GFW-knocker / gfw_resist_HTTPS_proxy

HTTPS proxy with Fragment and DoH
GNU General Public License v3.0

serverless json #48

Open pulsarice opened 1 month ago

pulsarice commented 1 month ago

Hi, what's the purpose of forwarding all packets with destination port 8443 to the internal DNS server?

      {
        "inboundTag": [
          "socks-in",
          "http-in"
        ],
        "type": "field",
        "port": "8443",
        "outboundTag": "dns-out",
        "enabled": true
      },

I changed it to port 53, and now all of the UDP DNS traffic generated by the system and apps goes through Xray-core's internal DNS server, and I can actually open many websites that were blocked by DNS+SNI filtering, like Google Play.

GFW-knocker commented 1 month ago

> Hi, what's the purpose of forwarding all packets with destination port 8443 to the internal DNS server?
>
>       {
>         "inboundTag": [
>           "socks-in",
>           "http-in"
>         ],
>         "type": "field",
>         "port": "8443",
>         "outboundTag": "dns-out",
>         "enabled": true
>       },
>
> I changed it to port 53, and now all of the UDP DNS traffic generated by the system and apps goes through Xray-core's internal DNS server, and I can actually open many websites that were blocked by DNS+SNI filtering, like Google Play.

Thank you very much for your suggestion, I hadn't noticed that before. Can you please test whether this routing rule actually does anything? I mean, if you delete it, are you still able to open those sites or not?

pulsarice commented 1 month ago

Yes, I have tested it.

  1. If I keep the original one, on v2rayNG with the default configuration of VPN DNS=1.1.1.1, DNS requests go directly out to UDP 1.1.1.1:53 and the censorship system sees the plain request and poisons it. It returns the answer 10.10.34.36 or something in the 10.10.0.0/16 range for some blocked domains. (I tested it by querying DNS with the Net Analyzer app.)
  2. If I delete the rule, the same happens.
    • In both previous cases, the Google Play application fails to load (the play.google.com website works, but not the app).
  3. If I change 8443 to 53 in the aforementioned part, when I try to resolve DNS, correct answers are returned, DNS poisoning is bypassed, and I can use Google Play to download and update apps.

GFW-knocker commented 2 weeks ago

@pulsarice nice! Fixed. Thank you.
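As an added example (not the project's own code), a small Python check that loads an Xray-style config fragment like the rule discussed above and reports whether any enabled rule actually routes port 53 to a `dns`-protocol outbound, and whether the configured DNS servers are DoH. The embedded config, the Xray port-syntax parser and the `https://` heuristic are assumptions for illustration, not taken from the repository.

```python
import json

# Constructed Xray-style fragment (assumption, not the project's config file)
# mirroring the issue: the original rule sends port 8443 to the dns outbound,
# so system UDP DNS on port 53 never reaches Xray's built-in DoH resolver.
ORIGINAL_CONFIG = {
    "dns": {"servers": ["https://1.1.1.1/dns-query"]},
    "outbounds": [{"tag": "dns-out", "protocol": "dns"}],
    "routing": {"rules": [
        {"type": "field", "inboundTag": ["socks-in", "http-in"],
         "port": "8443", "outboundTag": "dns-out", "enabled": True},
    ]},
}

def port_spec_matches(spec, port):
    """Parse Xray's port syntax: "53", "53,8443", "1000-2000" or a bare int."""
    for part in str(spec).split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif part and int(part) == port:
            return True
    return False

def dns_capture_issues(config):
    """Return findings explaining why plain-text DNS could still leak."""
    issues = []
    dns_tags = {o["tag"] for o in config.get("outbounds", [])
                if o.get("protocol") == "dns" and "tag" in o}
    rules = config.get("routing", {}).get("rules", [])
    catches_53 = any(r.get("enabled", True)
                     and r.get("outboundTag") in dns_tags
                     and port_spec_matches(r.get("port", ""), 53)
                     for r in rules)
    if not catches_53:
        issues.append("no enabled rule sends port 53 to a dns outbound; "
                      "system UDP DNS bypasses the built-in resolver")
    # Heuristic (assumption): only https:// servers count as encrypted here.
    for s in config.get("dns", {}).get("servers", []):
        addr = s["address"] if isinstance(s, dict) else s
        if not str(addr).startswith("https://"):
            issues.append(f"plain-text DNS server in dns.servers: {addr}")
    return issues

def fixed_config(config):
    """Apply the change from the issue: retarget the dns-out rule to port 53."""
    fixed = json.loads(json.dumps(config))  # deep copy, leave the input intact
    for r in fixed["routing"]["rules"]:
        if r.get("outboundTag") == "dns-out":
            r["port"] = "53"
    return fixed
```

The port-53 rule only helps when the client (for example v2rayNG in VPN mode) actually tunnels UDP into `socks-in`; DNS sent outside the tunnel is not covered by this check.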