Hello. sing-box is the most promising project I have ever seen. Thanks for your amazing work.
But there is one last pitfall, though almost all other tools share the same problem: directly proxying connections to the target domain.
It's useful for dumb proxy tools to forward http/socks proxies directly without caring about DNS, but for tools like this with a builtin DNS and domain-based routing, it voids the meaning of using a DoT/DoH resolver at all.
For such tools we implemented a DoT/DoH client, and we already use the builtin resolver to get the corresponding IP address of nearly every domain (except for some known list) for routing purposes; in most cases we should just send the target IP address instead of letting the remote server resolve that domain again.
This can sometimes circumvent filter rules or logging facilities set by the proxy provider if they didn't use DPI to inspect the SNI name (which is relatively expensive), or the last part of full TLS privacy after ECH is deployed.
Of course there are situations where remote DNS (hijack) is desired for certain functionality, so it should be configurable:
- To get the nearest CDN resource. This can be done by correctly configuring the DNS service to use the same detour as the actual connection.
- To access certain services deployed by the proxy provider, like an internal media server, or an SNI proxy to a strictly geo-restricted website, AKA unlock (netfl1x, opena1).
- To not use, or only use, known domains for routing that didn't send a DNS query at all, to reduce latency.
There is already a very similar configuration.
The documentation says it only takes effect for the domain in the request, and only for
the direct outbound, not others. Consider making this take effect for all kinds of outbound, or creating another option with the same effect should be enough.
Maybe this is what you want:
Thank you. I have seen that field; resolving the domain name to an IP address before routing is definitely what I want.
But, if both the domain name and the IP address are already known, which one is sent to the remote server while dialing?
I haven't reviewed the code, but I remember clash was using the domain name when the connection is initiated to a domain name (via http/socks5 proxy or fake-ip); later things may have changed, and clash.meta reverted or ensured it always sends the domain name, not very sure. (docs.metacubex dot one/function/dns/redirhost).
No matter which one is currently in use in sing-box, this option is needed: one for preventing domain name leaks and ensuring DoT/DoH takes effect, another for making the special DNS services deployed on the remote server take effect (the very reason clash.meta did that, though in a non-configurable way).
Since this is the specific dialing behavior, it should be an option in the dial fields, IMO.
For consistency with sing-box.sagernet dot org/configuration/dns/server/#address_strategy , I suggest using
domain_strategy for controlling how to resolve the domain name in the request, and
address_strategy for controlling how to resolve the domain name in the server address, though it's a breaking change that will slightly change the current behavior for running users; if a breaking change is unacceptable, maybe another name is needed.
PS: nearly all proxy protocols support directly encapsulating the domain name inside the protocol. It's a pretty conventional design inherited from the old dumb http/socks proxy tools so the client doesn't need to consider the DNS problem. It's not really suited for these sophisticated tools and usages that deal with routing, transparent proxy and full UDP support; better to use full DNS, plain or encrypted, then always send the IP address. Implementing this is to be compatible with others.
(the website reminds me I can't include links)
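As an added example (not from the thread or from the sing-box project itself), a config fragment showing the two existing pieces discussed above: a DoH server whose `detour` is the same outbound the traffic uses, and the `domain_strategy` dial field so the outbound resolves the request domain locally before dialing. The outbound tag, server address, port and password are placeholders.

```json
{
  "dns": {
    "servers": [
      {
        "tag": "remote-doh",
        "address": "https://1.1.1.1/dns-query",
        "address_strategy": "prefer_ipv4",
        "detour": "proxy"
      }
    ],
    "strategy": "prefer_ipv4"
  },
  "outbounds": [
    {
      "type": "shadowsocks",
      "tag": "proxy",
      "server": "proxy.example.invalid",
      "server_port": 8388,
      "method": "2022-blake3-aes-128-gcm",
      "password": "PLACEHOLDER_PASSWORD",
      "domain_strategy": "prefer_ipv4"
    },
    {
      "type": "direct",
      "tag": "direct"
    }
  ]
}
```

Removing `domain_strategy` from the `proxy` outbound is the case the thread is about: the request domain is then handed to the remote server unresolved, and the DoH answer is only used for routing.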