逻辑总览

数据路径怎么走

为什么“加了就能访问”

关键点回顾

效果

需要的话,我可以再帮你加上 IPv4 优先、备用 DoH(如 Cloudflare)或仅对特定域名定向走 Google DoH。

当然,我们来把整个DNS解析逻辑的核心要点梳理一下,这会帮你更好地记住它。

在梳理之前先提醒一点:下面贴出的配置里带着真实凭据——Reality 的 private_key、WireGuard 的 private_key、VLESS/TUIC 的 UUID 以及 Trojan/Hysteria2/TUIC 的 password。如果这份配置曾被贴到公开场合,应当把它们视为已泄露并全部轮换(重新生成 Reality 密钥对和 WireGuard 密钥,更换各入站的密码),而不是只改个端口。

这个配置的精髓可以总结为以下四点:

目标:默认加密解析 (为了隐私)

除了下面提到的两个例外,sing-box 自身发起的域名解析(例如解析 sniff 出来的目标域名、解析出站需要连接的域名)最终都会被送到 google-doh。因为它是 DNS-over-HTTPS 服务,并且流量走了 warp-out 隧道,所以这部分查询同时处在 DoH 的 TLS 和 WireGuard 两层加密之下,能有效保护隐私。需要注意两点:一是这里加密的是服务端自己的解析——客户端发进隧道的 DNS 报文(比如客户端操作系统直接发往 8.8.8.8:53 的明文查询)在这份配置里并没有被拦截:outbounds 里没有 dns 类型的出站,route.rules 里也没有针对 protocol: dns 的规则,它们只是作为普通 UDP 流量经 warp-out 原样转发;二是 bootstrap 和 direct-dns 两个服务器都是普通的 UDP 53 明文查询,本身并不加密。

前提:“引导”程序 (解决“鸡生蛋”问题)

google-doh 的地址 https://dns.google/dns-query 本身是个域名,程序需要先知道 dns.google 的IP地址才能连接。所以配置了一个 bootstrap 服务器(google-doh 的 address_resolver 指向它),它的唯一任务就是用普通的明文 DNS(UDP 53 向 8.8.8.8)查到 dns.google 的IP地址。注意配置里 bootstrap 的 detour 是 warp-out 而不是 direct,也就是说这次查询同样是从隧道里发出去的,因此它依赖隧道已经建立;真正“不经过隧道直连 8.8.8.8”的是另一个服务器 direct-dns。这一步是明文查询,不过由于 google-doh 走的是 HTTPS,应答若被篡改通常会因证书校验失败而暴露,而不是被静默劫持。

难题:“死循环” (最关键的问题)

warp-out 隧道自己也需要连接到一个域名 (engage.cloudflareclient.com) 才能工作。如果解析这个域名的请求也按照默认流程走了隧道,就会陷入一个死循环:为了连接隧道,我需要解析域名,但解析域名又需要先连上隧道。

解决:特殊规则 (打破死循环的“例外条款”)

为了解决这个死循环,dns.rules 里设置了一条特殊规则。这条规则用 domain_suffix 匹配 cloudflareclient.com(自然也覆盖 engage.cloudflareclient.com),强制该域名的解析请求必须走 direct-dns——它的 detour 是 direct,即从服务器真实出口向 8.8.8.8 发明文 UDP 53 查询,完全不经过隧道——从而为隧道的建立扫清了障碍。需要留意:这条规则只管域名解析;WireGuard 握手本身能直连,从配置看是因为 warp-out 出站没有设置 detour,默认就走直连。另外这条解析是隧道建立之前不可避免的明文查询,这是整个方案里唯一一处设计上就不加密的环节。

{ "inbounds": [ { "type": "vless", "tag": "vless-reality", "listen": "0.0.0.0", "listen_port": 44445, "sniff": true, "sniff_override_destination": true, "users": [ { "uuid": "180213f6-249c-4e4b-98e6-8eb38cf98a34", "flow": "xtls-rprx-vision" } ], "tls": { "enabled": true, "server_name": "www.microsoft.com", "alpn": [ "h2" ], "reality": { "enabled": true, "handshake": { "server": "www.microsoft.com", "server_port": 443 }, "private_key": "QJakd2pgTQxSepsxrRZcmeKwsK6iLVsnEwQKCYX7lEI", "short_id": [ "67cced73" ] } } }, { "type": "trojan", "tag": "trojan-in", "listen": "0.0.0.0", "listen_port": 10111, "sniff": true, "sniff_override_destination": true, "users": [ { "password": "720c65ca3964080cd78744ccfc3688f2" } ], "tls": { "enabled": true, "certificate_path": "/etc/trojan/certificate.crt", "key_path": "/etc/trojan/private.key", "alpn": [ "http/1.1" ], "server_name": "racknerd-a5f4772" } }, { "type": "hysteria2", "tag": "hysteria-in", "listen": "0.0.0.0", "listen_port": 10003, "sniff": true, "sniff_override_destination": true, "users": [ { "name": "user", "password": "Q29jb251dDIwMTAwOTAyQA==" } ], "tls": { "enabled": true, "certificate_path": "/etc/hysteria/cert.crt", "key_path": "/etc/hysteria/private.key" }, "up_mbps": 100, "down_mbps": 100 }, { "type": "tuic", "tag": "tuic-in", "listen": "0.0.0.0", "listen_port": 10005, "sniff": true, "sniff_override_destination": true, "users": [ { "uuid": "9a3c0f4b-3b8d-4a0f-9a4c-5a3e9b1d8f21", "password": "X4rJm8qP2sT1wL9v" } ], "congestion_control": "bbr", "auth_timeout": "3s", "zero_rtt_handshake": true, "heartbeat": "10s", "tls": { "enabled": true, "certificate_path": "/etc/hysteria/cert.crt", "key_path": "/etc/hysteria/private.key", "alpn": [ "h3" ] } }, { "type": "socks", "tag": "socks-in", "listen": "127.0.0.1", "listen_port": 40000, "udp_timeout": 300 }, { "type": "socks", "tag": "socks-warp", "listen": "127.0.0.1", "listen_port": 40001, "udp_timeout": 300 } ], "route": { "auto_detect_interface": true, "rules": [ { 
"inbound": [ "vless-reality", "trojan-in", "hysteria-in", "tuic-in" ], "outbound": "warp-out" }, { "inbound": [ "socks-warp" ], "outbound": "warp-out" } ], "final": "warp-out" }, "outbounds": [ { "type": "direct", "tag": "direct" }, { "type": "wireguard", "tag": "warp-out", "server": "engage.cloudflareclient.com", "server_port": 2408, "local_address": [ "172.16.0.2/32", "2606:4700:110:8b24:4223:82c4:7211:411f/128" ], "private_key": "WCC8SilkD+pt19z8dmFCcz5UGYdaj+t/ufCFwcjhn04=", "peer_public_key": "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=", "mtu": 1280, "system_interface": true, "interface_name": "sb-warp0" } ], "dns": { "servers": [ { "tag": "direct-dns", "address": "8.8.8.8", "detour": "direct" }, { "tag": "bootstrap", "address": "8.8.8.8", "detour": "warp-out" }, { "tag": "google-doh", "address": "https://dns.google/dns-query", "address_resolver": "bootstrap", "detour": "warp-out" } ], "rules": [ { "domain_suffix": ["cloudflareclient.com"], "server": "direct-dns" } ], "final": "google-doh" } }