Bypass unblocked domains as much as possible (minimize proxy usage) #10

Description

@patterniha

I've had requests recently about how to only pass blocked websites through the proxy and bypass (route direct) the rest.

So the server is only used when it is really needed.

The problem is that we don't have a complete list of blocked or unblocked domains.
I've seen a few lists for China for example, but those lists are definitely not complete because there are so many domains and also GFW is updated every day.

In Iran/Russia, the GFW returns specific-and-fixed IPs/NXDOMAIN for blocked domains, but in China the GFW returns random incorrect IPs, so I'm considering implementing the following approach, which will work in China as well:

///

Fact-A: if the GFW does not spoof DNS for a domain -> in 99% of cases, the GFW also didn't block tls-sni/http-host for that domain. Also, the returned IPs are not blocked.

///

So the idea is that we check the IPs returned by a non-blocked DNS against a domestic DNS; if both returned IP sets are equal, then the GFW definitely didn't spoof the IPs, so according to Fact-A we can bypass that domain.

///

How to implement in Xray-core?

I thought about it and the following idea came to mind:

We can add a checkServerTag option for DNS-server objects; this is the tag of another DNS server that is used to check the IPs.

{
  "tag": "non-block-dns",              // remote DNS
  "address": "any",
  "checkServerTag": "domestic-dns-tag" // for example, the tag of a DNS server with "localhost" / "223.5.5.5" address.
}

If "non-block-dns" is used, it gets IPs from "checkServer" too; if both have the same IPs, then the domain is added to the global "checkedDomains" list, and in any case the original IP addresses will be returned.

And in routing we can add the special word checked to the domain list:

{
  "outboundTag": "direct",
  "domain": ["checked", "geosite:china", "geosite:private"]
}

So if a domain exists in the "checkedDomains" list, it is routed to direct.
Also, since this is only used in client-side, the size of the "checkedDomains" list will not be very large.
Also, if a domain is in "checkedDomains" list, there is no need to check again.

///

P1: it is still possible that the GFW doesn't spoof DNS for a domain but tls-sni/http-host is blocked for that domain, or the returned IPs themselves are blocked.

P2: there are many domains that have many IPs, but each time (for example) two of them are returned; for example, Cloudflare domains return two different IPs based on the nearest location, etc., each time.
So if the IPs are different, the domain is not necessarily blocked, but if the IPs are the same, the IPs are definitely not spoofed.

P3: in Iran some websites are not blocked, but they have sanctioned Iran.

///

P1 is not a big problem; there are very few domains that don't follow Fact-A. At least in the case of Iran, I don't know a single domain that doesn't follow Fact-A!

P2 is not a big problem either; it only allows a number of domains that are not blocked to pass through the proxy.

P3 is not a big problem for Iran either; we have a nearly complete list of sanctioned domains in the "chocolate4u" list ("geosite:sanctioned").

@RPRX @Fangliding @yuhan6665 @Meo597

Regardless of how it's implemented, I think it's worth it and it takes a lot of load off the servers, what do you think?

Update:

We can also collect the domains/IPs for which an RST-ACK was received to be more accurate, although we may not receive an RST-ACK for some IPs.
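The check-and-route logic proposed above, as an added Python model that is not part of this issue or of Xray-core; the CheckingResolver and pick_outbound names, the two in-memory answer tables and the domain names are constructed stand-ins for the checkServerTag option and the checked routing keyword. It walks through the three cases from the post: equal answers (bypassed), a spoofed answer (stays on the proxy) and the P2 CDN case (also stays on the proxy).

```python
from dataclasses import dataclass, field
from typing import Callable

# A resolver maps a domain to the set of IPs it answered with; the constructed
# stand-ins below replace real DNS queries so this runs offline.
Resolver = Callable[[str], set[str]]

@dataclass
class CheckingResolver:
    """Model of the proposed checkServerTag behaviour (hypothetical, not Xray code)."""
    primary: Resolver          # the "non-block-dns" server
    check: Resolver            # the server named by checkServerTag
    checked_domains: set[str] = field(default_factory=set)

    def resolve(self, domain: str) -> set[str]:
        ips = self.primary(domain)
        if domain in self.checked_domains:
            return ips  # already verified: no second lookup
        # Identical answers from both servers mean the answer was not spoofed.
        if ips and ips == self.check(domain):
            self.checked_domains.add(domain)
        return ips  # the primary server's answer is returned either way

def pick_outbound(domain: str, checked: set[str], direct_patterns: list[str]) -> str:
    """Minimal stand-in for the routing rule: 'checked' matches the dynamic list."""
    for p in direct_patterns:
        if p == "checked" and domain in checked:
            return "direct"
    return "proxy"

# Constructed answers using RFC 5737 documentation addresses.
REMOTE = {
    "plain.example": {"192.0.2.10"},                 # honest answer
    "blocked.example": {"192.0.2.20"},               # honest answer
    "cdn.example": {"203.0.113.1", "203.0.113.2"},   # P2: rotating CDN answers
}
DOMESTIC = {
    "plain.example": {"192.0.2.10"},                 # same -> checked
    "blocked.example": {"198.51.100.1"},             # spoofed by the censor
    "cdn.example": {"203.0.113.3", "203.0.113.4"},   # differs -> stays on proxy
}

def demo() -> dict[str, str]:
    dns = CheckingResolver(lambda d: REMOTE.get(d, set()), lambda d: DOMESTIC.get(d, set()))
    result = {}
    for domain in REMOTE:
        dns.resolve(domain)
        result[domain] = pick_outbound(domain, dns.checked_domains, ["checked", "geosite:private"])
    return result
```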
