/usr/bin/v2ray run --config=/etc/v2raya/config.json
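Good, your configuration is already quite complete. Only one key piece is missing to close the loop: **letting dnsmasq plug into Xray's DNS (port 1053)**.
Here is a **paste-ready version (minimal changes on top of your original config)**; you only need to replace the corresponding parts.
---
# ✅ 1. Changes required (summary)
The essence of your current problem:
> ❗No DNS inbound → dnsmasq cannot connect to Xray
So we do three things:
1. ✅ Add a `dns-in` inbound (port 1053)
2. ✅ Add a routing rule (send DNS to dns-out)
3. ✅ Leave your existing FakeDNS / traffic-splitting logic intact
---
# 🧩 2. The complete working config (already modified)
👉 **Just replace your current config.json with this in full**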
```json
{
"log":{
"access":"",
"error":"none",
"loglevel":"info"
},
"inbounds":[
{
"tag":"dns-in",
"port":1053,
"listen":"127.0.0.1",
"protocol":"dokodemo-door",
"settings":{
"address":"1.1.1.1",
"port":53,
"network":"tcp,udp"
}
},
{
"port":20170,
"protocol":"socks",
"listen":"0.0.0.0",
"sniffing":{
"enabled":true,
"destOverride":["fakedns"]
},
"settings":{
"auth":"noauth",
"udp":true
},
"tag":"socks"
},
{
"port":20171,
"protocol":"http",
"listen":"0.0.0.0",
"sniffing":{
"enabled":true,
"destOverride":["fakedns"]
},
"tag":"http"
},
{
"port":9527,
"protocol":"http",
"listen":"0.0.0.0",
"sniffing":{
"enabled":true,
"destOverride":["fakedns"]
},
"tag":"rule-http"
},
{
"port":52345,
"protocol":"dokodemo-door",
"listen":"0.0.0.0",
"sniffing":{
"enabled":true,
"destOverride":["fakedns"]
},
"settings":{
"network":"tcp,udp",
"followRedirect":true
},
"streamSettings":{
"sockopt":{
"tproxy":"tproxy"
}
},
"tag":"transparent"
},
{
"port":37235,
"protocol":"dokodemo-door",
"listen":"127.0.0.1",
"settings":{
"address":"127.0.0.1"
},
"tag":"api-in"
}
],
"outbounds":[
{
"tag":"proxy",
"protocol":"vmess",
"settings":{
"vnext":[
{
"address":"48.210.217.164",
"port":443,
"users":[
{
"id":"b80879be-d8f1-4afd-a462-385e198501f9",
"security":"auto"
}
]
}
]
},
"streamSettings":{
"network":"ws",
"security":"tls",
"tlsSettings":{
"allowInsecure":true,
"serverName":"jp.boosh.com.cn"
},
"wsSettings":{
"path":"/mychat",
"headers":{
"Host":"jp.boosh.com.cn"
}
},
"sockopt":{
"mark":128
}
}
},
{
"tag":"direct",
"protocol":"freedom",
"settings":{
"domainStrategy":"UseIP"
},
"streamSettings":{
"sockopt":{
"mark":128
}
}
},
{
"tag":"block",
"protocol":"blackhole"
},
{
"tag":"dns-out",
"protocol":"dns",
"settings":{
"port":53,
"address":"1.1.1.1",
"network":"udp"
},
"streamSettings":{
"sockopt":{
"mark":128
}
}
}
],
"routing":{
"domainStrategy":"IPOnDemand",
"rules":[
{
"type":"field",
"inboundTag":["dns-in"],
"outboundTag":"dns-out"
},
{
"type":"field",
"outboundTag":"direct",
"ip":["48.210.217.164"],
"port":"443"
},
{
"type":"field",
"outboundTag":"proxy",
"inboundTag":["transparent"],
"domain":["geosite:geolocation-!cn"]
},
{
"type":"field",
"outboundTag":"direct",
"inboundTag":["transparent"],
"domain":["geosite:cn"]
},
{
"type":"field",
"outboundTag":"direct",
"inboundTag":["transparent"],
"ip":["geoip:private","geoip:cn"]
},
{
"type":"field",
"outboundTag":"proxy",
"port":"0-65535"
}
]
},
"dns":{
"servers":[
"fakedns",
{
"address":"https://1.1.1.1/dns-query",
"domains":["geosite:geolocation-!cn"]
},
{
"address":"223.5.5.5",
"domains":["geosite:cn"]
}
],
"tag":"dns"
}
}
```
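Before restarting, the three changes listed above can be checked statically, together with two exposure settings this config carries (`"auth":"noauth"` listeners on `0.0.0.0` and `"allowInsecure":true`). The Python check below is an added example, not part of the original post; the `audit` function and the trimmed `SAMPLE` config are constructed for illustration.

```python
import json

# Constructed sample: a trimmed copy of the fields this check reads from the config above.
SAMPLE = json.loads("""
{"inbounds": [
   {"tag": "dns-in", "port": 1053, "listen": "127.0.0.1", "protocol": "dokodemo-door",
    "settings": {"address": "1.1.1.1", "port": 53, "network": "tcp,udp"}},
   {"tag": "socks", "port": 20170, "listen": "0.0.0.0", "protocol": "socks",
    "settings": {"auth": "noauth", "udp": true}},
   {"tag": "http", "port": 20171, "listen": "0.0.0.0", "protocol": "http"}],
 "outbounds": [
   {"tag": "proxy", "protocol": "vmess",
    "streamSettings": {"security": "tls", "tlsSettings": {"allowInsecure": true}}},
   {"tag": "dns-out", "protocol": "dns"}],
 "routing": {"rules": [
   {"type": "field", "inboundTag": ["dns-in"], "outboundTag": "dns-out"}]}}
""")

LOOPBACK = ("127.0.0.1", "::1", "localhost")

def audit(cfg):
    """Return (errors, warnings) for the DNS wiring and exposure of an Xray/V2Ray config."""
    errors, warnings = [], []
    inbounds = {i.get("tag"): i for i in cfg.get("inbounds", [])}
    outbounds = {o.get("tag"): o for o in cfg.get("outbounds", [])}
    rules = cfg.get("routing", {}).get("rules", [])
    # 1. The DNS path needs all three pieces: inbound, outbound, and the rule joining them.
    dns_in = inbounds.get("dns-in")
    if dns_in is None:
        errors.append("no dns-in inbound: dnsmasq has nothing to forward to")
    elif dns_in.get("listen") not in LOOPBACK:
        warnings.append("dns-in is reachable from other hosts (open resolver)")
    if outbounds.get("dns-out", {}).get("protocol") != "dns":
        errors.append("no dns-out outbound with protocol 'dns'")
    if not any("dns-in" in r.get("inboundTag", []) and r.get("outboundTag") == "dns-out"
               for r in rules):
        errors.append("no routing rule sending dns-in to dns-out")
    # 2. Exposure: socks/http listeners off loopback that accept any client.
    for tag, ib in inbounds.items():
        s = ib.get("settings", {})
        anon = s.get("auth", "noauth") == "noauth" and not s.get("accounts")
        if ib.get("protocol") in ("socks", "http") and ib.get("listen", "0.0.0.0") not in LOOPBACK and anon:
            warnings.append(f"{tag}: unauthenticated {ib['protocol']} proxy on port {ib.get('port')}")
    # 3. TLS: allowInsecure disables certificate verification for that outbound.
    for tag, ob in outbounds.items():
        if ob.get("streamSettings", {}).get("tlsSettings", {}).get("allowInsecure"):
            warnings.append(f"{tag}: allowInsecure=true, server certificate is not verified")
    return errors, warnings
```

To check the real file, pass `json.load(open("/etc/v2raya/config.json"))` to `audit` and review both returned lists before restarting the service.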
---
```bash
/etc/init.d/v2ray restart
```
# 🔍 3. What you must verify after the change
### 1️⃣ Check that port 1053 is up
```bash
netstat -lntp | grep 1053
```
You should see:
```bash
127.0.0.1:1053 LISTEN
```
---
### 2️⃣ Test dnsmasq → Xray
```bash
# nslookup does not parse the dnsmasq-style "127.0.0.1#1053"; pass the port explicitly
nslookup -port=1053 google.com 127.0.0.1
```
---
### 3️⃣ Test the full chain
```bash
nslookup google.com 10.10.0.114
```
Returns:
```bash
198.18.x.x ← FakeDNS is working
```
---
# ⚠️ 4. A hidden risk in your original config (pointed out in passing)
Previously you had:
```json
"dns-out": {
"address": "119.29.29.29"
}
```
👉 This is a **domestic (mainland China) DNS server, queried in plaintext**
I have now changed it to:
```json
"1.1.1.1"
```
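👉 Cleaner (and safer when used together with the proxy)
---
# 📌 5. What this setup now achieves
You now have:
- ✔ dnsmasq as the single entry point
- ✔ DNS taken over by Xray
- ✔ FakeDNS in effect
- ✔ DNS can go through the proxy
- ✔ TProxy integration

👉 This is now a **complete closed-loop architecture**
# Force DNS hijacking (to prevent bypass)
This step is critical; otherwise a client that hard-codes 8.8.8.8 will bypass you.
iptables (commonly used on OpenWrt):
```bash
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
```
Meaning:
All DNS requests → forced to dnsmasq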
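Author: jack@向东博客 (Xiangdong Blog), focused on web applications and the beauty of architecture --- the beauty of architecture lies in being refined to perfection | the beauty of an application lies in curing the problem at once
URL: http://www.jackxiang.com/post/13384/
All rights reserved. When reposting, the author, the original source and this notice must be credited with a link.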