Leaking DNS and I don't know what's wrong with my config #4299

iopq · 2025-01-17T08:05:50Z

iopq
Jan 17, 2025

{
    "log": {
        "loglevel": "info",
        "dnsLog": true
    },
    "inbounds": [
        {
            "tag": "all-in",
            "port": 12345,
            "listen": "127.0.0.1",
            "sniffing": {
                "enabled": true,
                "destOverride": [
                "http",
                "tls"
                ],
                "metadataOnly": false
            },
            "protocol": "dokodemo-door",
            "settings": {
                "network": "tcp,udp",
                "followRedirect": true
            },
            "streamSettings": {
                "sockopt": {
                    "tproxy": "tproxy"
                }
            }
        }
    ],
    "outbounds": [ {
      "protocol": "vless",
      "domainStrategy": "AsIs",
      "settings": {
        "vnext": [
          {
            "address": "my.domain",
            "port": 443,
            "users": [
              {
                "id": "id",
                "encryption": "none"
              }
            ]
          }
        ]
      },
      "tag": "proxy",
      "streamSettings": {
        "network": "xhttp",
        "security": "reality",
        "realitySettings": {
          "serverName": "yahoo.com",
          "alpn": ["h2"],
          "fingerprint": "chrome",
          "publicKey": "publickey",
          "shortId": "shortid"
        },
        "xhttpSettings": {
          "path": "path",
          "mode": "auto"
        },
        "sockopt": {
            "mark": 2
        }

      }
    },
        {
            "tag": "direct",
            "protocol": "freedom",
            "settings": {
                "domainStrategy": "UseIPv4"
            },
            "streamSettings": {
                "sockopt": {
                    "mark": 2
                }
            }
        },
        {
            "tag": "block",
            "protocol": "blackhole",
            "settings": {
                "response": {
                    "type": "http"
                }
            }
        },
        {
            "tag": "dns-out",
            "protocol": "dns",
            "settings": {
                "address": "8.8.8.8"
            },
            "proxySettings": {
                "tag": "proxy"
            }
        }
    ],
    "dns": {
        "servers": [
            "8.8.8.8",
            {
                "address": "223.6.6.6",
                "domains": [
                    "domain:my.domain"
                ]
            }
        ]
    },
    "routing": {
        "domainStrategy": "AsIs",
        "rules": [{
                "type": "field",
                "domains": [
                    "domain:my.domain"
                ],
                "port": 443,
                "outboundTag": "direct"
            },{
                "type": "field",
                "ip": [
                    "223.6.6.6"
                ],
                "port": 53,
                "outboundTag": "direct"
            },{
                "type": "field",
                "inboundTag": [
                    "all-in"
                ],
                "port": 53,
                "outboundTag": "dns-out"
            }]}
}

my router advertises itself as a DNS server so my default DNS server is 192.168.2.1

when I go here I see my ISP along with the DNS of the VPS

https://browserleaks.com/dns

How can I only look up my domain with alidns and the rest all go directly to the proxy?

Diligence0743 · 2025-01-17T16:30:43Z

Diligence0743
Jan 17, 2025

{
    "log": {
        "loglevel": "info",
        "dnsLog": true
    },
    "inbounds": [
        {
            "tag": "all-in",
            "port": 12345,
            "listen": "127.0.0.1",
            "sniffing": {
                "enabled": true,
                "destOverride": [
                    "http",
                    "tls"
                ],
                "metadataOnly": false
            },
            "protocol": "dokodemo-door",
            "settings": {
                "network": "tcp,udp",
                "followRedirect": true
            },
            "streamSettings": {
                "sockopt": {
                    "tproxy": "tproxy"
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "vless",
            "domainStrategy": "AsIs",
            "settings": {
                "vnext": [
                    {
                        "address": "my.domain",
                        "port": 443,
                        "users": [
                            {
                                "id": "id",
                                "encryption": "none"
                            }
                        ]
                    }
                ]
            },
            "tag": "proxy",
            "streamSettings": {
                "network": "xhttp",
                "security": "reality",
                "realitySettings": {
                    "serverName": "yahoo.com",
                    "alpn": [
                        "h2"
                    ],
                    "fingerprint": "chrome",
                    "publicKey": "publickey",
                    "shortId": "shortid"
                },
                "xhttpSettings": {
                    "path": "path",
                    "mode": "auto"
                },
                "sockopt": {
                    "mark": 2
                }
            }
        },
        {
            "tag": "direct",
            "protocol": "freedom",
            "settings": {
                "domainStrategy": "UseIPv4"
            },
            "streamSettings": {
                "sockopt": {
                    "mark": 2
                }
            }
        },
        {
            "tag": "block",
            "protocol": "blackhole",
            "settings": {
                "response": {
                    "type": "http"
                }
            }
        },
        {
            "tag": "dns-out",
            "protocol": "dns",
            "settings": {}
        }
    ],
    "dns": {
        "servers": [
            {
                "address": "223.6.6.6",
                "domains": [
                    "domain:my.domain"
                ],
                "skipFallback": true
            },
            "8.8.8.8",
            "https+local://8.8.8.8/dns-query"
        ]
    },
    "routing": {
        "domainStrategy": "AsIs",
        "rules": [
            {
                "type": "field",
                "domain": [
                    "geosite:category-ads-all"
                ],
                "outboundTag": "block"
            },
            {
                "type": "field",
                "inboundTag": [
                    "all-in"
                ],
                "network": "udp",
                "port": 53,
                "outboundTag": "dns-out"
            },
            {
                "type": "field",
                "domain": [
                    "domain:my.domain"
                ],
                "port": 443,
                "outboundTag": "direct"
            },
            {
                "type": "field",
                "outboundTag": "proxy",
                "domain": [
                    "geosite:private",
                    "regexp:\\.\\d+$"
                ],
                "invert": true
            }
        ]
    }
}

0 replies

iopq · 2025-01-18T18:54:19Z

iopq
Jan 18, 2025
Author

@Diligence0743

Thanks, this solves the issue of alidns showing up as a fallback, but my ISP DNS is still showing up as leaking

these are my nft rules

#!/usr/sbin/nft -f

flush ruleset

define RESERVED_IP = {
    10.0.0.0/8,
    100.64.0.0/10,
    127.0.0.0/8,
    169.254.0.0/16,
    172.16.0.0/12,
    224.0.0.0/4,
    240.0.0.0/4,
    255.255.255.255/32
}

table ip xray {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        ip daddr $RESERVED_IP return
        ip saddr $RESERVED_IP return
        ip daddr 192.168.0.0/16 tcp dport != 53 return
        ip daddr 192.168.0.0/16 udp dport != 53 return
        ip protocol tcp tproxy to 127.0.0.1:12345 meta mark set 1
        ip protocol udp tproxy to 127.0.0.1:12345 meta mark set 1
    }
    chain output {
        type route hook output priority mangle; policy accept;
        ip daddr $RESERVED_IP return
        ip saddr $RESERVED_IP return
        ip daddr 192.168.0.0/16 tcp dport != 53 return
        ip daddr 192.168.0.0/16 udp dport != 53 return
        meta mark 2 return
        ip protocol tcp meta mark set 1
        ip protocol udp meta mark set 1
    }
}

0 replies

iopq · 2025-01-20T06:57:52Z

iopq
Jan 20, 2025
Author

I went back and changed my setup more closely to yours, it works now

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Leaking DNS and I don't know what's wrong with my config #4299

{{title}}

Replies: 3 comments

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Leaking DNS and I don't know what's wrong with my config #4299

iopq Jan 17, 2025

Replies: 3 comments

Diligence0743 Jan 17, 2025

iopq Jan 18, 2025 Author

iopq Jan 20, 2025 Author

iopq
Jan 17, 2025

Diligence0743
Jan 17, 2025

iopq
Jan 18, 2025
Author

iopq
Jan 20, 2025
Author