Summary
The sing/geo/geosite/cn.srs rule set (decompiled JSON) contains a domain_suffix entry "cn", which effectively matches all hostnames under the .cn ccTLD (e.g. services.googleapis.cn, www.google.cn, …).
When this rule set is used for “domestic traffic → direct” routing together with DNS split (domestic resolver for CN geosite), Google Play app downloads/installs may stall around 99% or fail, while disabling this rule set or removing the bare "cn" suffix restores success.
Environment
- Rule file (latest checked): https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geosite/cn.srs
- Client: sing-box TUN, rule_set type local, route like geosite-cn / cn → direct + geoip-cn → direct, DNS rules sending matching domains to domestic DNS.
- sing-box: 1.12.x (example)
Evidence
- Rule content — after sing-box rule-set decompile cn.srs, the list includes a standalone suffix:
  (In our decompiled file this appears around line 24281 of cn.json.)
- Runtime log — same session shows most Play-related hosts on outbound/vless, but services.googleapis.cn:443 goes outbound/direct:
  dns: exchanged A services.googleapis.cn. ... A 120.253.250.226
  outbound/direct[direct]: outbound connection to services.googleapis.cn:443
  while e.g. play.googleapis.com, play-fe.googleapis.com, play-lh.googleusercontent.com remain on outbound/vless.
Why this is problematic
- A bare domain_suffix: "cn" is extremely broad: it is not “one site”, it is the entire .cn zone from a matching perspective.
- Google and other global vendors host API endpoints under *.googleapis.cn, which are still global product surface, not “domestic-only websites” in the sense many split-routing configs assume.
- Mixing direct for *.googleapis.cn with proxy for *.googleapis.com / Play CDN hosts breaks consistent egress for one app install pipeline.
Suggested change (discussion)
- Remove the bare "cn" entry from the cn / geosite-cn list or
- Replace it with explicit domain_suffix entries that truly mean “domestic-only”, or
- Document clearly that including "cn" implies all .cn names go domestic, and that this is unsafe for configs that mix global apps (Play) with split DNS.
If this list is generated from v2fly/domain-list-community, please point to the upstream category so we can open a follow-up there if needed.
Repro (high level)
- Use cn.srs / geosite-cn.srs from sing/geo/geosite/ with CN → direct route + DNS split for CN geosite.
- Install or update a large app from Google Play through the tunnel.
- Observe stall/failure; capture sing-box logs showing services.googleapis.cn → direct while other Play endpoints → proxy.
- Remove "cn" from the decompiled rule JSON, sing-box rule-set compile again, retry — install completes.
Thank you for maintaining these rule sets.
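
An added example, not part of the original issue or of the MetaCubeX or sing-box code: a Python audit of a decompiled rule-set JSON that flags single-label domain_suffix entries and shows which of the Play hosts named above they would send direct. The sample rule set is constructed, the function names are hypothetical, and the suffix-matching semantics and the handling of only the domain_suffix field are assumptions.

```python
import json

# Constructed sample in sing-box source rule-set layout; NOT the real cn.json.
SAMPLE_RULE_SET = json.loads("""
{"version": 2,
 "rules": [{"domain": ["example-domestic.cn"],
            "domain_suffix": ["cn", "baidu.com", ".qq.com"]}]}
""")

# Hostnames taken from the issue text and its log excerpt.
PLAY_HOSTS = ["services.googleapis.cn", "play.googleapis.com",
              "play-fe.googleapis.com", "play-lh.googleusercontent.com"]

def as_list(value):
    """Rule fields may hold a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def suffixes(rule_set):
    """Yield every domain_suffix entry across all rules."""
    for rule in rule_set.get("rules", []):
        yield from as_list(rule.get("domain_suffix"))

def suffix_matches(host, suffix):
    """Assumed semantics: "cn" matches cn and *.cn; ".cn" matches only *.cn."""
    host, suffix = host.lower().rstrip("."), suffix.lower()
    if suffix.startswith("."):
        return host.endswith(suffix)
    return host == suffix or host.endswith("." + suffix)

def bare_tld_suffixes(rule_set):
    """Suffix entries made of a single label, i.e. covering a whole TLD."""
    return sorted({s for s in suffixes(rule_set) if "." not in s.strip(".")})

def routing_split(rule_set, hosts):
    """Map each host to the first suffix that matches it, or None."""
    found = list(suffixes(rule_set))
    return {h: next((s for s in found if suffix_matches(h, s)), None)
            for h in hosts}

def without_suffix(rule_set, drop):
    """Return a deep copy of the rule set with one suffix entry removed."""
    out = json.loads(json.dumps(rule_set))
    for rule in out.get("rules", []):
        if "domain_suffix" in rule:
            kept = [s for s in as_list(rule["domain_suffix"]) if s != drop]
            rule["domain_suffix"] = kept
    return out

if __name__ == "__main__":
    print("bare TLD suffixes:", bare_tld_suffixes(SAMPLE_RULE_SET))
    print("matches:", routing_split(SAMPLE_RULE_SET, PLAY_HOSTS))
```

To audit a real file, load the output of sing-box rule-set decompile with json.load in place of SAMPLE_RULE_SET.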