
geosite/cn: bare domain_suffix "cn" matches all *.cn and breaks Google Play under split routing #154

Description

@CoquiLee

Summary

The sing/geo/geosite/cn.srs rule set (decompiled JSON) contains a domain_suffix entry "cn", which effectively matches all hostnames under the .cn ccTLD (e.g. services.googleapis.cn, www.google.cn, …).

When this rule set is used for “domestic traffic → direct” routing together with DNS split (domestic resolver for CN geosite), Google Play app downloads/installs may stall around 99% or fail, while disabling this rule set or removing the bare "cn" suffix restores success.

Environment

  • Rule file (latest checked): https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geosite/cn.srs
  • Client: sing-box TUN, rule_set type local, route like geosite-cn / cn → direct + geoip-cn → direct, DNS rules sending matching domains to domestic DNS.
  • sing-box: 1.12.x (example)

Evidence

  1. Rule content — after sing-box rule-set decompile cn.srs, the list includes a standalone suffix:

    "cn",
    

    (In our decompiled file this appears around line 24281 of cn.json.)

  2. Runtime log — same session shows most Play-related hosts on outbound/vless, but services.googleapis.cn:443 goes outbound/direct:

    dns: exchanged A services.googleapis.cn. ... A 120.253.250.226
    outbound/direct[direct]: outbound connection to services.googleapis.cn:443
    

    while e.g. play.googleapis.com, play-fe.googleapis.com, play-lh.googleusercontent.com remain on outbound/vless.

Why this is problematic

  • A bare domain_suffix: "cn" is extremely broad: it is not “one site”, it is the entire .cn zone from a matching perspective.
  • Google and other global vendors host API endpoints under *.googleapis.cn, which are still global product surface, not “domestic-only websites” in the sense many split-routing configs assume.
  • Mixing direct for *.googleapis.cn with proxy for *.googleapis.com / Play CDN hosts breaks consistent egress for one app install pipeline.

Suggested change (discussion)

  • Remove the bare "cn" entry from the cn / geosite-cn list or
  • Replace it with explicit domain_suffix entries that truly mean “domestic-only”, or
  • Document clearly that including "cn" implies all .cn names go domestic, and that this is unsafe for configs that mix global apps (Play) with split DNS.

If this list is generated from v2fly/domain-list-community, please point to the upstream category so we can open a follow-up there if needed.

Repro (high level)

  1. Use cn.srs / geosite-cn.srs from sing/geo/geosite/ with CN → direct route + DNS split for CN geosite.
  2. Install or update a large app from Google Play through the tunnel.
  3. Observe stall/failure; capture sing-box logs showing services.googleapis.cn → direct while other Play endpoints → proxy.
  4. Remove "cn" from the decompiled rule JSON, sing-box rule-set compile again, retry — install completes.

Thank you for maintaining these rule sets.
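
An added example (not from the issue author or the rule-set project): a small audit that flags single-label `domain_suffix` entries in a decompiled rule set and lists which observed hostnames match nothing more specific than that entry. The rule set below is a constructed sample, the function names are hypothetical, and the matcher assumes label-boundary suffix matching as the issue describes it.

```python
import json

# Constructed sample in sing-box rule-set source format (the JSON that
# `sing-box rule-set decompile` emits). Not the contents of the real cn.json.
SAMPLE_RULESET = json.loads("""
{"version": 2, "rules": [{
  "domain": ["example-portal.cn"],
  "domain_suffix": ["cn", "example-cdn.com", ".example-bank.com.cn"]
}]}
""")

# Hostnames named in the issue's log excerpt and text.
OBSERVED = ["services.googleapis.cn", "play.googleapis.com",
            "play-fe.googleapis.com", "play-lh.googleusercontent.com"]

def suffixes(ruleset):
    """Collect every domain_suffix entry (field may be a string or a list)."""
    out = []
    for rule in ruleset.get("rules", []):
        value = rule.get("domain_suffix", [])
        out.extend([value] if isinstance(value, str) else value)
    return [s.lower() for s in out]

def bare_tld_suffixes(ruleset):
    """Entries that are a single label ("cn", ".cn"): they cover a whole TLD."""
    return sorted({s for s in suffixes(ruleset) if "." not in s.strip(".")})

def matches(host, suffix):
    # Assumption: label-boundary matching, per the issue's description that
    # "cn" covers every name under .cn. A leading dot means subdomains only.
    host = host.lower().rstrip(".")
    if suffix.startswith("."):
        return host.endswith(suffix)
    return host == suffix or host.endswith("." + suffix)

def explain(host, ruleset):
    """Suffix entries that match host, most specific first."""
    return sorted((s for s in suffixes(ruleset) if matches(host, s)),
                  key=len, reverse=True)

def matched_only_by_tld(hosts, ruleset):
    """Hosts that would be routed by nothing more specific than a bare TLD."""
    broad = set(bare_tld_suffixes(ruleset))
    return [h for h in hosts
            if explain(h, ruleset) and set(explain(h, ruleset)) <= broad]

if __name__ == "__main__":
    print("bare TLD suffixes:", bare_tld_suffixes(SAMPLE_RULESET))
    for h in OBSERVED:
        print(f"{h:32} matched by {explain(h, SAMPLE_RULESET) or 'nothing'}")
```

To audit a real file, load the decompiled JSON with `json.load` in place of `SAMPLE_RULESET` and feed `OBSERVED` from the hostnames in your own sing-box log.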
