
DNS分流问题,请帮忙解惑一下 #1238

Closed zhfish closed 2 years ago

zhfish commented 2 years ago

旁路由 TProxy 透明代理,预期是:白名单域名用 8.8.8.8 解析,其他域名用主路由解析。

目前遇到的问题是,无论怎么尝试,DNS 解析都只走

 "settings": {
          "address": "1.2.3.4",

这里的 address。比如:

nslookup www.baidu.com 192.168.0.1
返回结果为两个国内IP
nslookup www.baidu.com 192.168.0.2
返回结果为一个海外CDN的IP
accepted udp:8.8.8.8:53 [dns-in -> sg-out]
accepted udp:8.8.8.8:53 [dns-in -> sg-out]

配置如下

{
  "log": {
    "loglevel": "warning",
    "error": "/opt/xray/logs/error.log",
    "access": "/opt/xray/logs/access.log"
  },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "tag": "all-in",
      "port": 12345,
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "tproxy"
        }
      }
    },
    {
      "port": 1088,
      "tag": "socks-in",
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      },
      "settings": {
        "udp": true
      }
    },
    {
      "port": 1080,
      "tag": "http-in",
      "protocol": "http",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      },
      "settings": {
        "udp": false
      }
    },
    {
      "tag": "dns-in",
      "port": 53,
      "protocol": "dokodemo-door",
      "settings": {
          "address": "8.8.8.8",
          "port": 53,
          "network": "udp",
          "userLevel": 1
      }
  }
  ],
  "outbounds": [
    {
      "tag": "default-out",
      "protocol": "freedom",
      "streamSettings": {
        "sockopt": {
          "mark": 2
        }
      }
    },
    {
      "tag": "sg-out",
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "xtls",
        "sockopt": {
          "mark": 2
        }
      }
    },
    {
      "tag": "block-out",
      "protocol": "blackhole",
      "settings": {
        "response": {
          "type": "http"
        }
      }
    },
    {
      "tag": "dns-out",
      "protocol": "dns",
      "streamSettings": {
        "sockopt": {
          "mark": 2
        }
      }
    }
  ],
  "dns": {
    "hosts": {
      "xxxx.xxxx.xxxx": "100.100.100.100"
    },
    "servers": [
      "192.168.0.1",
      "223.5.5.5",
      {
        "address": "8.8.8.8",
        "port": 53,
        "domains": [
          "geosite:google",
          "geosite:netflix",
          "geosite:amazon",
          "geosite:facebook",
          "geosite:facebook-dev",
          "geosite:twitter",
          "geosite:telegram",
          "geosite:github",
          "geosite:pornhub"
        ],
        "expectIPs": [
          "geoip:telegram"
        ]
      }
    ]
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "domain": [
          "geosite:google",
          "geosite:netflix",
          "geosite:amazon",
          "geosite:facebook",
          "geosite:facebook-dev",
          "geosite:twitter",
          "geosite:telegram",
          "geosite:github",
          "geosite:pornhub",
          "cip.cc"
        ],
        "outboundTag": "sg-out"
      },
      {
        "type": "field",
        "ip": [
          "geoip:telegram",
          "8.8.8.8"
        ],
        "outboundTag": "sg-out"
      },
      {
        "type": "field",
        "ip": [
          "192.168.0.1",
          "223.5.5.5"
        ],
        "outboundTag": "default-out"
      },
      {
        "type": "field",
        "inboundTag": ["dns-in"],
        "outboundTag": "dns-out"
      }
    ]
  }
}
azzvx commented 2 years ago
"servers": [
      "192.168.0.1",
      "223.5.5.5",
      {
        "address": "8.8.8.8",
        "port": 53,
        "domains": [
          "geosite:google",
          "geosite:netflix",
          "geosite:amazon",
          "geosite:facebook",
          "geosite:facebook-dev",
          "geosite:twitter",
          "geosite:telegram",
          "geosite:github",
          "geosite:pornhub"
        ],
        "expectIPs": [
          "geoip:telegram" <-- 这行有问题,不应该有期望IP。而且你裸连8.8.8.8大概率返回污染IP。
        ]
      }
    ]
  },
zhfish commented 2 years ago
"servers": [
      "192.168.0.1",
      "223.5.5.5",
      {
        "address": "8.8.8.8",
        "port": 53,
        "domains": [
          "geosite:google",
          "geosite:netflix",
          "geosite:amazon",
          "geosite:facebook",
          "geosite:facebook-dev",
          "geosite:twitter",
          "geosite:telegram",
          "geosite:github",
          "geosite:pornhub"
        ],
        "expectIPs": [
          "geoip:telegram" <-- 这行有问题,不应该有期望IP。而且你裸连8.8.8.8大概率返回污染IP。
        ]
      }
    ]
  },

并没有裸连 8.8.8.8,它会走 sg-out 出去。看来是我对 expectIPs 的理解有误,我再试试。

zxbiao commented 2 years ago

这是我的 DNS 分流和负载均衡配置,也加了备注,应该能给你一个参考。


// 内置DNS服务器设置,详见:https://xtls.github.io/config/dns.html
    "dns":
    {
        //hosts文件,静态域名-IP对应列表
        "hosts":
        {
            //GOOGLE DNS
            "dns.google":
            [
                "8.8.8.8",
                "8.8.4.4"
            ],
            //DNSPOD DNS
            "dns.pub": "119.29.29.29",
            //ALI DNS
            "dns.alidns.com":
            [
                "223.5.5.5",
                "223.6.6.6"
            ]
        },
        //DNS上游查询服务器组
        "servers":
        [
            //国外域名使用国外DNS查询
            {
                //使用 DNS-over-TLS(DoT)查询
                //注:下面的 address 只写了裸 IP "1.1.1.1",这是明文 UDP 查询而不是 DoT;
                //要走加密 DNS,需要在 address 中显式写出协议前缀,具体格式见上面链接的 dns 文档。
                "address": "1.1.1.1",
                //域名列表,此列表包含的域名,将优先使用此服务器进行查询。
                "domains":
                [
                    //查询CN以外的域名
                    "geosite:geolocation-!cn",
                    //Google中国地区
                    "geosite:google@cn"
                ],
                //DNS校验,只返回非中国IP查询
                "expectIPs": ["geoip:!cn"]
            },
            //国内域名使用国内DNS查询,并期待返回国内的IP,若不是国内IP则舍弃,用下一个查询
            {
                "address": "223.5.5.5",
                "domains": ["geosite:cn"],
                //DNS校验,只返回中国IP查询
                "expectIPs": ["geoip:cn"]
            },
            //备份,对国内网站进行二次查询
            {
                "address": "114.114.114.114",
                "domains": ["geosite:cn"]
            },
            //最后的备份,上面全部失败时,用指定DNS查询
            "localhost"
        ],
        //查询的记录类型,UseIPv4 只查询 A 记录;UseIPv6 只查询 AAAA 记录。默认值为 UseIP,即查询 A 和 AAAA 记录。
        "queryStrategy": "UseIPv4"
    },
    // 路由设置
    "routing":
    {
        //domainStrategy: "AsIs" | "IPIfNonMatch" | "IPOnDemand"
        //"AsIs":只使用域名进行路由选择。默认值。
        //"IPIfNonMatch":当域名没有匹配任何规则时,将域名解析成 IP(A 记录或 AAAA 记录)再次进行匹配;
        //    当一个域名有多个 A 记录时,会尝试匹配所有的 A 记录,直到其中一个与某个规则匹配为止;
        //    解析后的 IP 仅在路由选择时起作用,转发的数据包中依然使用原始域名;
        //"IPOnDemand":当匹配时碰到任何基于 IP 的规则,将域名立即解析为 IP 进行匹配;
        "domainStrategy": "IPIfNonMatch",
        // 路由规则
        "rules":
        [
            // API接口路由
            {
                "inboundTag": ["api"],
                "outboundTag": "api",
                "type": "field"
            },
            // 屏蔽广告网址,如与ADGuard Home合用可以删除此规则
            {
                "type": "field",
                "domain":
                [
                    "geosite:category-ads-all",
                    "*-toutiao.com",
                    ".pglstatp-toutiao.com",
                    ".pangolin-sdk-toutiao.com",
                    ".appsflyer.com",
                    ".umengcloud.com",
                    ".bugly.qq.com",
                    "nadvideo2.baidu.com",
                    "sofire.baidu.com",
                    "tcbox.baidu.com",
                    "hmmb.baidu.com",
                    "himg.baidu.com",
                    ".gepush.com",
                    ".kuaishou.com",
                    ".yximgs.com",
                    ".jiguang.cn"
                ],
                // 出站代理标识:屏蔽
                "outboundTag": "adblock"
            },
            // 特定域名走代理
            {
                "type": "field",
                "domain": [
                    "geosite:abema",
                    "geosite:dmm",
                    ".google.com.hk",
                    ".google.com.tw",
                    ".google.co.jp"
                ],
                "outboundTag": "proxy-ss-hk"
            },
            {
                "type": "field",
                "ip": [
                    "geoip:netflix",
                    "geoip:hk",
                    "geoip:jp",
                    "geoip:tw"
                ],
                "outboundTag": "proxy-ss-hk"
            },
            // 负载均衡路由
            {
                "type": "field",
                "domain":
                [
                    "geosite:steam",
                    ".googlevideo.com",
                    "geosite:category-social-media-!cn",
                    "git.openwrt.org",
                    "full:.uploadhaven.com"
                ],
                "balancerTag": "proxy-ss"
            },
            {
                "type": "field",
                "ip":
                [
                    "geoip:telegram",
                    "geoip:twitter"
                ],
                "balancerTag": "proxy-ss"
            },
            // 中国IP直连,国内中转建议开启
            {
                "type": "field",
                "ip": [
                    "geoip:cn"
                ],
                "outboundTag": "direct"
            },
            // 屏蔽私有IP
            {
                "type": "field",
                "ip":
                [
                    "geoip:private"
                ],
                "outboundTag": "block"
            },
            // BT协议流量屏蔽
            {
                "type": "field",
                "protocol":
                [
                    "bittorrent"
                ],
                "outboundTag": "block"
            }
        ],
        //负载均衡设置
        "balancers":
        [
            {

"tag": "proxy-ss",
                "selector":
                [
//outbound的标签               
"proxy-ss"
                ],
                "strategy":
                {
//随机选择                    
"type": "random"
                }
            }
        ]
    },

……

// 出站代理设置,详见:https://xtls.github.io/config/outbounds/#协议列表
    "outbounds": [
        // 国际流量转发到国外服务器
        {
            "tag": "proxy-29",
            "protocol": "vless",
            "settings":
            {
                "vnext": [
                    {
                        "address": "xxxxx.xxxxx.xxxxx",
                        //"address": "xxx.xxx.xxx.xxx",
                        "port": 443,
                        "users": [
                            {
                                "id": "",
                                "flow": "xtls-rprx-direct",
                                "encryption": "none",
                                "level": 0
                            }
                        ]
                    }
                ]
            },
            "streamSettings":
            {
                "network": "tcp",
                //"security": "tls",
                //"tlsSettings": {
                "security": "xtls",
                "xtlsSettings":
                {
                    "serverName": "xxxx.xxxxx.xxxxx" // 换成你的域名
                }
            },
            //流量探测
            //注:sniffing 属于 inbound 的配置项,写在 outbound 里不起作用;请以文档为准。
            "sniffing":
            {
                //是否开启。值:true | false
                "enabled": true,
                //当流量为指定类型时,按其中包括的目标地址重置当前连接的目标。
                //其中 ["fakedns+others"] 相当于 ["http", "tls", "quic", "fakedns"],
                //当 IP 地址处于 FakeIP 区间内但没有命中域名记录时会使用 http、tls 和 quic 进行匹配。
                //此项仅在 metadataOnly 为 false 时有效。
                "destOverride": ["http", "tls"],
                //当启用时,将仅使用连接的元数据嗅探目标地址。
                //此时,除 fakedns 以外的 sniffer 将不能激活(包括 fakedns+others)。
                //值:true | false
                "metadataOnly": false,
                //如果流量探测结果在这个列表中时,将 不会 重置目标地址。
                "domainsExcluded": [],
                //将嗅探得到的域名仅用于路由,代理目标地址仍为 IP。默认值为 false。值:true | false
                "routeOnly": false
            }
        },
        //ss服务器组
        {
            "tag": "proxy-ss-29",
            "protocol": "shadowsocks",
            "settings":
            {
                "servers": [
                    {
                        "address": "XXX.XXX.XXX.XXX",
                        "port": 41475,
                        "method": "2022-blake3-aes-256-gcm",
                        "password": "{PSK}"
                        //"uot": true
                    }
                ]
            }
        },
        {
            "tag": "proxy-ss-247",
            "protocol": "shadowsocks",
            "settings":
            {
                "servers": [
                    {
                        "address": "xxx.xxx.xxx.247",
                        "port": 39103,
                        "method": "2022-blake3-aes-256-gcm",
                        "password": "{PSK}"
                        //"uot": true
                    }
                ]
            }
        },
        {
            "tag": "proxy-ss-248",
            "protocol": "shadowsocks",
            "settings":
            {
                "servers": [
                    {
                        "address": "xxx.xxx.xxx.248",
                        "port": 39103,
                        "method": "2022-blake3-aes-256-gcm",
                        "password": "{PSK}"
                        //"uot": true
                    }
                ]
            }
        },
        {
            "tag": "proxy-ss-hk",
            "protocol": "shadowsocks",
            "settings":
            {
                "servers": [
                    {
                        "address": "xxx.xxx.xxx.xxx",
                        "port": 391XX,
                        "method": "2022-blake3-aes-256-gcm",
                        "password": "{PSK}"
                        //"uot": true
                    }
                ]
            }
        },
        {
            "tag": "proxy-ss-jp",
            "protocol": "shadowsocks",
            "settings":
            {
                "servers": [
                    {
                        "address": "xxx.xxx.xxx.xxx",
                        "port": 391XX,
                        "method": "2022-blake3-aes-256-gcm",
                        "password": "{PSK}"
                        //"uot": true
                    }
                ]
            }
        },
        {
            "tag": "proxy-cdn-247",
            "protocol": "vless",
            "settings":
            {
                "vnext": [
                    {
                        "address": "xxxx.xxxxx.xxxxxx",
                        "port": 443,
                        "users": [
                            {
                                "id": "",
                                //"flow": "xtls-rprx-direct",
                                "encryption": "none",
                                "level": 0
                            }
                        ]
                    }
                ]
            },
            "streamSettings":
            {
                "network": "tcp",
                "security": "tls",
                "tlsSettings":
                {
                    "serverName": "www.xxxx.xxxx"
                }
            },
            //流量探测
            "sniffing":
            {
                //是否开启。值:true | false
                "enabled": true,
                //当流量为指定类型时,按其中包括的目标地址重置当前连接的目标。
                //其中 ["fakedns+others"] 相当于 ["http", "tls", "quic", "fakedns"],
                //当 IP 地址处于 FakeIP 区间内但没有命中域名记录时会使用 http、tls 和 quic 进行匹配。
                //此项仅在 metadataOnly 为 false 时有效。
                "destOverride": ["http", "tls"],
                //当启用时,将仅使用连接的元数据嗅探目标地址。
                //此时,除 fakedns 以外的 sniffer 将不能激活(包括 fakedns+others)。
                //值:true | false
                "metadataOnly": false,
                //如果流量探测结果在这个列表中时,将 不会 重置目标地址。
                "domainsExcluded": [],
                //将嗅探得到的域名仅用于路由,代理目标地址仍为 IP。默认值为 false。值:true | false
                "routeOnly": false
            }
        },
        {
            "protocol": "freedom",
            "settings":
            {
                "domainStrategy": "UseIPv4"
            },
            "tag": "direct"
        },
        {
            "protocol": "blackhole",
            "settings":
            {
                "response":
                {
                    "type": "http"
                }
            },
            "tag": "block"
        },
        {
            "protocol": "blackhole",
            "settings":
            {
                "response":
                {
                    "type": "http"
                }
            },
            "tag": "adblock"
        }
    ],

这是我自己实践过、确认可行的分流和负载均衡方案。

zhfish commented 2 years ago

这是我的 DNS 分流和负载均衡配置,也加了备注,应该能给你一个参考。


// 内置DNS服务器设置,详见:https://xtls.github.io/config/dns.html
    "dns":
    {
        //hosts文件,静态域名-IP对应列表
        "hosts":
        {
            //GOOGLE DNS
            "dns.google":
            [
                "8.8.8.8",
                "8.8.4.4"
            ],
            //DNSPOD DNS
            "dns.pub": "119.29.29.29",
            //ALI DNS
            "dns.alidns.com":
            [
                "223.5.5.5",
                "223.6.6.6"
            ]
        },
        //DNS上游查询服务器组
        "servers":
        [
            //国外域名使用国外DNS查询
            {
                //使用 DNS-over-TLS(DoT)查询
                //注:下面的 address 只写了裸 IP "1.1.1.1",这是明文 UDP 查询而不是 DoT;
                //要走加密 DNS,需要在 address 中显式写出协议前缀,具体格式见上面链接的 dns 文档。
                "address": "1.1.1.1",
                //域名列表,此列表包含的域名,将优先使用此服务器进行查询。
                "domains":
                [
                    //查询CN以外的域名
                    "geosite:geolocation-!cn",
                    //Google中国地区
                    "geosite:google@cn"
                ],
                //DNS校验,只返回非中国IP查询
                "expectIPs": ["geoip:!cn"]
            },
            //国内域名使用国内DNS查询,并期待返回国内的IP,若不是国内IP则舍弃,用下一个查询
            {
                "address": "223.5.5.5",
                "domains": ["geosite:cn"],
                //DNS校验,只返回中国IP查询
                "expectIPs": ["geoip:cn"]
            },
            //备份,对国内网站进行二次查询
            {
                "address": "114.114.114.114",
                "domains": ["geosite:cn"]
            },
            //最后的备份,上面全部失败时,用指定DNS查询
            "localhost"
        ],
        //查询的记录类型,UseIPv4 只查询 A 记录;UseIPv6 只查询 AAAA 记录。默认值为 UseIP,即查询 A 和 AAAA 记录。
        "queryStrategy": "UseIPv4"
    },
    // 路由设置
    "routing":
    {
        //domainStrategy: "AsIs" | "IPIfNonMatch" | "IPOnDemand"
        //"AsIs":只使用域名进行路由选择。默认值。
        //"IPIfNonMatch":当域名没有匹配任何规则时,将域名解析成 IP(A 记录或 AAAA 记录)再次进行匹配;
        //    当一个域名有多个 A 记录时,会尝试匹配所有的 A 记录,直到其中一个与某个规则匹配为止;
        //    解析后的 IP 仅在路由选择时起作用,转发的数据包中依然使用原始域名;
        //"IPOnDemand":当匹配时碰到任何基于 IP 的规则,将域名立即解析为 IP 进行匹配;
        "domainStrategy": "IPIfNonMatch",
        // 路由规则
        "rules":
        [
            // API接口路由
            {
                "inboundTag": ["api"],
                "outboundTag": "api",
                "type": "field"
            },
            // 屏蔽广告网址,如与ADGuard Home合用可以删除此规则
            {
                "type": "field",
                "domain":
                [
                    "geosite:category-ads-all",
                    "*-toutiao.com",
                    ".pglstatp-toutiao.com",
                    ".pangolin-sdk-toutiao.com",
                    ".appsflyer.com",
                    ".umengcloud.com",
                    ".bugly.qq.com",
                    "nadvideo2.baidu.com",
                    "sofire.baidu.com",
                    "tcbox.baidu.com",
                    "hmmb.baidu.com",
                    "himg.baidu.com",
                    ".gepush.com",
                    ".kuaishou.com",
                    ".yximgs.com",
                    ".jiguang.cn"
                ],
                // 出站代理标识:屏蔽
                "outboundTag": "adblock"
            },
            // 特定域名走代理
            {
                "type": "field",
                "domain": [
                    "geosite:abema",
                    "geosite:dmm",
                    ".google.com.hk",
                    ".google.com.tw",
                    ".google.co.jp"
                ],
                "outboundTag": "proxy-ss-hk"
            },
            {
                "type": "field",
                "ip": [
                    "geoip:netflix",
                    "geoip:hk",
                    "geoip:jp",
                    "geoip:tw"
                ],
                "outboundTag": "proxy-ss-hk"
            },
            // 负载均衡路由
            {
                "type": "field",
                "domain":
                [
                    "geosite:steam",
                    ".googlevideo.com",
                    "geosite:category-social-media-!cn",
                    "git.openwrt.org",
                    "full:.uploadhaven.com"
                ],
                "balancerTag": "proxy-ss"
            },
            {
                "type": "field",
                "ip":
                [
                    "geoip:telegram",
                    "geoip:twitter"
                ],
                "balancerTag": "proxy-ss"
            },
            // 中国IP直连,国内中转建议开启
            {
                "type": "field",
                "ip": [
                    "geoip:cn"
                ],
                "outboundTag": "direct"
            },
            // 屏蔽私有IP
            {
                "type": "field",
                "ip":
                [
                    "geoip:private"
                ],
                "outboundTag": "block"
            },
            // BT协议流量屏蔽
            {
                "type": "field",
                "protocol":
                [
                    "bittorrent"
                ],
                "outboundTag": "block"
            }
        ],
        //负载均衡设置
        "balancers":
        [
            {

"tag": "proxy-ss",
                "selector":
                [
//outbound的标签               
"proxy-ss"
                ],
                "strategy":
                {
//随机选择                    
"type": "random"
                }
            }
        ]
    },

……

// 出站代理设置,详见:https://xtls.github.io/config/outbounds/#协议列表
    "outbounds": [
        // 国际流量转发到国外服务器
        {
            "tag": "proxy-29",
            "protocol": "vless",
            "settings":
            {
                "vnext": [
                    {
                        "address": "xxxxx.xxxxx.xxxxx",
                        //"address": "xxx.xxx.xxx.xxx",
                        "port": 443,
                        "users": [
                            {
                                "id": "",
                                "flow": "xtls-rprx-direct",
                                "encryption": "none",
                                "level": 0
                            }
                        ]
                    }
                ]
            },
            "streamSettings":
            {
                "network": "tcp",
                //"security": "tls",
                //"tlsSettings": {
                "security": "xtls",
                "xtlsSettings":
                {
                    "serverName": "xxxx.xxxxx.xxxxx" // 换成你的域名
                }
            },
            //流量探测
            //注:sniffing 属于 inbound 的配置项,写在 outbound 里不起作用;请以文档为准。
            "sniffing":
            {
                //是否开启。值:true | false
                "enabled": true,
                //当流量为指定类型时,按其中包括的目标地址重置当前连接的目标。
                //其中 ["fakedns+others"] 相当于 ["http", "tls", "quic", "fakedns"],
                //当 IP 地址处于 FakeIP 区间内但没有命中域名记录时会使用 http、tls 和 quic 进行匹配。
                //此项仅在 metadataOnly 为 false 时有效。
                "destOverride": ["http", "tls"],
                //当启用时,将仅使用连接的元数据嗅探目标地址。
                //此时,除 fakedns 以外的 sniffer 将不能激活(包括 fakedns+others)。
                //值:true | false
                "metadataOnly": false,
                //如果流量探测结果在这个列表中时,将 不会 重置目标地址。
                "domainsExcluded": [],
                //将嗅探得到的域名仅用于路由,代理目标地址仍为 IP。默认值为 false。值:true | false
                "routeOnly": false
            }
        },
        //ss服务器组
        {
            "tag": "proxy-ss-29",
            "protocol": "shadowsocks",
            "settings":
            {
                "servers": [
                    {
                        "address": "XXX.XXX.XXX.XXX",
                        "port": 41475,
                        "method": "2022-blake3-aes-256-gcm",
                        "password": "{PSK}"
                        //"uot": true
                    }
                ]
            }
        },
        {
            "tag": "proxy-ss-247",
            "protocol": "shadowsocks",
            "settings":
            {
                "servers": [
                    {
                        "address": "xxx.xxx.xxx.247",
                        "port": 39103,
                        "method": "2022-blake3-aes-256-gcm",
                        "password": "{PSK}"
                        //"uot": true
                    }
                ]
            }
        },
        {
            "tag": "proxy-ss-248",
            "protocol": "shadowsocks",
            "settings":
            {
                "servers": [
                    {
                        "address": "xxx.xxx.xxx.248",
                        "port": 39103,
                        "method": "2022-blake3-aes-256-gcm",
                        "password": "{PSK}"
                        //"uot": true
                    }
                ]
            }
        },
        {
            "tag": "proxy-ss-hk",
            "protocol": "shadowsocks",
            "settings":
            {
                "servers": [
                    {
                        "address": "xxx.xxx.xxx.xxx",
                        "port": 391XX,
                        "method": "2022-blake3-aes-256-gcm",
                        "password": "{PSK}"
                        //"uot": true
                    }
                ]
            }
        },
        {
            "tag": "proxy-ss-jp",
            "protocol": "shadowsocks",
            "settings":
            {
                "servers": [
                    {
                        "address": "xxx.xxx.xxx.xxx",
                        "port": 391XX,
                        "method": "2022-blake3-aes-256-gcm",
                        "password": "{PSK}"
                        //"uot": true
                    }
                ]
            }
        },
        {
            "tag": "proxy-cdn-247",
            "protocol": "vless",
            "settings":
            {
                "vnext": [
                    {
                        "address": "xxxx.xxxxx.xxxxxx",
                        "port": 443,
                        "users": [
                            {
                                "id": "",
                                //"flow": "xtls-rprx-direct",
                                "encryption": "none",
                                "level": 0
                            }
                        ]
                    }
                ]
            },
            "streamSettings":
            {
                "network": "tcp",
                "security": "tls",
                "tlsSettings":
                {
                    "serverName": "www.xxxx.xxxx"
                }
            },
            //流量探测
            "sniffing":
            {
                //是否开启。值:true | false
                "enabled": true,
                //当流量为指定类型时,按其中包括的目标地址重置当前连接的目标。
                //其中 ["fakedns+others"] 相当于 ["http", "tls", "quic", "fakedns"],
                //当 IP 地址处于 FakeIP 区间内但没有命中域名记录时会使用 http、tls 和 quic 进行匹配。
                //此项仅在 metadataOnly 为 false 时有效。
                "destOverride": ["http", "tls"],
                //当启用时,将仅使用连接的元数据嗅探目标地址。
                //此时,除 fakedns 以外的 sniffer 将不能激活(包括 fakedns+others)。
                //值:true | false
                "metadataOnly": false,
                //如果流量探测结果在这个列表中时,将 不会 重置目标地址。
                "domainsExcluded": [],
                //将嗅探得到的域名仅用于路由,代理目标地址仍为 IP。默认值为 false。值:true | false
                "routeOnly": false
            }
        },
        {
            "protocol": "freedom",
            "settings":
            {
                "domainStrategy": "UseIPv4"
            },
            "tag": "direct"
        },
        {
            "protocol": "blackhole",
            "settings":
            {
                "response":
                {
                    "type": "http"
                }
            },
            "tag": "block"
        },
        {
            "protocol": "blackhole",
            "settings":
            {
                "response":
                {
                    "type": "http"
                }
            },
            "tag": "adblock"
        }
    ],

这是我自己实践过、确认可行的分流和负载均衡方案。

谢谢,我参考您的配置已经 OK 了。我最后又折腾了一版前置 mosdns 的方案,还在试验哪个更好一些。