DNS Rule
Changes in sing-box 1.11.0: action, server, disable_cache, rewrite_ttl, client_subnet, network_type, network_is_expensive, network_is_constrained
Changes in sing-box 1.10.0: rule_set_ipcidr_match_source, rule_set_ip_cidr_match_source, rule_set_ip_cidr_accept_empty, process_path_regex
Changes in sing-box 1.9.0: geoip, ip_cidr, ip_is_private, client_subnet, rule_set_ipcidr_match_source
Changes in sing-box 1.8.0
Structure
{
  "dns": {
    "rules": [
      {
        "inbound": [
          "mixed-in"
        ],
        "ip_version": 6,
        "query_type": [
          "A",
          "HTTPS",
          32768
        ],
        "network": "tcp",
        "auth_user": [
          "usera",
          "userb"
        ],
        "protocol": [
          "tls",
          "http",
          "quic"
        ],
        "domain": [
          "test.com"
        ],
        "domain_suffix": [
          ".cn"
        ],
        "domain_keyword": [
          "test"
        ],
        "domain_regex": [
          "^stun\\..+"
        ],
        "geosite": [
          "cn"
        ],
        "source_geoip": [
          "private"
        ],
        "geoip": [
          "cn"
        ],
        "source_ip_cidr": [
          "10.0.0.0/24",
          "192.168.0.1"
        ],
        "source_ip_is_private": false,
        "ip_cidr": [
          "10.0.0.0/24",
          "192.168.0.1"
        ],
        "ip_is_private": false,
        "source_port": [
          12345
        ],
        "source_port_range": [
          "1000:2000",
          ":3000",
          "4000:"
        ],
        "port": [
          80,
          443
        ],
        "port_range": [
          "1000:2000",
          ":3000",
          "4000:"
        ],
        "process_name": [
          "curl"
        ],
        "process_path": [
          "/usr/bin/curl"
        ],
        "process_path_regex": [
          "^/usr/bin/.+"
        ],
        "package_name": [
          "com.termux"
        ],
        "user": [
          "sekai"
        ],
        "user_id": [
          1000
        ],
        "clash_mode": "direct",
        "network_type": [
          "wifi"
        ],
        "network_is_expensive": false,
        "network_is_constrained": false,
        "wifi_ssid": [
          "My WIFI"
        ],
        "wifi_bssid": [
          "00:00:00:00:00:00"
        ],
        "rule_set": [
          "geoip-cn",
          "geosite-cn"
        ],
        // deprecated
        "rule_set_ipcidr_match_source": false,
        "rule_set_ip_cidr_match_source": false,
        "rule_set_ip_cidr_accept_empty": false,
        "invert": false,
        "outbound": [
          "direct"
        ],
        "action": "route",
        "server": "local"
      },
      {
        "type": "logical",
        "mode": "and",
        "rules": [],
        "action": "route",
        "server": "local"
      }
    ]
  }
}
You can omit the JSON array brackets [] when the content is only one item.
Default Fields
The default rule uses the following matching logic:
(domain || domain_suffix || domain_keyword || domain_regex || geosite) &&
(port || port_range) &&
(source_geoip || source_ip_cidr || source_ip_is_private) &&
(source_port || source_port_range) &&
other fields
Additionally, included rule-sets can be considered merged rather than as a single rule sub-item.
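The grouping above, worked through as an added Python sketch (a model for reasoning about rules, not sing-box's own code): items inside a group are ORed, the groups are ANDed, and invert flips the final result. Assumptions of the sketch: the query keys are names chosen here, domain_suffix is a plain string suffix comparison, a group with nothing configured does not restrict the rule, and geosite, source_geoip and the "other fields" are left out.

```python
import ipaddress
import re

def as_list(value):
    # One item may be written without []; an absent or false boolean counts as "not set".
    if value is None or value is False:
        return []
    return value if isinstance(value, list) else [value]

def in_port_range(port, spec):
    # "1000:2000", ":3000" and "4000:" from the structure above; an open end is unbounded.
    low, _, high = spec.partition(":")
    return int(low or 0) <= port <= int(high or 65535)

def rule_matches(rule, query):
    # query keys (domain, port, source_ip, source_port) are hypothetical names for this sketch.
    domain, src = query["domain"], ipaddress.ip_address(query["source_ip"])
    groups = [
        {"domain": lambda v: domain == v,
         "domain_suffix": lambda v: domain.endswith(v),
         "domain_keyword": lambda v: v in domain,
         "domain_regex": lambda v: re.search(v, domain) is not None},
        {"port": lambda v: query["port"] == v,
         "port_range": lambda v: in_port_range(query["port"], v)},
        {"source_ip_cidr": lambda v: src in ipaddress.ip_network(v),
         "source_ip_is_private": lambda v: src.is_private},
        {"source_port": lambda v: query["source_port"] == v,
         "source_port_range": lambda v: in_port_range(query["source_port"], v)},
    ]
    invert = bool(rule.get("invert", False))
    for group in groups:
        items = [(check, v) for name, check in group.items() for v in as_list(rule.get(name))]
        # Assumption: an unconfigured group is skipped; otherwise any one item may match (||).
        if items and not any(check(v) for check, v in items):
            return invert  # one group failed, so the && chain fails
    return not invert

# Constructed sample rule reusing values from the structure above.
RULE = {
    "domain_suffix": [".cn"],
    "domain_keyword": "test",
    "port": [80, 443],
    "port_range": "4000:",
    "source_ip_cidr": ["10.0.0.0/24", "192.168.0.1"],
}

if __name__ == "__main__":
    q = {"domain": "www.example.cn", "port": 443, "source_ip": "10.0.0.7", "source_port": 50000}
    print(rule_matches(RULE, q))
```

A query for a matching domain that arrives from a source outside source_ip_cidr fails the whole rule, which is the case most often misread when several groups are combined in one rule.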
inbound
Tags of Inbound.
ip_version
4 (A DNS query) or 6 (AAAA DNS query).
Not limited if empty.
query_type
DNS query type. Values can be integers or type name strings.
network
tcp or udp.
auth_user
Username, see each inbound for details.
protocol
Sniffed protocol, see Sniff for details.
domain
Match full domain.
domain_suffix
Match domain suffix.
domain_keyword
Match domain using keyword.
domain_regex
Match domain using regular expression.
geosite
Deprecated in sing-box 1.8.0
Geosite is deprecated and will be removed in sing-box 1.12.0, check Migration.
Match geosite.
source_geoip
Deprecated in sing-box 1.8.0
GeoIP is deprecated and will be removed in sing-box 1.12.0, check Migration.
Match source geoip.
source_ip_cidr
Match source IP CIDR.
source_ip_is_private
Since sing-box 1.8.0
Match non-public source IP.
source_port
Match source port.
source_port_range
Match source port range.
port
Match port.
port_range
Match port range.
process_name
Only supported on Linux, Windows, and macOS.
Match process name.
process_path
Only supported on Linux, Windows, and macOS.
Match process path.
process_path_regex
Since sing-box 1.10.0
Only supported on Linux, Windows, and macOS.
Match process path using regular expression.
package_name
Match Android package name.
user
Only supported on Linux.
Match user name.
user_id
Only supported on Linux.
Match user id.
clash_mode
Match Clash mode.
network_type
Since sing-box 1.11.0
Only supported in graphical clients on Android and Apple platforms.
Match network type.
Available values: wifi, cellular, ethernet and other.
network_is_expensive
Since sing-box 1.11.0
Only supported in graphical clients on Android and Apple platforms.
Match if network is considered Metered (on Android) or considered expensive, such as Cellular or a Personal Hotspot (on Apple platforms).
network_is_constrained
Since sing-box 1.11.0
Only supported in graphical clients on Apple platforms.
Match if network is in Low Data Mode.
wifi_ssid
Only supported in graphical clients on Android and Apple platforms.
Match WiFi SSID.
wifi_bssid
Only supported in graphical clients on Android and Apple platforms.
Match WiFi BSSID.
rule_set
Since sing-box 1.8.0
Match rule-set.
rule_set_ipcidr_match_source
Since sing-box 1.9.0
Deprecated in sing-box 1.10.0
rule_set_ipcidr_match_source is renamed to rule_set_ip_cidr_match_source and will be removed in sing-box 1.11.0.
Make ip_cidr rule items in rule-sets match the source IP.
rule_set_ip_cidr_match_source
Since sing-box 1.10.0
Make ip_cidr rule items in rule-sets match the source IP.
invert
Invert match result.
outbound
Match outbound.
any can be used as a value to match any outbound.
action
Required
See DNS Rule Actions for details.
server
Deprecated in sing-box 1.11.0
Moved to DNS Rule Action.
disable_cache
Deprecated in sing-box 1.11.0
Moved to DNS Rule Action.
rewrite_ttl
Deprecated in sing-box 1.11.0
Moved to DNS Rule Action.
client_subnet
Deprecated in sing-box 1.11.0
Moved to DNS Rule Action.
Address Filter Fields
Only takes effect for address requests (A/AAAA/HTTPS). When the query results do not match the address filtering rule items, the current rule will be skipped.
ip_cidr items in included rule-sets also take effect as address filtering fields.
Enable experimental.cache_file.store_rdrc to cache results.
geoip
Since sing-box 1.9.0
Match GeoIP with query response.
ip_cidr
Since sing-box 1.9.0
Match IP CIDR with query response.
ip_is_private
Since sing-box 1.9.0
Match private IP with query response.
rule_set_ip_cidr_accept_empty
Since sing-box 1.10.0
Make ip_cidr rules in rule-sets accept empty query response.
Logical Fields
type
logical
mode
"and" or "or"
rules
Included rules.