支持多 DoH, 或者每个代理均可配置 DoH

iugo

Surge 的 DNS 逻辑可能是这样的:

首先用 DNS 解析出 DoH 域名中的 IP.
然后根据域名决定路由规则.
如果代理, 则访问 DoH 也使用代理.
如果直连, 则访问 DoH 也使用直连.

可以看到, 无论是代理还是直连, 都使用一个 DoH. 但是这就考验 DoH 的能力了.

如果能支持两个 DoH 就好了, 一个是直连的, 一个是代理(其他)的.

或者在 proxy 中新增一个 DoH 选项. 当匹配到这个代理的时候, 使用特定的 DoH 覆盖默认值.

mieqq

iugo 某个域名走代理的话，最终是在代理端解析的

newrevolution

mieqq I have been wondering why we can not have a simple option that says "resolve names remotely or proxy side" instead of local Mapping. That way, you can select either resolving names locally using your DoH exclusively or resolving names using the DNS server of the Upstream IP PROXY address exclusively.

The word "exclusive" is very important meaning that no other DNS server is allowed to resolve names except the option selected by user.

Local Mapping is not elegant enough as many websites has several unknown third party websites that are resolved when you open them. Do you now begin to monitor such hidden URLs and keep mapping locally each time you open the desired Websites? e.g. Content Delivery Networks (CDNs) like facebook, google analytics, twitter syndication, e.t.c.

mieqq

newrevolution

[General]
use-local-host-item-for-proxy = false

By default, DNS lookup is always performed on the remote server if a proxy policy is used. After enabling this option, Surge uses the IP address instead of the domain to set up the proxy connection if the local DNS mapping result of the target domain exists.

newrevolution

mieqq Okay, do you have a sample configuration showing this? The option I'm requesting for would have been better if it's available in combination with PROCESS-NAMES and IN-PORT RULES and not just Domain names so that any Domains on the specific Port can obey the DNS resolution option preferred by the user.
The other rule-based proxy utility I'm using has this option. it's very strict and exclusive, and no mix up in DNS resolution.
"Simplicity is actually the most ultimate sophistication"

mieqq

newrevolution

DNS lookup is always performed on the remote server if a proxy policy is used,Not related to rule type

newrevolution

mieqq Agreed sir but how do I tell Surge to resolve names using the DOH and only the DOH for all Domains visited on Port 2122 for example

mieqq

newrevolution

Can’t do it now, The [Host] field does not support specific ports. You can send a feature request.

newrevolution

mieqq Thank you and that's the problem I have but for now, please can you give me a simple line in [Host] that tells surge to use my doh for all Domains Names maybe I can work with that

mieqq

newrevolution

[General]
encrypted-dns-server = https://…

[Rule]
FINAL,DIRECT

then all domain names will resolve by the doh

newrevolution

mieqq I always want my DOH to use Proxy by following outbound mode. And my FINAL rule uses a Proxy policy not Direct

mieqq


[Host]
* = server:https://your_doh

Only match the domain names that use DIRECT policy

mieqq

newrevolution

I don't think there's any problem with this. You want the domain names to be resolved remotely, so use proxy, otherwise DIRECT

It is very simple to implement with rules.

newrevolution

mieqq Thank you sir, I have added:

[Host]
*= server:https://dns.nextdns.io/cXbaX0/dns-query

I really appreciate this. I can make do with this for now until supports for specific ports/process-names in [Host] is added.

newrevolution

mieqq But anyone might want to use a Proxy Policy in combination with DOH as the resolver only. Surge assumes that if you are using proxy policy, then you must use the DNS servers of the upstream proxy policy 🙂

mieqq

newrevolution

The only way to ensure that you get a CDN node server address that best suits the proxy server is to perform a DNS lookup at the proxy server.

You can also choose to configure DoH on the proxy server.

newrevolution

mieqq Okay sir, how do I configure DoH on the proxy server? Please, can you help with a simple configuration example

Also, I'm using only Surge Proxy and NOT enhanced Mode, do I need to hijack dns? as such:
hijack-dns = 45.90.28.0:53, 45.90.30.0:53
I'm asking because it appears that the hijack-dns feature is only effective with the Surge VIF activated?

newrevolution

mieqq Okay, I did some tweaking and figured a bug when Surge switches between resolver/bootstraps due to latency.

dns-server = 45.90.28.0, 45.90.30.0

it resolves to:
CLoudflareNet 0000 0000
CISCO
LVT CHOOP
OPENDNSINC and so on,
After switching to fastest resolver, it goes back to NEXTDNS again and normal
I used:

https://cmdns.dev.dns-oarc.net/

to keep track of the DNS resolution process by Surge because this is the only DNS check site that keeps your DNS resolution alive under "active connection" tab for a long time up to 15 minutes, I monitored it and I figured the slight leakage.
So, best option is to use a single resolver. e.g.
dns-server = 45.90.28.0
but I hijacked both on :53
hijack-dns = 45.90.28.0:53, 45.90.30.0:53

Hijacking DNS using *:53 results to loop in my configuration and then google takes over with wrong IP address location lol. Thank you for your time today, that was really helpful.