Add address filter support for DNS rules

2024-11-22 08:31:30 +00:00 · 2024-02-03 17:45:27 +08:00 · 2024-02-03 17:45:27 +08:00 · 0517ceef76
parent 830ea46932
commit 0517ceef76
37 changed files with 436 additions and 248 deletions
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@ -56,6 +56,8 @@ type InboundContext struct {
 	SourcePortMatch              bool
 	DestinationAddressMatch      bool
 	DestinationPortMatch         bool
 	DidMatch                     bool
 	IgnoreDestinationIPCIDRMatch bool
 }
 func (c *InboundContext) ResetRuleCache() {
@ -64,6 +66,7 @@ func (c *InboundContext) ResetRuleCache() {
 	c.SourcePortMatch = false
 	c.DestinationAddressMatch = false
 	c.DestinationPortMatch = false
 	c.DidMatch = false
 }
 type inboundContextKey struct{}
--- a/adapter/router.go
+++ b/adapter/router.go
@ -86,6 +86,8 @@ type DNSRule interface {
 	Rule
 	DisableCache() bool
 	RewriteTTL() *uint32
 	WithAddressLimit() bool
 	MatchAddressLimit(metadata *InboundContext) bool
 }
 type RuleSet interface {
@ -99,6 +101,7 @@ type RuleSet interface {
 type RuleSetMetadata struct {
 	ContainsProcessRule bool
 	ContainsWIFIRule    bool
 	ContainsIPCIDRRule  bool
 }
 type RuleSetStartContext interface {
--- a/docs/configuration/dns/index.md
+++ b/docs/configuration/dns/index.md
@ -22,7 +22,7 @@
 ### Fields
 | Key      | Format                          |
-|----------|--------------------------------|
+|----------|---------------------------------|
 | `server` | List of [DNS Server](./server/) |
 | `rules`  | List of [DNS Rule](./rule/)     |
 | `fakeip` | [FakeIP](./fakeip/)             |
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@ -1,7 +1,13 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---
 !!! quote "Changes in sing-box 1.9.0"
    :material-plus: [geoip](#geoip)  
    :material-plus: [ip_cidr](#ip_cidr)  
    :material-plus: [ip_is_private](#ip_is_private)
 !!! quote "Changes in sing-box 1.8.0"
    :material-plus: [rule_set](#rule_set)  
@ -53,11 +59,19 @@ icon: material/alert-decagram
        "source_geoip": [
          "private"
        ],
        "geoip": [
          "cn"
        ],
        "source_ip_cidr": [
          "10.0.0.0/24",
          "192.168.0.1"
        ],
        "source_ip_is_private": false,
        "ip_cidr": [
          "10.0.0.0/24",
          "192.168.0.1"
        ],
        "ip_is_private": false,
        "source_port": [
          12345
        ],
@ -312,6 +326,32 @@ Disable cache and save cache in this query.
 Rewrite TTL in DNS responses.
 ### Address Filter Fields
 Only takes effect for IP address requests. When the query results do not match the address filtering rule items, the current rule will be skipped.
 !!! note ""
    `ip_cidr` items in included rule sets also takes effect as an address filtering field.
 #### geoip
 !!! question "Since sing-box 1.9.0"
 Match GeoIP with query response.
 #### ip_cidr
 !!! question "Since sing-box 1.9.0"
 Match IP CIDR with query response.
 #### ip_is_private
 !!! question "Since sing-box 1.9.0"
 Match private IP with query response.
 ### Logical Fields
 #### type
--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@ -1,7 +1,13 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---
 !!! quote "sing-box 1.9.0 中的更改"
    :material-plus: [geoip](#geoip)  
    :material-plus: [ip_cidr](#ip_cidr)  
    :material-plus: [ip_is_private](#ip_is_private)
 !!! quote "sing-box 1.8.0 中的更改"
    :material-plus: [rule_set](#rule_set)  
@ -53,10 +59,19 @@ icon: material/alert-decagram
        "source_geoip": [
          "private"
        ],
        "geoip": [
          "cn"
        ],
        "source_ip_cidr": [
-          "10.0.0.0/24"
+          "10.0.0.0/24",
          "192.168.0.1"
        ],
        "source_ip_is_private": false,
        "ip_cidr": [
          "10.0.0.0/24",
          "192.168.0.1"
        ],
        "ip_is_private": false,
        "source_port": [
          12345
        ],
@ -307,6 +322,32 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 重写 DNS 回应中的 TTL。
 ### 地址筛选字段
 仅对IP地址请求生效。 当查询结果与地址筛选规则项不匹配时，将跳过当前规则。
 !!! note ""
    引用的规则集中的 `ip_cidr` 项也作为地址筛选字段生效。
 #### geoip
 !!! question "自 sing-box 1.9.0 起"
 与查询响应匹配 GeoIP。
 #### ip_cidr
 !!! question "自 sing-box 1.9.0 起"
 与查询相应匹配 IP CIDR。
 #### ip_is_private
 !!! question "自 sing-box 1.9.0 起"
 与查询响应匹配非公开 IP。
 ### 逻辑字段
 #### type
--- a/docs/configuration/experimental/cache-file.md
+++ b/docs/configuration/experimental/cache-file.md
@ -1,7 +1,3 @@
 ---
 icon: material/new-box
 ---
 !!! question "Since sing-box 1.8.0"
 ### Structure
--- a/docs/configuration/experimental/cache-file.zh.md
+++ b/docs/configuration/experimental/cache-file.zh.md
@ -1,7 +1,3 @@
 ---
 icon: material/new-box
 ---
 !!! question "自 sing-box 1.8.0 起"
 ### 结构
--- a/docs/configuration/experimental/clash-api.md
+++ b/docs/configuration/experimental/clash-api.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 !!! quote "Changes in sing-box 1.8.0"
    :material-delete-alert: [store_mode](#store_mode)  
--- a/docs/configuration/experimental/clash-api.zh.md
+++ b/docs/configuration/experimental/clash-api.zh.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 !!! quote "sing-box 1.8.0 中的更改"
    :material-delete-alert: [store_mode](#store_mode)  
--- a/docs/configuration/experimental/index.md
+++ b/docs/configuration/experimental/index.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 # Experimental
 !!! quote "Changes in sing-box 1.8.0"
--- a/docs/configuration/experimental/index.zh.md
+++ b/docs/configuration/experimental/index.zh.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 # 实验性
 !!! quote "sing-box 1.8.0 中的更改"
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 !!! quote "Changes in sing-box 1.8.0"
    :material-plus: [gso](#gso)  
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 !!! quote "sing-box 1.8.0 中的更改"
    :material-plus: [gso](#gso)  
--- a/docs/configuration/outbound/wireguard.md
+++ b/docs/configuration/outbound/wireguard.md
@ -1,7 +1,3 @@
 ---
 icon: material/new-box
 ---
 !!! quote "Changes in sing-box 1.8.0"
    :material-plus: [gso](#gso)  
--- a/docs/configuration/outbound/wireguard.zh.md
+++ b/docs/configuration/outbound/wireguard.zh.md
@ -1,7 +1,3 @@
 ---
 icon: material/new-box
 ---
 !!! quote "sing-box 1.8.0 中的更改"
    :material-plus: [gso](#gso)  
--- a/docs/configuration/route/index.md
+++ b/docs/configuration/route/index.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 # Route
 !!! quote "Changes in sing-box 1.8.0"
--- a/docs/configuration/route/index.zh.md
+++ b/docs/configuration/route/index.zh.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 # 路由
 !!! quote "sing-box 1.8.0 中的更改"
--- a/docs/configuration/route/rule.md
+++ b/docs/configuration/route/rule.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 !!! quote "Changes in sing-box 1.8.0"
    :material-plus: [rule_set](#rule_set)  
--- a/docs/configuration/route/rule.zh.md
+++ b/docs/configuration/route/rule.zh.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 !!! quote "sing-box 1.8.0 中的更改"
    :material-plus: [rule_set](#rule_set)  
--- a/docs/configuration/rule-set/headless-rule.md
+++ b/docs/configuration/rule-set/headless-rule.md
@ -1,7 +1,3 @@
 ---
 icon: material/new-box
 ---
 ### Structure
 !!! question "Since sing-box 1.8.0"
--- a/docs/configuration/rule-set/index.md
+++ b/docs/configuration/rule-set/index.md
@ -1,7 +1,3 @@
 ---
 icon: material/new-box
 ---
 # Rule Set
 !!! question "Since sing-box 1.8.0"
--- a/docs/configuration/rule-set/source-format.md
+++ b/docs/configuration/rule-set/source-format.md
@ -1,7 +1,3 @@
 ---
 icon: material/new-box
 ---
 # Source Format
 !!! question "Since sing-box 1.8.0"
--- a/docs/configuration/shared/tls.md
+++ b/docs/configuration/shared/tls.md
@ -1,8 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 !!! quote "Changes in sing-box 1.8.0"
    :material-alert-decagram: [utls](#utls)  
--- a/docs/configuration/shared/tls.zh.md
+++ b/docs/configuration/shared/tls.zh.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 !!! quote "sing-box 1.8.0 中的更改"
    :material-alert-decagram: [utls](#utls)  
--- a/docs/manual/proxy/client.md
+++ b/docs/manual/proxy/client.md
@ -290,52 +290,6 @@ flowchart TB
 === ":material-dns: DNS rules"
    !!! info
        DNS rules are optional if FakeIP is used.
    ```json
    {
      "dns": {
        "servers": [
          {
            "tag": "google",
            "address": "tls://8.8.8.8"
          },
          {
            "tag": "local",
            "address": "223.5.5.5",
            "detour": "direct"
          }
        ],
        "rules": [
          {
            "outbound": "any",
            "server": "local"
          },
          {
            "clash_mode": "Direct",
            "server": "local"
          },
          {
            "clash_mode": "Global",
            "server": "google"
          },
          {
            "geosite": "geolocation-cn",
            "server": "local"
          }
        ]
      }
    }
    ```
 === ":material-dns: DNS rules (1.8.0+)"
    !!! info
        DNS rules are optional if FakeIP is used.
    ```json
    {
      "dns": {
@ -382,74 +336,78 @@ flowchart TB
    }
    ```
-=== ":material-router-network: Route rules"
+=== ":material-dns: DNS rules (1.9.0+)"
    !!! warning "DNS leaks"
        The new DNS feature allows you to more precisely bypass Chinese websites via **DNS leaks**. Do not use plain local DNS if using this method.
    ```json
    {
-      "outbounds": [
+      "dns": {
        "servers": [
          {
-          "type": "direct",
+            "tag": "google",
-          "tag": "direct"
+            "address": "tls://8.8.8.8"
          },
          {
-          "type": "block",
+            "tag": "local",
-          "tag": "block"
+            "address": "https://223.5.5.5/dns-query",
            "detour": "direct"
          }
        ],
      "route": {
        "rules": [
          {
-            "type": "logical",
+            "outbound": "any",
-            "mode": "or",
+            "server": "local"
            "rules": [
              {
                "protocol": "dns"
              },
              {
                "port": 53
              }
            ],
            "outbound": "dns"
          },
          {
            "geoip": "private",
            "outbound": "direct"
          },
          {
            "clash_mode": "Direct",
-            "outbound": "direct"
+            "server": "local"
          },
          {
            "clash_mode": "Global",
-            "outbound": "default"
+            "server": "google"
          },
          {
-            "type": "logical",
+            "rule_set": "geosite-geolocation-cn",
-            "mode": "or",
+            "server": "local"
            "rules": [
              {
                "port": 853
          },
          {
-                "network": "udp",
+            "clash_mode": "Default",
-                "port": 443
+            "server": "google"
          },
          {
-                "protocol": "stun"
+            "rule_set": "geoip-cn",
-              }
+            "server": "local"
            ],
            "outbound": "block"
          },
          {
            "geosite": "geolocation-cn",
            "outbound": "direct"
          }
        ]
      },
      "route": {
        "rule_set": [
          {
            "type": "remote",
            "tag": "geosite-geolocation-cn",
            "format": "binary",
            "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-cn.srs"
          },
          {
            "type": "remote",
            "tag": "geoip-cn",
            "format": "binary",
            "url": "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs"
          }
        ]
      },
      "experimental": {
        "clash_api": {
          "default_mode": "Leak"
        }
      }
    }
    ```
-=== ":material-router-network: Route rules (1.8.0+)"
+=== ":material-router-network: Route rules"
    ```json
    {
--- a/go.mod
+++ b/go.mod
@ -24,10 +24,10 @@ require (
 	github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1
 	github.com/sagernet/gomobile v0.1.3
 	github.com/sagernet/gvisor v0.0.0-20231209105102-8d27a30e436e
-	github.com/sagernet/quic-go v0.40.1
+	github.com/sagernet/quic-go v0.43.0-beta.3
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
 	github.com/sagernet/sing v0.4.0-beta.20
-	github.com/sagernet/sing-dns v0.1.14
+	github.com/sagernet/sing-dns v0.2.0-beta.18
 	github.com/sagernet/sing-mux v0.2.0
 	github.com/sagernet/sing-quic v0.1.15
 	github.com/sagernet/sing-shadowsocks v0.2.6
--- a/go.sum
+++ b/go.sum
@ -101,15 +101,15 @@ github.com/sagernet/gvisor v0.0.0-20231209105102-8d27a30e436e h1:DOkjByVeAR56dks
 github.com/sagernet/gvisor v0.0.0-20231209105102-8d27a30e436e/go.mod h1:fLxq/gtp0qzkaEwywlRRiGmjOK5ES/xUzyIKIFP2Asw=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/quic-go v0.40.1 h1:qLeTIJR0d0JWRmDWo346nLsVN6EWihd1kalJYPEd0TM=
+github.com/sagernet/quic-go v0.43.0-beta.3 h1:qclJbbpgZe76EH62Bdu3LfDSC2zmuxj7zXCpdQBbe7c=
-github.com/sagernet/quic-go v0.40.1/go.mod h1:CcKTpzTAISxrM4PA5M20/wYuz9Tj6Tx4DwGbNl9UQrU=
+github.com/sagernet/quic-go v0.43.0-beta.3/go.mod h1:3EtxR1Yaa1FZu6jFPiBHpOAdhOxL4A3EPxmiVgjJvVM=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
 github.com/sagernet/sing v0.4.0-beta.20 h1:8rEepj4LMcR0Wd389fJIziv/jr3MBtX5qXBHsfxJ+dY=
 github.com/sagernet/sing v0.4.0-beta.20/go.mod h1:PFQKbElc2Pke7faBLv8oEba5ehtKO21Ho+TkYemTI3Y=
-github.com/sagernet/sing-dns v0.1.14 h1:kxE/Ik3jMXmD3sXsdt9MgrNzLFWt64mghV+MQqzyf40=
+github.com/sagernet/sing-dns v0.2.0-beta.18 h1:6vzXZThRdA7YUzBOpSbUT48XRumtl/KIpIHFSOP0za8=
-github.com/sagernet/sing-dns v0.1.14/go.mod h1:AA+vZMNovuPN5i/sPnfF6756Nq94nzb5nXodMWbta5w=
+github.com/sagernet/sing-dns v0.2.0-beta.18/go.mod h1:k/dmFcQpg6+m08gC1yQBy+13+QkuLqpKr4bIreq4U24=
 github.com/sagernet/sing-mux v0.2.0 h1:4C+vd8HztJCWNYfufvgL49xaOoOHXty2+EAjnzN3IYo=
 github.com/sagernet/sing-mux v0.2.0/go.mod h1:khzr9AOPocLa+g53dBplwNDz4gdsyx/YM3swtAhlkHQ=
 github.com/sagernet/sing-quic v0.1.15 h1:LGWPxQEeg89+68RHP7HtAV0RZeEWQikUqOfE9nYmr2A=
--- a/option/rule_dns.go
+++ b/option/rule_dns.go
@ -77,6 +77,9 @@ type DefaultDNSRule struct {
 	DomainRegex       Listable[string]       `json:"domain_regex,omitempty"`
 	Geosite           Listable[string]       `json:"geosite,omitempty"`
 	SourceGeoIP       Listable[string]       `json:"source_geoip,omitempty"`
 	GeoIP             Listable[string]       `json:"geoip,omitempty"`
 	IPCIDR            Listable[string]       `json:"ip_cidr,omitempty"`
 	IPIsPrivate       bool                   `json:"ip_is_private,omitempty"`
 	SourceIPCIDR      Listable[string]       `json:"source_ip_cidr,omitempty"`
 	SourceIPIsPrivate bool                   `json:"source_ip_is_private,omitempty"`
 	SourcePort        Listable[uint16]       `json:"source_port,omitempty"`
--- a/route/router_dns.go
+++ b/route/router_dns.go
@ -2,13 +2,13 @@ package route
 import (
 	"context"
 	"errors"
 	"net/netip"
 	"strings"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common/cache"
 	E "github.com/sagernet/sing/common/exceptions"
@ -37,12 +37,17 @@ func (m *DNSReverseMapping) Query(address netip.Addr) (string, bool) {
 	return domain, loaded
 }
-func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool) (context.Context, dns.Transport, dns.DomainStrategy) {
+func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, index int) (context.Context, dns.Transport, dns.DomainStrategy, adapter.DNSRule, int) {
 	metadata := adapter.ContextFrom(ctx)
 	if metadata == nil {
 		panic("no context")
 	}
-	for i, rule := range r.dnsRules {
+	if index < len(r.dnsRules) {
 		dnsRules := r.dnsRules
 		if index != -1 {
 			dnsRules = dnsRules[index+1:]
 		}
 		for ruleIndex, rule := range dnsRules {
 			metadata.ResetRuleCache()
 			if rule.Match(metadata) {
 				detour := rule.Outbound()
@ -54,7 +59,11 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool) (context.Contex
 				if _, isFakeIP := transport.(adapter.FakeIPTransport); isFakeIP && !allowFakeIP {
 					continue
 				}
-			r.dnsLogger.DebugContext(ctx, "match[", i, "] ", rule.String(), " => ", detour)
+				displayRuleIndex := ruleIndex
 				if index != -1 {
 					displayRuleIndex += index + 1
 				}
 				r.dnsLogger.DebugContext(ctx, "match[", displayRuleIndex, "] ", rule.String(), " => ", detour)
 				if rule.DisableCache() {
 					ctx = dns.ContextWithDisableCache(ctx, true)
 				}
@ -62,16 +71,17 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool) (context.Contex
 					ctx = dns.ContextWithRewriteTTL(ctx, *rewriteTTL)
 				}
 				if domainStrategy, dsLoaded := r.transportDomainStrategy[transport]; dsLoaded {
-				return ctx, transport, domainStrategy
+					return ctx, transport, domainStrategy, rule, ruleIndex
 				} else {
-				return ctx, transport, r.defaultDomainStrategy
+					return ctx, transport, r.defaultDomainStrategy, rule, ruleIndex
 				}
 			}
 		}
 	}
 	if domainStrategy, dsLoaded := r.transportDomainStrategy[r.defaultTransport]; dsLoaded {
-		return ctx, r.defaultTransport, domainStrategy
+		return ctx, r.defaultTransport, domainStrategy, nil, -1
 	} else {
-		return ctx, r.defaultTransport, r.defaultDomainStrategy
+		return ctx, r.defaultTransport, r.defaultDomainStrategy, nil, -1
 	}
 }
@ -86,7 +96,8 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, er
 	)
 	response, cached = r.dnsClient.ExchangeCache(ctx, message)
 	if !cached {
-		ctx, metadata := adapter.AppendContext(ctx)
+		var metadata *adapter.InboundContext
 		ctx, metadata = adapter.AppendContext(ctx)
 		if len(message.Question) > 0 {
 			metadata.QueryType = message.Question[0].Qtype
 			switch metadata.QueryType {
@ -97,16 +108,46 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, er
 			}
 			metadata.Domain = fqdnToDomain(message.Question[0].Name)
 		}
-		ctx, transport, strategy := r.matchDNS(ctx, true)
+		var (
-		ctx, cancel := context.WithTimeout(ctx, C.DNSTimeout)
+			transport dns.Transport
-		defer cancel()
+			strategy  dns.DomainStrategy
-		response, err = r.dnsClient.Exchange(ctx, transport, message, strategy)
+			rule      adapter.DNSRule
-		if err != nil && len(message.Question) > 0 {
+			ruleIndex int
 		)
 		ruleIndex = -1
 		for {
 			var (
 				dnsCtx       context.Context
 				cancel       context.CancelFunc
 				addressLimit bool
 			)
 			dnsCtx, transport, strategy, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex)
 			dnsCtx, cancel = context.WithTimeout(dnsCtx, C.DNSTimeout)
 			if rule != nil && rule.WithAddressLimit() && isAddressQuery(message) {
 				addressLimit = true
 				response, err = r.dnsClient.ExchangeWithResponseCheck(dnsCtx, transport, message, strategy, func(response *mDNS.Msg) bool {
 					metadata.DestinationAddresses, _ = dns.MessageToAddresses(response)
 					return rule.MatchAddressLimit(metadata)
 				})
 			} else {
 				addressLimit = false
 				response, err = r.dnsClient.Exchange(dnsCtx, transport, message, strategy)
 			}
 			cancel()
 			if err != nil {
 				if errors.Is(err, dns.ErrResponseRejected) {
 					r.dnsLogger.DebugContext(ctx, E.Cause(err, "response rejected for ", formatQuestion(message.Question[0].String())))
 				} else if len(message.Question) > 0 {
 					r.dnsLogger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", formatQuestion(message.Question[0].String())))
 				} else {
 					r.dnsLogger.ErrorContext(ctx, E.Cause(err, "exchange failed for <empty query>"))
 				}
 			}
 			if !addressLimit || err == nil {
 				break
 			}
 		}
 	if len(message.Question) > 0 && response != nil {
 		LogDNSAnswers(r.dnsLogger, ctx, message.Question[0].Name, response.Answer)
 	}
 	if r.dnsReverseMapping != nil && len(message.Question) > 0 && response != nil && len(response.Answer) > 0 {
 		for _, answer := range response.Answer {
@ -125,22 +166,57 @@ func (r *Router) Lookup(ctx context.Context, domain string, strategy dns.DomainS
 	r.dnsLogger.DebugContext(ctx, "lookup domain ", domain)
 	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Domain = domain
-	ctx, transport, transportStrategy := r.matchDNS(ctx, false)
+	var (
 		transport         dns.Transport
 		transportStrategy dns.DomainStrategy
 		rule              adapter.DNSRule
 		ruleIndex         int
 		resultAddrs       []netip.Addr
 		err               error
 	)
 	ruleIndex = -1
 	for {
 		var (
 			dnsCtx       context.Context
 			cancel       context.CancelFunc
 			addressLimit bool
 		)
 		metadata.ResetRuleCache()
 		metadata.DestinationAddresses = nil
 		dnsCtx, transport, transportStrategy, rule, ruleIndex = r.matchDNS(ctx, false, ruleIndex)
 		if strategy == dns.DomainStrategyAsIS {
 			strategy = transportStrategy
 		}
-	ctx, cancel := context.WithTimeout(ctx, C.DNSTimeout)
+		dnsCtx, cancel = context.WithTimeout(dnsCtx, C.DNSTimeout)
-	defer cancel()
+		if rule != nil && rule.WithAddressLimit() {
-	addrs, err := r.dnsClient.Lookup(ctx, transport, domain, strategy)
+			addressLimit = true
-	if len(addrs) > 0 {
+			resultAddrs, err = r.dnsClient.LookupWithResponseCheck(dnsCtx, transport, domain, strategy, func(responseAddrs []netip.Addr) bool {
-		r.dnsLogger.InfoContext(ctx, "lookup succeed for ", domain, ": ", strings.Join(F.MapToString(addrs), " "))
+				metadata.DestinationAddresses = responseAddrs
-	} else if err != nil {
+				return rule.MatchAddressLimit(metadata)
-		r.dnsLogger.ErrorContext(ctx, E.Cause(err, "lookup failed for ", domain))
+			})
 		} else {
 			addressLimit = false
 			resultAddrs, err = r.dnsClient.Lookup(dnsCtx, transport, domain, strategy)
 		}
 		cancel()
 		if err != nil {
 			if errors.Is(err, dns.ErrResponseRejected) {
 				r.dnsLogger.DebugContext(ctx, "response rejected for ", domain)
 			} else {
 				r.dnsLogger.ErrorContext(ctx, E.Cause(err, "lookup failed for ", domain))
 			}
 		} else if len(resultAddrs) == 0 {
 			r.dnsLogger.ErrorContext(ctx, "lookup failed for ", domain, ": empty result")
 			err = dns.RCodeNameError
 		}
-	return addrs, err
+		if !addressLimit || err == nil {
 			break
 		}
 	}
 	if len(resultAddrs) > 0 {
 		r.dnsLogger.InfoContext(ctx, "lookup succeed for ", domain, ": ", strings.Join(F.MapToString(resultAddrs), " "))
 	}
 	return resultAddrs, err
 }
 func (r *Router) LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error) {
@ -154,10 +230,13 @@ func (r *Router) ClearDNSCache() {
 	}
 }
-func LogDNSAnswers(logger log.ContextLogger, ctx context.Context, domain string, answers []mDNS.RR) {
+func isAddressQuery(message *mDNS.Msg) bool {
-	for _, answer := range answers {
+	for _, question := range message.Question {
-		logger.InfoContext(ctx, "exchanged ", domain, " ", mDNS.Type(answer.Header().Rrtype).String(), " ", formatQuestion(answer.String()))
+		if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
 			return true
 		}
 	}
 	return false
 }
 func fqdnToDomain(fqdn string) string {
--- a/route/router_rule.go
+++ b/route/router_rule.go
@ -59,7 +59,7 @@ func isGeoIPRule(rule option.DefaultRule) bool {
 }
 func isGeoIPDNSRule(rule option.DefaultDNSRule) bool {
-	return len(rule.SourceGeoIP) > 0 && common.Any(rule.SourceGeoIP, notPrivateNode)
+	return len(rule.SourceGeoIP) > 0 && common.Any(rule.SourceGeoIP, notPrivateNode) || len(rule.GeoIP) > 0 && common.Any(rule.GeoIP, notPrivateNode)
 }
 func isGeositeRule(rule option.DefaultRule) bool {
@ -97,3 +97,7 @@ func isWIFIDNSRule(rule option.DefaultDNSRule) bool {
 func isWIFIHeadlessRule(rule option.DefaultHeadlessRule) bool {
 	return len(rule.WIFISSID) > 0 || len(rule.WIFIBSSID) > 0
 }
 func isIPCIDRHeadlessRule(rule option.DefaultHeadlessRule) bool {
 	return len(rule.IPCIDR) > 0 || rule.IPSet != nil
 }
--- a/route/rule_abstract.go
+++ b/route/rule_abstract.go
@ -15,6 +15,7 @@ type abstractDefaultRule struct {
 	sourceAddressItems      []RuleItem
 	sourcePortItems         []RuleItem
 	destinationAddressItems []RuleItem
 	destinationIPCIDRItems  []RuleItem
 	destinationPortItems    []RuleItem
 	allItems                []RuleItem
 	ruleSetItem             RuleItem
@ -64,6 +65,7 @@ func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
 	}
 	if len(r.sourceAddressItems) > 0 && !metadata.SourceAddressMatch {
 		metadata.DidMatch = true
 		for _, item := range r.sourceAddressItems {
 			if item.Match(metadata) {
 				metadata.SourceAddressMatch = true
@ -73,6 +75,7 @@ func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
 	}
 	if len(r.sourcePortItems) > 0 && !metadata.SourcePortMatch {
 		metadata.DidMatch = true
 		for _, item := range r.sourcePortItems {
 			if item.Match(metadata) {
 				metadata.SourcePortMatch = true
@ -82,6 +85,7 @@ func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
 	}
 	if len(r.destinationAddressItems) > 0 && !metadata.DestinationAddressMatch {
 		metadata.DidMatch = true
 		for _, item := range r.destinationAddressItems {
 			if item.Match(metadata) {
 				metadata.DestinationAddressMatch = true
@ -90,7 +94,18 @@ func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
 		}
 	}
 	if !metadata.IgnoreDestinationIPCIDRMatch && len(r.destinationIPCIDRItems) > 0 && !metadata.DestinationAddressMatch {
 		metadata.DidMatch = true
 		for _, item := range r.destinationIPCIDRItems {
 			if item.Match(metadata) {
 				metadata.DestinationAddressMatch = true
 				break
 			}
 		}
 	}
 	if len(r.destinationPortItems) > 0 && !metadata.DestinationPortMatch {
 		metadata.DidMatch = true
 		for _, item := range r.destinationPortItems {
 			if item.Match(metadata) {
 				metadata.DestinationPortMatch = true
@ -100,6 +115,9 @@ func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
 	}
 	for _, item := range r.items {
 		if _, isRuleSet := item.(*RuleSetItem); !isRuleSet {
 			metadata.DidMatch = true
 		}
 		if !item.Match(metadata) {
 			return r.invert
 		}
@ -113,7 +131,7 @@ func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
 		return r.invert
 	}
-	if len(r.destinationAddressItems) > 0 && !metadata.DestinationAddressMatch {
+	if ((!metadata.IgnoreDestinationIPCIDRMatch && len(r.destinationIPCIDRItems) > 0) || len(r.destinationAddressItems) > 0) && !metadata.DestinationAddressMatch {
 		return r.invert
 	}
@ -121,6 +139,10 @@ func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
 		return r.invert
 	}
 	if !metadata.DidMatch {
 		return true
 	}
 	return !r.invert
 }
--- a/route/rule_default.go
+++ b/route/rule_default.go
@ -109,7 +109,7 @@ func NewDefaultRule(router adapter.Router, logger log.ContextLogger, options opt
 	}
 	if len(options.GeoIP) > 0 {
 		item := NewGeoIPItem(router, logger, false, options.GeoIP)
-		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.SourceIPCIDR) > 0 {
@ -130,12 +130,12 @@ func NewDefaultRule(router adapter.Router, logger log.ContextLogger, options opt
 		if err != nil {
 			return nil, E.Cause(err, "ipcidr")
 		}
-		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if options.IPIsPrivate {
 		item := NewIPIsPrivateItem(false)
-		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.SourcePort) > 0 {
--- a/route/rule_dns.go
+++ b/route/rule_dns.go
@ -5,6 +5,7 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 )
@ -111,6 +112,11 @@ func NewDefaultDNSRule(router adapter.Router, logger log.ContextLogger, options
 		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.GeoIP) > 0 {
 		item := NewGeoIPItem(router, logger, false, options.GeoIP)
 		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.SourceIPCIDR) > 0 {
 		item, err := NewIPCIDRItem(true, options.SourceIPCIDR)
 		if err != nil {
@ -119,11 +125,24 @@ func NewDefaultDNSRule(router adapter.Router, logger log.ContextLogger, options
 		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.IPCIDR) > 0 {
 		item, err := NewIPCIDRItem(false, options.IPCIDR)
 		if err != nil {
 			return nil, E.Cause(err, "ip_cidr")
 		}
 		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if options.SourceIPIsPrivate {
 		item := NewIPIsPrivateItem(true)
 		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if options.IPIsPrivate {
 		item := NewIPIsPrivateItem(false)
 		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.SourcePort) > 0 {
 		item := NewPortItem(true, options.SourcePort)
 		rule.sourcePortItems = append(rule.sourcePortItems, item)
@ -211,6 +230,34 @@ func (r *DefaultDNSRule) RewriteTTL() *uint32 {
 	return r.rewriteTTL
 }
 func (r *DefaultDNSRule) WithAddressLimit() bool {
 	if len(r.destinationIPCIDRItems) > 0 {
 		return true
 	}
 	for _, rawRule := range r.items {
 		ruleSet, isRuleSet := rawRule.(*RuleSetItem)
 		if !isRuleSet {
 			continue
 		}
 		if ruleSet.ContainsIPCIDRRule() {
 			return true
 		}
 	}
 	return false
 }
 func (r *DefaultDNSRule) Match(metadata *adapter.InboundContext) bool {
 	metadata.IgnoreDestinationIPCIDRMatch = true
 	defer func() {
 		metadata.IgnoreDestinationIPCIDRMatch = false
 	}()
 	return r.abstractDefaultRule.Match(metadata)
 }
 func (r *DefaultDNSRule) MatchAddressLimit(metadata *adapter.InboundContext) bool {
 	return r.abstractDefaultRule.Match(metadata)
 }
 var _ adapter.DNSRule = (*LogicalDNSRule)(nil)
 type LogicalDNSRule struct {
@ -254,3 +301,47 @@ func (r *LogicalDNSRule) DisableCache() bool {
 func (r *LogicalDNSRule) RewriteTTL() *uint32 {
 	return r.rewriteTTL
 }
 func (r *LogicalDNSRule) WithAddressLimit() bool {
 	for _, rawRule := range r.rules {
 		switch rule := rawRule.(type) {
 		case *DefaultDNSRule:
 			if rule.WithAddressLimit() {
 				return true
 			}
 		case *LogicalDNSRule:
 			if rule.WithAddressLimit() {
 				return true
 			}
 		}
 	}
 	return false
 }
 func (r *LogicalDNSRule) Match(metadata *adapter.InboundContext) bool {
 	if r.mode == C.LogicalTypeAnd {
 		return common.All(r.rules, func(it adapter.HeadlessRule) bool {
 			metadata.ResetRuleCache()
 			return it.(adapter.DNSRule).Match(metadata)
 		}) != r.invert
 	} else {
 		return common.Any(r.rules, func(it adapter.HeadlessRule) bool {
 			metadata.ResetRuleCache()
 			return it.(adapter.DNSRule).Match(metadata)
 		}) != r.invert
 	}
 }
 func (r *LogicalDNSRule) MatchAddressLimit(metadata *adapter.InboundContext) bool {
 	if r.mode == C.LogicalTypeAnd {
 		return common.All(r.rules, func(it adapter.HeadlessRule) bool {
 			metadata.ResetRuleCache()
 			return it.(adapter.DNSRule).MatchAddressLimit(metadata)
 		}) != r.invert
 	} else {
 		return common.Any(r.rules, func(it adapter.HeadlessRule) bool {
 			metadata.ResetRuleCache()
 			return it.(adapter.DNSRule).MatchAddressLimit(metadata)
 		}) != r.invert
 	}
 }
--- a/route/rule_headless.go
+++ b/route/rule_headless.go
@ -80,11 +80,11 @@ func NewDefaultHeadlessRule(router adapter.Router, options option.DefaultHeadles
 		if err != nil {
 			return nil, E.Cause(err, "ipcidr")
 		}
-		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	} else if options.IPSet != nil {
 		item := NewRawIPCIDRItem(false, options.IPSet)
-		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.SourcePort) > 0 {
--- a/route/rule_item_rule_set.go
+++ b/route/rule_item_rule_set.go
@ -4,6 +4,7 @@ import (
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 )
@ -13,7 +14,7 @@ var _ RuleItem = (*RuleSetItem)(nil)
 type RuleSetItem struct {
 	router            adapter.Router
 	tagList           []string
-	setList           []adapter.HeadlessRule
+	setList           []adapter.RuleSet
 	ipcidrMatchSource bool
 }
@ -46,6 +47,12 @@ func (r *RuleSetItem) Match(metadata *adapter.InboundContext) bool {
 	return false
 }
 func (r *RuleSetItem) ContainsIPCIDRRule() bool {
 	return common.Any(r.setList, func(ruleSet adapter.RuleSet) bool {
 		return ruleSet.Metadata().ContainsIPCIDRRule
 	})
 }
 func (r *RuleSetItem) String() string {
 	if len(r.tagList) == 1 {
 		return F.ToString("rule_set=", r.tagList[0])
--- a/route/rule_set_local.go
+++ b/route/rule_set_local.go
@ -3,12 +3,14 @@ package route
 import (
 	"context"
 	"os"
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/srs"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"
 )
@ -55,6 +57,7 @@ func NewLocalRuleSet(router adapter.Router, options option.RuleSet) (*LocalRuleS
 	var metadata adapter.RuleSetMetadata
 	metadata.ContainsProcessRule = hasHeadlessRule(plainRuleSet.Rules, isProcessHeadlessRule)
 	metadata.ContainsWIFIRule = hasHeadlessRule(plainRuleSet.Rules, isWIFIHeadlessRule)
 	metadata.ContainsIPCIDRRule = hasHeadlessRule(plainRuleSet.Rules, isIPCIDRHeadlessRule)
 	return &LocalRuleSet{rules, metadata}, nil
 }
@ -67,6 +70,10 @@ func (s *LocalRuleSet) Match(metadata *adapter.InboundContext) bool {
 	return false
 }
 func (s *LocalRuleSet) String() string {
 	return strings.Join(F.MapToString(s.rules), " ")
 }
 func (s *LocalRuleSet) StartContext(ctx context.Context, startContext adapter.RuleSetStartContext) error {
 	return nil
 }
--- a/route/rule_set_remote.go
+++ b/route/rule_set_remote.go
@ -7,6 +7,7 @@ import (
 	"net"
 	"net/http"
 	"runtime"
 	"strings"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
@ -14,6 +15,7 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
@ -68,6 +70,10 @@ func (s *RemoteRuleSet) Match(metadata *adapter.InboundContext) bool {
 	return false
 }
 func (s *RemoteRuleSet) String() string {
 	return strings.Join(F.MapToString(s.rules), " ")
 }
 func (s *RemoteRuleSet) StartContext(ctx context.Context, startContext adapter.RuleSetStartContext) error {
 	var dialer N.Dialer
 	if s.options.RemoteOptions.DownloadDetour != "" {
@ -150,6 +156,7 @@ func (s *RemoteRuleSet) loadBytes(content []byte) error {
 	}
 	s.metadata.ContainsProcessRule = hasHeadlessRule(plainRuleSet.Rules, isProcessHeadlessRule)
 	s.metadata.ContainsWIFIRule = hasHeadlessRule(plainRuleSet.Rules, isWIFIHeadlessRule)
 	s.metadata.ContainsIPCIDRRule = hasHeadlessRule(plainRuleSet.Rules, isIPCIDRHeadlessRule)
 	s.rules = rules
 	return nil
 }