Skip to content

Commit 02c289b

Browse files
committed
优化 sing-boxr DNS 防泄漏配置;优化 ShellCrash 搭配 sing-boxr 的 DNS 配置
1 parent 5ea7b40 commit 02c289b

3 files changed

Lines changed: 40 additions & 27 deletions

_posts/2024-08-22-dnsnoleaks-singboxr-ruleset.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ tags: [sing-box, sing-boxr, ShellCrash, ruleset, rule_set, 进阶, DNS, DNS 泄
88

99
> 说明
1010
{: .prompt-tip }
11-
1. 此方案彻底防止了 DNS 泄露(未知域名在匹配 `rule_set:cnip` 规则时会先由国外 DNS 解析且配置 `client_subnet`,解析出 IP 在国内则走国内 DNS 解析且走 `国内 IP` 规则,否则走 `fakeip` 且走 `漏网之鱼` 规则),兼容性高,可放心使用
11+
1. 此方案彻底防止了 DNS 泄露(未知域名在匹配 `rule_set:cnip` 规则时会先由国外 DNS 解析且配置 `client_subnet`,解析出 IP 在国内则直接返回解析结果且走 `国内 IP` 规则,否则走 `fakeip` 且走 `漏网之鱼` 规则),兼容性高,可放心使用
1212
2. 本教程以 [ShellCrash](https://github.com/juewuy/ShellCrash) 为例,其它客户端亦可参考
1313
3. 本教程搭载 [sing-box 内核 reF1nd-Test 版](https://github.com/reF1nd/sing-box/tree/reF1nd-testing)(导入内核方法可参考《[ShellCrash 和 AdGuard Home 快速安装教程/导入 mihomo 内核 或 sing-box 内核](https://proxy-tutorials.dustinwin.us.kg/posts/pin-toolsinstall/#%E4%BA%8C-%E5%AF%BC%E5%85%A5-mihomo-%E5%86%85%E6%A0%B8-%E6%88%96-sing-box-%E5%86%85%E6%A0%B8)》)
1414
4. 可进入 <https://ipleak.net> 测试 DNS 是否泄露,“DNS Addresses” 栏目下没有中国国旗(因 `ipleak.net` 属未知域名,默认走 `漏网之鱼` 规则),即代表 DNS 没有发生泄露
@@ -101,7 +101,7 @@ sed -i ':a;N;$!ba;s/{[[:space:]]*"ip_accept_any": true,[[:space:]]*"server": "ho
101101
{ "rule_set": [ "cn" ], "server": "dns_direct" },
102102
// 推荐将 `client_subnet` 设置为当前宽带运营商分配的默认 DNS 的 IP 段
103103
{ "action": "evaluate", "server": "dns_proxy", "client_subnet": "211.137.58.0/24" },
104-
{ "match_response": true, "rule_set": [ "cnip" ], "server": "dns_direct" },
104+
{ "match_response": true, "rule_set": [ "cnip" ], "action": "respond" },
105105
{ "match_response": true, "ip_accept_any": true, "invert": true, "action": "respond" },
106106
{ "query_type": [ "A", "AAAA" ], "server": "dns_fakeip" }
107107
],
@@ -198,7 +198,7 @@ sed -i ':a;N;$!ba;s/{[[:space:]]*"ip_accept_any": true,[[:space:]]*"server": "ho
198198
{ "rule_set": [ "cn" ], "server": "dns_direct" },
199199
// 推荐将 `client_subnet` 设置为当前宽带运营商分配的默认 DNS 的 IP 段
200200
{ "action": "evaluate", "server": "dns_proxy", "client_subnet": "211.137.58.0/24" },
201-
{ "match_response": true, "rule_set": [ "cnip" ], "server": "dns_direct" }
201+
{ "match_response": true, "rule_set": [ "cnip" ], "action": "respond" }
202202
],
203203
"final": "dns_proxy",
204204
"strategy": "prefer_ipv4",

_posts/2024-08-22-share-shellcrash-singboxr-ruleset.md

Lines changed: 20 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -10,9 +10,10 @@ tags: [sing-box, sing-boxr, ShellCrash, ruleset, rule_set, 分享, Router]
1010
{: .prompt-warning }
1111
1. 请根据自身情况进行修改,**适合自己的方案才是最好的方案**,如无特殊需求,可以照搬
1212
2. 此方案适用于 [ShellCrash](https://github.com/juewuy/ShellCrash)(以 ARM64 架构为例,且安装路径为 `/data/ShellCrash`{: .filepath})
13-
3. 本方案绕过了 CNIP 且不搭配 [AdGuard Home](https://github.com/AdguardTeam/AdGuardHome),在 DNS 层拦截广告
14-
4. 本人将路由器设置了每天早上 6 点重启,使得《[](https://proxy-tutorials.dustinwin.us.kg/posts/share-shellcrash-singboxr-ruleset/#%E5%85%AD-%E6%B7%BB%E5%8A%A0%E5%AE%9A%E6%97%B6%E4%BB%BB%E5%8A%A1)》中设置的定时任务生效
15-
5. 本教程搭载 [sing-box 内核 reF1nd-Test 版](https://github.com/reF1nd/sing-box/tree/reF1nd-testing)
13+
3. 本方案绕过了 CNIP 且 IP 在国内的未知域名也会被绕过
14+
4. 本方案不搭配 [AdGuard Home](https://github.com/AdguardTeam/AdGuardHome),在 DNS 层拦截广告
15+
5. 本人将路由器设置了每天早上 6 点重启,使得《[](https://proxy-tutorials.dustinwin.us.kg/posts/share-shellcrash-singboxr-ruleset/#%E5%85%AD-%E6%B7%BB%E5%8A%A0%E5%AE%9A%E6%97%B6%E4%BB%BB%E5%8A%A1)》中设置的定时任务生效
16+
6. 本教程搭载 [sing-box 内核 reF1nd-Test 版](https://github.com/reF1nd/sing-box/tree/reF1nd-testing)
1617

1718
## 一、 生成配置文件 .json 文件直链
1819
具体方法此处不再赘述,请看《[生成带有自定义出站和规则的 sing-boxr 配置文件直链-ruleset 方案](https://proxy-tutorials.dustinwin.us.kg/posts/link-singboxr-ruleset)》,贴一下我使用的配置:
@@ -92,9 +93,8 @@ tags: [sing-box, sing-boxr, ShellCrash, ruleset, rule_set, 分享, Router]
9293
{ "rule_set": [ "ai" ], "outbound": "AI 平台" },
9394
{ "rule_set": [ "networktest" ], "outbound": "网络测试" },
9495
{ "rule_set": [ "proxy" ], "outbound": "国外域名" },
95-
{ "rule_set": [ "telegramip" ], "outbound": "电报消息" },
96-
{ "action": "resolve", "match_only": true },
97-
{ "rule_set": [ "cnip" ], "outbound": "全球直连" }
96+
{ "rule_set": [ "cnip" ], "outbound": "全球直连" },
97+
{ "rule_set": [ "telegramip" ], "outbound": "电报消息" }
9898
],
9999
"rule_set": [
100100
{
@@ -182,18 +182,18 @@ tags: [sing-box, sing-boxr, ShellCrash, ruleset, rule_set, 分享, Router]
182182
"url": "https://github.com/DustinWin/ruleset_geodata/releases/download/sing-box-ruleset/cn.srs"
183183
},
184184
{
185-
"tag": "telegramip",
185+
"tag": "cnip",
186186
"type": "remote",
187187
"format": "binary",
188-
"path": "./ruleset/telegramip.srs",
189-
"url": "https://github.com/DustinWin/ruleset_geodata/releases/download/sing-box-ruleset/telegramip.srs"
188+
"path": "./ruleset/cnip.srs",
189+
"url": "https://github.com/DustinWin/ruleset_geodata/releases/download/sing-box-ruleset/cnip.srs"
190190
},
191191
{
192-
"tag": "cnip",
192+
"tag": "telegramip",
193193
"type": "remote",
194194
"format": "binary",
195-
"path": "./ruleset/cnip.srs",
196-
"url": "https://github.com/DustinWin/ruleset_geodata/releases/download/sing-box-ruleset/cnip.srs"
195+
"path": "./ruleset/telegramip.srs",
196+
"url": "https://github.com/DustinWin/ruleset_geodata/releases/download/sing-box-ruleset/telegramip.srs"
197197
}
198198
],
199199
"final": "漏网之鱼",
@@ -283,6 +283,9 @@ sc
283283
{ "rule_set": [ "trackerslist", "microsoft-cn", "apple-cn", "google-cn", "games-cn" ], "server": "dns_direct" },
284284
{ "rule_set": [ "games", "ai", "proxy" ], "query_type": [ "A", "AAAA" ], "server": "dns_fakeip" },
285285
{ "rule_set": [ "private", "cn" ], "server": "dns_direct" },
286+
{ "action": "evaluate", "server": "dns_direct" },
287+
{ "match_response": true, "rule_set": [ "cnip" ], "action": "respond" },
288+
{ "match_response": true, "ip_accept_any": true, "invert": true, "action": "respond" },
286289
{ "query_type": [ "A", "AAAA" ], "server": "dns_fakeip" }
287290
],
288291
"final": "dns_direct",
@@ -336,6 +339,10 @@ sc
336339
{ "rule_set": [ "trackerslist", "microsoft-cn", "apple-cn", "google-cn", "games-cn" ], "server": "dns_direct" },
337340
{ "rule_set": [ "games", "ai", "proxy" ], "query_type": [ "A", "AAAA" ], "server": "dns_fakeip" },
338341
{ "rule_set": [ "private", "cn" ], "server": "dns_direct" },
342+
// 推荐将 `client_subnet` 设置为当前宽带运营商分配的默认 DNS 的 IP 段
343+
{ "action": "evaluate", "server": "dns_proxy", "client_subnet": "211.137.58.0/24" },
344+
{ "match_response": true, "rule_set": [ "cnip" ], "action": "respond" },
345+
{ "match_response": true, "ip_accept_any": true, "invert": true, "action": "respond" },
339346
{ "query_type": [ "A", "AAAA" ], "server": "dns_fakeip" }
340347
],
341348
"final": "dns_proxy",
@@ -349,7 +356,7 @@ sc
349356
```
350357

351358
## 四、 编辑 http_clients 文件
352-
连接 SSH 后执行命令 `vi $CRASHDIR/jsons/experimental.json`,按一下 Ins 键(Insert 键),粘贴如下内容:
359+
连接 SSH 后执行命令 `vi $CRASHDIR/jsons/http_clients.json`,按一下 Ins 键(Insert 键),粘贴如下内容:
353360

354361
```json
355362
{ "http_clients": [ { "tag": "detour_proxy", "version": 3, "detour": "GLOBAL" } ] }

_posts/2024-08-22-share-shellcrashadguardhome-singboxr-ruleset.md

Lines changed: 17 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ tags: [sing-box, sing-boxr, ShellCrash, AdGuard Home, ruleset, rule_set, 分享,
1010
{: .prompt-warning }
1111
1. 此方案采用 [ShellCrash](https://github.com/juewuy/ShellCrash) 作为上游,[AdGuard Home](https://github.com/AdguardTeam/AdGuardHome) 作为下游的模式
1212
2. 请根据自身情况进行修改,**适合自己的方案才是最好的方案**,如无特殊需求,可以照搬
13-
3. 此方案中 ShellCrash 采用了**绕过 CN_IP** 的模式(仍与 AdGuard Home 配合完美)
13+
3. 此方案中 ShellCrash 采用了**绕过 CN_IP** 的模式且 IP 在国内的未知域名也会被绕过(仍与 AdGuard Home 配合完美)
1414
4. 此方案适用于 ShellCrash(以 ARM64 架构为例,且安装路径为 `/data/ShellCrash`{: .filepath})
1515
5. 此方案适用于 AdGuard Home(以 ARM64 架构为例,且安装路径为 `/data/AdGuardHome`{: .filepath})
1616
6. 此方案不建议启用 ShellCrash 配置脚本 → 2) 功能设置 → 3) 透明路由流量过滤 → 2) 过滤局域网设备,因不经过内核的设备在访问 `漏网之鱼` 域名时会遇到无法访问的情况
@@ -95,9 +95,8 @@ tags: [sing-box, sing-boxr, ShellCrash, AdGuard Home, ruleset, rule_set, 分享,
9595
{ "rule_set": [ "ai" ], "outbound": "AI 平台" },
9696
{ "rule_set": [ "networktest" ], "outbound": "网络测试" },
9797
{ "rule_set": [ "proxy" ], "outbound": "国外域名" },
98-
{ "rule_set": [ "telegramip" ], "outbound": "电报消息" },
99-
{ "action": "resolve", "match_only": true },
100-
{ "rule_set": [ "cnip" ], "outbound": "全球直连" }
98+
{ "rule_set": [ "cnip" ], "outbound": "全球直连" },
99+
{ "rule_set": [ "telegramip" ], "outbound": "电报消息" }
101100
],
102101
"rule_set": [
103102
{
@@ -185,18 +184,18 @@ tags: [sing-box, sing-boxr, ShellCrash, AdGuard Home, ruleset, rule_set, 分享,
185184
"url": "https://github.com/DustinWin/ruleset_geodata/releases/download/sing-box-ruleset/cn.srs"
186185
},
187186
{
188-
"tag": "telegramip",
187+
"tag": "cnip",
189188
"type": "remote",
190189
"format": "binary",
191-
"path": "./ruleset/telegramip.srs",
192-
"url": "https://github.com/DustinWin/ruleset_geodata/releases/download/sing-box-ruleset/telegramip.srs"
190+
"path": "./ruleset/cnip.srs",
191+
"url": "https://github.com/DustinWin/ruleset_geodata/releases/download/sing-box-ruleset/cnip.srs"
193192
},
194193
{
195-
"tag": "cnip",
194+
"tag": "telegramip",
196195
"type": "remote",
197196
"format": "binary",
198-
"path": "./ruleset/cnip.srs",
199-
"url": "https://github.com/DustinWin/ruleset_geodata/releases/download/sing-box-ruleset/cnip.srs"
197+
"path": "./ruleset/telegramip.srs",
198+
"url": "https://github.com/DustinWin/ruleset_geodata/releases/download/sing-box-ruleset/telegramip.srs"
200199
}
201200
],
202201
"final": "漏网之鱼",
@@ -292,6 +291,9 @@ sc
292291
{ "rule_set": [ "fakeip-filter", "trackerslist", "microsoft-cn", "apple-cn", "google-cn", "games-cn" ], "server": "dns_direct" },
293292
{ "rule_set": [ "games", "ai", "proxy" ], "query_type": [ "A", "AAAA" ], "server": "dns_fakeip" },
294293
{ "rule_set": [ "private", "cn" ], "server": "dns_direct" },
294+
{ "action": "evaluate", "server": "dns_direct" },
295+
{ "match_response": true, "rule_set": [ "cnip" ], "action": "respond" },
296+
{ "match_response": true, "ip_accept_any": true, "invert": true, "action": "respond" },
295297
{ "query_type": [ "A", "AAAA" ], "server": "dns_fakeip" }
296298
],
297299
"final": "dns_direct",
@@ -343,6 +345,10 @@ sc
343345
{ "rule_set": [ "fakeip-filter", "trackerslist", "microsoft-cn", "apple-cn", "google-cn", "games-cn" ], "server": "dns_direct" },
344346
{ "rule_set": [ "games", "ai", "proxy" ], "query_type": [ "A", "AAAA" ], "server": "dns_fakeip" },
345347
{ "rule_set": [ "private", "cn" ], "server": "dns_direct" },
348+
// 推荐将 `client_subnet` 设置为当前宽带运营商分配的默认 DNS 的 IP 段
349+
{ "action": "evaluate", "server": "dns_proxy", "client_subnet": "211.137.58.0/24" },
350+
{ "match_response": true, "rule_set": [ "cnip" ], "action": "respond" },
351+
{ "match_response": true, "ip_accept_any": true, "invert": true, "action": "respond" },
346352
{ "query_type": [ "A", "AAAA" ], "server": "dns_fakeip" }
347353
],
348354
"final": "dns_proxy",
@@ -356,7 +362,7 @@ sc
356362
```
357363

358364
## 四、 编辑 http_clients 文件
359-
连接 SSH 后执行命令 `vi $CRASHDIR/jsons/experimental.json`,按一下 Ins 键(Insert 键),粘贴如下内容:
365+
连接 SSH 后执行命令 `vi $CRASHDIR/jsons/http_clients.json`,按一下 Ins 键(Insert 键),粘贴如下内容:
360366

361367
```json
362368
{ "http_clients": [ { "tag": "detour_proxy", "version": 3, "detour": "GLOBAL" } ] }

0 commit comments

Comments
 (0)