"sniff_override_destination": true时无法连接tor，改成false才可以

[GeorgeRudd]

Welcome

• [X] Yes, I'm using the latest major release. Only such installations are supported.
• [X] Yes, I'm using the latest Golang release. Only such installations are supported.
• [X] Yes, I've searched similar issues on GitHub and didn't find any.
• [X] Yes, I've included all information below (version, FULL config, FULL log, etc).

Description of the problem

文档中说sniff_override_destination如果域名无效（如 Tor），将不生效。可是"sniff_override_destination": true时无法连接tor，改成false才可以。

Version of sing-box

```console $ sing-box version sing-box version 1.1.1 Environment: go1.19.4 windows/amd64 Tags: with_gvisor,with_quic,with_wireguard,with_utls,with_clash_api Revision: 8afb8ca7eb8aa52e7a3b44253be0f3df9474fa64 CGO: disabled ```

Server and client configuration file

```console { "log": { "disabled": false, "level": "debug", "timestamp": true }, "dns": { "servers": [ { "tag": "1.1.1.1", "address": "1.1.1.1", "detour": "proxy-out" }, { "tag": "223.5.5.5", "address": "223.5.5.5", "detour": "direct-out" } ], "rules": [ { "domain_keyword": "services.googleapis.cn", "server": "1.1.1.1" }, { "domain_keyword": "www.msftconnecttest.com", "geosite": "cn", "server": "223.5.5.5" } ], "final": "1.1.1.1", "strategy": "ipv4_only" }, "inbounds": [ { "type": "tun", "tag": "tun-in", "inet4_address": "172.19.0.1/30", "inet6_address": "fdfe:dcba:9876::1/126", "auto_route": true, "strict_route": true, "sniff": true, "sniff_override_destination": true } ], "outbounds": [ { "type": "vmess", "tag": "proxy-out", "server": "ip", "server_port": 80, "uuid": "uuid", "security": "auto", "alter_id": 0, "packet_encoding": "xudp", "transport": { "type": "ws", "path": "/path", "headers": { "Host": "host.com" }, "max_early_data": 2048, "early_data_header_name": "Sec-WebSocket-Protocol" } }, { "type": "direct", "tag": "direct-out", "domain_strategy": "ipv4_only" }, { "type": "block", "tag": "block" }, { "type": "dns", "tag": "dns-out" } ], "route": { "geoip": { "path": "geoip.db" }, "geosite": { "path": "geosite.db" }, "rules": [ { "protocol": "dns", "outbound": "dns-out" }, { "network": "udp", "port": [ 443 ], "outbound": "block" }, { "domain_keyword": "www.msftconnecttest.com", "geoip": [ "cn", "private" ], "outbound": "direct-out" } ], "final": "proxy-out", "auto_detect_interface": true } } ```

Server and client log file

"sniff_override_destination": true时的日志，可以看到 www.5v45alod4tk37dznnxlcm2.com www.tf7c2.com 这些tor的域名被嗅探出来了。导致无法正常连接tor。改成false正常。

```console +0800 2022-12-26 16:25:46 [36mINFO[0m router: loaded geoip database: 250 codes +0800 2022-12-26 16:25:47 [36mINFO[0m router: loaded geosite database: 1327 codes +0800 2022-12-26 16:25:47 [36mINFO[0m router: updated default interface WLAN, index 17 +0800 2022-12-26 16:25:47 [36mINFO[0m inbound/tun[tun-in]: started at tun0 +0800 2022-12-26 16:25:47 [36mINFO[0m sing-box started (0.522s) +0800 2022-12-26 16:25:47 [36mINFO[0m [[38;5;72m2160166712[0m] inbound/tun[tun-in]: inbound packet connection from 172.19.0.1:137 +0800 2022-12-26 16:25:47 [36mINFO[0m [[38;5;72m2160166712[0m] inbound/tun[tun-in]: inbound packet connection to 172.19.0.3:137 +0800 2022-12-26 16:25:47 [37mDEBUG[0m [[38;5;72m2160166712[0m] router: sniffed packet protocol: dns +0800 2022-12-26 16:25:47 [37mDEBUG[0m [[38;5;72m2160166712[0m] router: match[0] protocol=dns => dns-out +0800 2022-12-26 16:25:47 [37mDEBUG[0m [[38;5;72m2160166712[0m] dns: exchange FHEPFCELEHFCEPFFFACACACACACACAAA. IN NIMLOC +0800 2022-12-26 16:25:47 [37mDEBUG[0m [[38;5;72m2160166712[0m] dns: exchange EEEFFDELFEEPFACNFEFDDGDEEFDGEGAA. IN NIMLOC +0800 2022-12-26 16:25:47 [37mDEBUG[0m [[38;5;72m2160166712[0m] dns: exchange EEEFFDELFEEPFACNFEFDDGDEEFDGEGCA. IN NIMLOC +0800 2022-12-26 16:25:47 [36mINFO[0m outbound/vmess[proxy-out]: outbound packet connection to 1.1.1.1:53 +0800 2022-12-26 16:25:47 [36mINFO[0m [[38;5;191m4277005567[0m] inbound/tun[tun-in]: inbound packet connection from [fdfe:dcba:9876::1]:57656 +0800 2022-12-26 16:25:47 [36mINFO[0m [[38;5;191m4277005567[0m] inbound/tun[tun-in]: inbound packet connection to [fdfe:dcba:9876::2]:53 +0800 2022-12-26 16:25:47 [37mDEBUG[0m [[38;5;191m4277005567[0m] router: sniffed packet protocol: dns +0800 2022-12-26 16:25:47 [37mDEBUG[0m [[38;5;191m4277005567[0m] router: match[0] protocol=dns => dns-out +0800 2022-12-26 16:25:47 [36mINFO[0m [[38;5;122m693125997[0m] inbound/tun[tun-in]: inbound packet connection from [fdfe:dcba:9876::1]:49915 +0800 2022-12-26 16:25:47 [36mINFO[0m [[38;5;122m693125997[0m] inbound/tun[tun-in]: inbound packet connection to [fdfe:dcba:9876::2]:53 +0800 2022-12-26 16:25:47 [37mDEBUG[0m [[38;5;191m4277005567[0m] dns: exchange www.msftconnecttest.com. IN A +0800 2022-12-26 16:25:47 [37mDEBUG[0m [[38;5;191m4277005567[0m] dns: match[1] domain_keyword=www.msftconnecttest.com geosite=cn => 223.5.5.5 +0800 2022-12-26 16:25:47 [37mDEBUG[0m [[38;5;122m693125997[0m] router: sniffed packet protocol: dns +0800 2022-12-26 16:25:47 [36mINFO[0m outbound/direct[direct-out]: outbound packet connection to 223.5.5.5:53 +0800 2022-12-26 16:25:47 [37mDEBUG[0m [[38;5;122m693125997[0m] router: match[0] protocol=dns => dns-out +0800 2022-12-26 16:25:47 [37mDEBUG[0m [[38;5;122m693125997[0m] dns: exchange www.msftconnecttest.com. IN AAAA +0800 2022-12-26 16:25:47 [37mDEBUG[0m [[38;5;122m693125997[0m] dns: match[1] domain_keyword=www.msftconnecttest.com geosite=cn => 223.5.5.5 +0800 2022-12-26 16:25:47 [36mINFO[0m [[38;5;206m2558713790[0m] inbound/tun[tun-in]: inbound packet connection from 172.19.0.1:49915 +0800 2022-12-26 16:25:47 [36mINFO[0m [[38;5;206m2558713790[0m] inbound/tun[tun-in]: inbound packet connection to 172.19.0.2:53 +0800 2022-12-26 16:25:47 [37mDEBUG[0m [[38;5;206m2558713790[0m] router: sniffed packet protocol: dns +0800 2022-12-26 16:25:47 [37mDEBUG[0m [[38;5;206m2558713790[0m] router: match[0] protocol=dns => dns-out +0800 2022-12-26 16:25:47 [37mDEBUG[0m [[38;5;206m2558713790[0m] dns: exchange www.msftconnecttest.com. IN AAAA +0800 2022-12-26 16:25:47 [37mDEBUG[0m [[38;5;206m2558713790[0m] dns: match[1] domain_keyword=www.msftconnecttest.com geosite=cn => 223.5.5.5 +0800 2022-12-26 16:25:47 [36mINFO[0m [[38;5;191m4277005567[0m] dns: exchanged www.msftconnecttest.com. CNAME www.msftconnecttest.com. 23 IN CNAME ncsi-geo.trafficmanager.net. +0800 2022-12-26 16:25:47 [36mINFO[0m [[38;5;191m4277005567[0m] dns: exchanged www.msftconnecttest.com. CNAME ncsi-geo.trafficmanager.net. 23 IN CNAME www.msftncsi.com.edgesuite.net. +0800 2022-12-26 16:25:47 [36mINFO[0m [[38;5;191m4277005567[0m] dns: exchanged www.msftconnecttest.com. CNAME www.msftncsi.com.edgesuite.net. 23 IN CNAME a1961.g2.akamai.net. +0800 2022-12-26 16:25:47 [36mINFO[0m [[38;5;191m4277005567[0m] dns: exchanged www.msftconnecttest.com. A a1961.g2.akamai.net. 23 IN A 184.26.43.82 +0800 2022-12-26 16:25:47 [36mINFO[0m [[38;5;191m4277005567[0m] dns: exchanged www.msftconnecttest.com. A a1961.g2.akamai.net. 23 IN A 184.26.43.73 +0800 2022-12-26 16:25:48 [36mINFO[0m [[38;5;134m2194486134[0m] inbound/tun[tun-in]: inbound connection from 172.19.0.1:14610 +0800 2022-12-26 16:25:48 [36mINFO[0m [[38;5;134m2194486134[0m] inbound/tun[tun-in]: inbound connection to 184.26.43.82:80 +0800 2022-12-26 16:25:48 [37mDEBUG[0m [[38;5;134m2194486134[0m] router: sniffed protocol: http, domain: www.msftconnecttest.com +0800 2022-12-26 16:25:48 [37mDEBUG[0m [[38;5;134m2194486134[0m] router: match[2] domain_keyword=www.msftconnecttest.com geoip=[cn private] => direct-out +0800 2022-12-26 16:25:48 [36mINFO[0m [[38;5;134m2194486134[0m] outbound/direct[direct-out]: outbound connection to www.msftconnecttest.com:80 +0800 2022-12-26 16:25:48 [37mDEBUG[0m [[38;5;134m2194486134[0m] dns: lookup domain www.msftconnecttest.com +0800 2022-12-26 16:25:48 [37mDEBUG[0m [[38;5;134m2194486134[0m] dns: match[1] domain_keyword=www.msftconnecttest.com geosite=cn => 223.5.5.5 +0800 2022-12-26 16:25:48 [36mINFO[0m [[38;5;134m2194486134[0m] dns: lookup succeed for www.msftconnecttest.com: 184.26.43.82 184.26.43.73 +0800 2022-12-26 16:25:48 [37mDEBUG[0m [[38;5;134m2194486134[0m] inbound/tun[tun-in]: connection closed: upload: readfrom tcp 192.168.2.170:14611->184.26.43.82:80: read tcp4 172.19.0.1:14607->172.19.0.2:10000: use of closed network connection +0800 2022-12-26 16:25:51 [36mINFO[0m [[38;5;224m2819411920[0m] inbound/tun[tun-in]: inbound packet connection from [fdfe:dcba:9876::1]:53077 +0800 2022-12-26 16:25:51 [36mINFO[0m [[38;5;224m2819411920[0m] inbound/tun[tun-in]: inbound packet connection to [fdfe:dcba:9876::2]:53 +0800 2022-12-26 16:25:51 [36mINFO[0m [[38;5;83m3943964052[0m] inbound/tun[tun-in]: inbound packet connection from [fdfe:dcba:9876::1]:59116 +0800 2022-12-26 16:25:51 [36mINFO[0m [[38;5;83m3943964052[0m] inbound/tun[tun-in]: inbound packet connection to [fdfe:dcba:9876::2]:53 +0800 2022-12-26 16:25:51 [37mDEBUG[0m [[38;5;224m2819411920[0m] router: sniffed packet protocol: dns +0800 2022-12-26 16:25:51 [37mDEBUG[0m [[38;5;83m3943964052[0m] router: sniffed packet protocol: dns +0800 2022-12-26 16:25:51 [37mDEBUG[0m [[38;5;83m3943964052[0m] router: match[0] protocol=dns => dns-out +0800 2022-12-26 16:25:51 [37mDEBUG[0m [[38;5;224m2819411920[0m] router: match[0] protocol=dns => dns-out +0800 2022-12-26 16:25:51 [37mDEBUG[0m [[38;5;83m3943964052[0m] dns: exchange go.microsoft.com. IN AAAA +0800 2022-12-26 16:25:51 [37mDEBUG[0m [[38;5;224m2819411920[0m] dns: exchange go.microsoft.com. IN A +0800 2022-12-26 16:25:51 [36mINFO[0m [[38;5;155m836610636[0m] inbound/tun[tun-in]: inbound packet connection from 172.19.0.1:59116 +0800 2022-12-26 16:25:51 [36mINFO[0m [[38;5;155m836610636[0m] inbound/tun[tun-in]: inbound packet connection to 172.19.0.2:53 +0800 2022-12-26 16:25:51 [37mDEBUG[0m [[38;5;155m836610636[0m] router: sniffed packet protocol: dns +0800 2022-12-26 16:25:51 [37mDEBUG[0m [[38;5;155m836610636[0m] router: match[0] protocol=dns => dns-out +0800 2022-12-26 16:25:51 [37mDEBUG[0m [[38;5;155m836610636[0m] dns: exchange go.microsoft.com. IN AAAA +0800 2022-12-26 16:25:51 [36mINFO[0m [[38;5;224m2819411920[0m] dns: exchanged go.microsoft.com. CNAME go.microsoft.com. 3590 IN CNAME go.microsoft.com.edgekey.net. +0800 2022-12-26 16:25:51 [36mINFO[0m [[38;5;224m2819411920[0m] dns: exchanged go.microsoft.com. CNAME go.microsoft.com.edgekey.net. 590 IN CNAME e11290.dspg.akamaiedge.net. +0800 2022-12-26 16:25:51 [36mINFO[0m [[38;5;224m2819411920[0m] dns: exchanged go.microsoft.com. A e11290.dspg.akamaiedge.net. 10 IN A 23.2.128.171 +0800 2022-12-26 16:25:51 [36mINFO[0m [[38;5;183m2408040103[0m] inbound/tun[tun-in]: inbound connection from 172.19.0.1:14613 +0800 2022-12-26 16:25:51 [36mINFO[0m [[38;5;183m2408040103[0m] inbound/tun[tun-in]: inbound connection to 23.2.128.171:80 +0800 2022-12-26 16:25:51 [37mDEBUG[0m [[38;5;183m2408040103[0m] router: sniffed protocol: http, domain: go.microsoft.com +0800 2022-12-26 16:25:51 [36mINFO[0m [[38;5;183m2408040103[0m] outbound/vmess[proxy-out]: outbound connection to go.microsoft.com:80 +0800 2022-12-26 16:25:52 [37mDEBUG[0m [[38;5;224m2819411920[0m] dns: exchange dmd.metaservices.microsoft.com. IN A +0800 2022-12-26 16:25:52 [36mINFO[0m [[38;5;118m3542561638[0m] inbound/tun[tun-in]: inbound packet connection from [fdfe:dcba:9876::1]:61102 +0800 2022-12-26 16:25:52 [36mINFO[0m [[38;5;118m3542561638[0m] inbound/tun[tun-in]: inbound packet connection to [fdfe:dcba:9876::2]:53 +0800 2022-12-26 16:25:52 [37mDEBUG[0m [[38;5;118m3542561638[0m] router: sniffed packet protocol: dns +0800 2022-12-26 16:25:52 [37mDEBUG[0m [[38;5;118m3542561638[0m] router: match[0] protocol=dns => dns-out +0800 2022-12-26 16:25:52 [37mDEBUG[0m [[38;5;118m3542561638[0m] dns: exchange dmd.metaservices.microsoft.com. IN AAAA +0800 2022-12-26 16:25:52 [36mINFO[0m [[38;5;195m1848930043[0m] inbound/tun[tun-in]: inbound packet connection from 172.19.0.1:61102 +0800 2022-12-26 16:25:52 [36mINFO[0m [[38;5;195m1848930043[0m] inbound/tun[tun-in]: inbound packet connection to 172.19.0.2:53 +0800 2022-12-26 16:25:52 [37mDEBUG[0m [[38;5;195m1848930043[0m] router: sniffed packet protocol: dns +0800 2022-12-26 16:25:52 [37mDEBUG[0m [[38;5;195m1848930043[0m] router: match[0] protocol=dns => dns-out +0800 2022-12-26 16:25:52 [37mDEBUG[0m [[38;5;195m1848930043[0m] dns: exchange dmd.metaservices.microsoft.com. IN AAAA +0800 2022-12-26 16:25:52 [37mDEBUG[0m [[38;5;183m2408040103[0m] inbound/tun[tun-in]: connection closed: upload: EOF | download: readfrom tcp4 172.19.0.1:14607->172.19.0.2:10001: use of closed network connection +0800 2022-12-26 16:25:52 [36mINFO[0m [[38;5;224m2819411920[0m] dns: exchanged dmd.metaservices.microsoft.com. CNAME dmd.metaservices.microsoft.com. 3509 IN CNAME devicemetadataservice.prod.trafficmanager.net. +0800 2022-12-26 16:25:52 [36mINFO[0m [[38;5;224m2819411920[0m] dns: exchanged dmd.metaservices.microsoft.com. CNAME devicemetadataservice.prod.trafficmanager.net. 5 IN CNAME vmss-prod-wus.westus.cloudapp.azure.com. +0800 2022-12-26 16:25:52 [36mINFO[0m [[38;5;224m2819411920[0m] dns: exchanged dmd.metaservices.microsoft.com. A vmss-prod-wus.westus.cloudapp.azure.com. 5 IN A 20.253.213.245 +0800 2022-12-26 16:25:52 [36mINFO[0m [[38;5;134m4265188470[0m] inbound/tun[tun-in]: inbound connection from 172.19.0.1:14616 +0800 2022-12-26 16:25:52 [36mINFO[0m [[38;5;134m4265188470[0m] inbound/tun[tun-in]: inbound connection to 20.253.213.245:80 +0800 2022-12-26 16:25:52 [37mDEBUG[0m [[38;5;134m4265188470[0m] router: sniffed protocol: http, domain: dmd.metaservices.microsoft.com +0800 2022-12-26 16:25:52 [36mINFO[0m [[38;5;134m4265188470[0m] outbound/vmess[proxy-out]: outbound connection to dmd.metaservices.microsoft.com:80 +0800 2022-12-26 16:25:56 [37mDEBUG[0m [[38;5;224m2819411920[0m] dns: exchange mobile.events.data.microsoft.com. IN A +0800 2022-12-26 16:25:56 [36mINFO[0m [[38;5;50m2288579618[0m] inbound/tun[tun-in]: inbound packet connection from [fdfe:dcba:9876::1]:50404 +0800 2022-12-26 16:25:56 [36mINFO[0m [[38;5;50m2288579618[0m] inbound/tun[tun-in]: inbound packet connection to [fdfe:dcba:9876::2]:53 +0800 2022-12-26 16:25:56 [37mDEBUG[0m [[38;5;50m2288579618[0m] router: sniffed packet protocol: dns +0800 2022-12-26 16:25:56 [37mDEBUG[0m [[38;5;50m2288579618[0m] router: match[0] protocol=dns => dns-out +0800 2022-12-26 16:25:56 [37mDEBUG[0m [[38;5;50m2288579618[0m] dns: exchange mobile.events.data.microsoft.com. IN AAAA +0800 2022-12-26 16:25:56 [36mINFO[0m [[38;5;32m2715855888[0m] inbound/tun[tun-in]: inbound packet connection from 172.19.0.1:50404 +0800 2022-12-26 16:25:56 [36mINFO[0m [[38;5;32m2715855888[0m] inbound/tun[tun-in]: inbound packet connection to 172.19.0.2:53 +0800 2022-12-26 16:25:56 [37mDEBUG[0m [[38;5;32m2715855888[0m] router: sniffed packet protocol: dns +0800 2022-12-26 16:25:56 [37mDEBUG[0m [[38;5;32m2715855888[0m] router: match[0] protocol=dns => dns-out +0800 2022-12-26 16:25:56 [37mDEBUG[0m [[38;5;32m2715855888[0m] dns: exchange mobile.events.data.microsoft.com. IN AAAA +0800 2022-12-26 16:25:56 [36mINFO[0m [[38;5;224m2819411920[0m] dns: exchanged mobile.events.data.microsoft.com. CNAME mobile.events.data.microsoft.com. 119 IN CNAME mobile.events.data.trafficmanager.net. +0800 2022-12-26 16:25:56 [36mINFO[0m [[38;5;224m2819411920[0m] dns: exchanged mobile.events.data.microsoft.com. CNAME mobile.events.data.trafficmanager.net. 59 IN CNAME onedscolprdeus10.eastus.cloudapp.azure.com. +0800 2022-12-26 16:25:56 [36mINFO[0m [[38;5;224m2819411920[0m] dns: exchanged mobile.events.data.microsoft.com. A onedscolprdeus10.eastus.cloudapp.azure.com. 9 IN A 52.168.117.169 +0800 2022-12-26 16:25:56 [36mINFO[0m [[38;5;200m2814436024[0m] inbound/tun[tun-in]: inbound connection from 172.19.0.1:14619 +0800 2022-12-26 16:25:56 [36mINFO[0m [[38;5;200m2814436024[0m] inbound/tun[tun-in]: inbound connection to 52.168.117.169:443 +0800 2022-12-26 16:25:56 [36mINFO[0m [[38;5;120m353409640[0m] inbound/tun[tun-in]: inbound connection from 172.19.0.1:14620 +0800 2022-12-26 16:25:56 [37mDEBUG[0m [[38;5;200m2814436024[0m] router: sniffed protocol: tls, domain: mobile.events.data.microsoft.com +0800 2022-12-26 16:25:56 [36mINFO[0m [[38;5;120m353409640[0m] inbound/tun[tun-in]: inbound connection to 52.168.117.169:443 +0800 2022-12-26 16:25:56 [36mINFO[0m [[38;5;200m2814436024[0m] outbound/vmess[proxy-out]: outbound connection to mobile.events.data.microsoft.com:443 +0800 2022-12-26 16:25:56 [37mDEBUG[0m [[38;5;120m353409640[0m] router: sniffed protocol: tls, domain: mobile.events.data.microsoft.com +0800 2022-12-26 16:25:56 [36mINFO[0m [[38;5;120m353409640[0m] outbound/vmess[proxy-out]: outbound connection to mobile.events.data.microsoft.com:443 +0800 2022-12-26 16:25:57 [37mDEBUG[0m [[38;5;122m693125997[0m] inbound/tun[tun-in]: connection closed: io: read/write on closed pipe | upstream: context canceled +0800 2022-12-26 16:25:57 [37mDEBUG[0m [[38;5;206m2558713790[0m] inbound/tun[tun-in]: connection closed: io: read/write on closed pipe | upstream: context canceled +0800 2022-12-26 16:25:57 [37mDEBUG[0m [[38;5;72m2160166712[0m] inbound/tun[tun-in]: connection closed: io: read/write on closed pipe | upstream: context canceled +0800 2022-12-26 16:25:58 [37mDEBUG[0m [[38;5;191m4277005567[0m] inbound/tun[tun-in]: connection closed: io: read/write on closed pipe | upstream: context canceled +0800 2022-12-26 16:26:01 [37mDEBUG[0m [[38;5;83m3943964052[0m] inbound/tun[tun-in]: connection closed: io: read/write on closed pipe | upstream: context canceled +0800 2022-12-26 16:26:01 [37mDEBUG[0m [[38;5;155m836610636[0m] inbound/tun[tun-in]: connection closed: io: read/write on closed pipe | upstream: context canceled +0800 2022-12-26 16:26:02 [37mDEBUG[0m [[38;5;195m1848930043[0m] inbound/tun[tun-in]: connection closed: io: read/write on closed pipe | upstream: context canceled +0800 2022-12-26 16:26:02 [37mDEBUG[0m [[38;5;118m3542561638[0m] inbound/tun[tun-in]: connection closed: io: read/write on closed pipe | upstream: context canceled +0800 2022-12-26 16:26:05 [36mINFO[0m [[38;5;44m3931453468[0m] inbound/tun[tun-in]: inbound connection from 172.19.0.1:14626 +0800 2022-12-26 16:26:05 [36mINFO[0m [[38;5;44m3931453468[0m] inbound/tun[tun-in]: inbound connection to 144.168.44.18:443 +0800 2022-12-26 16:26:05 [37mDEBUG[0m [[38;5;44m3931453468[0m] router: sniffed protocol: tls, domain: www.yldlkx.com +0800 2022-12-26 16:26:05 [36mINFO[0m [[38;5;44m3931453468[0m] outbound/vmess[proxy-out]: outbound connection to www.yldlkx.com:443 +0800 2022-12-26 16:26:06 [36mINFO[0m [[38;5;31m308575247[0m] inbound/tun[tun-in]: inbound connection from 172.19.0.1:14628 +0800 2022-12-26 16:26:06 [36mINFO[0m [[38;5;31m308575247[0m] inbound/tun[tun-in]: inbound connection to 46.4.66.188:8000 +0800 2022-12-26 16:26:06 [37mDEBUG[0m [[38;5;31m308575247[0m] router: sniffed protocol: tls, domain: www.hyxhxw6fivefgaqnxdx.com +0800 2022-12-26 16:26:06 [36mINFO[0m [[38;5;31m308575247[0m] outbound/vmess[proxy-out]: outbound connection to www.hyxhxw6fivefgaqnxdx.com:8000 +0800 2022-12-26 16:26:06 [37mDEBUG[0m [[38;5;50m2288579618[0m] inbound/tun[tun-in]: connection closed: io: read/write on closed pipe | upstream: context canceled +0800 2022-12-26 16:26:06 [37mDEBUG[0m [[38;5;32m2715855888[0m] inbound/tun[tun-in]: connection closed: io: read/write on closed pipe | upstream: context canceled +0800 2022-12-26 16:26:06 [37mDEBUG[0m [[38;5;224m2819411920[0m] inbound/tun[tun-in]: connection closed: io: read/write on closed pipe | upstream: context canceled +0800 2022-12-26 16:26:07 [37mDEBUG[0m [[38;5;44m3931453468[0m] inbound/tun[tun-in]: connection closed: download: EOF | upload: EOF +0800 2022-12-26 16:26:08 [37mDEBUG[0m [[38;5;31m308575247[0m] inbound/tun[tun-in]: connection closed: download: EOF | upload: EOF +0800 2022-12-26 16:26:08 [36mINFO[0m [[38;5;33m912849128[0m] inbound/tun[tun-in]: inbound connection from 172.19.0.1:14631 +0800 2022-12-26 16:26:08 [36mINFO[0m [[38;5;33m912849128[0m] inbound/tun[tun-in]: inbound connection to 148.251.41.235:9001 +0800 2022-12-26 16:26:08 [36mINFO[0m [[38;5;212m3328994500[0m] inbound/tun[tun-in]: inbound connection from 172.19.0.1:14632 +0800 2022-12-26 16:26:08 [36mINFO[0m [[38;5;212m3328994500[0m] inbound/tun[tun-in]: inbound connection to 157.90.92.115:9001 +0800 2022-12-26 16:26:08 [37mDEBUG[0m [[38;5;33m912849128[0m] router: sniffed protocol: tls, domain: www.tf7c2.com +0800 2022-12-26 16:26:08 [36mINFO[0m [[38;5;33m912849128[0m] outbound/vmess[proxy-out]: outbound connection to www.tf7c2.com:9001 +0800 2022-12-26 16:26:08 [37mDEBUG[0m [[38;5;212m3328994500[0m] router: sniffed protocol: tls, domain: www.5v45alod4tk37dznnxlcm2.com +0800 2022-12-26 16:26:08 [36mINFO[0m [[38;5;212m3328994500[0m] outbound/vmess[proxy-out]: outbound connection to www.5v45alod4tk37dznnxlcm2.com:9001 +0800 2022-12-26 16:26:09 [36mINFO[0m [[38;5;31m2550126863[0m] inbound/tun[tun-in]: inbound connection from 172.19.0.1:14635 +0800 2022-12-26 16:26:09 [36mINFO[0m [[38;5;31m2550126863[0m] inbound/tun[tun-in]: inbound connection to 185.44.81.4:20 +0800 2022-12-26 16:26:09 [37mDEBUG[0m [[38;5;31m2550126863[0m] router: sniffed protocol: tls, domain: www.rhea7rpf3k64v7byskvnoads7.com +0800 2022-12-26 16:26:09 [36mINFO[0m [[38;5;31m2550126863[0m] outbound/vmess[proxy-out]: outbound connection to www.rhea7rpf3k64v7byskvnoads7.com:20 +0800 2022-12-26 16:26:10 [37mDEBUG[0m [[38;5;212m3328994500[0m] inbound/tun[tun-in]: connection closed: download: EOF | upload: EOF +0800 2022-12-26 16:26:10 [37mDEBUG[0m [[38;5;33m912849128[0m] inbound/tun[tun-in]: connection closed: download: EOF | upload: EOF +0800 2022-12-26 16:26:10 [36mINFO[0m [[38;5;193m41706929[0m] inbound/tun[tun-in]: inbound connection from 172.19.0.1:14638 +0800 2022-12-26 16:26:10 [36mINFO[0m [[38;5;193m41706929[0m] inbound/tun[tun-in]: inbound connection to 185.117.82.68:9001 +0800 2022-12-26 16:26:10 [37mDEBUG[0m [[38;5;193m41706929[0m] router: sniffed protocol: tls, domain: www.32by77l3hh6w.com +0800 2022-12-26 16:26:10 [36mINFO[0m [[38;5;193m41706929[0m] outbound/vmess[proxy-out]: outbound connection to www.32by77l3hh6w.com:9001 +0800 2022-12-26 16:26:11 [36mINFO[0m [[38;5;121m2865284457[0m] inbound/tun[tun-in]: inbound packet connection from [fdfe:dcba:9876::1]:53077 +0800 2022-12-26 16:26:11 [36mINFO[0m [[38;5;121m2865284457[0m] inbound/tun[tun-in]: inbound packet connection to [fdfe:dcba:9876::2]:53 +0800 2022-12-26 16:26:11 [36mINFO[0m [[38;5;214m1532296390[0m] inbound/tun[tun-in]: inbound packet connection from [fdfe:dcba:9876::1]:62325 +0800 2022-12-26 16:26:11 [37mDEBUG[0m [[38;5;121m2865284457[0m] router: sniffed packet protocol: dns +0800 2022-12-26 16:26:11 [36mINFO[0m [[38;5;214m1532296390[0m] inbound/tun[tun-in]: inbound packet connection to [fdfe:dcba:9876::2]:53 +0800 2022-12-26 16:26:11 [37mDEBUG[0m [[38;5;121m2865284457[0m] router: match[0] protocol=dns => dns-out +0800 2022-12-26 16:26:11 [37mDEBUG[0m [[38;5;214m1532296390[0m] router: sniffed packet protocol: dns +0800 2022-12-26 16:26:11 [37mDEBUG[0m [[38;5;121m2865284457[0m] dns: exchange cdn.sstatic.net. IN A +0800 2022-12-26 16:26:11 [37mDEBUG[0m [[38;5;214m1532296390[0m] router: match[0] protocol=dns => dns-out +0800 2022-12-26 16:26:11 [37mDEBUG[0m [[38;5;214m1532296390[0m] dns: exchange cdn.sstatic.net. IN AAAA +0800 2022-12-26 16:26:11 [36mINFO[0m [[38;5;192m3564380336[0m] inbound/tun[tun-in]: inbound packet connection from 172.19.0.1:62325 +0800 2022-12-26 16:26:11 [36mINFO[0m [[38;5;192m3564380336[0m] inbound/tun[tun-in]: inbound packet connection to 172.19.0.2:53 +0800 2022-12-26 16:26:11 [37mDEBUG[0m [[38;5;192m3564380336[0m] router: sniffed packet protocol: dns +0800 2022-12-26 16:26:11 [37mDEBUG[0m [[38;5;192m3564380336[0m] router: match[0] protocol=dns => dns-out +0800 2022-12-26 16:26:11 [37mDEBUG[0m [[38;5;192m3564380336[0m] dns: exchange cdn.sstatic.net. IN AAAA +0800 2022-12-26 16:26:11 [36mINFO[0m [[38;5;121m2865284457[0m] dns: exchanged cdn.sstatic.net. A cdn.sstatic.net. 74 IN A 151.101.129.69 +0800 2022-12-26 16:26:11 [36mINFO[0m [[38;5;121m2865284457[0m] dns: exchanged cdn.sstatic.net. A cdn.sstatic.net. 74 IN A 151.101.1.69 +0800 2022-12-26 16:26:11 [36mINFO[0m [[38;5;121m2865284457[0m] dns: exchanged cdn.sstatic.net. A cdn.sstatic.net. 74 IN A 151.101.65.69 +0800 2022-12-26 16:26:11 [36mINFO[0m [[38;5;121m2865284457[0m] dns: exchanged cdn.sstatic.net. A cdn.sstatic.net. 74 IN A 151.101.193.69 +0800 2022-12-26 16:26:11 [36mINFO[0m [[38;5;195m2531727652[0m] inbound/tun[tun-in]: inbound connection from 172.19.0.1:14642 +0800 2022-12-26 16:26:11 [36mINFO[0m [[38;5;195m2531727652[0m] inbound/tun[tun-in]: inbound connection to 151.101.129.69:443 +0800 2022-12-26 16:26:11 [37mDEBUG[0m [[38;5;195m2531727652[0m] router: sniffed protocol: tls, domain: cdn.sstatic.net +0800 2022-12-26 16:26:11 [36mINFO[0m [[38;5;195m2531727652[0m] outbound/vmess[proxy-out]: outbound connection to cdn.sstatic.net:443 +0800 2022-12-26 16:26:11 [37mDEBUG[0m [[38;5;31m2550126863[0m] inbound/tun[tun-in]: connection closed: download: EOF | upload: EOF +0800 2022-12-26 16:26:11 [36mINFO[0m [[38;5;189m1473504173[0m] inbound/tun[tun-in]: inbound connection from 172.19.0.1:14644 +0800 2022-12-26 16:26:11 [36mINFO[0m [[38;5;189m1473504173[0m] inbound/tun[tun-in]: inbound connection to 213.239.213.190:443 +0800 2022-12-26 16:26:11 [37mDEBUG[0m [[38;5;189m1473504173[0m] router: sniffed protocol: tls, domain: www.v2vxhpbkj.com +0800 2022-12-26 16:26:11 [36mINFO[0m [[38;5;189m1473504173[0m] outbound/vmess[proxy-out]: outbound connection to www.v2vxhpbkj.com:443 +0800 2022-12-26 16:26:12 [37mDEBUG[0m [[38;5;193m41706929[0m] inbound/tun[tun-in]: connection closed: download: EOF | upload: EOF +0800 2022-12-26 16:26:12 [36mINFO[0m [[38;5;35m162712298[0m] inbound/tun[tun-in]: inbound connection from 172.19.0.1:14648 +0800 2022-12-26 16:26:12 [36mINFO[0m [[38;5;35m162712298[0m] inbound/tun[tun-in]: inbound connection to 87.120.8.91:9001 +0800 2022-12-26 16:26:12 [37mDEBUG[0m [[38;5;35m162712298[0m] router: sniffed protocol: tls, domain: www.qgzq75gl.com +0800 2022-12-26 16:26:12 [36mINFO[0m [[38;5;35m162712298[0m] outbound/vmess[proxy-out]: outbound connection to www.qgzq75gl.com:9001 +0800 2022-12-26 16:26:13 [37mDEBUG[0m [[38;5;189m1473504173[0m] inbound/tun[tun-in]: connection closed: download: EOF | upload: EOF +0800 2022-12-26 16:26:13 [36mINFO[0m [[38;5;50m906014133[0m] inbound/tun[tun-in]: inbound connection from 172.19.0.1:14651 +0800 2022-12-26 16:26:13 [36mINFO[0m [[38;5;50m906014133[0m] inbound/tun[tun-in]: inbound connection to 198.16.70.10:9001 +0800 2022-12-26 16:26:13 [37mDEBUG[0m [[38;5;50m906014133[0m] router: sniffed protocol: tls, domain: www.br36.com +0800 2022-12-26 16:26:13 [36mINFO[0m [[38;5;50m906014133[0m] outbound/vmess[proxy-out]: outbound connection to www.br36.com:9001 +0800 2022-12-26 16:26:14 [37mDEBUG[0m [[38;5;35m162712298[0m] inbound/tun[tun-in]: connection closed: download: EOF | upload: EOF +0800 2022-12-26 16:26:14 [36mINFO[0m [[38;5;186m3879049005[0m] inbound/tun[tun-in]: inbound connection from 172.19.0.1:14653 +0800 2022-12-26 16:26:14 [36mINFO[0m [[38;5;186m3879049005[0m] inbound/tun[tun-in]: inbound connection to 91.231.182.49:443 +0800 2022-12-26 16:26:14 [37mDEBUG[0m [[38;5;186m3879049005[0m] router: sniffed protocol: tls, domain: www.gmubjfz5oitdbron.com +0800 2022-12-26 16:26:14 [36mINFO[0m [[38;5;186m3879049005[0m] outbound/vmess[proxy-out]: outbound connection to www.gmubjfz5oitdbron.com:443 +0800 2022-12-26 16:26:15 [31mERROR[0m [[38;5;195m2531727652[0m] inbound/tun[tun-in]: upload: read tcp4 172.19.0.1:14607->172.19.0.2:10011: wsarecv: An existing connection was forcibly closed by the remote host. | download: EOF +0800 2022-12-26 16:26:15 [36mINFO[0m [[38;5;222m2291903694[0m] inbound/tun[tun-in]: inbound connection from 172.19.0.1:14655 +0800 2022-12-26 16:26:15 [36mINFO[0m [[38;5;222m2291903694[0m] inbound/tun[tun-in]: inbound connection to 5.9.14.30:143 +0800 2022-12-26 16:26:15 [37mDEBUG[0m [[38;5;222m2291903694[0m] router: sniffed protocol: tls, domain: www.2xym7kseggs2gewrokswp7.com +0800 2022-12-26 16:26:15 [36mINFO[0m [[38;5;222m2291903694[0m] outbound/vmess[proxy-out]: outbound connection to www.2xym7kseggs2gewrokswp7.com:143 +0800 2022-12-26 16:26:16 [37mDEBUG[0m [[38;5;186m3879049005[0m] inbound/tun[tun-in]: connection closed: download: EOF | upload: EOF +0800 2022-12-26 16:26:16 [37mDEBUG[0m [[38;5;50m906014133[0m] inbound/tun[tun-in]: connection closed: upload: EOF | download: use of closed network connection +0800 2022-12-26 16:26:16 [37mDEBUG[0m [[38;5;222m2291903694[0m] inbound/tun[tun-in]: connection closed: upload: EOF | download: use of closed network connection +0800 2022-12-26 16:26:16 [37mDEBUG[0m [[38;5;121m2865284457[0m] dns: exchange cdn.sstatic.net. IN AAAA +0800 2022-12-26 16:26:16 [36mINFO[0m [[38;5;222m208832736[0m] inbound/tun[tun-in]: inbound packet connection from 172.19.0.1:53077 +0800 2022-12-26 16:26:16 [36mINFO[0m [[38;5;222m208832736[0m] inbound/tun[tun-in]: inbound packet connection to 172.19.0.2:53 +0800 2022-12-26 16:26:16 [37mDEBUG[0m [[38;5;222m208832736[0m] router: sniffed packet protocol: dns +0800 2022-12-26 16:26:16 [37mDEBUG[0m [[38;5;222m208832736[0m] router: match[0] protocol=dns => dns-out +0800 2022-12-26 16:26:16 [37mDEBUG[0m [[38;5;222m208832736[0m] dns: exchange cdn.sstatic.net. IN AAAA +0800 2022-12-26 16:26:16 [36mINFO[0m [[38;5;72m3945172024[0m] inbound/tun[tun-in]: inbound connection from 172.19.0.1:14660 +0800 2022-12-26 16:26:16 [36mINFO[0m [[38;5;72m3945172024[0m] inbound/tun[tun-in]: inbound connection to 151.101.129.69:443 +0800 2022-12-26 16:26:16 [37mDEBUG[0m [[38;5;72m3945172024[0m] router: sniffed protocol: tls, domain: cdn.sstatic.net +0800 2022-12-26 16:26:16 [36mINFO[0m [[38;5;72m3945172024[0m] outbound/vmess[proxy-out]: outbound connection to cdn.sstatic.net:443 ```

[nekohasekai]

文档出错，tor 使用正常的随机 sni，无法区分。

注：不应该在没有 dns 污染的环境使用 sniff_override_destination，特别是像 tun 这样的透明代理。

[GeorgeRudd]

很奇怪，clash meta 的tun 模式，开启sniffer也可以连上tor

[nekohasekai]

上下文无关。