DNS Rule
Changes in sing-box 1.10.0
rule_set_ipcidr_match_source
rule_set_ip_cidr_match_source
rule_set_ip_cidr_accept_empty
process_path_regex
Changes in sing-box 1.9.0
geoip
ip_cidr
ip_is_private
client_subnet
rule_set_ipcidr_match_source
Changes in sing-box 1.8.0
Structure
{
"dns": {
"rules": [
{
"inbound": [
"mixed-in"
],
"ip_version": 6,
"query_type": [
"A",
"HTTPS",
32768
],
"network": "tcp",
"auth_user": [
"usera",
"userb"
],
"protocol": [
"tls",
"http",
"quic"
],
"domain": [
"test.com"
],
"domain_suffix": [
".cn"
],
"domain_keyword": [
"test"
],
"domain_regex": [
"^stun\\..+"
],
"geosite": [
"cn"
],
"source_geoip": [
"private"
],
"geoip": [
"cn"
],
"source_ip_cidr": [
"10.0.0.0/24",
"192.168.0.1"
],
"source_ip_is_private": false,
"ip_cidr": [
"10.0.0.0/24",
"192.168.0.1"
],
"ip_is_private": false,
"source_port": [
12345
],
"source_port_range": [
"1000:2000",
":3000",
"4000:"
],
"port": [
80,
443
],
"port_range": [
"1000:2000",
":3000",
"4000:"
],
"process_name": [
"curl"
],
"process_path": [
"/usr/bin/curl"
],
"process_path_regex": [
"^/usr/bin/.+"
],
"package_name": [
"com.termux"
],
"user": [
"sekai"
],
"user_id": [
1000
],
"clash_mode": "direct",
"wifi_ssid": [
"My WIFI"
],
"wifi_bssid": [
"00:00:00:00:00:00"
],
"rule_set": [
"geoip-cn",
"geosite-cn"
],
// deprecated
"rule_set_ipcidr_match_source": false,
"rule_set_ip_cidr_match_source": false,
"rule_set_ip_cidr_accept_empty": false,
"invert": false,
"outbound": [
"direct"
],
"server": "local",
"disable_cache": false,
"rewrite_ttl": 100,
"client_subnet": "127.0.0.1/24"
},
{
"type": "logical",
"mode": "and",
"rules": [],
"server": "local",
"disable_cache": false,
"rewrite_ttl": 100,
"client_subnet": "127.0.0.1/24"
}
]
}
}
You can ignore the JSON Array [] tag when the content is only one item
Default Fields
The default rule uses the following matching logic:
(domain
|| domain_suffix
|| domain_keyword
|| domain_regex
|| geosite
) &&
(port
|| port_range
) &&
(source_geoip
|| source_ip_cidr
|| source_ip_is_private
) &&
(source_port
|| source_port_range
) &&
other fields
Additionally, included rule-sets can be considered merged rather than as a single rule sub-item.
inbound
Tags of Inbound.
ip_version
4 (A DNS query) or 6 (AAAA DNS query).
Not limited if empty.
query_type
DNS query type. Values can be integers or type name strings.
network
tcp
or udp
.
auth_user
Username, see each inbound for details.
protocol
Sniffed protocol, see Sniff for details.
domain
Match full domain.
domain_suffix
Match domain suffix.
domain_keyword
Match domain using keyword.
domain_regex
Match domain using regular expression.
geosite
Deprecated in sing-box 1.8.0
Geosite is deprecated and may be removed in the future, check Migration.
Match geosite.
source_geoip
Deprecated in sing-box 1.8.0
GeoIP is deprecated and may be removed in the future, check Migration.
Match source geoip.
source_ip_cidr
Match source IP CIDR.
source_ip_is_private
Since sing-box 1.8.0
Match non-public source IP.
source_port
Match source port.
source_port_range
Match source port range.
port
Match port.
port_range
Match port range.
process_name
Only supported on Linux, Windows, and macOS.
Match process name.
process_path
Only supported on Linux, Windows, and macOS.
Match process path.
process_path_regex
Since sing-box 1.10.0
Only supported on Linux, Windows, and macOS.
Match process path using regular expression.
package_name
Match android package name.
user
Only supported on Linux.
Match user name.
user_id
Only supported on Linux.
Match user id.
clash_mode
Match Clash mode.
wifi_ssid
Only supported in graphical clients on Android and Apple platforms.
Match WiFi SSID.
wifi_bssid
Only supported in graphical clients on Android and Apple platforms.
Match WiFi BSSID.
rule_set
Since sing-box 1.8.0
Match rule-set.
rule_set_ipcidr_match_source
Since sing-box 1.9.0
Deprecated in sing-box 1.10.0
rule_set_ipcidr_match_source
is renamed to rule_set_ip_cidr_match_source
and will be remove in sing-box 1.11.0.
Make ip_cidr
rule items in rule-sets match the source IP.
rule_set_ip_cidr_match_source
Since sing-box 1.10.0
Make ip_cidr
rule items in rule-sets match the source IP.
invert
Invert match result.
outbound
Match outbound.
any
can be used as a value to match any outbound.
server
Required
Tag of the target dns server.
disable_cache
Disable cache and save cache in this query.
rewrite_ttl
Rewrite TTL in DNS responses.
client_subnet
Since sing-box 1.9.0
Append a edns0-subnet
OPT extra record with the specified IP prefix to every query by default.
If value is an IP address instead of prefix, /32
or /128
will be appended automatically.
Will overrides dns.client_subnet
and servers.[].client_subnet
.
Address Filter Fields
Only takes effect for address requests (A/AAAA/HTTPS). When the query results do not match the address filtering rule items, the current rule will be skipped.
ip_cidr
items in included rule-sets also takes effect as an address filtering field.
Enable experimental.cache_file.store_rdrc
to cache results.
geoip
Since sing-box 1.9.0
Match GeoIP with query response.
ip_cidr
Since sing-box 1.9.0
Match IP CIDR with query response.
ip_is_private
Since sing-box 1.9.0
Match private IP with query response.
rule_set_ip_cidr_accept_empty
Since sing-box 1.10.0
Make ip_cidr
rules in rule-sets accept empty query response.
Logical Fields
type
logical
mode
and
or or
rules
Included rules.