github.com/sagernet/sing-box@v1.9.0-rc.20/docs/configuration/dns/rule.md (about) 1 --- 2 icon: material/new-box 3 --- 4 5 !!! quote "Changes in sing-box 1.9.0" 6 7 :material-plus: [geoip](#geoip) 8 :material-plus: [ip_cidr](#ip_cidr) 9 :material-plus: [ip_is_private](#ip_is_private) 10 :material-plus: [client_subnet](#client_subnet) 11 :material-plus: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source) 12 13 !!! quote "Changes in sing-box 1.8.0" 14 15 :material-plus: [rule_set](#rule_set) 16 :material-plus: [source_ip_is_private](#source_ip_is_private) 17 :material-delete-clock: [geoip](#geoip) 18 :material-delete-clock: [geosite](#geosite) 19 20 ### Structure 21 22 ```json 23 { 24 "dns": { 25 "rules": [ 26 { 27 "inbound": [ 28 "mixed-in" 29 ], 30 "ip_version": 6, 31 "query_type": [ 32 "A", 33 "HTTPS", 34 32768 35 ], 36 "network": "tcp", 37 "auth_user": [ 38 "usera", 39 "userb" 40 ], 41 "protocol": [ 42 "tls", 43 "http", 44 "quic" 45 ], 46 "domain": [ 47 "test.com" 48 ], 49 "domain_suffix": [ 50 ".cn" 51 ], 52 "domain_keyword": [ 53 "test" 54 ], 55 "domain_regex": [ 56 "^stun\\..+" 57 ], 58 "geosite": [ 59 "cn" 60 ], 61 "source_geoip": [ 62 "private" 63 ], 64 "geoip": [ 65 "cn" 66 ], 67 "source_ip_cidr": [ 68 "10.0.0.0/24", 69 "192.168.0.1" 70 ], 71 "source_ip_is_private": false, 72 "ip_cidr": [ 73 "10.0.0.0/24", 74 "192.168.0.1" 75 ], 76 "ip_is_private": false, 77 "source_port": [ 78 12345 79 ], 80 "source_port_range": [ 81 "1000:2000", 82 ":3000", 83 "4000:" 84 ], 85 "port": [ 86 80, 87 443 88 ], 89 "port_range": [ 90 "1000:2000", 91 ":3000", 92 "4000:" 93 ], 94 "process_name": [ 95 "curl" 96 ], 97 "process_path": [ 98 "/usr/bin/curl" 99 ], 100 "package_name": [ 101 "com.termux" 102 ], 103 "user": [ 104 "sekai" 105 ], 106 "user_id": [ 107 1000 108 ], 109 "clash_mode": "direct", 110 "wifi_ssid": [ 111 "My WIFI" 112 ], 113 "wifi_bssid": [ 114 "00:00:00:00:00:00" 115 ], 116 "rule_set": [ 117 "geoip-cn", 118 "geosite-cn" 119 ], 120 
"rule_set_ipcidr_match_source": false, 121 "invert": false, 122 "outbound": [ 123 "direct" 124 ], 125 "server": "local", 126 "disable_cache": false, 127 "rewrite_ttl": 100, 128 "client_subnet": "127.0.0.1/24" 129 }, 130 { 131 "type": "logical", 132 "mode": "and", 133 "rules": [], 134 "server": "local", 135 "disable_cache": false, 136 "rewrite_ttl": 100, 137 "client_subnet": "127.0.0.1/24" 138 } 139 ] 140 } 141 } 142 143 ``` 144 145 !!! note "" 146 147 You can ignore the JSON Array [] tag when the content is only one item 148 149 ### Default Fields 150 151 !!! note "" 152 153 The default rule uses the following matching logic: 154 (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite`) && 155 (`port` || `port_range`) && 156 (`source_geoip` || `source_ip_cidr` || `source_ip_is_private`) && 157 (`source_port` || `source_port_range`) && 158 `other fields` 159 160 Additionally, included rule sets can be considered merged rather than as a single rule sub-item. 161 162 #### inbound 163 164 Tags of [Inbound](/configuration/inbound/). 165 166 #### ip_version 167 168 4 (A DNS query) or 6 (AAAA DNS query). 169 170 Not limited if empty. 171 172 #### query_type 173 174 DNS query type. Values can be integers or type name strings. 175 176 #### network 177 178 `tcp` or `udp`. 179 180 #### auth_user 181 182 Username, see each inbound for details. 183 184 #### protocol 185 186 Sniffed protocol, see [Sniff](/configuration/route/sniff/) for details. 187 188 #### domain 189 190 Match full domain. 191 192 #### domain_suffix 193 194 Match domain suffix. 195 196 #### domain_keyword 197 198 Match domain using keyword. 199 200 #### domain_regex 201 202 Match domain using regular expression. 203 204 #### geosite 205 206 !!! failure "Deprecated in sing-box 1.8.0" 207 208 Geosite is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geosite-to-rule-sets). 209 210 Match geosite. 211 212 #### source_geoip 213 214 !!! 
failure "Deprecated in sing-box 1.8.0" 215 216 GeoIP is deprecated and may be removed in the future; see [Migration](/migration/#migrate-geoip-to-rule-sets). 217 218 Match source geoip. 219 220 #### source_ip_cidr 221 222 Match source IP CIDR. 223 224 #### source_ip_is_private 225 226 !!! question "Since sing-box 1.8.0" 227 228 Match non-public source IP. 229 230 #### source_port 231 232 Match source port. 233 234 #### source_port_range 235 236 Match source port range. 237 238 #### port 239 240 Match port. 241 242 #### port_range 243 244 Match port range. 245 246 #### process_name 247 248 !!! quote "" 249 250 Only supported on Linux, Windows, and macOS. 251 252 Match process name. 253 254 #### process_path 255 256 !!! quote "" 257 258 Only supported on Linux, Windows, and macOS. 259 260 Match process path. 261 262 #### package_name 263 264 Match Android package name. 265 266 #### user 267 268 !!! quote "" 269 270 Only supported on Linux. 271 272 Match user name. 273 274 #### user_id 275 276 !!! quote "" 277 278 Only supported on Linux. 279 280 Match user id. 281 282 #### clash_mode 283 284 Match Clash mode. 285 286 #### wifi_ssid 287 288 !!! quote "" 289 290 Only supported in graphical clients on Android and Apple platforms. 291 292 Match WiFi SSID. 293 294 #### wifi_bssid 295 296 !!! quote "" 297 298 Only supported in graphical clients on Android and Apple platforms. 299 300 Match WiFi BSSID. 301 302 #### rule_set 303 304 !!! question "Since sing-box 1.8.0" 305 306 Match [Rule Set](/configuration/route/#rule_set). 307 308 #### rule_set_ipcidr_match_source 309 310 !!! question "Since sing-box 1.9.0" 311 312 Make `ipcidr` in rule sets match the source IP. 313 314 #### invert 315 316 Invert match result. 317 318 #### outbound 319 320 Match outbound. 321 322 `any` can be used as a value to match any outbound. 323 324 #### server 325 326 ==Required== 327 328 Tag of the target DNS server. 329 330 #### disable_cache 331 332 Disable the cache, and the saving of results to the cache, for this query. 
333 334 #### rewrite_ttl 335 336 Rewrite TTL in DNS responses. 337 338 #### client_subnet 339 340 !!! question "Since sing-box 1.9.0" 341 342 Append an `edns0-subnet` OPT extra record with the specified IP prefix to every query by default. The prefix is carried in the query itself, so the DNS server that receives the query can see it. 343 344 If the value is an IP address instead of a prefix, `/32` or `/128` will be appended automatically. 345 346 Overrides `dns.client_subnet` and `servers.[].client_subnet`. 347 348 ### Address Filter Fields 349 350 These fields only take effect for IP address requests. When the query results do not match the address filtering rule items, the current rule will be skipped. 351 352 !!! info "" 353 354 `ip_cidr` items in included rule sets also take effect as address filtering fields. 355 356 !!! note "" 357 358 Enable `experimental.cache_file.store_rdrc` to cache results. 359 360 #### geoip 361 362 !!! question "Since sing-box 1.9.0" 363 364 Match GeoIP with query response. 365 366 #### ip_cidr 367 368 !!! question "Since sing-box 1.9.0" 369 370 Match IP CIDR with query response. 371 372 #### ip_is_private 373 374 !!! question "Since sing-box 1.9.0" 375 376 Match private IP with query response. 377 378 ### Logical Fields 379 380 #### type 381 382 `logical` 383 384 #### mode 385 386 `and` or `or` 387 388 #### rules 389 390 Included rules.