DNS
DNS is an outbound protocol, mainly used to intercept and forward DNS queries.
This outbound protocol can only receive DNS traffic (including queries based on UDP and TCP protocols); other types of traffic will cause errors.
When processing DNS queries, this outbound protocol forwards IP queries (i.e., A and AAAA) to the built-in DNS server. For other types of query traffic, see nonIPQuery below.
OutboundConfigurationObject
{
  "network": "tcp",
  "address": "1.1.1.1",
  "port": 53,
  "userLevel": 0,
  "nonIPQuery": "skip",
  "blockTypes": [65]
}
network: "tcp" | "udp"
Modifies the transport layer protocol for DNS traffic. Optional values are "tcp" and "udp". When unspecified, the source transport method remains unchanged.
address: address
Modifies the DNS server address. When unspecified, the address specified in the source remains unchanged.
port: number
Modifies the DNS server port. When unspecified, the port specified in the source remains unchanged.
userLevel: number
User level. Connections will use the Local Policy corresponding to this user level, mainly affecting timeouts of this outbound.
nonIPQuery: string
Controls non-IP queries (non-A and non-AAAA). "drop" means discard; "skip" means it is not processed by the built-in DNS server and is forwarded to the destination; "reject" returns a DNS reject response, explicitly refusing the request immediately. Compared to "drop", this avoids applications waiting too long for a DNS response until timeout.
The default value is "reject".
blockTypes: array
An integer array used to block query types listed in the array. For example, "blockTypes": [65,28] means blocking type 65 (HTTPS) and 28 (AAAA). Common uses include blocking type 65 to prevent browsers from initiating ECH.
When the query type matches blockTypes, it is blocked before further processing:
- If nonIPQuery is "reject", a DNS reject response is returned.
- Otherwise it will be dropped.
This option is mainly used together with nonIPQuery: "skip" to "forward other non-A/AAAA queries while blocking some types". If nonIPQuery is "drop" or "reject", non-A/AAAA queries are not forwarded anyway, so blockTypes is mainly useful for blocking A/AAAA (not recommended; use queryStrategy in the built-in DNS settings to control IPv4/IPv6 instead).
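The following added example (not part of the original page and not Xray's own code) models the handling order described above, so a configuration can be checked for what happens to each query type. The function names and the example.com query are assumptions made for illustration; the settings object is the sample from this page.

```python
import json
import struct

# Constructed sample: the settings object shown on this page.
CONFIG = json.loads('{"network": "tcp", "address": "1.1.1.1", "port": 53, '
                    '"userLevel": 0, "nonIPQuery": "skip", "blockTypes": [65]}')
A, AAAA = 1, 28  # IP query types, answered by the built-in DNS server


def build_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query message (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def query_type(msg):
    """Return the QTYPE of the first question in a DNS message."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no question section")
    pos = 12
    try:
        while msg[pos] != 0:          # walk the length-prefixed labels
            if msg[pos] & 0xC0:
                raise ValueError("unexpected compression pointer")
            pos += 1 + msg[pos]
        return struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    except (IndexError, struct.error):
        raise ValueError("truncated question") from None


def decide(settings, qtype):
    """Model of the handling order documented above (hypothetical helper)."""
    non_ip = settings.get("nonIPQuery", "reject")   # documented default
    if qtype in settings.get("blockTypes", []):     # checked before anything else
        return "reject" if non_ip == "reject" else "drop"
    if qtype in (A, AAAA):
        return "built-in DNS"
    return {"drop": "drop", "skip": "forward", "reject": "reject"}[non_ip]


def audit(settings, qtypes=(1, 28, 16, 65)):
    """Map each query type to the action this outbound would take."""
    return {t: decide(settings, query_type(build_query("example.com", t)))
            for t in qtypes}

if __name__ == "__main__":
    for qtype, action in audit(CONFIG).items():
        print(f"type {qtype}: {action}")
```

With the sample settings, type 65 is dropped rather than rejected because nonIPQuery is "skip", so a client asking for HTTPS records receives no response and waits for its own timeout.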