport(10080-30000) -> direct
+
+### Level 4 protocol rule:
+l4proto(tcp) -> my_group
+l4proto(udp) -> direct
+
+### IP version rule:
+ipversion(4) -> block
+ipversion(6) -> ipv6_group
+
+### Source MAC rule
+mac('02:42:ac:11:00:02') -> direct
+
+### Process Name rule (only support localhost process when binding to WAN)
+pname(curl) -> direct
+
+### Multiple domains rule
+domain(keyword: google, suffix: www.twitter.com, suffix: v2raya.org) -> my_group
+### Multiple IP rule
+ip(geoip:cn, geoip:private) -> direct
+ip(9.9.9.9, 223.5.5.5) -> direct
+sip(192.168.0.6, 192.168.0.10, 192.168.0.15) -> direct
+
+### 'And' rule
+ip(geoip:cn) && port(80) -> direct
+ip(8.8.8.8) && l4proto(tcp) && port(1-1023, 8443) -> my_group
+ip(1.1.1.1) && sip(10.0.0.1, 172.20.0.0/16) -> direct
+
+### 'Not' rule
+!domain(geosite:google-scholar,
+        geosite:category-scholar-!cn,
+        geosite:category-scholar-cn
+    ) -> my_group
+
+### Little more complex rule
+domain(geosite:geolocation-!cn) &&
+    !domain(geosite:google-scholar,
+            geosite:category-scholar-!cn,
+            geosite:category-scholar-cn
+        ) -> my_group
+
+### Customized DAT file
+domain(ext:"yourdatfile.dat:yourtag")->direct
+ip(ext:"yourdatfile.dat:yourtag")->direct
+
+### Mark for direct/must_direct outbound
+# Mark is useful when you want to redirect traffic to specific interface (such as wireguard) or other advanced uses.
+# Traffic from LAN will not be forwarded by dae to archive higher performance if lan_nat_direct is off (you can set it
+# off only if you are sure dae is on a bridge device).
+
+# An example of redirecting Disney traffic to wg0 is given here.
+# You need set ip rule and ip table like this:
+# 1. Set all traffic with mark 0x800/0x800 to use route table 1145:
+# >> ip rule add fwmark 0x800/0x800 table 1145
+# >> ip -6 rule add fwmark 0x800/0x800 table 1145
+# 2. Set default route of route table 1145:
+# >> ip route add default dev wg0 scope global table 1145
+# >> ip -6 route add default dev wg0 scope global table 1145
+# Notice that interface wg0, mark 0x800, table 1145 can be set by preferences, but cannot conflict.
+# 3. Set routing rules in dae config file.
+domain(geosite:disney) -> direct(mark: 0x800)
+```