XTLS / Xray-core

Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.
https://t.me/projectXray
Mozilla Public License 2.0
24.19k stars, 3.8k forks

DNS config #2715

Closed. Pro100x3mal closed this issue 4 months ago.

Pro100x3mal commented 9 months ago

Hello. I want to use my own DNS resolver in xray. On a VPS with Ubuntu, an xray server with the REALITY protocol (x-ui panel by alireza0) is installed and configured, and the Unbound caching DNS resolver is installed there as well. Unbound is configured as the system DNS resolver (127.0.0.1 in /etc/resolv.conf), access is allowed from 127.0.0.1/32 and the private network 10.0.0.0/8, and port 53 is open to the private subnet 10.0.0.0/8. A WireGuard server (10.10.10.0) is also installed on the VPS. The WireGuard client configurations specify dns = 10.10.10.0. As a result, all clients (iOS, Android, Windows, Linux) are protected from DNS leaks, since domain name resolution happens on the VPS using Unbound. Please tell me how I can configure the xray-reality configuration so that all clients (iOS, Android, Windows, Linux) also use my own Unbound DNS resolver? At the same time, it is important that routing works with the routing rules I have configured on the clients! At the moment, DNS leak tests show that domain name resolution is not happening on my VPS's IP. I tried adding this to the xray configuration:

"dns": { "servers": [ "127.0.0.1" ] },

but it doesn't work as it should

Pro100x3mal commented 9 months ago
{
  "dns": {
    "servers": [
      {
        "address": "127.0.0.1",
        "port": 53
      }
    ]
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "inboundTag": ["dns-in"],
        "outboundTag": "dns-out"
      },
      // your other rules here
    ]
  },
  "inbounds": [
    {
      "port": 53,
      "tag": "dns-in",
      "protocol": "dokodemo-door",
      "settings": {
        "address": "127.0.0.1",
        "port": 53,
        "network": "tcp,udp"
      }
    },
    // your other inbounds here
  ],
  "outbounds": [
    {
      "tag": "dns-out",
      "protocol": "dns",
      "settings": {
        "network": "tcp,udp",
        "address": "127.0.0.1",
        "port": 53
      }
    },
    // your other outbounds here
  ]
}

The "dns" section is set to use your local Unbound DNS resolver (127.0.0.1, port 53). An inbound with the "dokodemo-door" protocol is set up to listen for DNS requests on port 53, and a corresponding outbound is set up to handle those requests. The routing rules send all DNS requests (tagged "dns-in") through the "dns-out" outbound.

Thanks for the help! I made changes to the xray server configuration based on your example, but it didn't work: xray starts, but clients don't get internet access. Here is the final server configuration:

{
  "api": {
    "services": [
      "HandlerService",
      "LoggerService",
      "StatsService"
    ],
    "tag": "api"
  },
  "dns": {
    "servers": [
      {
        "address": "127.0.0.1",
        "port": 53
      }
    ]
  },
  "fakeDns": null,
  "inbounds": [
    {
      "listen": null,
      "port": 53,
      "protocol": "dokodemo-door",
      "settings": {
        "address": "127.0.0.1",
        "network": "tcp,udp",
        "port": 53
      },
      "sniffing": null,
      "streamSettings": null,
      "tag": "dns-in"
    },
    {
      "listen": "127.0.0.1",
      "port": 62789,
      "protocol": "dokodemo-door",
      "settings": {
        "address": "127.0.0.1"
      },
      "sniffing": null,
      "streamSettings": null,
      "tag": "api"
    },
    {
      "listen": null,
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "email": "111",
            "flow": "xtls-rprx-vision",
            "id": "111"
          },
          {
            "email": "222",
            "flow": "xtls-rprx-vision",
            "id": "222"
          },
          {
            "email": "333",
            "flow": "xtls-rprx-vision",
            "id": "333"
          },
          {
            "email": "444",
            "flow": "xtls-rprx-vision",
            "id": "444"
          }
        ],
        "decryption": "none",
        "fallbacks": []
      },
      "sniffing": {
        "destOverride": [
          "http",
          "tls",
          "quic",
          "fakedns"
        ],
        "enabled": true
      },
      "streamSettings": {
        "network": "tcp",
        "realitySettings": {
          "dest": "www.microsoft.com:443",
          "maxClient": "",
          "maxTimediff": 0,
          "minClient": "",
          "privateKey": "000",
          "serverNames": [
            "microsoft.com",
            "www.microsoft.com"
          ],
          "settings": {
            "fingerprint": "firefox",
            "publicKey": "000",
            "serverName": "",
            "spiderX": "/"
          },
          "shortIds": [
            "111",
            "222",
            "333",
            "444"
          ],
          "show": false,
          "xver": 0
        },
        "security": "reality",
        "tcpSettings": {
          "acceptProxyProtocol": false,
          "header": {
            "type": "none"
          }
        }
      },
      "tag": "inbound-443"
    }
  ],
  "log": {
    "loglevel": "warning"
  },
  "outbounds": [
    {
      "protocol": "dns",
      "settings": {
        "address": "127.0.0.1",
        "network": "tcp,udp",
        "port": 53
      },
      "tag": "dns-out"
    },
    {
      "protocol": "freedom",
      "settings": {
        "domainStrategy": "AsIs"
      }
    },
    {
      "protocol": "blackhole",
      "settings": {},
      "tag": "blocked"
    }
  ],
  "policy": {
    "levels": {
      "0": {
        "statsUserDownlink": true,
        "statsUserUplink": true
      }
    },
    "system": {
      "statsInboundDownlink": true,
      "statsInboundUplink": true
    }
  },
  "reverse": null,
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "inboundTag": [
          "dns-in"
        ],
        "outboundTag": "dns-out",
        "type": "field"
      },
      {
        "inboundTag": [
          "api"
        ],
        "outboundTag": "api",
        "type": "field"
      }
    ]
  },
  "stats": {},
  "transport": null
}

Here are the xray server logs:

Nov 12 20:47:15 ubuntu /usr/local/x-ui/x-ui[756]: INFO - web server run http on 127.0.0.1:5000
Nov 12 20:47:15 ubuntu /usr/local/x-ui/x-ui[756]: INFO - Tg notify enabled,run at @weekly
Nov 12 20:47:15 ubuntu /usr/local/x-ui/x-ui[756]: INFO - Sub server run https on [::]:5001
Nov 12 20:47:15 ubuntu x-ui[756]: Tgbot connected!
Nov 12 20:47:15 ubuntu /usr/local/x-ui/x-ui[756]: INFO - Starting Telegram receiver ...
Nov 12 20:47:16 ubuntu x-ui[756]: 2023/11/12 20:47:16 Conflict: terminated by other getUpdates request; make sure that only one bot instance is running
Nov 12 20:47:16 ubuntu x-ui[756]: 2023/11/12 20:47:16 Failed to get updates, retrying in 3 seconds...

PS: Server: x-ui v1.6.0 by alireza0 + xray 1.8.4. Clients: Shadowrocket, Streisand (iOS).
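The template earlier in the thread and the full server config above share the same shape, so one added check covers both. The script below is an added example for this thread, not code from Xray-core or from the x-ui panel; POSTED_CONFIG is a constructed, trimmed copy of the server config above (tags "inbound-443", "dns-out", "api" come from it, everything irrelevant to DNS is dropped). It flags three things a reviewer would raise: the dokodemo-door inbound with "listen": null binds 0.0.0.0:53, which makes the VPS an open DNS relay in front of Unbound and, since VLESS clients send their queries inside the tunnel, never sees a client query at all; no routing rule sends port-53 traffic from the VLESS inbound to the "dns" outbound, so client queries leave through freedom towards whatever resolver the client app set (that is the "8.8.8.8, one country, many servers" observation later in the thread); and freedom's "AsIs" resolves domain targets with the OS resolver instead of the "dns" section, which happens to be Unbound on this VPS only because /etc/resolv.conf points there. The patched config routes port 53 from the proxy inbound to the dns outbound, whose A/AAAA answers come from the built-in DNS client pointed at 127.0.0.1 and whose other queries are redirected to 127.0.0.1:53 as well. Two caveats outside the script: a probable reason "xray starts but clients have no internet" is that Unbound already holds 0.0.0.0:53 (interface: 0.0.0.0), so the dokodemo-door on the same address fails to bind and the core exits while the panel keeps running; the x-ui log above never shows the core's own error, so check `ss -lunp` and the Xray error log. And the client app must send its DNS through the proxy rather than resolving on the device; which resolver IP it targets no longer matters once the port-53 rule catches it. With this layout Unbound can listen on 127.0.0.1 only, because the only thing that needs to reach it is the xray process on the same host.

```python
"""Audit and patch an Xray server config so client DNS is answered by the
resolver on 127.0.0.1 (Unbound on this VPS). Added example for this thread,
not code from Xray-core or x-ui; POSTED_CONFIG is constructed from the
config posted above with the non-DNS parts removed."""
import copy
import json

POSTED_CONFIG = {
    "dns": {"servers": [{"address": "127.0.0.1", "port": 53}]},
    "inbounds": [
        {"listen": None, "port": 53, "protocol": "dokodemo-door",
         "settings": {"address": "127.0.0.1", "network": "tcp,udp", "port": 53},
         "tag": "dns-in"},
        {"listen": "127.0.0.1", "port": 62789, "protocol": "dokodemo-door",
         "settings": {"address": "127.0.0.1"}, "tag": "api"},
        {"listen": None, "port": 443, "protocol": "vless",
         "settings": {"clients": [], "decryption": "none"},
         "streamSettings": {"network": "tcp", "security": "reality"},
         "tag": "inbound-443"},
    ],
    "outbounds": [
        {"protocol": "dns", "tag": "dns-out",
         "settings": {"address": "127.0.0.1", "network": "tcp,udp", "port": 53}},
        {"protocol": "freedom", "settings": {"domainStrategy": "AsIs"}},
        {"protocol": "blackhole", "settings": {}, "tag": "blocked"},
    ],
    "routing": {"domainStrategy": "IPIfNonMatch", "rules": [
        {"inboundTag": ["dns-in"], "outboundTag": "dns-out", "type": "field"},
        {"inboundTag": ["api"], "outboundTag": "api", "type": "field"}]},
}

PUBLIC_LISTENS = {None, "", "0.0.0.0", "::", "[::]"}   # binds every interface
PROXY_PROTOCOLS = {"vless", "vmess", "trojan", "shadowsocks"}


def public_dns_relays(cfg):
    """Tags of dokodemo-door inbounds exposing port 53 on all interfaces."""
    return [ib.get("tag") for ib in cfg.get("inbounds", [])
            if ib.get("protocol") == "dokodemo-door" and ib.get("port") == 53
            and ib.get("listen") in PUBLIC_LISTENS]


def proxy_inbound_tags(cfg):
    return [ib["tag"] for ib in cfg.get("inbounds", [])
            if ib.get("protocol") in PROXY_PROTOCOLS]


def dns_rule_covers(cfg, inbound_tag):
    """True if a routing rule sends port-53 traffic from inbound_tag to an
    outbound of protocol "dns"."""
    dns_tags = {ob.get("tag") for ob in cfg.get("outbounds", [])
                if ob.get("protocol") == "dns"}
    for rule in cfg.get("routing", {}).get("rules", []):
        ports = str(rule.get("port", "")).replace(" ", "").split(",")
        applies = inbound_tag in rule.get("inboundTag", [inbound_tag])
        if rule.get("outboundTag") in dns_tags and "53" in ports and applies:
            return True
    return False


def find_issues(cfg):
    issues = []
    for tag in public_dns_relays(cfg):
        issues.append(f"inbound {tag!r}: dokodemo-door on all interfaces, port 53: "
                      "open DNS relay to 127.0.0.1:53; proxy clients never use it")
    for tag in proxy_inbound_tags(cfg):
        if not dns_rule_covers(cfg, tag):
            issues.append(f"inbound {tag!r}: no rule routes its port-53 traffic to "
                          "a dns outbound; queries leave via freedom to the "
                          "resolver the client app chose")
    for ob in cfg.get("outbounds", []):
        if ob.get("protocol") == "freedom" and \
                ob.get("settings", {}).get("domainStrategy", "AsIs") == "AsIs":
            issues.append('freedom: domainStrategy AsIs uses the OS resolver, not '
                          'the "dns" section; use UseIP')
    return issues


def patch_config(cfg):
    """Corrected deep copy: drop the public relay and its rule, route port 53
    from every proxy inbound to dns-out, make freedom use the built-in DNS."""
    fixed = copy.deepcopy(cfg)
    relays = set(public_dns_relays(fixed))
    fixed["inbounds"] = [ib for ib in fixed["inbounds"] if ib.get("tag") not in relays]
    routing = fixed.setdefault("routing", {})
    rules = [r for r in routing.get("rules", []) if not relays & set(r.get("inboundTag", []))]
    rules.insert(0, {"type": "field", "inboundTag": proxy_inbound_tags(fixed),
                     "port": "53", "network": "udp,tcp", "outboundTag": "dns-out"})
    routing["rules"] = rules
    outs = fixed["outbounds"]
    if not any(ob.get("tag") == "dns-out" for ob in outs):
        outs.insert(0, {"tag": "dns-out", "protocol": "dns",
                        "settings": {"address": "127.0.0.1", "port": 53}})
    for ob in outs:
        s = ob.setdefault("settings", {})
        if ob.get("protocol") == "freedom":
            s["domainStrategy"] = "UseIP"
        # The dns outbound takes one transport name; "tcp,udp" is not one,
        # so drop it and let each query keep the transport it arrived on.
        if ob.get("protocol") == "dns" and s.get("network") not in ("tcp", "udp"):
            s.pop("network", None)
    fixed["dns"] = {"servers": [{"address": "127.0.0.1", "port": 53}]}
    return fixed


if __name__ == "__main__":
    for issue in find_issues(POSTED_CONFIG):
        print("-", issue)
    print(json.dumps(patch_config(POSTED_CONFIG), indent=2))
```

Run it as-is to print the findings and the patched JSON; to audit a real file, load it with json.load and pass the dict to find_issues and patch_config.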

Pro100x3mal commented 9 months ago

You mentioned that Unbound is configured as the system DNS resolver, which is good, but you might need to adjust its configuration to listen on the WireGuard internal IP as well. Locate and edit the Unbound configuration: it is typically located at /etc/unbound/unbound.conf or in the /etc/unbound/unbound.conf.d/ directory.

Not quite. 10.10.10.0 is the IP of the WireGuard server. In the client configuration, in the Interface section, I specify DNS = 10.10.10.0. This means that the DNS resolver on the server is used. The Unbound configuration allows connections from 127.0.0.1/32 and 10.0.0.0/8. In this setup, all WireGuard clients use the DNS on the VPS, and there are no DNS leaks. That it works exactly like this has been tested on the VPS using "dig". But I only mentioned WireGuard to show that my DNS resolver works as expected on the VPS. I don't combine xray and WireGuard, and now I've completely disabled wg in order to configure xray properly.

Now, to configure Unbound + xray, I have temporarily opened port 53 to everyone using ufw, and in the Unbound settings I specified "access-control: 0.0.0.0/0 allow".

Pro100x3mal commented 9 months ago

@us254 Please tell me. Above I showed my full server config according to your example. xray starts, but clients do not have internet access. Maybe something more needs to be added in the client settings/configurations? I use 2 applications, Shadowrocket and Streisand.

Pro100x3mal commented 9 months ago

I removed all the previously added DNS information from the server configuration file and restored it as it was. Is this exactly the case where my Unbound resolver on the VPS is used? If I specify 127.0.0.1 in the DNS settings of the Streisand and Shadowrocket apps, then in the DNS leak test I see requests to servers in different countries. If I specify 8.8.8.8, the requests come from one country (the country of my VPS), but from many different servers.

Pro100x3mal commented 9 months ago
sudo apt update
sudo apt install unbound -y
sudo nano /etc/unbound/unbound.conf

forward-zone:
    name: "."
    forward-addr: 1.1.1.1

sudo systemctl restart unbound
sudo nano /etc/systemd/resolved.conf

[Resolve]
DNS=127.0.0.1
#FallbackDNS=
#Domains=
DNSSEC=yes
#DNSOverTLS=no
#MulticastDNS=no
#LLMNR=no
#Cache=no-negative
DNSStubListener=no
#DNSStubListenerExtra=

sudo ln -fs /run/systemd/resolve/resolv.conf /etc/resolv.conf
sudo systemctl restart systemd-resolved

sudo systemctl daemon-reload
sudo systemctl enable unbound
sudo systemctl is-enabled unbound

I do not use third-party DNS servers (such as 1.1.1.1, 8.8.8.8 and the like). My own caching recursive DNS server sends requests directly to the authoritative servers. I use the Unbound cache to speed up domain name resolution. Here is my /etc/unbound/unbound.conf.d/myunbound.conf:

server:
    num-threads: 4
    outgoing-range: 200
    num-queries-per-thread: 100
    so-reuseport: yes
    msg-cache-size: 128m
    rrset-cache-size: 256m
    msg-cache-slabs: 16
    rrset-cache-slabs: 16
    infra-cache-slabs: 16
    key-cache-slabs: 16
    prefetch: yes
    prefetch-key: yes
    serve-expired: yes
    serve-expired-ttl: 86400
    cache-min-ttl: 0
    cache-max-ttl: 86400
    qname-minimisation: yes
    minimal-responses: yes
    hide-identity: yes
    hide-version: yes
    verbosity: 0
    interface: 0.0.0.0
    access-control: 127.0.0.1/32 allow
    access-control: 10.10.10.0/24 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    private-address: 10.10.10.0/24
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
remote-control:
    control-enable: no

Accordingly, I don't use a forward-zone. And I need to configure xray to use exactly my DNS resolver, which is the system resolver on my VPS (127.0.0.1).
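Three Unbound configurations appear in this thread: the temporary one with "access-control: 0.0.0.0/0 allow" plus ufw opened to everyone, the install snippet with a forward-zone to 1.1.1.1, and the final myunbound.conf above that recurses to the roots. The check below, added here for this thread and not part of Unbound, Xray-core or x-ui, parses the clause/attribute layout of unbound.conf and reports for each whether it is an open resolver and whether it forwards or recurses. The point worth having in code: "interface: 0.0.0.0" is only safe while every allow rule stays inside private ranges, because Unbound refuses sources it has no allow for; combined with a 0.0.0.0/0 allow and an open firewall it becomes an open recursive resolver on a public IP, which gets discovered and used for DNS amplification. For the xray use case none of that exposure is needed: the xray process reaches Unbound over 127.0.0.1, so port 53 can stay closed in ufw. OPENED_CONF and FINAL_CONF are constructed from the thread and trimmed to the lines that matter; the TRUSTED ranges (loopback and RFC 1918) are an assumption to adjust for your own network.

```python
"""Audit an unbound.conf for open-resolver exposure and resolver mode.
Added example for this thread, not part of Unbound or Xray. The two configs
are constructed from the thread: OPENED_CONF is the forwarder setup plus the
0.0.0.0/0 allow added while debugging, FINAL_CONF is trimmed myunbound.conf."""
import ipaddress

OPENED_CONF = """
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
"""

FINAL_CONF = """
server:
    interface: 0.0.0.0
    access-control: 127.0.0.1/32 allow
    access-control: 10.10.10.0/24 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    do-ip4: yes
    do-ip6: no
remote-control:
    control-enable: no
"""

ALLOW_ACTIONS = {"allow", "allow_snoop", "allow_setrd", "allow_cookie"}
# Assumption: the only sources a VPS resolver should serve are loopback and
# RFC 1918 space (the WireGuard and LAN ranges in the thread fall inside).
TRUSTED = [ipaddress.ip_network(n) for n in
           ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_unbound(text):
    """Return [(clause, key, value)]: a line ending in ':' opens a clause such
    as server: or forward-zone:, other 'key: value' lines belong to it.
    Comments are stripped and quotes around values removed."""
    entries, clause = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if sep and value == "":
            clause = key
        elif sep and clause:
            entries.append((clause, key, value))
    return entries


def values(entries, clause, key):
    return [v for c, k, v in entries if c == clause and k == key]


def listens_beyond_loopback(entries):
    """True if any interface: line binds something other than loopback."""
    for iface in values(entries, "server", "interface") or ["127.0.0.1"]:  # Unbound default
        addr = iface.split("@")[0]          # "interface: 10.0.0.1@5353" form
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                return True
        except ValueError:
            return True                     # an interface name; treat as reachable
    return False


def allows_outside_trusted(entries):
    """access-control lines that allow a network not inside TRUSTED."""
    bad = []
    for acl in values(entries, "server", "access-control"):
        net, _, action = acl.partition(" ")
        if action.strip() not in ALLOW_ACTIONS:
            continue
        network = ipaddress.ip_network(net.strip(), strict=False)
        if not any(network.version == t.version and network.subnet_of(t) for t in TRUSTED):
            bad.append(acl)
    return bad


def resolver_mode(entries):
    """'forwarder' when the root zone is forwarded, else 'recursive'."""
    if "." in values(entries, "forward-zone", "name") and \
            values(entries, "forward-zone", "forward-addr"):
        return "forwarder"
    return "recursive"


def audit(text):
    entries = parse_unbound(text)
    public = listens_beyond_loopback(entries)
    untrusted = allows_outside_trusted(entries)
    # Open resolver = a reachable socket AND an allow for untrusted sources.
    # Unbound refuses unlisted sources, so a public listener alone only
    # answers REFUSED to the Internet (still worth closing in the firewall).
    return {"mode": resolver_mode(entries), "public_listener": public,
            "untrusted_allows": untrusted, "open_resolver": public and bool(untrusted)}


if __name__ == "__main__":
    for name, conf in (("opened", OPENED_CONF), ("final", FINAL_CONF)):
        print(name, audit(conf))
```

To audit a live host, pass the contents of each file under /etc/unbound/unbound.conf.d/ to audit() (Unbound merges them), and compare the result with what `ss -lunp` shows actually bound on port 53.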