routing problem for domains with different IP behaviors

[patterniha]

the #4335 issue has become very messy and confusing and many people have misunderstood the problem.
although it was my fault that I couldn't express the problem correctly.

Problem:

assume that built-in-dns return [ip1, ip2] in answer of dns-query for the domain "example.com".
and we want to use ip2 in outbound.

but with the current capabilities of Xray-core this is not possible, even with using features like: loopback, dialerProxy, IPOnDemand, sniffing,...

Application1:

assume that twimg.com return [ip1, ip2]
and ip1 is behind cloudflare and ip2 is behind fastly.
and we have two outbounds: the first is cloudflare-worker(that doesn't support cloudflare ips) and the second is freedom-fragment.

and we want to use worker as much as possible.
so we should choose ip2 and worker-outbound.

Application2:

we have two outbounds: the first is tls-repack-domain-fronting and the second is freedom-fragment: example

cloudflare-ips doesn't support domain-fronting.
but we want to use domain-fronting as much as possible.
so we should choose ip2 and tls-repack outbound.

Suggested solution:

• in routing rules we save all matched-things(ip/domain) in ctx and then use in outbound, so, even if the address is a domain, we can achieve our goal by using a proper ip-rule and using IPOnDemand/IPIfNonMatch.

[HeXis-YS]

I think there are a lot of solutions out there for your needs.
For example, hosts/DNS with expectIPs+domain/IP-based routing rules.
The key to solving the problem is to limit the IPs returned by DNS query.

[patterniha]

I think there are a lot of solutions out there for your needs. For example, hosts/DNS with expectIPs+domain/IP-based routing rules. The key to solving the problem is to limit the IPs returned by DNS query.

No, if returned Ips is only in cloudflare range, i forcibly use another proxy instead of worker/domain-fronting.

I just want to use worker/domain-fronting as much as possible.

Your solution completely disconnects the connection.

[HeXis-YS]

I think there are a lot of solutions out there for your needs. For example, hosts/DNS with expectIPs+domain/IP-based routing rules. The key to solving the problem is to limit the IPs returned by DNS query.

No, if returned Ips is only in cloudflare range, i forcibly use another proxy instead of worker/domain-fronting.

I just want to use worker/domain-fronting as much as possible.

Your solution completely disconnects the connection.

Just specify two DNS, one with Fastly IPs as expectIPs and a normal one. If the DNS query result contains both Fastly and Cloudflare IPs, only Fastly ones are retained, and you can route the connections with an IP-based rule. Otherwise, the normal DNS is used as fallback and all IPs are returned.

[patterniha]

one with Fastly IPs as expectIPs

So, we have a redundant dns-query for all cloudflare domains!

[HeXis-YS]

one with Fastly IPs as expectIPs

So, we have a redundant dns-query for all cloudflare domains!

You can configure to use this DNS to resolve only certain domains. And the results are cached, so there will not be too many duplicate queries.
For example:

      "8.8.8.8",
      {
        "address": "8.8.8.8",
        "domains": ["domain:twimg.com"],
        "expectIPs": ["geoip:fastly"],
        "skipFallback": true
      }

[patterniha]

Certain domains???
We have no information about which domains are behaving this way.
twimg.com is only one domain that i found by chance.

Any domain can behave like this.

[HeXis-YS]

Certain domains??? We have no information about which domains are behaving this way. twimg.com is only one domain that i found by chance.

Any domain can behave like this.

Second, with this, we have a redundant query for all cloudflare domains!

Well, in this case, most domains require 2 queries.
Xray-core is not going to be able to fully meet your needs. If this is important to you, I would recommend implementing an external proxy that forwards DNS queries and filters the returned IPs.

[patterniha]

Yes, this feature should be added.
ctx is the key.
Do you read and understand the suggested solution?

(I don't want any of this for myself, I want it for all Iranian users.)

[HeXis-YS]

ctx is the key. Do you read and understand the suggested solution?

I think I understand what you are talking about. I don't care about ctx, I just care about solving the problem in the easiest way possible.
In my opinion, limiting the IPs returned by DNS queries is the simplest solution.
For the above solution I proposed, would this solve your problem except that it would send duplicate queries? If this is the case, you can fix the problem of sending duplicate queries by changing just one line of the code.
Change this line

Xray-core/app/dns/nameserver.go

Line 206 in 2cba2c4

return nil, errExpectedIPNonMatch

to

Xray-core/app/dns/nameserver.go

Line 194 in 2cba2c4

return ips, nil

[HeXis-YS]

I've submitted a similar issue #4146 before, but it doesn't seem to be a priority for developers. And it's hard to consider the current implementation "a bug" since Xray/v2ray has worked this way since a few years ago. No user has reported any practical issue related to this since then.

[patterniha]

geoip:fastly is just an example, other ips could be of any range, so we need "notExpectIPs".

@RPRX @Fangliding

@HeXis-YS solution with some changes completely solve this problem.

Suppose this solution:

{
        "address": "8.8.8.8",
        "expectIPs": ["geoip:!cloudflare"]
},
{
        "address": "8.8.8.8"
{

the problem is that the second dns-query-result may not be the same as the first one.(suppose the first one only contains cloudflare-ips and the second one contains both cloudflare and non-cloudflare ips)
also, another problem is that we have a redundant dns-query for all cloudflare domains(domains that only return cloudflare ips)

so we also need to add "ignoreExpectIPsWhenNoMatch" bool option for each DnsServerObject, and change the:

Xray-core/app/dns/nameserver.go

Lines 205 to 207 in 2cba2c4

	if len(newIps) == 0 {
	return nil, errExpectedIPNonMatch
	}

to:

if len(newIps) == 0 {
		if ignoreExpectIPsWhenNoMatch{
                	return ips, nil
                }
		return nil, errExpectedIPNonMatch
	}

///

so with:

{
        "address": "8.8.8.8",
        "expectIPs": ["geoip:!cloudflare"],
        "ignoreExpectIPsWhenNoMatch": true
}

and using "dialerProxy" + "forceIP" in outbound, the problem is completely solved, and we can achieve our goal.

Thank you very much @HeXis-YS.

[RPRX]

#4423 (comment)

是否是 expected IP 是另一个问题，这个确实可以加个选项